Le Trong Ngoc
Security Fundamentals
Entity Authentication Mechanisms
4/2011
4-1 Continued
Entity authentication is a technique designed to let one party prove the identity of another party. An entity can be a person, a process, a client, or a server. The entity whose identity needs to be proved is called the claimant; the party that tries to prove the identity of the claimant is called the verifier.
4-1 Continued
There are two differences between message authentication (data-origin authentication) and entity authentication, discussed in this chapter.
1) Message authentication might not happen in real time; entity authentication does.
2) Message authentication simply authenticates one message; the process needs to be repeated for each new message. Entity authentication authenticates the claimant for the entire duration of a session.
4-1 Continued
Something known
Something possessed
Something inherent
4-2 PASSWORDS
The simplest and oldest method of entity authentication is password-based authentication, where the password is something that the claimant knows.
4-2 Continued
First Approach
User ID and password file
4-2 Continued
Second Approach
Hashing the password
4-2 Continued
Third Approach
Salting the password
4-2 Continued
Fourth Approach
In the fourth approach, two identification techniques are combined. A good example of this type of authentication is the use of an ATM card with a PIN (personal identification number).
4-2 Continued
One-Time Password
First Approach
In the first approach, the user and the system agree upon a list of passwords.
Second Approach
In the second approach, the user and the system agree to sequentially update the password.
Third Approach
In the third approach, the user and the system create a sequentially updated password using a hash function.
4-2 Continued
Lamport one-time password
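Added example (not from the slides): the third one-time-password approach as a Lamport hash chain. The user keeps the seed and sends h^(n-1)(seed), h^(n-2)(seed), ... on successive logins; the system stores only the last accepted value, so a captured password is useless for the next login. SHA-256 and the class names are this example's assumptions.

```python
import hashlib
import secrets

def h(x: bytes) -> bytes:
    """One step of the hash chain (SHA-256 is an assumption; the slide fixes no hash)."""
    return hashlib.sha256(x).digest()

def hash_chain(seed: bytes, n: int) -> list[bytes]:
    """[h^0(seed), h^1(seed), ..., h^n(seed)]; the last element is what the system stores."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain

class LamportClaimant:
    """User side: keeps the secret seed; the i-th login sends h^(n-i)(seed)."""
    def __init__(self, seed: bytes, n: int):
        self.chain = hash_chain(seed, n)
        self.next_index = n - 1          # first password is h^(n-1)(seed)

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-enroll with a fresh seed")
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw

class LamportVerifier:
    """System side: stores only the last accepted value, never the seed."""
    def __init__(self, anchor: bytes, n: int):
        self.stored = anchor             # h^n(seed), registered once at enrollment
        self.remaining = n

    def verify(self, candidate: bytes) -> bool:
        if self.remaining == 0 or h(candidate) != self.stored:
            return False
        self.stored = candidate          # accept and step one link down the chain
        self.remaining -= 1
        return True

def demo(n: int = 5) -> dict:
    """Constructed run: two logins plus a replay of the first password by an eavesdropper."""
    seed = secrets.token_bytes(32)
    claimant = LamportClaimant(seed, n)
    verifier = LamportVerifier(hash_chain(seed, n)[-1], n)
    first = claimant.next_password()
    first_ok = verifier.verify(first)
    replay_ok = verifier.verify(first)   # same value again: h(first) != stored any more
    second_ok = verifier.verify(claimant.next_password())
    return {"first_ok": first_ok, "replay_ok": replay_ok, "second_ok": second_ok, "remaining": verifier.remaining}
```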
4-3 CHALLENGE-RESPONSE
In password authentication, the claimant proves her identity by demonstrating that she knows a secret, the password. In challenge-response authentication, the claimant proves that she knows a secret without sending it.
4-3 Continued
In challenge-response authentication, the claimant proves that she knows a secret without sending it to the verifier. The challenge is a time-varying value sent by the verifier; the response is the result of a function applied on the challenge.
4-3 Continued
First Approach
Nonce challenge
4-3 Continued
Second Approach
Timestamp challenge
4-3 Continued
Third Approach
Bidirectional authentication
4-3 Continued
Using Keyed-Hash Functions
Instead of using encryption/decryption for entity authentication, we can also use a keyed-hash function (MAC).
Keyed-hash function
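Added example (not from the slides) combining the nonce challenge of the first approach with the keyed-hash variant above: both sides share a key, Bob sends a fresh nonce, Alice returns an HMAC over her identity and the nonce, and Bob accepts each nonce once so a recorded response cannot be replayed. HMAC-SHA256 and the names Alice, Bob, Verifier and Claimant are this example's assumptions.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256   # keyed-hash function; SHA-256 is this example's assumption

class Verifier:
    """Bob: holds the shared key, issues nonce challenges, checks MAC responses."""
    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.outstanding: set[bytes] = set()   # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)        # time-varying value, fresh per run
        self.outstanding.add(nonce)
        return nonce

    def check(self, claimant_id: bytes, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False                       # unknown or already-used nonce: a replay
        self.outstanding.discard(nonce)        # each challenge is answered at most once
        expected = hmac.new(self.key, claimant_id + nonce, HASH).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison

class Claimant:
    """Alice: MACs the challenge with the shared key; the key itself is never sent."""
    def __init__(self, identity: bytes, shared_key: bytes):
        self.identity = identity
        self.key = shared_key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, self.identity + nonce, HASH).digest()

def run_protocol(alice: Claimant, bob: Verifier) -> tuple[bool, bool]:
    """Alice -> Bob: identity; Bob -> Alice: nonce; Alice -> Bob: MAC.
    Returns (accepted, accepted_again_when_the_same_pair_is_replayed)."""
    nonce = bob.challenge()
    response = alice.respond(nonce)
    accepted = bob.check(alice.identity, nonce, response)
    replayed = bob.check(alice.identity, nonce, response)   # eavesdropper resends the pair
    return accepted, replayed

def demo() -> dict:
    """Constructed run: the genuine Alice, then an impostor who only guessed a key."""
    key = secrets.token_bytes(32)
    bob = Verifier(key)
    genuine, replay = run_protocol(Claimant(b"alice", key), bob)
    impostor, _ = run_protocol(Claimant(b"alice", secrets.token_bytes(32)), bob)
    return {"genuine": genuine, "replay": replay, "impostor": impostor}
```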
4-3 Continued
Using an Asymmetric-Key Cipher
First Approach
Unidirectional, asymmetric-key authentication
4-3 Continued
Second Approach
Bidirectional, asymmetric-key
4-3 Continued
Using Digital Signature
First Approach
Digital signature, unidirectional
4-3 Continued
Second Approach
Digital signature, bidirectional authentication
4-4 ZERO-KNOWLEDGE
In zero-knowledge authentication, the claimant does not reveal anything that might endanger the confidentiality of the secret. The claimant proves to the verifier that she knows a secret, without revealing it. The interactions are so designed that they cannot lead to revealing or guessing the secret.
Fiat-Shamir Protocol
Feige-Fiat-Shamir Protocol
Guillou-Quisquater Protocol
4-4 Continued
Fiat-Shamir protocol
4-4 Continued
Cave Example
4-4 Continued
Feige-Fiat-Shamir protocol
4-4 Continued
Guillou-Quisquater protocol
4-5 BIOMETRICS
Biometrics is the measurement of physiological or behavioral features that identify a person (authentication by something inherent). Biometrics measures features that cannot be guessed, stolen, or shared.
Components
Enrollment
Authentication
Techniques
Accuracy
Applications
4-5 Continued
Components
Several components are needed for biometrics, including capturing devices, processors, and storage devices.
4-5 Continued
Enrollment
Before using any biometric technique for authentication, the corresponding feature of each person in the community should be available in the database. This is referred to as enrollment.
4-5 Continued
Authentication
Verification
Identification
4-5 Continued
Techniques
4-5 Continued
Physiological Techniques
Fingerprint
Iris
Retina
Face
Hands
Voice
DNA
4-5 Continued
Behavioral Techniques
Signature
Keystroke
4-5 Continued
Accuracy
False Rejection Rate (FRR)
False Acceptance Rate (FAR)
4-5 Continued
Applications
Several applications of biometrics are already in use. In commercial environments, these include access to facilities, access to information systems, transactions at point-of-sale, and employee timekeeping. In the law enforcement system, they include investigations (using fingerprints or DNA) and forensic analysis. Border control and immigration control also use some biometric techniques.