My Cryptographic Authentication Final

CRYPTOGRAPHIC AUTHENTICATION
SUBMITTED BY NIRMAL PODDAR, REG NO - 95580028

Transcript of My Cryptographic Authentication Final

8/8/2019 My Cryptographic Authentication Final

http://slidepdf.com/reader/full/my-cryptographic-authentication-final 1/51


What is Cryptographic Authentication?

Establish and verify identity.

Authentication is the concept of proving user identity, typically in order to establish communication or to gain access to a system or network.

It is the process of verifying a claimed identity.


The most basic form of authentication involves the use of a login name and password. Another form of authentication involves the use of digital certificates (for example, when accessing secure web sites).


There are three basic means by which an individual may authenticate his identity:

Something you have, such as a key or card: can be stolen.

Something you know, such as a password: can be guessed, shared, or stolen.

Something you are, such as biometrics: can be costly, or copied.


Something you have:

OTP cards (e.g. SecurID): generate a new password each time the user logs in.

Smart card: tamper-resistant, stores secret information, inserted into a card reader.

Token / key (e.g., iButton).

ATM card.

The strength of this kind of authentication depends on the difficulty of forging the object.


Something you know. Example: passwords.

Pros:

Simple to implement.

Simple for users to understand.

Cons:

Easy to crack (unless users choose strong ones).

Passwords are reused many times.

One-time passwords (OTP): a different password is used each time, but it is difficult for the user to remember all of them.


Something you are: biometrics.

Pros: "raises the bar".

Cons: false positives and false negatives, social acceptance, key management.

false positive (false acceptance): an impostor is accepted

false negative (false rejection): an authentic user is rejected

Ranking of biometric techniques by effectiveness and by user acceptance (rank, 1 = highest):

Technique             Effectiveness   Acceptance
Palm scan             1               6
Iris scan             2               1
Retinal scan          3               7
Fingerprint           4               5
Voice ID              5               3
Facial recognition    6               4
Signature dynamics    7               2


Two-factor authentication: for strong authentication, any two of the basic methods can be combined, such as ATM card + PIN, fingerprint + OTP, etc.


Who is authenticating whom? Person-to-person? Computer-to-computer?

Three types:

Client authentication: the server verifies the client's identity.

Server authentication: the client verifies the server's identity.

Mutual authentication: client and server each verify the other's identity.


Authentication methods: authentication can be accomplished in many ways. Selecting an authentication method appropriate to the environment is perhaps the most crucial decision in designing secure systems.

Authentication protocols are capable of simply authenticating the connecting party, or of authenticating the connecting party as well as authenticating the system itself to the connecting party.


Various types of methods:

Passwords

One-time passwords

Public key cryptography

Zero-knowledge proofs

Digital signatures


Passwords:

Passwords are the most widely used form of authentication. Users provide an identifier (a typed-in word or phrase, or perhaps a token card) along with a password. In many systems the passwords on the host itself are not stored as plain text but in a protected form, in practice a salted one-way hash rather than a reversible encryption, so that a copy of the password file does not directly yield the passwords. Password authentication does not normally require complicated or robust hardware, since authentication of this type is in general simple and does not require much processing power.
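The protected password store just described, as an added example that is not part of the original slides: each password is kept as a salted PBKDF2-HMAC-SHA256 record and checked with a constant-time comparison, and an unknown user name is charged the same hashing cost as a real one so that response time does not reveal which accounts exist. The user table, user names, passwords and iteration count are constructed for the example; the 600,000-iteration figure follows current OWASP guidance for PBKDF2-SHA256.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP password-storage guidance for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record "pbkdf2_sha256$<iters>$<salt>$<hash>".

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table is useless against the file.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and parameters and compare."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record
    # compare_digest rather than ==, so comparison time does not leak how many
    # leading bytes of the candidate hash were correct.
    return hmac.compare_digest(dk, expected)


# Constructed user table for the example: the host stores only hash records.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
}

# Dummy record checked for unknown users, so that a login attempt against a
# non-existent account costs the same time as one against a real account.
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


def authenticate(users, username, password):
    """True only if the user exists and the password matches its record."""
    record = users.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in users


if __name__ == "__main__":
    print(authenticate(USERS, "alice", "correct horse battery staple"))  # True
    print(authenticate(USERS, "alice", "Correct horse battery staple"))  # False
    print(authenticate(USERS, "mallory", "anything"))                     # False
```

The record format carries its own parameters, so the iteration count can be raised later for new records while old ones still verify.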

Passwords:

Password authentication has several vulnerabilities; some of the more obvious are:

The password may be easy to guess.

Writing the password down and placing it in a highly visible area.

Discovering passwords by eavesdropping or even social engineering.


Passwords:

The risk of eavesdropping can be managed by using digests for authentication. Instead of the password itself, the connecting party sends a value, typically a hash of the client IP address, a time stamp and additional secret information, so that a listener captures only a digest that is valid for that client, that moment and that secret.

The system is, however, still vulnerable to active attacks such as the man-in-the-middle attack: the digest proves that someone holding the secret answered, but nothing binds it to the party that actually relays it to the server.
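The digest exchange above, as an added example that is not part of the original slides. The host issues a single-use random challenge (an addition here; the slides list only the IP address, time stamp and secret) and the client answers with HMAC-SHA256 over challenge, client IP and time stamp under the shared secret, so the secret never crosses the wire. The shared secret, client address and time values are constructed for the example. A captured digest cannot be replayed and a stale time stamp is rejected, but a man-in-the-middle that relays the live challenge to the victim and forwards the victim's fresh answer is accepted, which is the active-attack weakness the slide refers to.

```python
import hashlib
import hmac
import secrets

# Constructed values for the example (not from the original page).
SHARED_SECRET = b"k3-client-to-host-secret"
CLIENT_IP = "192.0.2.10"


def compute_digest(secret, challenge, client_ip, timestamp):
    """Digest sent instead of the password: HMAC over challenge|ip|time."""
    message = f"{challenge}|{client_ip}|{timestamp}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class Host:
    """The system being accessed: knows the shared secret, issues challenges."""

    def __init__(self, secret, max_skew=30):
        self.secret = secret
        self.max_skew = max_skew      # seconds of clock drift tolerated
        self.outstanding = set()      # challenges issued but not yet answered

    def challenge(self):
        c = secrets.token_hex(16)
        self.outstanding.add(c)
        return c

    def verify(self, challenge, client_ip, timestamp, digest, now):
        if challenge not in self.outstanding:
            return False              # unknown or already used: a replay
        self.outstanding.discard(challenge)   # every challenge is single-use
        if abs(now - timestamp) > self.max_skew:
            return False              # stale time stamp
        # Note: the host checks the *claimed* address inside the digest, not
        # the transport source; it cannot tell who delivered the message.
        expected = compute_digest(self.secret, challenge, client_ip, timestamp)
        return hmac.compare_digest(expected, digest)


class Client:
    """The connecting party.  It answers any challenge it is handed."""

    def __init__(self, secret, ip):
        self.secret = secret
        self.ip = ip

    def respond(self, challenge, now):
        return self.ip, now, compute_digest(self.secret, challenge, self.ip, now)


def honest_login(host, client, now):
    """Normal exchange; also returns what an eavesdropper would capture."""
    challenge = host.challenge()
    ip, ts, digest = client.respond(challenge, now)
    return (challenge, ip, ts, digest), host.verify(challenge, ip, ts, digest, now)


def replay(host, captured, now):
    """An eavesdropper resends a digest it captured earlier."""
    challenge, ip, ts, digest = captured
    return host.verify(challenge, ip, ts, digest, now)


def man_in_the_middle(host, client, now):
    """Active attacker: obtains a challenge from the host, hands it to the
    victim client, and forwards the victim's fresh answer as its own."""
    challenge = host.challenge()
    ip, ts, digest = client.respond(challenge, now)     # victim answers
    return host.verify(challenge, ip, ts, digest, now)  # accepted: attacker is in


if __name__ == "__main__":
    host = Host(SHARED_SECRET)
    client = Client(SHARED_SECRET, CLIENT_IP)
    t0 = 1_700_000_000
    captured, ok = honest_login(host, client, t0)
    print("honest login:", ok)
    print("replay of captured digest:", replay(host, captured, t0 + 5))
    print("man-in-the-middle relay:", man_in_the_middle(host, client, t0))
```

Closing the relay hole needs either server authentication (the client must know whom it is answering) or a digest that also covers the channel it travels over; the digest alone cannot provide either.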


One-time password:

To avoid the problems associated with password reuse, one-time passwords were developed.

One-time passwords:

There are two types of one-time passwords: a challenge-response password and a password list.

With a challenge-response password the system responds with a challenge value after receiving a user identifier. The response is then calculated from the challenge value (with some electronic device) or selected from a table based on the challenge.


A one-time password list makes use of lists of passwords which are used sequentially by the person wanting to access a system.

The values are generated so that it is very hard to calculate the next value from the previously presented values.


One-time-password lists, or OTPs, are an alternative to deploying a security grid for user authentication. With this approach, end users are provisioned with a list of randomly generated passwords that are typically printed on a sheet of paper, or hidden under "scratch cards", that are distributed to and carried by end users.

One-time password list:

For example, starting from a secret seed R:

x1 = f(R), x2 = f(x1) = f(f(R)), ..., xn = f(x(n-1)).

The function f() is chosen so that computing the inverse f^-1 is very difficult (a one-way function, in practice a cryptographic hash). The system is initialised with xn; the first password presented is then x(n-1), which the system checks by computing f(x(n-1)) and comparing it with xn, then x(n-2) is used, and so on down to x1. Someone who captures a password cannot derive the next one, because that would require inverting f.
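The chain above, as an added example that is not part of the original slides: f is SHA-256, the seed R and list length n are constructed for the example, the system keeps only the most recently accepted value, and each login must present that value's preimage. A replayed password fails, a value from further down the list fails (its image is not the value the system holds), and once x1 has been used the list is exhausted and the user must re-enrol.

```python
import hashlib
import hmac


def f(x):
    """The one-way function: SHA-256 (inverting it is infeasible)."""
    return hashlib.sha256(x).digest()


def make_chain(seed, n):
    """Return [x1, x2, ..., xn] with x1 = f(R) and x(k) = f(x(k-1))."""
    chain, x = [], seed
    for _ in range(n):
        x = f(x)
        chain.append(x)
    return chain


class System:
    """Holds only the last accepted value; it never sees the seed R."""

    def __init__(self, xn, n):
        self.current = xn        # initialised with xn at enrolment
        self.remaining = n - 1   # x(n-1) ... x1 are the usable passwords

    def login(self, candidate):
        if self.remaining <= 0:
            return False         # list exhausted: user must re-enrol
        # f(presented) must equal the value we hold.  A replayed or guessed
        # value fails because its image is not the current value.
        if not hmac.compare_digest(f(candidate), self.current):
            return False
        self.current = candidate  # next login must present the preimage of this
        self.remaining -= 1
        return True


class User:
    """Carries the list (or regenerates it from R) and uses it from the top down."""

    def __init__(self, seed, n):
        self.chain = make_chain(seed, n)
        self.next_index = n - 2   # chain[n-1] is xn (registered); start at x(n-1)

    def registration_value(self):
        return self.chain[-1]

    def next_password(self):
        if self.next_index < 0:
            raise RuntimeError("one-time password list exhausted")
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw


def run_scenario(seed=b"constructed seed R for the example", n=5):
    """Walk through enrolment, logins, a replay and exhaustion; return outcomes."""
    user = User(seed, n)
    system = System(user.registration_value(), n)
    first = user.next_password()
    outcomes = {
        "first login": system.login(first),
        "replay of first": system.login(first),            # eavesdropper
        "skip ahead with x1": system.login(user.chain[0]),  # f(x1) = x2 != x(n-1)
    }
    outcomes["remaining logins"] = [system.login(user.next_password())
                                    for _ in range(n - 2)]
    outcomes["after exhaustion"] = system.login(first)
    return outcomes


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The system stores no secret at all, only a public chain value, which is why a stolen copy of its table is harmless: turning x(k) into x(k-1) is a preimage attack on f.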

It is important to keep in mind that password systems only authenticate the connecting party. They do not provide the connecting party with any method of authenticating the system it is accessing, so they are vulnerable to spoofing or a man-in-the-middle attack.


Public key cryptography

Public key cryptography is based on mathematical problems that are believed to be hard to solve, and designing with it requires very specialised knowledge. Public key cryptography makes use of two keys, one private and the other public.

The two keys are linked together by a mathematical relationship chosen so that the public key can be derived from the private key, but the private key cannot feasibly be recovered from the public key.


The private key is used to decrypt messages sent to its owner and to create digital signatures. Encryption of messages to the owner and verification of the owner's signatures are accomplished with the public key.


The integrity of the public key is of the utmost importance. The integrity of a public key is usually assured by completion of a certification process carried out by a certification authority (CA). Once the CA has certified that the credentials provided by the entity holding the public key are valid, the CA will digitally sign the key (issuing a certificate), so that visitors accessing the material the key is protecting will know the entity has been certified.


Basically, the public-key authentication process includes the following:

The client selects some random numbers and sends the result to the server as Message 1.

The server then sends different random numbers (a challenge) back to the client, based on Message 1.

The client then computes a new value from the challenge and its private key and sends it to the server as Message 2.

The server then uses the client's public key to verify that the value returned could only have been computed using the private key.


One important method: Elliptic Curve Cryptographic Algorithm


Zero-knowledge proofs:

Zero-knowledge proofs make it possible for a host to convince another host to allow access without revealing any "secret information". The hosts involved in this form of authentication usually communicate several times to finalise authentication.


The client will first create a random but difficult-to-solve problem and then solve it using information it has (the secret).

The client then commits to the solution using a bit-commitment scheme and sends the problem and the commitment to the server.


The server then asks the client either to prove that the problems are related, or to open the committed solution and prove that it is the solution. The client complies with the request.

Typically, about ten successful exchanges will be required to take place before the authentication process is complete and access is granted.


The zero-knowledge proof can be made non-interactive. In this instance only one message from client to server is needed. This method utilises a one-way hash function: the challenges that the committed answers respond to are derived from the output of that hash function instead of being chosen by the server. The number of proofs needed is generally larger (64 or more) to avoid brute-force attacks, since the prover can now try many commitments offline until the hash yields challenges it is able to answer.



The zero-knowledge proof of identity has its share of problems. Perhaps the most vulnerable point is that, while Host A thinks it is proving its identity to Host B, it is possible for Host B to simultaneously authenticate to a third party, Host C, using Host A's credentials: B simply relays C's challenges to A and A's answers back to C.
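The three-message public-key exchange (Message 1, challenge, Message 2), the interactive and non-interactive zero-knowledge proof, and the relay problem above, in one added example that is not part of the original slides. It uses the Schnorr identification protocol, which the slides do not name: the client proves knowledge of a private exponent x for a public value y = g^x mod p without revealing x, and an accepting transcript can be produced without x after the fact, which is what makes the proof zero-knowledge. The non-interactive variant derives the challenge from a hash of the commitment (the Fiat-Shamir transform) and, as an addition to what the slides describe, mixes in a context string naming the intended verifier, so a proof made for Host B fails when Host C checks it. The 64-bit group generated at import time is a toy size chosen so the block runs stand-alone; real deployments use a standardised 2048-bit group or an elliptic curve.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test, used only to build the toy group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    """Safe prime p = 2q + 1 with g = 4, a square and hence of prime order q.
    64 bits is a toy size; use a standardised 2048-bit group or a curve."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, 4

P, Q, G = make_group()

def keygen():
    """Private key x, public key y = g^x mod p (the key a CA would certify)."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

# Interactive protocol: Message 1 (commitment), challenge, Message 2 (response).

def prover_commit():
    """Client picks a random r, keeps it, and sends t = g^r as Message 1."""
    r = 1 + secrets.randbelow(Q - 1)
    return r, pow(G, r, P)

def verifier_challenge():
    """Server answers with its own random number c."""
    return secrets.randbelow(Q)

def prover_respond(x, r, c):
    """Message 2: s = r + c*x mod q; only the holder of x can compute it."""
    return (r + c * x) % Q

def verify(y, t, c, s):
    """Server checks g^s == t * y^c mod p using only the public key."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_interactive(x, y):
    r, t = prover_commit()
    c = verifier_challenge()
    return verify(y, t, c, prover_respond(x, r, c))

def simulate_transcript(y):
    """Zero-knowledge: choose c and s first and solve for t, and the transcript
    verifies without x.  Anyone can make such transcripts, so a verifier
    learns nothing about x from a real one."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - c) % Q, P)) % P   # y^-c, because y^q = 1
    return t, c, s

# Non-interactive variant: the challenge is a hash, so one message suffices.

def fiat_shamir_challenge(y, t, context):
    """Hash the public key, the commitment and the intended verifier's name."""
    data = f"{P}|{G}|{y}|{t}|{context}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def ni_prove(x, y, context):
    r, t = prover_commit()
    return t, prover_respond(x, r, fiat_shamir_challenge(y, t, context))

def ni_verify(y, proof, context):
    t, s = proof
    return verify(y, t, fiat_shamir_challenge(y, t, context), s)

if __name__ == "__main__":
    x, y = keygen()
    print("interactive, genuine client:", run_interactive(x, y))
    proof = ni_prove(x, y, "Host B")
    print("one-message proof checked by Host B:", ni_verify(y, proof, "Host B"))
    print("same proof relayed to Host C:", ni_verify(y, proof, "Host C"))
```

An impostor without x can only guess s and succeeds with probability 1/q per run, which is why one round of Schnorr replaces the ten coin-flip rounds of the cave example. The context string is the defence against the relay: in the interactive protocol the same effect needs the verifier's identity bound into the challenge, or mutual authentication of the channel.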


Example:

Let us consider an intuitive example called Ali Baba's Cave. Alice wants to prove to Bob that she knows the secret words that will open the portal at R-S in the cave, but she does not wish to reveal the secret to Bob. In this scenario, Alice's commitment is to go to R or S. A typical round in the proof proceeds as follows: Bob goes to P and waits there while Alice goes to R or S. Bob then goes to Q and shouts to ask Alice to appear from either the right side or the left side of the tunnel. If Alice does not know the secret words (for example, "Open Sesame"), there is only a 50 percent chance she will come out from the requested side. Bob will repeat this round as many times as he desires until he is certain Alice knows the secret words; after k rounds a cheating Alice passes with probability only 1/2^k. No matter how many times the proof repeats, Bob does not learn the secret words.


Digital signature:

To create a digital signature from a message, first create a hash value, also known as a message digest, from the message. Then use the signer's private key to sign the hash value. The following illustration shows the process for creating a digital signature.


To verify a digital signature, both the message and the signature are required. First, a hash value must be created from the message in the same way as it was done when the signature was created. This hash value is then verified against the signature using the public key of the signer. If the hash value and the signature match, you can be confident that the message is the one originally signed and that it has not been tampered with. The following illustration shows the process of verifying a digital signature.
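The sign-then-verify procedure above, as an added example that is not part of the original slides. It uses a Lamport one-time signature, a hash-based scheme the slides do not mention, chosen because it needs nothing beyond SHA-256 and makes the hash-then-sign structure visible: the private key is 256 pairs of random secrets, the public key is the hash of every secret, signing reveals one secret per bit of the message digest, and verification hashes the revealed secrets and compares them with the public key. Messages and key material are constructed for the example. A Lamport key must sign only one message, which the signer class below enforces; a second signature would reveal further secrets and let an attacker assemble signatures on other messages.

```python
import hashlib
import hmac
import secrets

DIGEST_BITS = 256   # SHA-256 message digest: one secret pair per digest bit


def H(data):
    return hashlib.sha256(data).digest()


def message_bits(message):
    """Hash the message first; the signature covers the digest, not the text."""
    n = int.from_bytes(H(message), "big")
    return [(n >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def keygen():
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the hash of every secret, in the same positions."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, message):
    """For digest bit i, reveal sk[i][0] if the bit is 0 and sk[i][1] if it is 1."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(message))]


def verify(pk, message, signature):
    """Recompute the digest, hash each revealed secret, compare with the public key."""
    if len(signature) != DIGEST_BITS:
        return False
    ok = True
    for i, bit in enumerate(message_bits(message)):
        # Accumulate instead of returning early so the check is constant-time.
        ok &= hmac.compare_digest(H(signature[i]), pk[i][bit])
    return ok


class OneTimeSigner:
    """Enforces the one-time rule: the private key is discarded after use."""

    def __init__(self):
        self.sk, self.public_key = keygen()

    def sign(self, message):
        if self.sk is None:
            raise RuntimeError("this key has already signed a message")
        signature = sign(self.sk, message)
        self.sk = None
        return signature


def tamper(message):
    """Flip one bit of the message (constructed helper for the demonstration)."""
    b = bytearray(message)
    b[0] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    signer = OneTimeSigner()
    msg = b"pay 100 EUR to account 12345"           # constructed message
    sig = signer.sign(msg)
    print("genuine message:", verify(signer.public_key, msg, sig))
    print("tampered message:", verify(signer.public_key, tamper(msg), sig))
    print("wrong public key:", verify(keygen()[1], msg, sig))
```

Flipping a single bit of the message changes about half of the digest bits, and for every changed bit the revealed secret now hashes to the wrong half of the key pair, so the forged message is rejected exactly as the verification paragraph describes.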


A hash value consists of a small amount of binary data of fixed size, for example 160 bits for SHA-1 or 256 bits for SHA-256 (SHA-1 is no longer considered collision-resistant and should not be used for new signatures). It is produced using a hashing algorithm. All hash values share the following properties, regardless of the algorithm used:

A hash value is of a fixed length, regardless of the size of the message.

In practice every pair of nonidentical messages translates into a different hash value, even if the two messages differ only by a single bit. Since the hash is shorter than most messages, colliding pairs must exist, but for a sound algorithm they cannot be found.

Using today's technology, it is not feasible to discover a pair of messages that translate to the same hash value without breaking the hashing algorithm.


Conclusion:

Other methods of authentication, that may be more complex and require more time to implement and maintain, provide strong and reliable authentication (provided one keeps its secrets secret, i.e. private keys and passphrases).


That being said, one of the key factors to be considered in determining which method of authentication to implement is usability. The usability factor cannot be ignored when designing authentication systems.

If the authentication methods are not deemed usable by those forced to utilise them, then they will avoid using the system or persistently try to bypass them. Usability is a key issue to the adoption and maintenance of a security system.