This document discusses various methods of entity authentication. It distinguishes between message authentication and entity authentication. Some common methods discussed include using passwords, challenge-response protocols, and digital signatures. Specific techniques covered are fixed passwords, salted passwords, one-time passwords, challenge-response using symmetric ciphers, keyed hash functions, asymmetric ciphers, and digital signatures. The document provides examples of how each method can enable both unidirectional and bidirectional entity authentication.
2. Objectives
• To distinguish between message authentication and
entity authentication
• To define witnesses used for identification
• To discuss some methods of entity authentication
using a password
• To introduce some challenge-response protocols for
entity authentication
3. INTRODUCTION
Entity authentication is a technique designed to
let one party prove the identity of another party. An
entity can be a person, a process, a client, or a server.
The entity whose identity needs to be proved is called
the claimant; the party that tries to prove the identity of
the claimant is called the verifier.
4. There are two differences between message authentication
(data-origin authentication) and entity authentication.
1) Message authentication might not happen in real time;
entity authentication does.
2) Message authentication simply authenticates one
message; the process needs to be repeated for each new
message. Entity authentication authenticates the
claimant for the entire duration of a session.
Data Origin Vs Entity Authentication
5. Verification Categories
Something known: a secret known only by the claimant that can be
checked by the verifier. Example: a password.
Something possessed: something that can prove the claimant's identity.
Example: a passport.
Something inherent: an inherent characteristic of the claimant.
Example: a conventional signature, fingerprint, or voice.
6. This chapter discusses entity authentication. The next
chapter discusses key management. These two topics are
very closely related: key management protocols use entity
authentication protocols.
Entity Authentication and Key Management
7. PASSWORDS
The simplest and oldest method of entity authentication
is password-based authentication, where the password is
something that the claimant knows. A password is used
when a user needs to access a system to use the system's
resources.
A fixed password is a password that is used over and
over again for every access.
Fixed Password
8. Fixed Password
First Approach
The system keeps a table that is sorted by user
identification. The user sends her identification and
password to the system. The system uses the identification
to find the password in the table and compares it with the
password received. Because the passwords are stored in the
clear, anyone who can read the table learns every password.
Figure User ID and password file
9. Second Approach
The system stores the hash of the password instead of the
password itself. Any user can read the contents of the file
without recovering a password, because the hash function is
one-way. The file is still exposed to a dictionary attack:
an attacker who obtains it hashes candidate passwords and
compares the digests, and one precomputed table of digests
serves for every user in the file.
Figure Hashing the password
10. Third Approach
This is called salting the password. When the password is
created, a random string called the salt is concatenated to
the password, and the result is hashed. The ID, the salt and
the hash are stored in the file. Because each user has a
different salt, two users with the same password get
different hashes, and a precomputed dictionary cannot be
reused across entries.
Figure Salting the password
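The second and third approaches above, as an added example that is not part of the original slides: a small in-memory password file keyed by user ID, a salted store routine, and a verify routine. Everything here is constructed for illustration (the user names, the passwords, the 16-byte salt length); the page's plain hash of salt||password is replaced by PBKDF2-HMAC-SHA256 from the Python standard library, so that each guess also costs an attacker work, and the digest comparison is constant-time.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "password file": user id -> (salt, hash). The page only
# describes the columns (ID, salt, hash); the dict is an assumption for the demo.
PASSWORD_FILE: dict[str, tuple[bytes, bytes]] = {}

# Work factor for PBKDF2. Kept low for a quick demo; raise it in production.
ITERATIONS = 100_000


def _digest(salt: bytes, password: str) -> bytes:
    # The slide's construction is h(salt || password) with a plain hash. Here the
    # hash is PBKDF2-HMAC-SHA256 so guessing is slow as well as per-salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_password(user: str, password: str) -> tuple[bytes, bytes]:
    """Third approach: draw a fresh random salt, hash salt+password, store both."""
    salt = secrets.token_bytes(16)          # random per user, never reused
    digest = _digest(salt, password)
    PASSWORD_FILE[user] = (salt, digest)
    return salt, digest


def verify_password(user: str, password: str) -> bool:
    """Look up the salt by user id, rehash the offered password, compare digests."""
    record = PASSWORD_FILE.get(user)
    if record is None:
        return False                        # unknown user
    salt, stored = record
    # Constant-time comparison: timing must not reveal how many bytes matched.
    return hmac.compare_digest(_digest(salt, password), stored)


def same_password_different_hashes(user_a: str, user_b: str, password: str) -> bool:
    """Why the salt defeats a precomputed dictionary: two users with the same
    password get unrelated file entries, so one table cannot crack both."""
    _, digest_a = store_password(user_a, password)
    _, digest_b = store_password(user_b, password)
    return digest_a != digest_b


if __name__ == "__main__":
    store_password("alice", "correct horse battery staple")
    print("alice, right password:", verify_password("alice", "correct horse battery staple"))
    print("alice, wrong password:", verify_password("alice", "Tr0ub4dor&3"))
    print("bob and carol share a password but not a hash:",
          same_password_different_hashes("bob", "carol", "hunter2"))
```

The second approach on the slide is this code with an empty salt: the digest would then depend only on the password, and the same precomputed table of digests would work against every entry in every copy of the file.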
11. Fourth Approach
In the fourth approach, two identification techniques are
combined: something known with something possessed. A good
example of this type of authentication is the use of an ATM
card (possessed) with a PIN (personal identification number,
known).
12. One-Time Password
A one-time password is used only once, so a password that is
eavesdropped or read from the file is useless for the next login.
First Approach
In the first approach, the user and the system agree upon
a list of passwords, each valid for a single login.
Second Approach
In the second approach, the user and the system agree to
sequentially update the password.
Third Approach
In the third approach, the user and the system create a
sequentially updated password using a hash function (a hash
chain).
14. CHALLENGE-RESPONSE
In password authentication, the claimant proves her
identity by demonstrating that she knows a secret, the
password. In challenge-response authentication, the
claimant proves that she knows a secret without
sending it.
Topics discussed in this section:
Using a Symmetric-Key Cipher
Using Keyed-Hash Functions
Using an Asymmetric-Key Cipher
Using Digital Signature
15. Note
In challenge-response authentication, the claimant
proves that she knows a secret without sending it to
the verifier.
Note
The challenge is a time-varying value sent by the
verifier; the response is the result
of a function applied on the challenge.
16. Using a Symmetric-Key Cipher
First Approach
The verifier sends a nonce, a random number used only once, to challenge the
claimant. A nonce must be time varying: every time one is created it is different,
so a recorded response cannot be replayed. The claimant returns the nonce encrypted
with the shared secret key; the verifier decrypts it and compares it with the nonce
it sent.
Figure Nonce challenge
17. Second Approach
The time-varying value is a timestamp. The challenge message is the current time,
sent from the verifier to the claimant, which the claimant returns encrypted with the
shared key. If the two clocks are synchronized the claimant already knows the current
time and the challenge need not actually be sent; the verifier must then reject
timestamps outside a small window.
Figure Timestamp challenge
18. Third Approach
The first and second approaches are unidirectional authentication. But we also need
bidirectional authentication, in which each party challenges and authenticates the other.
Figure Bidirectional authentication
19. Instead of using encryption/decryption for entity
authentication, we can also use a keyed-hash function
(MAC): the claimant returns the MAC of the challenge computed
with the shared key, and the verifier recomputes it and compares.
Using Keyed-Hash Functions
Figure Keyed-hash function
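The nonce-based challenge-response of the symmetric-key first approach, its bidirectional third approach, and the keyed-hash variant above, as one added example that is not part of the original slides. The response is an HMAC-SHA256 (from the Python standard library) over the responder's identity and the nonces rather than an encryption of the nonce; the shared key, the party names and the 16-byte nonce length are assumptions of this example. Binding the responder's identity into the MAC is a practitioner's addition: without it, an attacker could reflect a party's own challenge back at it and reuse the answer.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, *fields: bytes) -> bytes:
    """Keyed hash over length-prefixed fields, so (b"ab", b"c") and (b"a", b"bc") differ."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


class Party:
    def __init__(self, name: str, key: bytes):
        self.name = name.encode()
        self.key = key                      # K_AB, shared out of band (assumption)
        self.pending: set[bytes] = set()    # challenges we issued and have not yet seen answered

    def challenge(self) -> bytes:
        """Fresh unpredictable nonce, remembered so the answer can be matched to it."""
        r = secrets.token_bytes(16)
        self.pending.add(r)
        return r

    def respond(self, received: bytes, own_nonce: bytes = b"") -> bytes:
        """Answer a challenge: MAC over our identity, the peer's nonce and, when the
        exchange is mutual, our own nonce. The identity field defeats reflection."""
        return mac(self.key, self.name, received, own_nonce)

    def verify(self, claimant: str, issued: bytes, peer_nonce: bytes, response: bytes) -> bool:
        if issued not in self.pending:
            return False                    # a nonce we never issued, or already answered: replay
        self.pending.discard(issued)        # each nonce is good for exactly one answer
        expected = mac(self.key, claimant.encode(), issued, peer_nonce)
        return hmac.compare_digest(expected, response)


def unidirectional(verifier: Party, claimant: Party) -> bool:
    """Slides 16/19: V -> C : R_V ;  C -> V : MAC(K, C, R_V)."""
    r_v = verifier.challenge()
    response = claimant.respond(r_v)
    return verifier.verify(claimant.name.decode(), r_v, b"", response)


def mutual(alice: Party, bob: Party) -> tuple[bool, bool]:
    """Slide 18, in three messages:
       1. A -> B : A, R_A
       2. B -> A : R_B, MAC(K, B, R_A, R_B)
       3. A -> B : MAC(K, A, R_B, R_A)
    Returns (Bob accepted Alice, Alice accepted Bob)."""
    r_a = alice.challenge()                                   # message 1
    r_b = bob.challenge()
    msg2 = bob.respond(r_a, r_b)                              # message 2
    alice_accepts_bob = alice.verify(bob.name.decode(), r_a, r_b, msg2)
    msg3 = alice.respond(r_b, r_a)                            # message 3
    bob_accepts_alice = bob.verify(alice.name.decode(), r_b, r_a, msg3)
    return bob_accepts_alice, alice_accepts_bob


if __name__ == "__main__":
    K = secrets.token_bytes(32)
    a, b = Party("Alice", K), Party("Bob", K)
    print("unidirectional:", unidirectional(b, a))
    print("mutual:", mutual(a, b))
```

The `pending` set is what turns "a nonce is used only once" into an enforced check: a captured response replayed after its nonce has been consumed is rejected even though the MAC itself is still valid.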
20. Using an Asymmetric-Key Cipher
First Approach
B encrypts the challenge (a nonce) using A's public key. A decrypts the message with A's
private key and returns the nonce; B checks that it matches the one sent.
Figure Unidirectional, asymmetric-key authentication
21. Second Approach
Two public keys are used, one in each direction. A sends her identity and a nonce
encrypted with B's public key; B decrypts it and, in turn, uses A's public key to
challenge A.
Figure Bidirectional, asymmetric-key
22. Using Digital Signature
First Approach
B sends a plaintext challenge and A signs the response with her private key; B
verifies the signature with A's public key.
Figure Digital signature, unidirectional
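The unidirectional asymmetric-key approach (slide 20) and the unidirectional digital-signature approach (slide 22), as one added example that is not part of the original slides. The key pair is textbook RSA with the classic teaching parameters p=61, q=53, e=17 (n=3233, d=2753), constructed here only to make the two message flows concrete: it has no padding and a 12-bit modulus and is not secure, and a real system would use a vetted library. The nonce sizes, the names and the hash-to-integer step are assumptions of this example. Two practitioner caveats are built in: in the encryption approach the claimant decrypts whatever it receives, so that key pair must be dedicated to authentication; in the signature approach the verifier's name is signed with the nonce so a man in the middle cannot relay another verifier's challenge to the claimant and forward the signature.

```python
import hashlib
import secrets


class KeyPair:
    """Toy RSA key pair (constructed, insecure: tiny modulus, no padding)."""

    def __init__(self, p: int, q: int, e: int):
        self.n = p * q
        self.e = e
        self.d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)

    def public(self) -> tuple[int, int]:
        return self.n, self.e


def pk_encrypt(pub: tuple[int, int], m: int) -> int:
    n, e = pub
    return pow(m, e, n)


def sk_decrypt(kp: KeyPair, c: int) -> int:
    return pow(c, kp.d, kp.n)


def sk_sign(kp: KeyPair, m: int) -> int:
    return pow(m, kp.d, kp.n)                 # textbook RSA: signing uses the private exponent


def pk_verify(pub: tuple[int, int], m: int, s: int) -> bool:
    n, e = pub
    return pow(s, e, n) == m % n


def hash_to_int(n: int, *fields: bytes) -> int:
    """Hash length-prefixed fields and reduce into Z_n (a stand-in for real padding)."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return int.from_bytes(h.digest(), "big") % n


def encryption_challenge(alice: KeyPair) -> bool:
    """Slide 20. B -> A : E(A_pub, R_B) ;  A -> B : D(A_priv, ...) = R_B ;  B compares.
    Alice decrypts anything she is sent, so this key must serve authentication only."""
    pub = alice.public()
    r_b = secrets.randbelow(pub[0] - 1) + 1   # Bob's nonce, in [1, n)
    to_alice = pk_encrypt(pub, r_b)
    answer = sk_decrypt(alice, to_alice)
    return answer == r_b


def signature_challenge(alice: KeyPair, verifier_name: str, tamper: bool = False) -> bool:
    """Slide 22. B -> A : R_B (plaintext) ;  A -> B : Sig(A_priv, h(R_B, B)) ;  B verifies.
    Signing the verifier's name with the nonce stops a relayed challenge from another
    verifier being answered in Alice's name."""
    pub = alice.public()
    r_b = secrets.token_bytes(16)
    m = hash_to_int(pub[0], r_b, verifier_name.encode())
    s = sk_sign(alice, m)
    if tamper:
        s = (s + 1) % pub[0]                  # simulate a corrupted or forged signature
    return pk_verify(pub, m, s)


if __name__ == "__main__":
    alice = KeyPair(61, 53, 17)
    print("encryption challenge:", encryption_challenge(alice))
    print("signature challenge:", signature_challenge(alice, "Bob"))
    print("tampered signature:", signature_challenge(alice, "Bob", tamper=True))
```

With real key sizes the flows are identical; what changes is that the nonce is carried inside a padding scheme and the signature is over a padded hash, which is exactly what the toy version omits.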