In this paper the idea of an enhanced security authentication procedure is presented. This procedure prohibits the transmission of the user’s password over the network while still providing the same authentication service. To achieve that, Kerberos Protocol and a secure password repository are adopted, namely a smart card. The conditional access to a smart card system provides a secure place to keep
credentials safe. Then, by referencing to them through identifiers, an authentication system may perform its
scope without revealing the secrets at all. This elevates the trustworthiness of the mechanism while at the
same time it achieves to reduce the overhead of the authentication systems due to the elaborate encryptions
procedures.
AUTHENTICATION MECHANISM ENHANCEMENT UTILISING SECURE REPOSITORY FOR PASSWORDLESS HANDSHAKE
1. Authentication mechanism enhancement
utilising secure repository for passwordless
handshake
Ioannis A. Pikrammenos, Panagiotis Tolis and
Panagiotis Perakis
School of Computing, Mediterranean College
– University of Derby, Athens, Greece
International Journal of Network Security & Its Applications (IJNSA) Vol. 11, No.4, July 2019
DOI: 10.5121/ijnsa.2019.11401
2. 2
Introduction
• prevent the exposure of the user’s
password during the authentication
phase in a network
• change of passwords infrequent intervals
leaves little room for attackers
• enhanced capabilities of password
utilization improve the performance of the
systems
3. 3
Structure
1. literature review
2. authentication protocols
3. security features of each proposal
4. proposed solution and its main
outcomes
5. discussion about challenges and future
work
6. conclusions
4. 4
Authentication
• Authentication comes from the Greek
lemma αὐθεντικός (authentikos)
– is confirming the truth of an attribute of a
single piece of data claimed to be true by an
entity
• user identification was introduced to allow
the system to identify the user and thus
to specify his access privileges
5. 5
Username
• should be created using the system-wide
character set
– should not be separated into discrete words
– should meet a specific limit of characters
• lower limit is one (1) character as there shouldn’t
be a “no one” (from Homer Odyssey) user
• systems-specific extend
– multiple systems = diverse usernames
• username once created cannot be
altered
6. 6
Password
• to prove user authenticity to the system
• the more secure a password is the more
difficult it becomes for humans to conceal or
even remember it
– transmission of the password “over the air”
– password codeword is also exposed by its shape
– protection of the communication channel
– man-in-the-middle attack
– secrets change in time
7. 7
Authentication procedure
• how one party verifies another's identity
• credentials are transmitted over the
network
• technologies used for security proposal
– Lightweight Directory Access Protocol,
– Kerberos
8. 8
LDAP
• by providing a Domain Name (DN) and a set of
credentials, a client can use the bind
operation to authenticate itself to the directory
• there are different types of bind methods in
LDAP
– In a simple bind, the user presents a clear-text DN
and password to the LDAP server
9. 9
Threats against LDAP
• Heartbleed
– length of payload greater than the amount of data
expected in the HeartbeatRequest message
• Session Hijacking
– Man-in-the-Middle attack
• the harassment of the communication channel
imposes severe security threats to the
authentication service
– the service can be restored while the incident
cannot
10. 10
Kerberos
• offers a means of validating the identity of
individuals on an accessible
(unprotected) network
• conducts authentication by using
standard cryptography
– symmetric-key cryptography
– public-key cryptography
12. 12
Threats against Kerberos
• Rainbow table, given the poor-quality of the
user-selected passwords
• illegitimate person gains access to the KDC
database
• Man-In-The-Middle record all data on the wire
and even alter the transmitted data selectively
• weakness is that the key kC used to encrypt
the client's credentials is derived from a
password, and passwords are notoriously
vulnerable
13. 13
Proposition
• Credentials’ current values are deterministic for
the authentication though stochastic in time
– set of passwords are linked to each username
• Username current value may be kept away
from the user knowledge
• one could identify the credentials set through
the identifier of the selected password’s thesis
along with the pre-computed list in the secure
media
– no one except the issuer-authentication service may
know the actual value of the identified password
14. 14
Proposition – Smart Card
• Secrets precomputed and stored in a
secure repository
• under the control of the user but not
under his authority
• valid password is identified through the
list number
• alteration of the valid password may take
effect without the exposure of its value
16. 16
Kerberos oriented implementation
1. Authority Service Request step needs to be changed
• smart card’s ID as well as the enlisted password ID
AS_REQ = (PrincipalClient, PrincipalService, IP_list, Lifetime,
SCidCode, Pid)
2. database scheme at the AS has to transform the password
record from a fixed size variable to a fixed size list
• objectClass: SCidCodeuserPassword1
• objectClass: SCidCodeuserPassword2
• …
3. turn-based identification mechanism could be utilized when a
password has to be changed
4. the passwords may now be selected by the system
• the scope of using string2key and namely PBKDF2 mechanisms is
raised
5. host machine does not contain a local repository
• Ticket Granting Server needs to redirect the ticket’s destination from
the machine to the card
17. 17
LDAP oriented implementation
1. smart card ID should be stored in AS
repository and linked to the user’s
principal name
2. password repository should be changed
from the terminal’s file system to the
smart card
18. 18
Eliminated Threats
• Man in the Middle attack
– even by hijacking the session will have no clue of
the secret
• Dictionary – Brute force attacks
– there is no fixed length or format of the password
• Clone attack
– replay legitimate messages to hijack a session is not
further handful because of the dynamic change of
passwords
• Social Engineering
– user will not be able to expose something that
he/she does not know
19. 19
Related work – Future wok
• the majority of current security proposals based
on Kerberos protocol are related to the
cryptographic aspect
• a smart card integration design was proposed
– swap the encryption-decryption mechanism from
terminal to smart card
• the above resolve the issues created by
dictionary attacks
– remains vulnerable against Brute Force and Man in
the Middle attacks
• If the smart card is breached, then the secrets
are exposed
– Future work could focus on securing the
authentication process end-to-end
20. 20
Conclusions
• proposed solution is implemented alike
LDAP and Kerberos.
• a leeway of enhancements is presented
• changes required in protocols are
minimal while the impact is great
• authentication procedure is further
hardened, freed from known
vulnerabilities