Chapter 14 Entity Authentication Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 14.1

Objectives
• To distinguish between message authentication and entity authentication
• To define witnesses used for identification
• To discuss some methods of entity authentication using a password
• To introduce some challenge-response protocols for entity authentication
• To introduce some zero-knowledge protocols for entity authentication
• To define biometrics and distinguish between physiological and behavioral techniques
14-1 INTRODUCTION
Entity authentication is a technique designed to let one
party prove the identity of another party. An entity can
be a person, a process, a client, or a server. The entity
whose identity needs to be proved is called the
claimant; the party that tries to prove the identity of
the claimant is called the verifier.
Topics discussed in this section:
14.1.1 Data-Origin Versus Entity Authentication
14.1.2 Verification Categories
14.1.3 Entity Authentication and Key Management
14.1.1 Data-Origin Versus Entity Authentication
There are two differences between message
authentication (data-origin authentication), discussed in
Chapter 13, and entity authentication, discussed in this
chapter.
1) Message authentication might not happen in real
time; entity authentication does.
2) Message authentication simply authenticates one
message; the process needs to be repeated for each
new message. Entity authentication authenticates the
claimant for the entire duration of a session.
14.1.2 Verification Categories
Something known
Something possessed
Something inherent
14-2 PASSWORDS
The simplest and oldest method of entity
authentication is password-based authentication,
where the password is something that the claimant
knows.
Topics discussed in this section:
14.2.1 Fixed Password
14.2.2 One-Time Password
14.2.1 Fixed Password
First Approach

Figure 14.1 User ID and password file
Attacks on the first approach
• Eavesdropping
• Stealing a password
• Accessing a password file
• Guessing
14.2.1 Continued
Second Approach
Figure 14.2 Hashing the password
• Dictionary attack: create a list of passwords, calculate the hash value of each, and search the second-column entries to find a match.
14.2.1 Continued
Third Approach
Figure 14.3 Salting the password
• When the password is created, a random string, called the salt, is concatenated to the password. The salted password is then hashed.
• The Unix OS uses a variation of this method.
• Dictionary attack becomes more difficult.
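Added example (not from the original slides): the second and third approaches side by side, written as a password-file audit, showing that one pass over a dictionary matches every unsalted row while a salted file forces the words to be re-hashed for each row. SHA-256, the user names, passwords and word list are constructed for illustration; production systems use a deliberately slow password-hashing function rather than a single hash.

```python
import hashlib
import hmac
import os

def unsalted_entry(password):
    """Second approach: the file stores h(password)."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_entry(password):
    """Third approach: the file stores (salt, h(salt || password))."""
    salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest

def verify_salted(password, salt_hex, stored_digest):
    """Login check: re-hash the candidate with the stored salt."""
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_digest)

# Constructed sample data (assumption, not from the slides).
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "x7#Lq!92pV"}
WORDS = ["password", "123456", "sunshine", "qwerty"]

def build_files():
    plain = {u: unsalted_entry(p) for u, p in USERS.items()}
    salted = {u: salted_entry(p) for u, p in USERS.items()}
    return plain, salted

def weak_rows_unsalted(plain):
    """Audit: hash each dictionary word once, then match every row."""
    table = {unsalted_entry(w) for w in WORDS}
    return sorted(u for u, digest in plain.items() if digest in table)

def weak_rows_salted(salted):
    """Audit: each row has its own salt, so words are re-hashed per row."""
    hashes, weak = 0, []
    for user, (salt_hex, digest) in salted.items():
        for word in WORDS:
            hashes += 1
            if verify_salted(word, salt_hex, digest):
                weak.append(user)
                break
    return sorted(weak), hashes
```

In the unsalted file the two users who share a password also share a stored hash; in the salted file their entries differ and the number of hash computations grows with the number of rows.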
14.2.1 Continued
Fourth Approach
• In the fourth approach, two identification techniques
are combined.
• A good example of this type of authentication is the use
of an ATM card (something possessed) with a PIN
(personal identification number) (something known).
14.2.2 One-Time Password
• A one-time password is a password that is used only once.
• In the first approach, the user and the system agree upon a list of passwords.
• In the second approach, the user and the system agree to sequentially update the password.
• The user and the system agree on an original password, P1, which is valid only for the first access.
• During the first access, the user generates a new password, P2, and encrypts it with P1 as the key. P2 is the password for the second access.
• If Eve can guess the first password, P1, she can find all of the subsequent ones.
• In the third approach, the user and the system create a sequentially updated password using a hash function.
14.2.2 Continued
Figure 14.4 The third approach -- Lamport one-time password
• Alice and Bob agree upon an original password P0 and a counter n.
• The system stores the identity of Alice, the value of n, and the hash.
• When the system receives the user's response in the third message, it applies the hash function to check it.
• The system then updates the counter and the hash value from n to n-1.
• When the value becomes 0, the user can no longer access the system. Everything must be set up again.
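Added example (not from the original slides): the Lamport one-time password exchange of Figure 14.4, including a replayed response and an exhausted chain. It assumes the standard Lamport construction, in which the system stores h^n(P0) and the user answers with h^(n-1)(P0); SHA-256, the class and function names and the password are constructed for illustration.

```python
import hashlib
import hmac

def h(data):
    return hashlib.sha256(data).digest()

def h_iter(p0, times):
    """h^times(P0): apply the hash function repeatedly."""
    value = p0
    for _ in range(times):
        value = h(value)
    return value

class LamportVerifier:
    """System side: keeps only the counter n and h^n(P0), never P0."""
    def __init__(self, p0, n):
        self.n = n
        self.stored = h_iter(p0, n)

    def challenge(self):
        return self.n                     # second message: current counter

    def verify(self, response):
        if self.n == 0:
            return False                  # chain used up: set up again
        if not hmac.compare_digest(h(response), self.stored):
            return False
        self.stored = response            # now holds h^(n-1)(P0)
        self.n -= 1
        return True

def claimant_response(p0, n):
    """User side: the third message is h^(n-1)(P0)."""
    return h_iter(p0, n - 1)

def run_demo():
    p0 = b"constructed-demo-password"     # constructed value
    system = LamportVerifier(p0, n=3)
    first = claimant_response(p0, system.challenge())
    log = [system.verify(first)]          # fresh response is accepted
    log.append(system.verify(first))      # replayed response is rejected
    while system.n > 0:
        log.append(system.verify(claimant_response(p0, system.challenge())))
    log.append(system.verify(p0))         # counter is 0: no more access
    return log
```

A captured response is useless afterwards because the system now expects a value one step earlier in the chain, which cannot be computed from the captured one without inverting the hash.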
14-3 CHALLENGE-RESPONSE
In password authentication, the claimant proves her
identity by demonstrating that she knows a secret, the
password. However, because the claimant reveals this
secret, it is susceptible to interception by the adversary.
In challenge-response authentication, the claimant
proves that she knows a secret without sending it.
Topics discussed in this section:
14.3.1 Using a Symmetric-Key Cipher
14.3.2 Using Keyed-Hash Functions
14.3.3 Using an Asymmetric-Key Cipher
14.3.4 Using Digital Signature
14-3 Continued
Note
In challenge-response authentication, the claimant
proves that she knows a secret without sending it to
the verifier.
Note
The challenge is a time-varying value sent by the
verifier; the response is the result
of a function applied on the challenge.
14.3.1 Using a Symmetric-Key Cipher
First Approach
Figure 14.5 Nonce challenge
1. ID of claimant.
2. The challenge: RB is the nonce randomly chosen by Bob to challenge Alice.
3. Alice encrypts the nonce using the shared secret key known only to Alice and Bob. Bob decrypts the message. If the nonce obtained from decryption is the same as the one sent by Bob.
The use of a nonce prevents a replay of the third message by Eve.
Eve cannot replay the third message and pretend that it is a new request for authentication by Alice, because once Bob has received the response the first time, the value of RB is no longer valid. There will be a new value next time.
14.3.1 Continued
Second Approach
Figure 14.6 Timestamp challenge
The challenge message is the current time sent from the verifier to the claimant.
The claimant encrypts Alice's ID and the time with the Alice-Bob secret key.
Assume the claimant and verifier clocks are synchronized.
14.3.1 Continued
Third Approach
Figure 14.7 Bidirectional authentication
1. Alice's ID.
2. The challenge from Bob to Alice, RB.
3. Alice responds and sends her own challenge, RA.
4. Bob's response. RA and RB are switched to prevent a replay attack of the 3rd message by an adversary.
14.3.2 Using Keyed-Hash Functions
Instead of using encryption/decryption for entity
authentication, we can also use a keyed-hash function
(MAC).
Figure 14.8 Keyed-hash function
1. The challenge message is the current time sent from the
verifier to the claimant.
2. The timestamp is sent both as plaintext and as text scrambled
by the keyed-hash function.
3. Bob compares his calculation with what he received.
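Added example (not from the original slides): the nonce challenge of Figure 14.5 carried out with the keyed-hash function of 14.3.2, so HMAC-SHA256 stands in for the symmetric cipher. The class and function names, the key and the message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class Verifier:
    """Bob: issues a fresh nonce R_B and accepts each one at most once."""
    def __init__(self, keys):
        self.keys = keys          # claimant ID -> shared secret key
        self.pending = {}         # claimant ID -> outstanding nonce

    def challenge(self, claimant_id):
        nonce = secrets.token_bytes(16)
        self.pending[claimant_id] = nonce
        return nonce

    def verify(self, claimant_id, response):
        nonce = self.pending.pop(claimant_id, None)   # single use
        key = self.keys.get(claimant_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, claimant_id.encode() + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(key, claimant_id, nonce):
    """Alice: prove knowledge of the key without sending it."""
    return hmac.new(key, claimant_id.encode() + nonce,
                    hashlib.sha256).digest()

def run_exchange():
    key = secrets.token_bytes(32)             # constructed shared secret
    bob = Verifier({"alice": key})
    rb = bob.challenge("alice")
    captured = respond(key, "alice", rb)      # what Eve could record
    accepted = bob.verify("alice", captured)
    replay_no_challenge = bob.verify("alice", captured)
    bob.challenge("alice")                    # new session, new R_B
    replay_new_session = bob.verify("alice", captured)
    rb3 = bob.challenge("alice")
    wrong_key = bob.verify("alice", respond(b"\x00" * 32, "alice", rb3))
    return accepted, replay_no_challenge, replay_new_session, wrong_key
```

The recorded response fails both times it is replayed: once because R_B was discarded after its first use, and once because the new session's nonce produces a different expected value.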
14.3.3 Using an Asymmetric-Key Cipher
First Approach
Figure 14.9 Unidirectional, asymmetric-key authentication

• Encrypt Bob's ID and a nonce with Alice's public key
• Ownership of claimant's private key
14.3.3 Continued
Second Approach
Figure 14.10 Bidirectional, asymmetric-key
14.3.4 Using Digital Signature
First Approach
Figure 14.11 Digital signature, unidirectional
• Ownership of claimant's private key
14.3.4 Continued
Second Approach
Figure 14.12 Digital signature, bidirectional authentication
14-4 ZERO-KNOWLEDGE
In zero-knowledge authentication, the claimant does
not reveal anything that might endanger the
confidentiality of the secret. The claimant proves to the
verifier that she knows a secret, without revealing it.
The interactions are so designed that they cannot lead
to revealing or guessing the secret.
Topics discussed in this section:
14.4.1 Fiat-Shamir Protocol
14.4.2 Feige-Fiat-Shamir Protocol
14.4.3 Guillou-Quisquater Protocol
14.4.1 Fiat-Shamir Protocol
• Choose two large prime numbers p and q to calculate the value of n = p × q. The value of n is public; p and q are kept secret.
• Choose a secret number s and calculate $v = s^2 \bmod n$.
• Keep s as the private key and register v as the public key.
Verification of Alice by Bob can be done in six steps:
1. Alice, the claimant, chooses a random number r (commitment) between 0 and n-1. She sends the witness $x = r^2 \bmod n$ to Bob.
2. Bob, the verifier, sends the challenge c to Alice. The value of c is either 0 or 1.
3. Alice sends the response $y = r s^c \bmod n$ to Bob to show that she knows the value of her private key s. She claims to be Alice.
4. Bob calculates $y^2$ and $x v^c$. If the two values are congruent, Alice knows the value of s.
Figure 14.13 Fiat-Shamir protocol
$y^2$ is from the private key and the challenge; $x v^c$ is from the public key of Alice.
$y^2 \bmod n = (r s^c)^2 \bmod n = r^2 s^{2c} \bmod n = r^2 (s^2)^c \bmod n = x v^c \bmod n$
14.4.1 Continued
Cave Example
Figure 14.14 Cave example
The door can only be opened with a magic word. Alice claims that she knows the word and that she can open the door. Bob and Alice are at point 1. Alice enters the cave and reaches point 2.
1. Alice chooses to go either right or left. After Alice disappears, Bob comes to point 2 and asks Alice to come up from either the right or the left.
2. If Alice knows the magic word, she will come up from the correct direction. If she does not know the word, she comes up from the correct direction with ½ probability.
3. The game will be repeated many times.
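Added example (not from the original slides): the Fiat-Shamir round of 14.4.1 in code, together with a claimant who does not know s and can only prepare for one guessed challenge, which is the ½ probability of the cave example and the reason the game is repeated. The primes, the secret and all function names are constructed toy values and assumptions.

```python
import secrets

# Constructed toy parameters (assumption); real moduli are thousands of bits.
P, Q = 1009, 1013
N = P * Q                 # public modulus n = p * q
S = 123456                # Alice's private key s, coprime to n
V = pow(S, 2, N)          # public key v = s^2 mod n

def commit():
    """Step 1: random commitment r and witness x = r^2 mod n."""
    r = secrets.randbelow(N - 1) + 1      # 1 .. n-1
    return r, pow(r, 2, N)

def respond(r, c):
    """Step 3: y = r * s^c mod n."""
    return (r * pow(S, c, N)) % N

def check(x, c, y):
    """Step 4: accept when y^2 and x * v^c are congruent mod n."""
    return pow(y, 2, N) == (x * pow(V, c, N)) % N

def honest_round(c):
    r, x = commit()
    return check(x, c, respond(r, c))

def guessing_round(guess, c):
    """Claimant without s: fixes the witness for a guessed challenge,
    x = r^2 * v^(-guess) mod n, then answers y = r."""
    r = secrets.randbelow(N - 1) + 1
    x = (pow(r, 2, N) * pow(V, -guess, N)) % N
    return check(x, c, r)

def session(rounds, knows_secret):
    """Bob accepts only if every round passes; c is fresh each round."""
    for _ in range(rounds):
        c = secrets.randbelow(2)
        if knows_secret:
            ok = honest_round(c)
        else:
            ok = guessing_round(secrets.randbelow(2), c)
        if not ok:
            return False
    return True
```

A guessing claimant passes a single round only when the guess equals c, so the chance of surviving k independent rounds is (½)^k, while the holder of s passes every round.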
14.4.2 Feige-Fiat-Shamir Protocol
Figure 14.15 Feige-Fiat-Shamir protocol
$(v_i \times s_i^2) \equiv 1 \pmod{n}$
$y^2 v_1^{c_1} v_2^{c_2} \cdots v_k^{c_k} \equiv r^2 (s_1^{c_1})^2 (s_2^{c_2})^2 \cdots (s_k^{c_k})^2 \, v_1^{c_1} v_2^{c_2} \cdots v_k^{c_k}$
$\equiv x (s_1^2)^{c_1} (v_1^{c_1}) (s_2^2)^{c_2} (v_2^{c_2}) \cdots (s_k^2)^{c_k} (v_k^{c_k})$
$\equiv x (s_1^2 v_1)^{c_1} (s_2^2 v_2)^{c_2} \cdots (s_k^2 v_k)^{c_k}$
$\equiv x (1)^{c_1} (1)^{c_2} \cdots (1)^{c_k} \equiv x$
14.4.3 Guillou-Quisquater Protocol
Figure 14.16 Guillou-Quisquater protocol
$s^e \times v \equiv 1 \pmod{n}$
$y^e \times v^c \equiv (r \times s^c)^e \times v^c \equiv r^e \times s^{ce} \times v^c$
$\equiv r^e \times (s^e \times v)^c \equiv x \times 1^c \equiv x$
14-5 BIOMETRICS
Biometrics is the measurement of physiological or
behavioral features that identify a person
(authentication by something inherent). Biometrics
measures features that cannot be guessed, stolen, or
shared.
Several components are needed for biometrics, including
capturing devices, processors, and storage devices.
14.5.2 Enrollment
Before using any biometric techniques for authentication,
the corresponding feature of each person in the
community should be available in the database. This is
referred to as enrollment.
14.5.3 Authentication
Verification
Identification
Figure 14.17 Techniques