My Cryptographic Authentication Final


CRYPTOGRAPHIC AUTHENTICATION

SUBMITTED BY
NIRMAL PODDAR
REG NO – 95580028
What is Cryptographic Authentication ?

 Authentication establishes and verifies an identity.
 It is the process of proving a claimed identity (of a
user, host or service), typically in order to gain access
to a system or network, or to establish a trusted
communication channel.
 The most basic form of authentication is a login name
and a password. Another form uses digital certificates
(for example when accessing secure web sites over
HTTPS).
There are three basic factors by which an individual
may authenticate his or her identity.

 Something you have
 Such as a key or a card
 Can be stolen
 Something you know
 Such as a password
 Can be guessed , shared , stolen
 Something you are
 Such as biometrics
 Can be costly , copied
Something you have
 OTP tokens (e.g. SecurID): generate a new one-time
password each time the user logs in
 Smart Card: tamper-resistant, stores secret
information, inserted into a card reader
 Token / Key (e.g., iButton)
 ATM Card
 Strength of authentication depends on the
difficulty of forging or stealing the object
Something You Know
 Example: Passwords
 Pros:
 Simple to implement
 Simple for users to understand
 Cons:
 Easy to crack (unless users choose strong ones)
 Passwords are reused many times, across logins and
across systems
 One-time Passwords (OTP): a different password is
used each time, but users cannot remember them all,
so they need a printed list or a token
Something You are
 Biometrics (rankings, 1 = highest):

Technique             Effectiveness   Acceptance
Palm Scan                   1              6
Iris Scan                   2              1
Retinal Scan                3              7
Finger Print                4              5
Voice ID                    5              3
Facial Recognition          6              4
Signature Dynamics          7              2

 Pros: “raises the bar”
 Cons: false accepts / false rejects, social acceptance,
template (key) management
 false reject (false negative): authentic user rejected
 false accept (false positive): impostor accepted
Two factor authentication :
 For strong authentication any two of the
basic factors can be combined
Such as : ATM card + PIN
Finger Print + OTP etc
Who is Authenticating Whom?
 Person – to – Person ?
 Computer – to – Computer ?

 Three Types
 Client Authentication : server verifies the client’s identity
 Server Authentication : client verifies the server’s identity
 Mutual Authentication : client and server each verify the other
Authentication Methods :
 Authentication can be accomplished in many ways.
Selecting an authentication method appropriate to the
environment is perhaps the most crucial decision in
designing secure systems.
 An authentication protocol may authenticate only the
connecting party (one-way), or authenticate the
connecting party and also authenticate the system
itself to the connecting party (mutual).
Various types of methods :
 Passwords
 One Time Passwords
 Public Key Cryptography
 Zero Knowledge Proofs
 Digital Signatures
Passwords :
 Passwords are the most widely used form of
authentication. Users provide an identifier (a typed-in
user name, or perhaps a token card) along with a
password. In well-designed systems the passwords on
the host are not stored as plain text but as salted,
one-way hashes, so the host can verify a password
without being able to recover it. Password
authentication does not normally require complicated
or robust hardware, since it is in general simple and
does not require much processing power.
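As an added example (not part of the slides), this is how a host stores and checks passwords without keeping them in recoverable form: a random per-user salt and a slow one-way hash (PBKDF2-HMAC-SHA256 from the Python standard library), compared in constant time. The iteration count is an assumption chosen for this example; the two sample users and their password are constructed.

```python
import hashlib
import hmac
import os

# Added example (not from the slides): storing passwords as salted, slow
# one-way hashes rather than plaintext or reversible "encryption". The host can
# verify a password but cannot recover it from the stored record.

PBKDF2_ITERATIONS = 600_000   # assumption: cost parameter; tune to ~100 ms on the host


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt$hash' (salt and hash in hex)."""
    salt = os.urandom(16)                          # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    # Constructed sample: two users who happen to choose the same password.
    password = "correct horse battery staple"
    record_alice = make_record(password)
    record_bob = make_record(password)
    return {
        # The salt makes identical passwords produce different records, so a
        # precomputed table of hashes cannot be used against the whole password file.
        "same_password_different_records": record_alice != record_bob,
        "right_password_accepted": verify_password(password, record_alice),
        # Case differs in one letter: rejected.
        "wrong_password_rejected": not verify_password("Correct horse battery staple", record_alice),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The record carries its own algorithm name, iteration count and salt, so the cost can be raised later and old records upgraded at the user's next successful login.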
Passwords :
 Password authentication has several
vulnerabilities, some of the more obvious
are:
 The password may be easy to guess.
 The user writes the password down and leaves it in a
highly visible place.
 The password is discovered by eavesdropping on the
connection or by social engineering.
Passwords :
 The risk of eavesdropping can be managed
by using digests for authentication.
 Instead of the password itself, the connecting party
sends a hash (digest) computed over the client IP
address, a time stamp and the shared secret, so the
secret never crosses the wire.
 The scheme is, however, still vulnerable to active
attacks such as the man-in-the-middle attack, in
which the attacker relays the challenge and the
digest between the genuine client and the server.
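The digest scheme just described, as an added example that is not part of the slides: the client proves knowledge of the shared secret by returning HMAC(secret, client IP | timestamp | server nonce). The exchange shows a genuine login, a replay of a captured digest (rejected because the nonce is spent), a wrong secret (rejected), and an active man-in-the-middle who relays a live challenge and answer (accepted, which is the slide's point). The user, secret, IP address and nonce lifetime are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Added example (not from the slides): a digest-style login of the kind the
# slide describes. Client and server share a secret; instead of sending it,
# the client sends HMAC(secret, client_ip | timestamp | server_nonce). The
# server accepts a fresh digest once and rejects a replay, but it cannot tell
# a digest relayed by an active man-in-the-middle from a genuine one.

NONCE_TTL_SECONDS = 60   # assumption: how long an issued challenge stays valid


def compute_digest(secret: str, client_ip: str, timestamp: int, nonce: str) -> str:
    msg = f"{client_ip}|{timestamp}|{nonce}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


class Server:
    def __init__(self, users: dict):
        self.users = users     # username -> shared secret (constructed sample data)
        self.issued = {}       # outstanding nonce -> time it was issued

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.issued[nonce] = time.time()
        return nonce

    def verify(self, user: str, client_ip: str, timestamp: int, nonce: str, digest: str) -> bool:
        secret = self.users.get(user)
        issued_at = self.issued.get(nonce)
        if secret is None or issued_at is None:        # unknown user, or nonce never issued / already spent
            return False
        if time.time() - issued_at > NONCE_TTL_SECONDS:
            return False
        expected = compute_digest(secret, client_ip, timestamp, nonce)
        if not hmac.compare_digest(expected, digest):   # constant-time comparison
            return False
        del self.issued[nonce]                           # one challenge, one login: a replay fails above
        return True


def honest_login(server: Server, user: str, secret: str, client_ip: str) -> tuple:
    """Client side: obtain a challenge and answer it. Returns what crossed the wire plus the verdict."""
    nonce = server.challenge()
    ts = int(time.time())
    digest = compute_digest(secret, client_ip, ts, nonce)
    return nonce, ts, digest, server.verify(user, client_ip, ts, nonce, digest)


def scenario() -> dict:
    secret = "s3cret-shared-with-server"
    server = Server({"alice": secret})

    # 1. Genuine login.
    nonce, ts, digest, genuine = honest_login(server, "alice", secret, "10.0.0.7")

    # 2. Passive eavesdropper replays the captured (nonce, ts, digest): the nonce is spent.
    replay = server.verify("alice", "10.0.0.7", ts, nonce, digest)

    # 3. Attacker who guesses the secret: digest mismatch.
    nonce2 = server.challenge()
    guess = server.verify("alice", "10.0.0.7", ts, nonce2,
                          compute_digest("guess", "10.0.0.7", ts, nonce2))

    # 4. Active man-in-the-middle: fetches a challenge, shows it to Alice as if it were
    #    the server, and forwards Alice's answer. The server trusts the IP the client
    #    reports, so the relayed digest verifies.
    nonce3 = server.challenge()
    ts3 = int(time.time())
    alices_answer = compute_digest(secret, "10.0.0.7", ts3, nonce3)
    mitm = server.verify("alice", "10.0.0.7", ts3, nonce3, alices_answer)

    return {"genuine": genuine, "replay": replay, "wrong_secret": guess, "mitm_relay": mitm}


if __name__ == "__main__":
    print(scenario())   # {'genuine': True, 'replay': False, 'wrong_secret': False, 'mitm_relay': True}
```

The digest only proves that someone who knows the secret answered this challenge; nothing binds that answer to the connection it arrives on. Running the exchange inside a server-authenticated channel (TLS) or mixing a channel binding into the digest is what closes the relay hole.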
One Time Password :
 To avoid the problems associated with
password reuse, one-time passwords were
developed.
 There are two types of one-time passwords :
 a challenge-response password
 a password list.

 With a challenge-response password the system responds
with a challenge value after receiving the user identifier.
The user computes the response from the challenge, either
with a small electronic device (token) or by looking it up in
a table.
 A one-time password list makes use of a list of
passwords which are used sequentially by the
person wanting to access a system.
 The values are generated so that it is very hard to
calculate the next value from the previously
presented values.
 One-time-password lists are an alternative to
deploying a security grid card for user
authentication. With this approach, end-users
are provisioned with a list of randomly generated
passwords that are typically printed on a sheet
of paper, or hidden under "scratch cards" that
are distributed to and carried by end-users.
One Time Password List :
 For example, starting from a random seed R:
x1 = f(R), x2 = f(x1) = f(f(R)), ..., xn = f(xn-1).
 f( ) is a one-way function, chosen so that f^-1 is very
difficult to compute. The server is initialised with f(xn);
the user presents xn first, then xn-1, and so on, and the
server checks that f of the presented value equals the
value it last accepted.
 It is important to keep in mind that password
systems only authenticate the connecting party.
They do not provide the connecting party with any
method of authenticating the system it is
accessing, so they are vulnerable to spoofing or a
man-in-the-middle attack.
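The hash-chain password list above, worked through as an added example (not the slides' own code) in the slides' notation, with SHA-256 as f. The server is enrolled with f(xn) and walks backwards one link per login; the exchange shows the first login, a replayed xn, the next password, a forgery built from observed values, and the list running out. The chain length and seed are constructed for the example.

```python
import hashlib
import os

# Added example (not from the slides): the one-time-password list as a hash
# chain. From a random seed R, x1 = f(R), x2 = f(x1), ..., xn = f(xn-1). The
# server is enrolled with f(xn); the user presents xn first, then xn-1, ...,
# and the server checks that f(presented) equals the value it last accepted.
# Only the holder of the list (or the seed) can walk the chain backwards,
# because f (SHA-256 here) cannot be inverted.


def f(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [x1, x2, ..., xn] computed from the seed R."""
    chain, x = [], seed
    for _ in range(n):
        x = f(x)
        chain.append(x)
    return chain


class OtpServer:
    """Stores a single hash value; never sees the seed or the unused passwords."""

    def __init__(self, enrolment_value: bytes):
        self.stored = enrolment_value     # f(xn) at enrolment, then the last accepted value

    def login(self, presented: bytes) -> bool:
        if f(presented) != self.stored:
            return False
        self.stored = presented           # step one link back along the chain
        return True


class OtpUser:
    """Holds the printed list (or the seed, from which it can be recomputed)."""

    def __init__(self, chain: list):
        self.remaining = list(chain)

    def next_password(self) -> bytes:
        return self.remaining.pop()       # xn first, then xn-1, ...


def scenario(n: int = 5) -> dict:
    seed = os.urandom(32)                 # R, random, kept by the user (constructed here)
    chain = make_chain(seed, n)
    server = OtpServer(f(chain[-1]))      # enrolment: the server learns only f(xn)
    user = OtpUser(chain)

    xn = user.next_password()
    first = server.login(xn)                      # f(xn) == stored -> accepted
    replay = server.login(xn)                     # eavesdropper resends xn: f(xn) != xn -> rejected
    second = server.login(user.next_password())   # xn-1: f(xn-1) == xn -> accepted
    forged = server.login(f(xn))                  # anything computed forwards from observed values
                                                  # fails; the needed xn-2 = f^-1(xn-1) is infeasible
    rest = [server.login(user.next_password()) for _ in range(n - 2)]
    return {
        "first": first,
        "replay": replay,
        "second": second,
        "forged": forged,
        "rest_all_accepted": all(rest),
        "list_exhausted": len(user.remaining) == 0,   # time to enrol a new list
    }


if __name__ == "__main__":
    print(scenario())
```

Because the server stores only a hash, a stolen server database yields nothing usable; the weakness the slide notes remains, since the server never proves itself to the user and a phishing page can collect the next unused password.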
Public Key Cryptography
 Public key cryptography is based on hard
mathematical problems (such as integer factoring or
the discrete logarithm) whose analysis requires very
specialized knowledge.
 Public key cryptography makes use of two
keys, one private and the other public.
 The two keys are linked together by a
mathematical relation; deriving the private key
from the public key is computationally infeasible.
 The private key is used to decrypt and to sign
messages; the public key is used to encrypt and to
verify signatures. The private key never leaves
its owner.
 The integrity of the public key is of the utmost
importance. The integrity of a public key is
usually assured by completion of a certification
process carried out by a certification authority
(CA). Once the CA has verified the credentials of
the entity that holds the key, the CA digitally signs
a certificate binding the entity's name to its public
key, so that parties relying on the key can check
that the entity has been certified.
 Basically, the public-key authentication
process includes the following:
 The client selects some random numbers and sends the
result to the server as Message 1.
 The server then sends different random numbers (a
challenge) back to the client, based on Message 1.
 The client then computes the new value (signs the
challenge with its private key) and sends it to the
server as Message 2.
 The server then uses the client's public key to verify
that the value returned could only have been
computed using the client's private key.
One important method :
 Elliptic Curve Cryptography (ECC)
Zero Knowledge Proofs :
 Zero-knowledge proofs make it possible for
a Host to convince another Host to allow
access without revealing any "secret
information". The hosts involved in this form
of authentication usually communicate
several times to finalize authentication.
 The client first creates a random instance of a
hard problem and solves it using the secret
information it holds.
 The client then commits to the solution using a
bit-commitment scheme and sends the
problem and the commitment to the server.
 The server then asks the client either to
prove that the problems are related or to
open the committed solution and prove
that it is the solution. The client complies
with the request.
 Typically, about ten successful exchanges
will be required to take place before the
authentication process is complete and
access is granted.
 The zero-knowledge proof can also be made
non-interactive. In this instance only one
message from client to server is needed.
This method uses a one-way hash function: the
challenges are derived from the hash of the
commitments, so the client cannot choose them.
The number of proofs needed is generally larger
(64 or more), to avoid brute-force attacks.
 The zero-knowledge proof of identity has its
share of problems. Perhaps the most serious
is that while Host A thinks it is proving its
identity to Host B, Host B can simultaneously
authenticate to a third party, Host C, by
relaying Host A's proof (a man-in-the-middle
or relay attack).
Example :
 Let us consider an intuitive example called Ali Baba's Cave. Alice
wants to prove to Bob that she knows the secret words that will
open the portal at R-S in the cave, but she does not wish to reveal
the secret to Bob. In this scenario, Alice's commitment is to go
to R or S. A typical round in the proof proceeds as follows: Bob goes
to P and waits there while Alice goes to R or S. Bob then goes
to Q and shouts to ask Alice to appear from either the right side or
the left side of the tunnel. If Alice does not know the secret words
(for example, "Open Sesame"), there is only a 50 percent chance
she will come out from the requested side. Bob repeats this round as
many times as he desires until he is certain Alice knows the secret
words. No matter how many times the proof repeats, Bob does not
learn the secret words.
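As an added example (not part of the slides), the commit / challenge / response rounds of the cave story in real arithmetic: the Schnorr identification protocol, a zero-knowledge proof of knowledge of a discrete logarithm. Alice commits to t = g^r (walks to R or S), Bob picks a challenge c (calls a side), Alice answers s = r + c·x, and Bob checks g^s = t·y^c. A cheater who does not know x can pass a round only by guessing c in advance, so repeated rounds drive her chance to nothing; a relay that forwards Alice's live messages to a third party passes every round, which is the problem noted above. The group parameters are toy values chosen for this example (p = 1019, q = 509, g = 4), not anything a real system would use.

```python
import secrets

# Added example (not from the slides): the Schnorr identification protocol, an
# interactive zero-knowledge proof of identity with the same commit / challenge /
# response shape as the cave story. Toy parameters, for illustration only:
# p = 1019 = 2*509 + 1, q = 509, and g = 4 generates the subgroup of order q.
# Real deployments use 256-bit groups and one round with a full-size challenge.

P, Q, G = 1019, 509, 4


def keygen():
    x = secrets.randbelow(Q - 1) + 1      # secret: what only Alice knows
    y = pow(G, x, P)                      # public: what Bob is given
    return x, y


class Prover:
    """Honest Alice: knows x."""
    def __init__(self, x):
        self.x = x
    def commit(self):
        self.r = secrets.randbelow(Q - 1) + 1
        return pow(G, self.r, P)          # t = g^r  (Alice walks to R or S)
    def respond(self, c):
        return (self.r + c * self.x) % Q  # s = r + c*x  (come out the requested side)


class Cheater:
    """Eve: no x. Guesses the challenge in advance and fakes a commitment that fits it."""
    def __init__(self, y):
        self.y = y
    def commit(self):
        self.guess = secrets.randbelow(Q)
        self.s = secrets.randbelow(Q)
        # t chosen so that g^s == t * y^guess, i.e. t = g^s * y^(-guess)
        return pow(G, self.s, P) * pow(pow(self.y, self.guess, P), -1, P) % P
    def respond(self, c):
        return self.s                     # verifies only if Bob's c equals the guess


def verify_round(y, t, c, s) -> bool:
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(prover, y, rounds: int = 20) -> bool:
    """Bob's side: repeat the round; any failure rejects the prover."""
    for _ in range(rounds):
        t = prover.commit()
        c = secrets.randbelow(Q)          # Bob's challenge (which side to appear from)
        if not verify_round(y, t, c, prover.respond(c)):
            return False
    return True


class Relay:
    """Mallory: authenticates to Carol as Alice by forwarding Alice's live proof."""
    def __init__(self, alice):
        self.alice = alice
    def commit(self):
        return self.alice.commit()        # pass Alice's t on to Carol
    def respond(self, c):
        return self.alice.respond(c)      # pass Carol's c to Alice and Alice's s back to Carol


def scenario() -> dict:
    x, y = keygen()
    return {
        "honest_accepted": run_protocol(Prover(x), y),
        "cheater_accepted": run_protocol(Cheater(y), y),   # each round passes with probability 1/q
        "relay_accepted": run_protocol(Relay(Prover(x)), y),
    }


if __name__ == "__main__":
    print(scenario())   # {'honest_accepted': True, 'cheater_accepted': False, 'relay_accepted': True}
```

Bob learns nothing about x because the transcript (t, c, s) could have been produced without x by choosing c and s first, exactly as the cheater does. The non-interactive variant the slides mention replaces Bob's random c by a hash of t (and the context), so the prover cannot pick c before committing.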
Digital Signature :
 To create a digital signature from a
message, create a hash value, also known
as a message digest, from the message.
 Then, use the signer's private key to sign
the hash value. The following illustration
shows the process for creating a digital
signature.
 To verify a digital signature, both the message and
the signature are required. First, a hash value must
be computed from the message in the same way as it
was done when the signature was created. The
signature is then verified against this hash value
using the public key of the signer. If the verification
succeeds, you can be confident that the message is
the one originally signed and that it has not been
tampered with. The following illustration shows the
process of verifying a digital signature.
 A hash value consists of a small amount of
binary data, typically 160 to 512 bits (256 bits for
SHA-256). It is produced using a hashing algorithm.
 All cryptographic hash values share the following
properties, regardless of the algorithm used:
 A hash value is of a fixed length, regardless of the size of the
message.
 Two nonidentical messages are expected to hash to
different values, even if they differ only by a single bit.
Since there are more messages than hash values, collisions
must exist, but with a sound algorithm it is not feasible to
find a pair of messages that hash to the same value.
 All hashing algorithms are fully deterministic. That
is, each time a particular message is hashed using
the same algorithm, the same hash value is
produced.
 All hashing algorithms are one-way. Given a hash
value, it is not feasible to recover the original
message, or any property of it, from the hash
value alone.
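The hash-then-sign and verify flow described above, and the public-key challenge-response login from the earlier slides built on the same sign/verify pair, as an added example that is not the slides' own code. It uses textbook RSA with two small Mersenne primes and SHA-256 reduced modulo n, toy choices made here so the arithmetic is visible: no padding, a 92-bit modulus. The sample message, nonces and transcript format are constructed for the example; a real system uses a vetted library (RSA-PSS or Ed25519) and 2048-bit or larger keys.

```python
import hashlib
import secrets

# Added example (not from the slides): hash the message, sign the hash with the
# private key, verify with the public key; then the public-key login
# (Message 1 = client nonce, server nonce, Message 2 = client's signature over
# both). Textbook RSA with toy parameters, for illustration only.

P = 2147483647                    # 2^31 - 1, prime (toy parameter)
Q = 2305843009213693951           # 2^61 - 1, prime (toy parameter)
E = 65537


def keygen():
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)           # E is coprime to phi, so the inverse exists
    return (n, E), (n, d)


def message_digest(message: bytes, n: int) -> int:
    """Fixed-length, deterministic, one-way digest (SHA-256), reduced to fit below the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(message_digest(message, n), d, n)       # the hash is signed, not the message


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


# Challenge-response login. Fresh nonces on both sides stop a captured
# Message 2 from being replayed against a later challenge.
def transcript(m1: bytes, server_nonce: bytes) -> bytes:
    return b"client-auth|" + m1 + b"|" + server_nonce     # assumed format for this example


def client_message2(private_key, m1: bytes, server_nonce: bytes) -> int:
    return sign(private_key, transcript(m1, server_nonce))


def server_check(public_key, m1: bytes, server_nonce: bytes, m2: int) -> bool:
    return verify(public_key, transcript(m1, server_nonce), m2)


def scenario() -> dict:
    pub, priv = keygen()

    # Digital signature on a document (constructed sample message).
    msg = b"pay 100 to account 42"
    sig = sign(priv, msg)
    tampered = b"pay 900 to account 42"             # one character changed

    # Public-key login.
    m1 = secrets.token_bytes(16)                     # Message 1: client's random numbers
    server_nonce = secrets.token_bytes(16)           # server's random numbers
    m2 = client_message2(priv, m1, server_nonce)     # Message 2
    return {
        "signature_valid": verify(pub, msg, sig),
        "tampered_message_rejected": not verify(pub, tampered, sig),
        "login_accepted": server_check(pub, m1, server_nonce, m2),
        "replayed_message2_rejected": not server_check(pub, m1, secrets.token_bytes(16), m2),
    }


if __name__ == "__main__":
    print(scenario())   # all four entries True
```

The server holds only the client's public key, so a compromised server database gives an attacker nothing to impersonate the client with; the trust question moves to how the server obtained that public key, which is what the CA certificate described above answers.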
Conclusion :
 User authentication can be handled using one or
more different authentication methods. Some
authentication methods such as plain password
authentication are easily implemented but are in
general weak and primitive.
 The fact that plain password authentication is
still by far the most widely used form of
authentication speaks to the seriousness
of the lack of security on both the Internet and
within private networks.
 Other methods of authentication, that may be
more complex and require more time to
implement and maintain, provide strong and
reliable authentication (provided one keeps its
secrets secret, i.e. private keys and phrases).
 That being said, one of the key factors to be
considered in determining which method of
authentication to implement is usability. The
usability factor cannot be ignored when designing
authentication systems.
 If the authentication methods are not deemed
usable by those forced to utilize them, then they
will avoid using the system or persistently try to
bypass them. Usability is a key issue to the
adoption and maintenance of a security system.
