Authentication
- Strong passwords
- Kerberos
- CHAP
- Digital Certificates
- Biometrics
Kerberos
- Developed at MIT in 1983 (Project Athena)
- Meant for internal networks, i.e. a single administrative realm
- Passwords are never sent over the network: the client proves knowledge of the password with a key derived from it
- Developed for authenticating users in a single-server or multi-server environment
- Current version is 5 (RFC 4120)
- Freeware (http://web.mit.edu/is/help/kerberos)
- Sets up a separate session key for every specified service for the authenticated user
Kerberos
- How does authentication work?
- User logs in with userid and password
- User wants to use a service (e.g. FTP)
- The request goes to an Authentication Server (AS). The client proves it knows the password by encrypting a timestamp with a key derived from that password (pre-authentication); the password itself is not transmitted.
- AS verifies the request with the key it stores for that userid
- AS sends two data items back to the user. One is encrypted with the user's key: it carries the Session key for the requested service. The other is encrypted with the requested service's master key: this is the Ticket, which the user cannot read but forwards to the service together with an authenticator encrypted under the Session key.
Kerberos – Single service diagram
[Diagram: Key Distribution Center containing the Authentication Server (AS); User; Service; message steps 1 to 4]
Kerberos
- The previous description is suited for a single-server, single-service environment. For a multi-server, multi-service environment a two-stage process is used so that the user's long-term key is needed only once per login.
- Upon initial login the user authenticates to the AS once and receives a Ticket-Granting Ticket (TGT), which is encrypted under the Ticket Granting Server's (TGS) own key. For any service needed, the user sends the TGT (plus an authenticator under the TGT session key) to the TGS and obtains a service ticket and the session key needed to access that service. The TGT is cached and reused until it expires.
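The two-stage exchange described above (AS login issuing a TGT, TGS issuing a service ticket, the service opening that ticket with its own key), as an added Python example that is not part of the original slides. The cipher is a constructed toy (SHA-256 keystream plus an HMAC tag) standing in for a real Kerberos enctype, and the realm, principal names and password are hypothetical.

```python
"""Toy Kerberos 5 flow: AS exchange (login, TGT), TGS exchange (service ticket),
AP exchange (service access). Added example, not from the slides. The cipher is a
constructed toy (SHA-256 keystream plus an HMAC tag) standing in for a real enctype."""
import hashlib
import hmac
import json
import os
import time

def string_to_key(password: str, salt: str) -> bytes:
    # The long-term key is derived from the password on the client; the password never leaves the host.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))

def encrypt(key: bytes, obj: dict) -> bytes:
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()   # encrypt-then-MAC

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Key Distribution Center: the AS and the TGS share one database of long-term keys."""
    def __init__(self, realm: str, users: dict, services: dict):
        self.keys = {u: string_to_key(pw, realm + u) for u, pw in users.items()}
        self.keys.update(services)            # service keys are random, not password-derived
        self.keys["krbtgt"] = os.urandom(32)  # the TGS's own key, used to seal TGTs

    def as_exchange(self, cname: str, preauth: bytes, nonce: int):
        ukey = self.keys[cname]
        ts = decrypt(ukey, preauth)["ts"]     # PA-ENC-TIMESTAMP: a wrong password fails right here
        if abs(time.time() - ts) > 300:
            raise ValueError("clock skew too large")
        skey = os.urandom(32)                 # session key between client and TGS
        tgt = encrypt(self.keys["krbtgt"], {"cname": cname, "key": skey.hex(), "exp": time.time() + 36000})
        enc_part = encrypt(ukey, {"key": skey.hex(), "nonce": nonce, "sname": "krbtgt"})
        return tgt, enc_part                  # the client can open enc_part but not the TGT

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str):
        t = decrypt(self.keys["krbtgt"], tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        skey = bytes.fromhex(t["key"])
        if decrypt(skey, authenticator)["cname"] != t["cname"]:
            raise ValueError("authenticator does not match TGT")
        svc_key = os.urandom(32)              # session key between client and service
        ticket = encrypt(self.keys[sname], {"cname": t["cname"], "key": svc_key.hex()})
        return ticket, encrypt(skey, {"key": svc_key.hex(), "sname": sname})

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """AP exchange: only the service's own long-term key opens its ticket."""
    t = decrypt(service_key, ticket)
    if decrypt(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    return t["cname"]

# Constructed principals for the demo (realm, names and password are hypothetical).
REALM = "EXAMPLE.TEST"
USERS = {"alice": "correct horse battery staple"}
FTP_KEY = os.urandom(32)
kdc = KDC(REALM, USERS, {"ftp": FTP_KEY})

def login_and_use_ftp(password: str) -> str:
    """Client side: returns the principal name the FTP service authenticated, or raises ValueError."""
    ukey = string_to_key(password, REALM + "alice")
    nonce = int.from_bytes(os.urandom(4), "big")
    tgt, enc = kdc.as_exchange("alice", encrypt(ukey, {"ts": time.time()}), nonce)
    rep = decrypt(ukey, enc)                  # only the real password-derived key opens the AS reply
    if rep["nonce"] != nonce:
        raise ValueError("AS reply replayed")
    skey = bytes.fromhex(rep["key"])
    ticket, enc2 = kdc.tgs_exchange(tgt, encrypt(skey, {"cname": "alice", "ts": time.time()}), "ftp")
    svc_key = bytes.fromhex(decrypt(skey, enc2)["key"])
    return service_accepts(FTP_KEY, ticket, encrypt(svc_key, {"cname": "alice", "ts": time.time()}))

if __name__ == "__main__":
    print(login_and_use_ftp("correct horse battery staple"))   # alice
```

Run as a script it prints `alice`. With a wrong password the failure happens inside the KDC at the pre-authentication step: nothing password-shaped is ever compared across the wire, only the ability to decrypt. Note how the client never sees inside the TGT or the service ticket, which is what lets the KDC hand them out to a party it does not otherwise trust.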
Challenge Handshake
Authentication Protocol
- CHAP (RFC 1994) is the challenge-response authentication method of the Point-to-Point Protocol (PPP)
- Used where hosts are connected to routers using switched circuits or dial-up lines
- During PPP link setup the host and the access server (AS, the authenticator) negotiate CHAP as the authentication protocol
- Once the link is up, the AS sends a challenge message (an identifier plus a random value) to the host
Challenge Handshake
Authentication Protocol
- The host hashes the identifier, its shared secret and the challenge value with the one-way hash function named in the challenge (MD5 in RFC 1994) and sends the hashed value to the AS. The AS computes the same hash from its own copy of the secret. If the values match the connection is maintained, otherwise the connection is terminated. The secret itself never crosses the link.
- Under CHAP, the AS periodically sends new challenges to re-verify the authenticity of the host; because every challenge carries a fresh random value, a captured response cannot be replayed
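The three-way handshake and the periodic re-challenge described above, as an added Python example that is not part of the original slides. The peer name and shared secret are constructed for the demo; the response computation follows RFC 1994 (MD5 over identifier, secret and challenge).

```python
"""CHAP three-way handshake (RFC 1994) with MD5 responses and periodic re-challenge.
Added example, not from the slides. The peer name and the shared secret are constructed."""
import hashlib
import hmac
import os

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || Secret || Challenge). The secret never crosses the link.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class Authenticator:
    """The access server side: issues challenges and checks responses against its copy of the secret."""
    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> shared secret (stored in clear on both ends)
        self.ident = 0
        self.pending = {}           # identifier -> challenge value still awaiting a response

    def challenge(self) -> tuple:
        self.ident = (self.ident + 1) & 0xFF     # identifier changes with every challenge
        value = os.urandom(16)                   # fresh random value: a captured response is useless later
        self.pending[self.ident] = value
        return self.ident, value

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        value = self.pending.pop(ident, None)    # each challenge can be answered once
        if value is None or name not in self.secrets:
            return False
        return hmac.compare_digest(chap_response(ident, self.secrets[name], value), response)

SECRETS = {"host1": b"shared-secret-for-host1"}  # constructed

def handshake(peer_name: str, peer_secret: bytes, auth: Authenticator) -> bool:
    ident, value = auth.challenge()                   # 1. Challenge (authenticator -> peer)
    resp = chap_response(ident, peer_secret, value)   # 2. Response (peer -> authenticator)
    return auth.verify(ident, peer_name, resp)        # 3. Success or Failure

def replay_is_rejected(auth: Authenticator) -> bool:
    """A response captured on the line does not satisfy the next periodic re-challenge."""
    ident, value = auth.challenge()
    captured = chap_response(ident, SECRETS["host1"], value)
    if not auth.verify(ident, "host1", captured):
        return False
    ident2, _ = auth.challenge()                      # re-challenge with a new identifier and value
    return not auth.verify(ident2, "host1", captured)

if __name__ == "__main__":
    auth = Authenticator(SECRETS)
    print(handshake("host1", SECRETS["host1"], auth), handshake("host1", b"guess", auth))
```

Two caveats a practitioner should keep in mind: the authenticator must hold the secret in recoverable form (it recomputes the hash), so the secrets database is a high-value target, and a captured challenge/response pair lets an attacker test candidate secrets offline, so the shared secret has to be long and random rather than a user-chosen password.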
Digital Certificates
- Digital Certificates can be issued by anyone; a certificate is only worth something to the parties that trust its issuer, the Certification Authority (CA)
- Major CAs at the time of these slides were:
- Verisign
- GeoTrust
- BeTrusted
- Thawte
Digital Certificates
- Digital Certificates are one part of the authentication mechanism. The other part is the Digital Signature.
- To sign, the sender hashes the message and transforms the hash with their private key; the signature travels with the message. The receiver recomputes the hash and checks it against the signature using the sender's public key, which it takes from the sender's certificate. ("Encrypting the message with the private key" is the usual shorthand for this; real schemes sign a padded hash, not the message.)
- In public-key encryption for confidentiality, the sender uses the public key of the receiver to encrypt the message and sends it, and the receiver decrypts the message with their private key
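Both halves of the mechanism described above (a CA signing a certificate that binds a name to a public key, the receiver checking that certificate and then the sender's signature, and public-key encryption to the receiver), as an added Python example that is not part of the original slides. It is textbook RSA built from Mersenne primes with no padding and no real key generation: a constructed toy to show the structure, and the parties alice, bob and the CA are hypothetical.

```python
"""Digital signature, public-key encryption, and a CA-signed certificate binding a name
to a public key. Added example, not from the slides. Keys are a constructed toy built from
Mersenne primes: textbook RSA with no padding, not something to deploy."""
import hashlib
import json

E = 65537

def make_keypair(p: int, q: int):
    """Returns (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(msg: bytes) -> int:
    # Sign a hash of the message, not the message itself (truncated to fit the toy modulus).
    return int.from_bytes(hashlib.sha256(msg).digest()[:16], "big")

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg), d, n)          # the "encrypt with the private key" step of the slide

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg)   # recover the hash with the public key and compare

def encrypt(pub, msg: bytes) -> int:
    """Confidentiality: anyone can encrypt to the receiver's public key."""
    n, e = pub
    m = int.from_bytes(msg, "big")
    if not 0 < m < n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)

def decrypt(priv, c: int) -> bytes:
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def issue_cert(ca_priv, subject: str, subject_pub) -> dict:
    """A certificate is the CA's signature over (subject name, subject public key)."""
    tbs = {"subject": subject, "pub": list(subject_pub)}
    return {"tbs": tbs, "sig": sign(ca_priv, json.dumps(tbs, sort_keys=True).encode())}

def verify_cert(ca_pub, cert: dict) -> bool:
    return verify(ca_pub, json.dumps(cert["tbs"], sort_keys=True).encode(), cert["sig"])

def receive(ca_pub, cert: dict, msg: bytes, sig: int) -> bool:
    """Receiver: trust only the CA it was configured with, check the certificate, then the signature."""
    if not verify_cert(ca_pub, cert):
        return False                        # issued by an untrusted CA, or tampered with
    return verify(tuple(cert["tbs"]["pub"]), msg, sig)

# Constructed keys for hypothetical parties (Mersenne primes keep the demo self-contained).
CA_PUB, CA_PRIV = make_keypair((1 << 89) - 1, (1 << 107) - 1)
ALICE_PUB, ALICE_PRIV = make_keypair((1 << 61) - 1, (1 << 127) - 1)
BOB_PUB, BOB_PRIV = make_keypair((1 << 31) - 1, (1 << 521) - 1)

if __name__ == "__main__":
    cert = issue_cert(CA_PRIV, "alice", ALICE_PUB)
    msg = b"pay bob 100"
    print(receive(CA_PUB, cert, msg, sign(ALICE_PRIV, msg)))          # True
    rogue = issue_cert(ALICE_PRIV, "bob", BOB_PUB)                    # anyone can issue a certificate...
    print(receive(CA_PUB, rogue, msg, sign(BOB_PRIV, msg)))           # ...but the receiver need not believe it: False
    print(decrypt(BOB_PRIV, encrypt(BOB_PUB, b"meet at noon")))      # b'meet at noon'
```

The `rogue` certificate is the point of the first bullet on certificates: alice can issue a perfectly well-formed certificate for bob, and it is rejected only because the receiver's trust anchor is the CA's key and not alice's. In practice the trust anchor is the set of CA certificates installed on the receiving system, which is why that store deserves the same protection as a credential.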
Digital Certificates
- Security token is usually a hardware device such
as a Smart Card
- If the security token is a software token, it is
usually associated with a particular workstation
- Security tokens provide two-factor authentication: something the user knows (a password or PIN) and something the user has (the device, or an appropriate hardware identifier)
Digital Certificates
- A passive token is a storage device that holds one or more keys; the appropriate key is transmitted by whatever reader or transmitter is in use. The token performs no computation of its own, so whatever it transmits can be copied.
- Inexpensive to manufacture
- Sometimes an extra PIN is required to use the
passive token
- Examples:
- Garage door opener
- ATM card
Digital Certificates
- A One-time password is valid for a single use and for a limited time
- Generated using a counter-based token or a clock-based token
- A counter-based token (HOTP, RFC 4226) is an active token that generates a one-time password from the user's secret key and a counter that is incremented on every use and tracked by both the token and the server
- A clock-based token (TOTP, RFC 6238) is an active token that generates one-time passwords from the secret key and the current time step (typically 30 seconds); the server verifies with its own clock and allows a small drift window
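Both token types described above, as an added Python example that is not part of the original slides: HOTP and TOTP generation per RFC 4226 and RFC 6238, plus the server-side bookkeeping that makes a password genuinely one-time (a look-ahead window with counter resynchronisation for the counter-based token, a drift window plus last-used-step tracking for the clock-based token). The secret is the published RFC 4226 test-vector key, used here as constructed test data.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation plus the server-side checks that keep
them one-time. Added example, not from the slides. SECRET is the RFC 4226 test-vector key."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # RFC 4226 Appendix D key: published test data, not a real secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                            # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at) // step, digits)    # the counter is the number of time steps since the epoch

class CounterServer:
    """Counter-based token: the server tracks the last accepted counter and looks a few
    counters ahead, so a token pressed without logging in does not desynchronise."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1       # skip past it: the same code is never accepted twice
                return True
        return False

class ClockServer:
    """Clock-based token: accept the current step and one step either side for drift, and
    remember the last step used so a captured code cannot be replayed inside the window."""
    def __init__(self, secret: bytes, step: int = 30):
        self.secret, self.step, self.last_step = secret, step, -1

    def verify(self, code: str, now: float) -> bool:
        t = int(now) // self.step
        for cand in (t - 1, t, t + 1):
            if cand > self.last_step and hmac.compare_digest(hotp(self.secret, cand), code):
                self.last_step = cand
                return True
        return False

if __name__ == "__main__":
    print([hotp(SECRET, c) for c in range(3)])   # ['755224', '287082', '359152']
    print(totp(SECRET, 59))                      # 287082
```

The values printed match the RFC test vectors, which is the quickest way to check an implementation before trusting it. The server-side classes are where the "one-time" property actually lives: a bare `hotp` or `totp` comparison without the counter or last-step bookkeeping accepts the same code again for the rest of its window, which is exactly the replay a phishing proxy relies on.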
Biometrics
- Biometric authentication involves unique
physical or behavioral characteristics of
individuals
- Examples: fingerprint, retinal scan, facial recognition
- Fingerprint authentication has matured as a reliable technology
- Retinal scan and facial recognition had not yet reached a comparable level of reliability at the time of these slides