Chapter 9 Overview of Authentication System.ppt

第九章 Chapter 9 Overview of Authentication System Introduction Authentication is the process of reliably verifying the identity of someone (or something). 9.1 Password-Based Authentication When we use the phrase password-based authentication we are referring to a secret quantity (the password) that you state to prove you know it. 9.1 Password-Based Authentication The big problem with password-based authentication is eavesdropping. The adversary can impersonate the user by replaying the wiretapped password. 9.1.1 Off- vs. On-Line Password Guessing On-line password guessing attack: Type passwords at the system that is going to verify the password. The system can make it impossible to guess too many passwords in this manner. Ex: ATM. The system can be designed to be slow, so as not to allow very many guesses per unit time. 9.1.1 Off- vs. On-Line Password Guessing Off-line password guessing attack: Dictionary attack An attacker guesses a password and verifies his guess off-line. If his guess fails the attacker tries again with another password, until he finds the proper one. 9.1.2 Storing User Passwords How does a server know Alice’s password? Alice’s authentication information is individually configured into every server Alice will use. One location: authentication storage node stores Alice’s information, and servers retrieve that information when they want to authentication Alice. One location: authentication facilitator node, stores Alice’s information, and a server that wants to authenticate Alice sends the information received from Alice to this node, which does the authentication and tells the server YES or NO. 9.1.2 Storing User Passwords In case 2 and 3, it’s important for the server to authenticate the authentication storage or facilitator node. The server were fooled into thinking a bad guy’s node was the authentication storage or facilitator node. The server could be tricked into believing the wrong authentication information, and therefore let ba