Authentication – methods and protocols.pptVIP

Authentication – methods and protocols - an overview Jens Bo Friis M.Sc. from Technical University of Denmark M. Cryptology from University of Aarhus Partner in IT Practice A/S Email: jbf@it-practice.dk Agenda Identity Authentication Some weak protocols Some strong protocols Identification Identification can be done by showing proof of identity: Passport Drivers license Creditkort Other picture identification Proof of identity is validated towards correctness, consistency and completeness. If everything is in order, the proof of identity is accepted But what if the proof of identity is stolen? What is somebody is issued a false/fake proof of identity. Issuing authentication crendentials When a proof of identity has been accepted by some company, they issue authentication credentials to be used during authentication. Typical authentication credentials: Password PIN code Cryptographic keys (Digital Certificate) Authentication protocol A user can identify himself towards a system by proving knowledge of authentication credentials This is called an authentication protocol The type of authentication protocol determines the security of the correctness of the proof of identity A weak protocol has low security of correctness of proof of identity. Choosing an authentication protocol Q: What level of security is needed of the proof of identity? International/national security? Financial and/or legal binding transactions? Online services, online transactions? Mails? Games? Vulnerabilities Stealing authentication credentials. This can be done by: Sniffing, Man-in-the-middle, keystroke loggers Attacks on the authentication protocol. This can be done by: Sniffing, man-in-the-middle, keystoke loggers, replay attacks Stealing proof of identity. This can be done by: Social engineering Sniffing/replay Keystroke loggers Man in the middle/Domain takeover Authentication methods Authentication methods is grouped in two types: One factor - something I know Two facto