Data Protection and Security

   

VII

Identification and Entity Authentication

   

VII.III

Authentication Protocols

   

   
 

Challenge-Response Authentication Protocols:

A very common enhancement of classical password-based authentication is to introduce a cryptographic challenge/response protocol. We will first discuss protocols based on a shared secret. The protocol in Figure 3 is composed of three steps:

  1. Alice identifies herself to Bob.
  2. Bob sends a random number (the challenge) to Alice.
  3. Alice computes the response, which is the challenge cryptographically transformed using Alice and Bob’s shared secret Kalice-bob.

The transformation can be done in a number of ways. One is to use the shared secret as the key of a secret-key encryption algorithm that takes the challenge as the plaintext and produces the corresponding ciphertext as the response. Another is to compute the response as the hash value of the combination of the challenge and the shared secret.


Figure 3. Challenge-Response protocol based on a shared secret.

This protocol is an improvement over passwords because no password is transmitted in the clear. However, it has a number of essential limitations:

  • Authentication is not mutual: Only Bob authenticates Alice, not vice versa. Without mutual authentication, an attacker can respond as if he is Bob and fool Alice into assuming the attacker is Bob.
  • Man-in-the-middle attack: An attacker can even succeed in impersonating Alice. After intercepting Bob’s challenge and fooling Alice into thinking he is Bob, the attacker sends Bob’s challenge to Alice to obtain the correct response, which he then sends to Bob as if it originated from Alice.
  • Connection can be hijacked: When the integrity of the remainder of the conversation between Alice and Bob is not protected, an attacker can hijack the connection and generate packets as if they are coming from Alice.
  • Off-line password guessing attack: If an attacker captures the challenge and the response and knows which cryptographic algorithm is used, he can mount an offline dictionary attack. This means guessing a password, turning that password into a key K, and checking whether the following equality holds:

F(K,R) = F(Kalice-bob,R)

  • Database reading: In order to verify the response, Bob needs to store Alice’s password in a database or in a file. This security vulnerability was already mentioned.

It is possible to make this protocol more efficient and reduce it to a one-round protocol by using timestamps instead of challenge/response. One nice feature of challenge/response protocols is that response messages cannot be replayed: if the challenge is chosen from a sufficiently large space, no two challenges are the same and therefore all responses should be different. Since it is not possible to go back in time, the current time value can be used in place of the unique challenge Bob provides, if Bob and Alice have synchronized clocks.

Of course, even when clocks are perfectly synchronized, Bob should accept a result whose timestamp is within an acceptable clock skew, because of the transmission delay between the two parties.

Figure 4. Authentication protocol based on a timestamp and a shared secret.
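The following is an added example, not part of the original course material. It shows Bob's side of both the three-step challenge/response protocol and the one-round timestamp variant, with Alice's response functions alongside. Assumptions: HMAC-SHA256 stands in for the transformation F, the 30-second skew window and all function and class names are illustrative, and the replay cache for timestamps is an addition that closes replay inside the skew window.

```python
import hashlib
import hmac
import secrets
import struct

MAX_SKEW = 30  # seconds of skew Bob tolerates (assumed value, not from the page)


def F(key: bytes, data: bytes) -> bytes:
    # The page's transformation F(K, R); HMAC-SHA256 is the keyed hash assumed here.
    return hmac.new(key, data, hashlib.sha256).digest()


def respond(key: bytes, challenge: bytes) -> bytes:
    return F(key, challenge)  # step 3, Alice's side


def respond_timestamp(key: bytes, ts: int) -> bytes:
    return F(key, struct.pack(">Q", ts))  # timestamp replaces Bob's challenge


class Bob:
    def __init__(self, shared_secrets: dict):
        self.db = shared_secrets  # identity -> shared secret (the database-reading risk)
        self.pending = {}         # identity -> outstanding challenge
        self.seen = set()         # (identity, timestamp) pairs already accepted

    def challenge(self, identity: str) -> bytes:
        r = secrets.token_bytes(16)  # step 2: fresh 128-bit random challenge
        self.pending[identity] = r
        return r

    def verify(self, identity: str, response: bytes) -> bool:
        r = self.pending.pop(identity, None)  # single use: a replayed response fails
        key = self.db.get(identity)
        if r is None or key is None:
            return False
        return hmac.compare_digest(F(key, r), response)

    def verify_timestamp(self, identity: str, ts: int, response: bytes, now: int) -> bool:
        key = self.db.get(identity)
        if key is None or abs(now - ts) > MAX_SKEW or (identity, ts) in self.seen:
            return False
        if not hmac.compare_digest(respond_timestamp(key, ts), response):
            return False
        self.seen.add((identity, ts))  # replay cache covering the skew window
        return True
```
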

Note: Protocols based on public key cryptography eliminate the problem related to database reading, since the two parties no longer share a secret.

   

   
       
 