Lecture
Authentication is the procedure by which a user proves that he really is who he claims to be. It must be distinguished from identification, in which the user only presents his name, the identifier. Two parties take part in authentication: one side (the client) proves its authenticity, and the other (the authentication server) accepts the evidence and makes a decision. The following can serve as evidence of authenticity:
- something that the authenticated user knows (password, key, etc.);
- something that the authenticated user owns (electronic magnetic card);
- something that is part of the user (biometric parameters).
3.1. Password Authentication
Simplicity of implementation and the logical clarity of their operating principles make password authentication systems the most popular. Although this authentication scheme faces many threats (password guessing, traffic analysis, replay of the authentication request), it is used in most information systems, and protection against these threats is usually provided by a set of measures in which cryptographic protection plays a central role.
Currently, there are two main methods of user authentication:
- with unidirectional transfer of information from the client to the authentication server;
- "request-response" technology.
A unidirectional scheme means that the client sends its identifier and password to the server, the server checks them against its database, and a decision on the client's identity is made from the result of the comparison. To counter passive interception of the password during transmission over a network, password hashing is used. The unidirectional authentication scheme is shown in Figure 3.1.
Fig.3.1. Unidirectional authentication scheme
An attacker who intercepts the request in transit will not be able to use it to obtain the user's password for later authentication on behalf of the user with the identifier id, since the password is transmitted in the hashed form q′ and the hash operation cannot be reversed.
The scheme shown in Figure 3.1 cannot withstand a replay attack, in which an attacker intercepts the network traffic of a legitimate user's authentication session, later reproduces it exactly, and thus gains access to resources. To resist an attack of this kind, timestamps or one-time numbers are added to the request; by agreement of the parties, each can be used only once. The authentication scheme with one-time numbers is shown in Figure 3.2. The additional parameter t in this scheme is either a random number generated for each authentication request or a one-time number from a set agreed in advance by both parties. With this scheme an attacker cannot replay a previously saved request to authenticate as a legitimate user, because the request carries a value of t that is already considered used, and the server will reject the repeated request.
Fig.3.2. Authentication scheme with replay protection
An obvious requirement for such an authentication system is a database on the server side that stores the values of t already used. If a timestamp is used as t, the authentication system must additionally keep the clocks of the client and the server synchronized.
The "request-response" scheme is a further development of such authentication schemes. In this scheme, in response to the client's authentication request, the server sends the client a random or pseudo-random number (the challenge), and the client must perform some cryptographic action (block encryption, hashing) on the combination of the passphrase and the number sent by the server. The result is sent to the server, which performs the same actions with the challenge and the client password it stores, compares its result with the value sent by the user, and makes the authentication decision. The "request-response" authentication scheme is shown in Figure 3.3. The request-response scheme also protects against replay, because the server generates a unique challenge for each authentication session.
Fig.3.3. Authentication scheme with replay protection
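The request-response exchange described above, as an added example that is not part of the original lecture: the server issues a fresh challenge, the client answers with a keyed hash of it, and a captured response fails when it is resent. HMAC-SHA256 as the "cryptographic action", the `AuthServer` class and the sample account are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; the server keeps the shared secret, as in the scheme above.
USERS = {"alice": b"correct horse battery staple"}


def respond(password: bytes, challenge: bytes) -> bytes:
    """Client side: keyed hash over the challenge (HMAC-SHA256 is this example's choice)."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, users):
        self.users = users
        self.pending = {}  # user id -> challenge issued and not yet answered

    def issue_challenge(self, user_id: str) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh and unpredictable for each session
        self.pending[user_id] = challenge
        return challenge

    def verify(self, user_id: str, response: bytes) -> bool:
        # pop() makes the challenge single-use: a second answer finds nothing pending.
        challenge = self.pending.pop(user_id, None)
        password = self.users.get(user_id)
        if challenge is None or password is None:
            return False
        expected = respond(password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo_replay():
    server = AuthServer(USERS)
    c1 = server.issue_challenge("alice")
    r1 = respond(USERS["alice"], c1)
    first = server.verify("alice", r1)        # legitimate login
    replay_same = server.verify("alice", r1)  # captured response resent, nothing pending
    server.issue_challenge("alice")           # new session, new challenge
    replay_new = server.verify("alice", r1)   # old response against the new challenge
    return first, replay_same, replay_new


if __name__ == "__main__":
    print(demo_replay())
```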
A few words must be said about the quality of the passwords used. For the authentication system to be protected from guessing or brute-force attacks, the password's length and semantic content must withstand such attacks as far as possible. Typical errors when choosing a password:
Based on this list, the ideal password would be several tens of characters long: an unreadable phrase that uses the largest possible set of characters. However, the practical use of such a password brings other problems: the user will not be able to remember it and will be forced to store it in clear form on paper or magnetic media, which leads to password theft.
Another threat to password authentication is social engineering, in which hackers use social communication to get a password disclosed (for example, a call on behalf of the system administrator asking for the user's password).
A number of authentication protocols have been developed to apply the principles and algorithms of password authentication considered above. Consider the most popular.
PAP (Password Authentication Protocol) is the simplest authentication protocol for PPP connections. The username and password are requested by the remote access server and returned by the remote access client in plain text.
The Challenge Handshake Authentication Protocol (CHAP) uses a request-response authentication scheme for PPP connections. Described in RFC 1994, it uses the industry-standard one-way MD5 hash to compute the response to a challenge issued by the remote access server. It can also be used to periodically verify the authenticity of a subject within an already established connection.
The Extensible Authentication Protocol (EAP) is an extension of PPP that provides authentication of remote users using special devices. It supports a set of authentication schemes, including access code generators, remote connection, the Kerberos V5 protocol, one-time passwords, smart key based authentication, certificates, and more. EAP works with remote clients, as well as PPTP and L2TP clients.
The Kerberos protocol is a set of methods for identifying and verifying the authenticity of information exchange partners (workstations, users, or servers) in an open (unprotected) network. The protocol involves the interaction of two participants, A and B, through a server that they both trust and with which each shares a long-term secret key.
The basic Kerberos protocol involves the following participants: client A, relying party B, and a trusted server T (the Kerberos authentication server). At the start, A and B have no common secret in the form of an encryption key, while T shares a secret with each of them in the form of a database of clients and their secret keys. The Kerberos protocol solves the following tasks: authentication of client A (mutual authentication is also possible) and the exchange of a temporary session encryption key.
Fig.3.4. General Kerberos protocol scheme
The protocol works as follows. A requests from T the necessary data, called an identity, which allows B to verify A's authenticity. Here T acts as a key distribution center (KDC) and sends A a session key encrypted with A's secret key and a ticket encrypted with B's key. This ticket, which A then transmits to B, contains the session key and data about A, which allows B to authenticate A. To prevent replay, A transmits along with the ticket a message (the authenticator) containing a timestamp of the current time, encrypted with the session key. The operation of the basic Kerberos protocol is illustrated in Figure 3.4, in which the following notation is used:
E - symmetric encryption algorithm (DES);
N_A - the current time set by A;
T_A - timestamp according to A's local clock;
k - session key for the interaction of A and B, generated by T;
L - the validity period of the session key;
K_AT, K_BT - secret encryption keys A-T and B-T;
ticket - ticket, for example, ticket_B = E_{K_BT}(k, A, L);
auth - authenticator, for example, auth_A = E_k(A, T_A).
User A sends data to server T in message (1) to obtain a session key for use with B. Server T generates the session key k, determines its lifetime L, encrypts them with the key K_AT, forms the ticket ticket_B using the secret key K_BT, and transmits this information to the user in message (2). User A, having received message (2), decrypts its first part with the key K_AT, extracts the session key and uses it to form the authenticator auth, which A sends to B together with the ticket in message (3). B receives message (3), decrypts the ticket with K_BT, obtains k and decrypts the authenticator. In doing so, B must check that:
a) the identifier A in the ticket matches the one in the authenticator;
b) the timestamp T_A in the authenticator is correct;
c) B's current time falls within the lifetime L specified in the ticket.
If all checks pass, B declares that A has successfully passed authentication and sends A the value T_A encrypted with the session key in message (4). User A then compares the T_A value received from B with the one sent in the authenticator. If they match, user A can, in turn, consider B authenticated.
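B's three checks on message (3), as an added example that is not part of the original lecture. Decryption with K_BT and k is assumed to have already succeeded, so the ticket and authenticator appear as plain records; the `Ticket` and `Authenticator` types, the 300-second tolerance and the sample times are assumptions of this example.

```python
from dataclasses import dataclass

MAX_SKEW = 300  # seconds of clock difference B tolerates; an assumed policy value


@dataclass
class Ticket:          # contents of ticket_B = E_{K_BT}(k, A, L) after B decrypts it
    k: bytes
    client: str
    valid_from: int    # L is modelled as the interval [valid_from, valid_until]
    valid_until: int


@dataclass
class Authenticator:   # contents of auth_A = E_k(A, T_A) after B decrypts it with k
    client: str
    t_a: int


def check_message3(ticket: Ticket, auth: Authenticator, now: int) -> str:
    """Apply B's checks (a)-(c); return "ok" or the name of the first failed check."""
    if ticket.client != auth.client:                        # (a) same identifier A
        return "identifier mismatch"
    if abs(now - auth.t_a) > MAX_SKEW:                      # (b) T_A is recent
        return "stale timestamp"
    if not ticket.valid_from <= now <= ticket.valid_until:  # (c) now lies within L
        return "ticket outside lifetime"
    return "ok"


def demo_checks():
    now = 1_700_000_000  # constructed "current time" on B's clock
    ticket = Ticket(b"k" * 16, "A", now - 60, now + 3600)
    late = now + 7200    # two hours later, after the ticket's lifetime has ended
    return [
        check_message3(ticket, Authenticator("A", now - 5), now),    # fresh and valid
        check_message3(ticket, Authenticator("M", now - 5), now),    # ticket for A, authenticator names M
        check_message3(ticket, Authenticator("A", now - 900), now),  # recorded message (3) resent later
        check_message3(ticket, Authenticator("A", late), late),      # ticket presented after L
    ]


if __name__ == "__main__":
    print(demo_checks())
```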
The full version of the Kerberos protocol, in contrast to the basic one, uses two levels of servers. The first server is called the authentication server. It generates long-term tickets, called ticket-granting tickets (TGT). Servers of the second type (ticket-issuing servers), on receiving a TGT, generate tickets of another type, resource tickets (RT), which are used directly for authentication. This scheme significantly offloads the authentication server when the system has many users, while keeping the authentication procedure centrally managed.
In the Microsoft Windows 2000 operating system, user authentication is performed using the Kerberos version 5 protocol, supplemented by extensions related to the public key infrastructure. The initial user verification is carried out by the Winlogon process, which provides unified logon of users to the system. The Kerberos Key Distribution Center is integrated with the other Windows 2000 security services installed on a domain controller.