★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
authentication.ppt
1. Authentication and Authorization
• Authentication is the process of verifying a
principal’s identity (but how to define
“identity”?)
– Who the person is
– Or, what the person is
• Authorization is the process of determining
whether a principal can perform certain actions
– What the person can do
– Typically based on authentication result
1
2. Authentication in Cyber Space
• Authentication based on what you know.
– If you know a secret, then you are linked to an
“identity”
– The secret needs to be associated with the
identity beforehand (authentication state)
• Authentication protocol is the process of
proving that one knows the secret, a.k.a
“credential.”
2
5. Hash function and salt
• A “salt” is used to increase the input space of a
hash function
– Even though a cryptographic function H is hard to
invert, if the number of possible inputs to H is small, a
brute-force search can easily find the pre-image from
a given hash
– If we append the input string with a salt and apply H
on the whole string, then the number of possible
inputs to the hash function is increased S fold where
S is the number of all possible salts.
– For password hash, the salt is used to mitigate
dictionary attack
5
6. What is a dictionary attack?
• Pre-compute the hash of commonly used
passwords
• Looking up a password from the hash
takes only constant time if the password
falls into the dictionary
6
7. Password verification with salt
Hash
Function
Password
Salt, Hash on file
e.g. /etc/shadow
H1==H2?
H2
OK
FAIL
Y
N
S
7
(S, H1)
8. Challenge-Response Protocol
• Objective: Bob (prover) convinces Alice (verifier)
that he knows the secret, while not leaking the
secret to anyone (including Alice)
• Threat model: insecure communication channel
– Cryptographic primitives unbreakable
– Attacker can do anything else:
• Intercept messages
• Replace messages
• Inject messages
• Re-order messages
• Encrypt/decrypt a message if he knows the keys
8
9. Challenge-Response Protocol
• General process
– Verifier picks a challenge message and send it to prover.
– Prover produces a response using the secret and sends
the response back to the verifier
– Verifier checks whether the response is valid
• Requirements
– Protect Verifier: if Bob does not know the secret, the
protocol shall fail
– Protect Prover: the secret shall not be revealed in the
process, not even to the verifier (computationally infeasible
to infer)
9
10. Using MAC in authentication
protocol
Alice Bob
Mallory
Secret K
Secret K
m, MAC(m,K)
m
10
14. SSH public key-based
authentication
Secure channel
{m}Kpub
H(m)
H is a cryptographic
hash function
~/.ssh/id_dsa
Private key Kpriv
(Passphrase-protected)
Client
(Bob)
~/.ssh/.authorized_keys
Public key Kpub
Server
(Alice)
14
15. SSH Public Key-based
Authentication
• What is a secure channel?
– Messages sent are encrypted by a shared secret key
– Messages are authenticated using MAC
– The SSH public key-based authentication is used by the
server to authenticate the user at the other end of the
secure channel
– SSH also supports other kinds of authentication, such as
password authentication, which needs a secure channel.
• This challenge-response protocol is better than
asking the client to sign a challenge message
– Server gains zero knowledge
– The hash function is to protect the private key from a
chosen-ciphertext attack
15
16. SSH Agent
• The private key must be protected by a
passphrase.
– The passphrase is used to generate a key to
encrypt the private key stored in the file
system.
• An SSH agent can load the private key
into memory and perform the challenge-
response protocol on behalf of the user.
16
18. Using SSH Agent
• SSH agent stores private keys in memory and performs
crypto calculation
– User only needs to enter passphrase when the agent retrieves
the private key
• Communication between SSH client and agent mediated
through file-system protection
– An SSH client can only connect to an agent started by the same
user, except for user root, who can connect to any user’s agent
• Advantage: user does not need to type in passphrase to
decrypt the private key every time he wants to log in.
18
20. Agent Forwarding
• Alice can contact the SSH agent on Bob through
the SSH channel if Bob allows his agent
connection to be forwarded to Alice
– SSH client on Alice becomes “man in the middle”
– Useful when the user on Bob wants to login to other
machines from Alice
– root user can always connect to forwarded agents
– Bob’s private key never leaves his machine; when
Bob tears down the connection with Alice, root on
Alice will no longer be able to impersonate Bob
20
21. Exercise after class
• Set up public key-based authentication
using SSH agent for logging into
departmental Linux machines (e.g.,
grad.csee.usf.edu).
– Generate your public/private key pair
– Upload your public key to the server
– Figure out how to use SSH agent
– Find a clever way to start/connect to your
SSH agent
21