Authentication - Department of Electrical Engineering & Computer

Authentication Protocols
Celia Li
Computer Science and Engineering
York University
Outline
• Overview of authentication
• Symmetric key authentication protocols (Kerberos)
• Public key authentication protocols (SSL)
• Authentication protocols in Wireless Local Area Networks (WLAN)
Overview of Authentication
Authentication is the process of determining whether a party is, in fact, who it claims to be.
An authentication protocol is a sequence of messages exchanged between principals; the protocols in these slides are written in the notation introduced next.
Principals: the parties that cooperate by exchanging messages over a network (users, hosts, servers).
Notation
E(K : M): the plaintext message M encrypted under key K.
Ka: key of principal A
Kab: key shared by principals A and B
Principals are generally denoted by capitals such as A, B and S (a server).
A protocol is written as numbered steps; "X -> Y : M" means X sends message M to Y:
(1) A -> B : M1
(2) B -> S : M2
(3) S -> B : M3
Notation
Na: a number generated by principal A, generally termed a nonce ("number used once").
A nonce may be
• a timestamp: a number denoting the current time,
• a sequence number, or
• a random number that is used only one time.
A -> B : A, E(Kab : Na)
Here the first A is the identity of principal A (an IP address or host name), sent in the clear so that B knows which shared key to use.
Overview of Authentication
Timeliness in Authentication Protocols
• An authentication protocol is required to guarantee that the parties involved in the authentication process are actually present during the execution of the protocol, i.e. that the messages were produced now and not recorded from an earlier run.
• Nonces are the usual means of establishing timeliness: a verifier accepts a message only if it is bound to a fresh value (a recent timestamp, the next sequence number, or a random challenge the verifier itself issued).
Attacks on Authentication Protocols
Replay attack:
The attacker records the messages of a legitimate run of an authentication protocol and later replays them in an attempt to falsely authenticate to the other principal.
Countermeasures:
• Bind each message to a timestamp, a sequence number or a random number (challenge), so that a recorded message is rejected as stale or already used.
• The verifier must actually enforce this: check that a timestamp lies within its acceptance window, and remember the values it has already accepted during that window, because a copy replayed inside the window is otherwise indistinguishable from the original.
Symmetric Key Authentication Without Trusted Third Party
• Symmetric key one-pass unilateral authentication protocol
  B authenticates A:
  If the message decrypts correctly under Kab and the timestamp Na has a recent value, B accepts A's identity. A timestamp alone is only safe if B also rejects values it has already seen inside its acceptance window.
• Symmetric key two-pass unilateral authentication protocol
  B authenticates A:
  B first sends A a random challenge Rb and accepts A only if the reply is bound to Rb under Kab; this needs no synchronized clocks.
• Symmetric key three-pass mutual authentication protocol
  B authenticates A:
  A authenticates B:
  Each side challenges the other with its own random number, so both directions are fresh.
Na: timestamp. Ra, Rb: random numbers; each random number can be used only one time.
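The following is an added example, not code from the slides: B's side of the one-pass protocol above (A -> B : A, Na) with the replay countermeasures from the replay-attack slide actually enforced. It assumes, unlike the slides, that the message is authenticated with an HMAC-SHA256 tag under Kab rather than encrypted as E(Kab : Na), since the check needs authenticity rather than secrecy; that Na is a millisecond timestamp; and that B tolerates WINDOW_MS of clock skew and remembers every (A, Na) it accepted for that long, so a copy replayed inside the window is caught as well as a stale one.

```python
"""Added example, not from the slides: verifier B for A -> B : A, Na, tag.

Assumptions (not in the slides): HMAC-SHA256 tag under Kab instead of
E(Kab : Na); Na is a millisecond timestamp; B keeps a replay cache of the
(identity, Na) pairs it accepted during the last WINDOW_MS milliseconds."""
import hashlib
import hmac

WINDOW_MS = 5_000  # acceptance window around B's clock, in milliseconds


def build_message(identity, key_ab, now_ms):
    """A's side: identity and a fresh timestamp, tagged under the shared key Kab."""
    body = f"{identity}|{now_ms}"
    tag = hmac.new(key_ab, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class Verifier:
    """B's side: rejects malformed input, unknown senders, bad tags, stale Na, replays."""

    def __init__(self, keys):
        self.keys = keys   # identity -> Kab
        self.seen = set()  # (identity, timestamp) pairs accepted inside the window

    def verify(self, message, now_ms):
        parts = message.split("|")
        if len(parts) != 3:
            return "malformed"
        identity, ts, tag = parts
        key = self.keys.get(identity)
        if key is None:
            return "unknown principal"
        expected = hmac.new(key, f"{identity}|{ts}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):   # authenticate before trusting ts
            return "bad tag"
        ts = int(ts)
        if abs(now_ms - ts) > WINDOW_MS:
            return "stale"
        # Drop cache entries that could no longer be accepted anyway, then check replay.
        self.seen = {entry for entry in self.seen if now_ms - entry[1] <= WINDOW_MS}
        if (identity, ts) in self.seen:
            return "replay"
        self.seen.add((identity, ts))
        return "ok"
```

The order of the checks matters: the tag is verified before the timestamp is parsed or the cache is touched, so an attacker without Kab cannot fill B's replay cache or trigger parsing of attacker-controlled values.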
Symmetric Key Authentication With Trusted Third Party
• NS (Needham-Schroeder) Symmetric Key Authentication
A & B trust S. Kas is a key shared by A & S, Kbs is a key shared by B & S.
• A asks S for a session key and gets Kab, generated by S, together with a copy of Kab sealed under Kbs for B
• A forwards that sealed copy to B, so B also gets the shared key Kab
• A authenticates B
• B authenticates A (the last two messages are a challenge-response under Kab)
[Figure: S is the trusted third party; message flow (1) A -> S, (2) S -> A, (3) A -> B, (4) B -> A, (5) A -> B]
Caveat: message (3) carries no timestamp, so anyone who later learns an old Kab can replay that message to B and be accepted. Kerberos, next, closes this gap by putting an expiration time into the ticket and a timestamp into the client's message.
Kerberos Authentication
• A typical example of symmetric key authentication with a trusted third party
• The trusted third party in Kerberos is the authentication server (key distribution centre), which is in charge of distributing shared session keys.
• A Kerberos ticket is employed for the authentication purpose.
Kerberos Authentication
Kerberos Ticket
• A credential issued by the authentication server, encrypted under a long-term key that the authentication server shares with the verifier (the service the ticket is for). The client can forward it but can neither read nor alter it.
• The ticket contains
  • the session key that will be used to authenticate the client to the verifier, who checks that the client can actually use that key
  • the name of the principal to whom the key was issued
  • an expiration time of the ticket
Kerberos authentication
• Client C wants to access server S. Client C and server S need to authenticate each other.
• The authentication server is comprised of two parts:
  • A: Key Distribution Server
  • G: Ticket-Granting Server
• (1) C sends its name and a random number N1 to A
• (2) A sends back, encrypted under Kac, the key Kcg, the nonce N1 and a ticket Tcg for G
  • Kac: shared key between A and C (derived from C's password)
  • Kcg: shared key between C and G, chosen by A
  C authenticates A if N1 is correct (only A could have produced the reply under Kac)
• (3) C forwards the ticket Tcg to G, together with a time stamp T encrypted under Kcg (the authenticator) and a new random number N2
  • N2: random number
  • T: time stamp
  G authenticates C if the time stamp is correct, i.e. recent and not seen before under this ticket
• (4) G sends back a service ticket Tcs to C, with Kcs and N2 encrypted under Kcg
  • Kcs: shared key between C and S
  C authenticates G if N2 is correct
• (5) C sends the ticket Tcs to S, together with a time stamp T' encrypted under Kcs
  • T': time stamp
  S authenticates C if the time stamp is correct
• (6) S replies with a value derived from T' encrypted under Kcs; C authenticates S if the time stamp is correct
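The following is an added example, not code from the slides or from MIT Kerberos: the six-message exchange of the Kerberos authentication slides above simulated end to end, with a key-distribution server A, a ticket-granting server G, a service S and a client C. It assumes, beyond what the slides state, that E(K : M) is a toy authenticated encryption made from HMAC-SHA256 (a keystream for confidentiality plus a tag for integrity) standing in for a real cipher; that messages are JSON and keys are 32-byte strings; that a ticket holds the client name, the session key and an expiry; and that a ticket is always presented with an authenticator, the client name and a timestamp sealed under the session key, which is what the slides' "time stamp is correct" checks. Clocks are simulated by passing `now` explicitly.

```python
"""Added example, not from the slides or MIT Kerberos: Kerberos-style tickets.

Assumptions (not in the slides): toy HMAC-based E(K : M); JSON messages;
32-byte keys; tickets carry client, session key, expiry; every ticket is
presented with an authenticator E(session key : client, timestamp)."""
import hashlib
import hmac
import json
import os

SKEW = 300          # seconds of clock difference a verifier tolerates
TICKET_LIFE = 3600  # seconds a ticket stays valid


def _stream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def E(key, obj):
    """Toy E(K : M): encrypt the JSON-serialised obj, return hex nonce||ct||tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def D(key, blob):
    """Inverse of E; raises ValueError when the tag (and hence the key) is wrong."""
    raw = bytes.fromhex(blob)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def issue_ticket(verifier_key, client, session_key, now):
    """Sealed under the verifier's long-term key: C can forward it but not read it."""
    return E(verifier_key, {"client": client, "key": session_key.hex(),
                            "expires": now + TICKET_LIFE})


def accept_ticket(verifier_key, ticket, authenticator, now):
    """Verifier side of steps (3) and (5). Returns (session key, client) or raises."""
    t = D(verifier_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    auth = D(session_key, authenticator)          # proves C knows the session key
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("stale authenticator")   # replayed later, or clocks far apart
    return session_key, t["client"]


def try_accept(verifier_key, ticket, authenticator, now):
    """accept_ticket as a string result, handy for exercising the failure cases."""
    try:
        return "ok:" + accept_ticket(verifier_key, ticket, authenticator, now)[1]
    except ValueError as err:
        return str(err)


def run_exchange(now=1_700_000_000):
    """Runs messages (1)-(6); True when C and S end up holding the same Kcs."""
    Kac, Kag, Kgs = os.urandom(32), os.urandom(32), os.urandom(32)  # long-term keys
    # (1) C -> A : C, N1
    N1 = os.urandom(8).hex()
    # (2) A -> C : E(Kac : Kcg, N1, Tcg)   with Tcg = E(Kag : C, Kcg, expiry)
    Kcg = os.urandom(32)
    msg2 = E(Kac, {"key": Kcg.hex(), "nonce": N1, "ticket": issue_ticket(Kag, "C", Kcg, now)})
    r2 = D(Kac, msg2)
    if r2["nonce"] != N1:
        raise ValueError("C: N1 wrong, A not authenticated")   # C authenticates A
    Kcg_c = bytes.fromhex(r2["key"])
    # (3) C -> G : Tcg, E(Kcg : C, T), N2                     G authenticates C
    N2 = os.urandom(8).hex()
    Kcg_g, who = accept_ticket(Kag, r2["ticket"], E(Kcg_c, {"client": "C", "ts": now}), now)
    # (4) G -> C : E(Kcg : Kcs, N2, Tcs)   with Tcs = E(Kgs : C, Kcs, expiry)
    Kcs = os.urandom(32)
    r4 = D(Kcg_c, E(Kcg_g, {"key": Kcs.hex(), "nonce": N2,
                            "ticket": issue_ticket(Kgs, who, Kcs, now)}))
    if r4["nonce"] != N2:
        raise ValueError("C: N2 wrong, G not authenticated")   # C authenticates G
    Kcs_c = bytes.fromhex(r4["key"])
    # (5) C -> S : Tcs, E(Kcs : C, T')                        S authenticates C
    Kcs_s, _ = accept_ticket(Kgs, r4["ticket"], E(Kcs_c, {"client": "C", "ts": now}), now)
    # (6) S -> C : E(Kcs : T' + 1)                            C authenticates S
    if D(Kcs_c, E(Kcs_s, {"ts": now + 1}))["ts"] != now + 1:
        raise ValueError("C: S not authenticated")
    return Kcs_c == Kcs_s
```

Note what each check buys: the expiry inside the sealed ticket bounds how long a stolen ticket is useful, and the timestamp in the authenticator (with the verifier's SKEW window) is what stops the Needham-Schroeder replay of an old message (3); a real KDC additionally caches recent authenticators so a replay inside the window is also refused.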
Public Key Certificate
• Commonly used in public key authentication protocols
• An electronic document which uses a digital signature to bind a public key to an identity:
  • the name of a person or an organization, their address
• Issued by a certification authority (CA)
  • e.g. VeriSign
• The certificate lets a relying party verify that a public key belongs to a given individual, provided that it trusts the CA and checks the CA's signature.
Public Key Certificate
Public key certificates include:
• Public key of the subject
• DN (distinguished name of the subject)
• Validity period of the certificate
• Name of the certificate issuer
• Digital signature of the certificate issuer over all of the above
Public Key Authentication without Trusted Third Party
Public key one-pass unilateral authentication protocol
B authenticates A:
Public key two-pass unilateral authentication protocol
B authenticates A:
Public key three-pass mutual authentication protocol
B authenticates A:
A authenticates B:
In each case the prover signs a fresh value (its timestamp, or the random challenge it just received) with its private key, and the verifier checks the signature with the public key taken from the prover's certificate.
CertA: public key certificate of A
Ka^-1: private key of A, Kb^-1: private key of B
Public Key Authentication with Trusted Third Party
NS (Needham-Schroeder) Public Key Authentication Protocol
(1) A asks S for B's public key
(2) S sends B's public key Kb to A, signed by S
(3) A sends B its identity and a nonce Na, encrypted under Kb, so B gets A's identity
(4) B asks S for A's public key
(5) S sends A's public key Ka to B, signed by S
(6) B returns Na together with its own nonce Nb, encrypted under Ka; A authenticates B by verifying Na
(7) A returns Nb encrypted under Kb; B authenticates A by verifying Nb
[Figure: S is the trusted third party; A exchanges (1),(2) with S, B exchanges (4),(5) with S, and A and B exchange (3),(6),(7) directly]
Caveat: in the form shown, message (6) does not name B. Lowe (1995) showed that a dishonest B can forward A's message (3) to a third party C and relay C's reply, so that C believes it is talking to A; including B's identity in message (6) fixes this.
Secure Socket Layer Protocol (SSL)
• Universally accepted on the Web for authenticated and encrypted communication between clients and servers (today in the form of its successor TLS; the authentication model shown here is the same)
• Typical example of public key authentication
• Protects sensitive information in transit, such as Social Security Numbers (SSN), credit card numbers, etc.
SSL
• Server Certificate
  The SSL protocol requires a server certificate so that the client can authenticate the server.
• Client Certificate (Optional)
  You can optionally configure your server to request a client certificate so that the server can authenticate the client.
• These slides only discuss how the client authenticates the server in SSL.
SSL
Client authenticates server based on a certificate issued by a certificate authority (CA)
1. Client -> server: Hello message
2. Server -> client: server's public key certificate, including the server's public key and a digital signature made by the certificate authority (CA)
3. Client uses the CA's public key (pre-installed in its trust store) to verify the CA's digital signature, and thus the server's certificate. It must also check that the certificate is within its validity period and that the name in it matches the server it meant to reach: a valid CA signature on somebody else's certificate proves nothing about this server.
4. Client -> server: a random number, as a challenge the server must answer to prove its identity
5. Server signs the random number with its private key (the slides' "encrypts with its private key")
6. Server -> client: the signature
7. Client verifies the signature using the server's public key and thereby the identity of the server, since only the holder of the private key could have produced it
Steps 4 to 7 are a simplification: in the actual SSL/TLS handshake the server proves possession of its private key through the key exchange itself (by decrypting the client's encrypted pre-master secret, or by signing its key-exchange parameters and, in TLS 1.3, the handshake transcript) rather than in a separate challenge round trip, but the property established is the same.
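The following is an added example, not code from the slides or from any SSL/TLS implementation: the client-side checks of the steps above (verify the CA's signature on the server's certificate, then verify the server's answer to a random challenge) with a toy RSA built from the Python standard library. It assumes, beyond what the slides state, 512-bit toy RSA keys (far too small for real use) generated with Miller-Rabin; a certificate represented as a dict {subject, pubkey, not_before, not_after, issuer} signed by the CA over its SHA-256 hash; that "encrypt with its private key" in step 5 is implemented as what it really is, an RSA signature (textbook, unpadded, toy only); and that the client additionally checks the validity period and that the subject name is the host it meant to reach, which step 3 leaves implicit.

```python
"""Added example, not from the slides or any SSL/TLS library: certificate and
challenge verification on the client, over a toy 512-bit RSA.

Assumptions (not in the slides): unpadded textbook RSA, SHA-256 hashed
inputs, certificates as signed dicts, hypothetical CA and host names."""
import hashlib
import json
import random

_rng = random.SystemRandom()


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if is_probable_prime(c):
            return c


def gen_key(bits=512, e=65537):
    """Returns (public, private) = ((n, e), (n, d))."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(obj):
    data = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256 bits < n


def sign(private, obj):
    n, d = private
    return pow(_digest_int(obj), d, n)


def verify(public, obj, sig):
    n, e = public
    return pow(sig, e, n) == _digest_int(obj)


def issue_cert(ca_private, issuer, subject, subject_public, not_before, not_after):
    """CA side: bind subject name, public key and validity under the CA's signature."""
    body = {"subject": subject, "pubkey": list(subject_public),
            "not_before": not_before, "not_after": not_after, "issuer": issuer}
    return {"body": body, "sig": sign(ca_private, body)}


def server_respond(server_private, challenge):
    """Steps 5-6: the server 'encrypts' (really: signs) the client's random number."""
    return sign(server_private, challenge)


def client_verify_server(cert, trusted_cas, expected_host, now, challenge, response):
    """Steps 3 and 7 plus the checks a real client must add. Returns 'ok' or the reason."""
    body = cert["body"]
    ca_public = trusted_cas.get(body["issuer"])
    if ca_public is None:
        return "untrusted issuer"
    if not verify(ca_public, body, cert["sig"]):
        return "bad CA signature"
    if not body["not_before"] <= now <= body["not_after"]:
        return "certificate not valid at this time"
    if body["subject"] != expected_host:
        return "name mismatch"
    if not verify(tuple(body["pubkey"]), challenge, response):
        return "server does not hold the private key"
    return "ok"
```

The name check is the one most often omitted in hand-rolled clients: without it, any certificate from the trusted CA, including one the attacker legitimately obtained for a different domain, passes step 3. Revocation checking (CRL/OCSP) is the other check a production client performs that this example does not.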
Compare SSL and Kerberos

SSL                                               | Kerberos
--------------------------------------------------|--------------------------------------------------
Uses public key encryption                        | Uses symmetric key encryption
Certificate based (the CA is a trusted third      | Relies on an online trusted third party (the
party, but it is not involved at run time)        | authentication server) at run time
Ideal for secure communications with a large,     | Ideal for networked environments where all
variable user base that is not known in advance,  | services and users are known in advance.
such as the WWW.                                  |
Authentication Protocols in WLAN
WPA (Wi-Fi Protected Access)
A certification program created to secure wireless computer networks.
• Provides stronger data encryption and user authentication than WEP
• Implements a subset of the IEEE 802.11i standard (WPA2 implements the full standard)
The three entities of WPA are the client (supplicant), the Authentication Server (AS), and the Access Point (AP), which acts as the authenticator.
• Only after the client has been authenticated by the authentication server does the authenticator (Access Point) allow the client to access the network; until then the AP passes only authentication traffic between client and AS.
Authentication Protocols in WLAN
• Symmetric key (password based) approach: LEAP
• Public key approach: EAP-TLS
Symmetric Key Approaches
• Efficient and require little computational power, which suits resource-constrained devices such as PDAs and mobile VoIP phones.
• Drawbacks
  • Most of these protocols derive the shared secret from the user's password. When the password is weak, an attacker who records one challenge/response exchange can recover the secret by offline guessing: trying candidate passwords until one reproduces the recorded response, with no further contact with the server.
Lightweight Extensible Authentication Protocol (LEAP)
The server knows the password of the client; the password (in hashed form) is the shared key between the client C and the authentication server S, and each side proves knowledge of it by answering the other's challenge.
Because the response is a deterministic function of the password and a challenge that crosses the air in the clear, LEAP is exposed to exactly the offline dictionary attack described on the previous slide; a practical attack tool for it was published in 2003.
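The following is an added example, not code from the slides or from Cisco's LEAP: a password-based challenge/response in the style of the LEAP slide, followed by the offline dictionary attack the symmetric-key drawbacks slide warns about, run by an eavesdropper who captured a single exchange. It assumes, unlike real LEAP (which uses an NT password hash and an MS-CHAP-style response), that the shared key is SHA-256 of the password and the response is HMAC-SHA256(key, challenge); the property attacked, that the response is a deterministic function of the password and a challenge sent in the clear, is the same. The accounts and the wordlist are constructed for the example.

```python
"""Added example, not from the slides or Cisco's LEAP: password-derived
challenge/response, and the offline dictionary attack against it.

Assumptions (not in the slides): key = SHA-256(password), response =
HMAC-SHA256(key, challenge); constructed accounts and wordlist."""
import hashlib
import hmac
import os


def derive_key(password):
    """Shared key as the slides describe it: derived from the password alone."""
    return hashlib.sha256(password.encode()).digest()


def response(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()


class AuthServer:
    """Authentication server S: knows every user's password-derived key."""

    def __init__(self, passwords):
        self.keys = {user: derive_key(pw) for user, pw in passwords.items()}

    def challenge(self):
        return os.urandom(16)   # fresh per login, so replaying an old response fails

    def check(self, user, challenge, resp):
        key = self.keys.get(user)
        return key is not None and hmac.compare_digest(resp, response(key, challenge))


def client_answer(password, challenge):
    """Client C: proves knowledge of the password without ever sending it."""
    return response(derive_key(password), challenge)


def offline_attack(captured_challenge, captured_response, wordlist):
    """Eavesdropper: never talks to S, so rate limiting and lockout do not apply;
    each guess costs one hash and one HMAC. Returns the password or None."""
    for guess in wordlist:
        if hmac.compare_digest(response(derive_key(guess), captured_challenge),
                               captured_response):
            return guess
    return None


def demo(password="summer2024"):
    """One legitimate login, then the captured pair is run through a wordlist."""
    server = AuthServer({"alice": password})
    chal = server.challenge()
    resp = client_answer(password, chal)        # chal and resp both cross the air in clear
    accepted = server.check("alice", chal, resp)
    wordlist = ["password", "letmein", "summer2023", "summer2024", "welcome1"]  # constructed
    return accepted, offline_attack(chal, resp, wordlist)
```

The random challenge defeats replay, which is all the protocol was designed for; it does nothing against guessing, because the attacker can compute the expected response for any candidate password as cheaply as the server can. Only a password that is not in any feasible wordlist, or a protocol in which the exchange does not leak a password-dependent verifier (EAP-TLS, with certificates), removes this attack.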
Authentication Protocols in WLAN
Public Key Approaches
• Provide strong security: there is no password to guess, and each side proves itself with a signature under its own private key
• Cannot authenticate a client that has no public key certificate, so every client must be provisioned with a certificate and private key before it can join the network
Example: EAP-TLS
EAP-Transport Layer Security (EAP-TLS)
A TLS handshake carried inside EAP, with certificates on both sides:
• The AS verifies the client's digital signature using the client's public key, obtained from the client's certificate Certclient
• The AS obtains the random number p by decrypting it with its private key
• The client calculates H(c, s, p) and compares it with the value sent by the AS