Session 2: Identification and Authentication Flashcards
What is the difference between identification and authentication. Why must they be combined?
Identification is to attach some property to an entity. One example is the name of a person where the entity (the person) is attached to the property (name). The name can be used as a property to identify the person.
Authentication is the check required to verify that the entity trying to identify itself with a given property is in fact legitimate.
Authentication is essential for ensuring correct identification. Without authentication, any entity could present themselves as whatever they wanted without ever being detected when presenting false claims.
What are roughly the 5 categories/groups of network-based attacks?
- Spoofing attacks where the original address is fraudulent
- Re-sending previously captured messages (simple replay)
- Eavesdropping (passive - may be the beginning of an attack)
- Message suspension (DoS)
- Interception and potentially alter content (man in the middle attack)
How is authentication handled to inhibit endpoint (spoofing attacks)?
in general, authentication of a host on the network relies on providing evidence to others proving that you are who you say you are. This can be accomplished through either knowing something, being something (biometrics), and possesion (like possesing a cryptographic key or token).
The most straightforward method of authentication is using passwords. These are however vulnerable to eavesdropping, replay and guessing, and dictionary attacks.
What are the different types of replay attacks and how can networks be protected?
There are several types of replay attacks. The most important are:
- Single replay where a single message is repeated.
- Logable replay can be used for time-stamped messages. Replay can occur within the recorded period.
- Undetectable replay can occur if the mechanisms require for detecting duplicate messages is not enabled. It also may occur if the attacker manages to suppress the original packet.
- Backwards replay is a special sort of replay attack which can be performed in symmetrical authentication channels.
Replay attacks can be protected against through using sequence numbers (as can be found in the TCP-header). Sequence numbers is however no perfect solution as they are not guaranteed to be integrity protected (control for tampering).
How can replay attacks be countered?
The usage of time-stamps is generally considered undesirable. A different approach is to use challenge/response protocols. On a general level this might look like a token being presented to the counterpart which is then tasked with responding in a particular manner where the nonce itself, or a reference to it, is included in the reply.
What is the Needham-Schroeder protocol used for?
The NS protocol is used for the distribution of shared session keys between hosts.
If the two hosts A and B want to communicate securely, they must encrypt their communication. As solely using public key crypto is inefficient (computationally expensive) we often prefer to use symmetric keys. If A and B uses NS to establish such a key, they will do the following:
A sends a message to B containing a nonce (large number) and A’s identity. This message is encrypted using B’s public key. Upon arrival B will decrypt the message and see the identity of A and its nonce. For B to prove its identity to A, B sends back a message containing the nonce generated by A with one of its own. By sending A’s nonce in return B can prove that it is capable of decrypting the encrypted message (which requires B’s private key). Once A receives and decrypts the message from B ( and sends B’s nonce in return), A and B will posses both the nonces which can be combined to construct the shared symmetric key.
The key flaw with this protocol is that the receiver does not need to provide his identity. This means if A connects to a dodgy website C, then C can establish a connection between A and B without A being aware. This would enable C to potentially collect valuable credentials. See full explanation here: https://www.youtube.com/watch?v=EtpdLBeIaus&t=10s
What is Kerberos?
Kerberos is a protocol used for establishing symmetric key session between hosts in a manner that does not require the usage of public keys.
This is accomplished through using a trusted thrid party known as the key distribution center (KDC). The KDC runs two servers, the authentication and ticket server. When the host A wants to communicate with host B, A will first reach out to the authentication server running on the KDC. This is done through using a long term key established between A and the KBC. If the autentication is succesful, the authentication server will provide A with a ticket which enabling it to communicate with the ticket server. The ticket sent to a from the authentication server is encrypted with the private key between the ticket and authentication server. Consequently, A cannot read it but simply passes it along to the ticket server. Through being encrypted with the private key, the ticket server knows that the authentication server issued it. The ticket server will inspect whether A has the permission to communicate with B. If so, a new ticket with a session key issued to enable symmetric key communication between A and B. The tickets issued always have a short expiration date. This requires the hosts to renew their tickets every so often which entails more frequent authentication.
One often overlooked advantage with symmetric key encryption is its resilience to quantum computers which are likely to make asymmetric encryption schemes like RSA much less secure
See more detailed description here:
https://www.youtube.com/watch?v=qW361k3-BtU
