Authentication
Guevara Noubir
College of Computer and Information Science
Northeastern University
Outline
Overview of Authentication Systems
[Chapter 9]
Authentication of People
[Chapter 10]
Offline attack:
How?
Attacker captures X = f(password), e.g. the stored hash of the password
Dictionary attack: hash candidate passwords offline until one matches X; no interaction with the system is needed, so no rate limiting or lockout applies
Obtaining X in a Unix system: “ypcat passwd” (NIS serves the password map, hashes included, to any host on the network)
Unix system: using the salt (a per-user random value hashed together with the password, so the same password gives different entries for different users and one precomputed dictionary cannot be reused against every account)
Protection:
If offline attacks are possible then the secret space should be large enough that the attacker cannot enumerate it
Offline attacks:
Need at least: 64 random bits = 20 decimal digits
Too long for a human to remember!
Or 11 characters from a-z, A-Z, 0-9, and punctuation marks
Too long for a human to remember
Or a 16-character pronounceable password (a vowel every two characters)
Conclusion:
A secret a person is willing to remember and type will not be as good as a 64-bit random number
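The two slides above, as an added example (not code from the lecture): the entropy arithmetic behind "64 random bits = 20 digits", and a salted versus unsalted dictionary attack over a constructed three-line password file. The hash function, the sample entries and the five-word list are constructed for the example; real crypt(3) uses a slow iterated function and real wordlists hold millions of entries. The alphabet sizes (10 digits, 62 alphanumerics, 94 printable characters without space) are assumptions, and the character count for 64 bits comes out as 11 for the alphanumeric alphabet and 10 once punctuation is added.

```python
import hashlib
import hmac
import math


# Entropy arithmetic for the "64 random bits" bullet.
def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def chars_needed(alphabet_size: int, bits: int = 64) -> int:
    """Smallest length that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


# Constructed stand-in for crypt(3): salt || password through SHA-256.
# Real systems use a slow, iterated function; one SHA-256 keeps the example fast.
def hash_password(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user: str, password: str, salt: str) -> str:
    """One line of a constructed password file: user:salt$hash."""
    return f"{user}:{salt}${hash_password(password, salt)}"


def parse_entry(entry: str):
    user, rest = entry.split(":", 1)
    salt, target = rest.split("$", 1)
    return user, salt, target


# Constructed sample "ypcat passwd" output: two users share a weak password.
SALTED = [
    make_entry("alice", "letmein", "x7"),
    make_entry("bob", "letmein", "q2"),
    make_entry("carol", "Tr0ub4dor&3", "m9"),
]
UNSALTED = [make_entry(u, p, "") for u, p in
            [("alice", "letmein"), ("bob", "letmein"), ("carol", "Tr0ub4dor&3")]]

# Constructed tiny wordlist; a real one has millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwerty", "dragon"]


def salted_attack(entries, wordlist):
    """Per-user dictionary attack: the salt forces one hash per (user, word) pair."""
    cracked, hashes_computed = {}, 0
    for entry in entries:
        user, salt, target = parse_entry(entry)
        for word in wordlist:
            hashes_computed += 1
            if hmac.compare_digest(hash_password(word, salt), target):
                cracked[user] = word
                break
    return cracked, hashes_computed


def precomputed_attack(entries, wordlist):
    """Without salt, one table of len(wordlist) hashes serves every user at once."""
    table = {hash_password(word, ""): word for word in wordlist}
    cracked = {}
    for entry in entries:
        user, _salt, target = parse_entry(entry)
        if target in table:
            cracked[user] = table[target]
    return cracked, len(table)


if __name__ == "__main__":
    print("64 bits need", chars_needed(10), "digits,",
          chars_needed(62), "alphanumerics,", chars_needed(94), "printable chars")
    print("salted:  ", salted_attack(SALTED, WORDLIST))
    print("unsalted:", precomputed_attack(UNSALTED, WORDLIST))
```

The salt does not stop the attack on any one account (alice and bob both fall to the same word), it only stops the attacker from amortising one table over the whole file: the hash count grows with the number of users instead of staying at the size of the wordlist.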
Biometrics:
Retinal scanner
Fingerprint readers
Face recognition
Iris scanner
Handprint readers
Voiceprints
Keystroke timing
Signature
One solution:
Lamport’s hash: the server stores n and h^n(password); to log in the user sends h^(n-1)(password), the server checks that hashing it gives the stored value, then stores the new value and decrements n. Because h is one-way, neither the server’s stored value nor an eavesdropped value yields the next one. The scheme allows a finite number of authentications: when n reaches 1 the chain is exhausted and the password must be set up again
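Lamport's hash as an added example, not code from the lecture: a server that stores only (n, h^n(password)), a client that sends h^(n-1)(password), and a driver that runs logins until the chain is exhausted. SHA-256 as h, the user name and the chain length are assumptions made for the example.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """The one-way function of the scheme (SHA-256 here; only one-wayness is needed)."""
    return hashlib.sha256(x).digest()


def hash_chain(secret: bytes, k: int) -> bytes:
    """h^k(secret): h applied k times (h^0 is the secret itself)."""
    x = secret
    for _ in range(k):
        x = h(x)
    return x


class LamportServer:
    """Stores, per user, the counter n and h^n(password); never the password."""

    def __init__(self):
        self.db = {}

    def register(self, user: str, password: str, n: int) -> None:
        self.db[user] = (n, hash_chain(password.encode(), n))

    def counter(self, user: str) -> int:
        """The n the server announces so the client knows which chain value to send."""
        return self.db[user][0]

    def authenticate(self, user: str, x: bytes) -> bool:
        n, stored = self.db[user]
        if n <= 1:
            return False          # chain exhausted: re-register with a fresh n
        if not hmac.compare_digest(h(x), stored):
            return False          # wrong value, or replay of an already-used one
        self.db[user] = (n - 1, x)   # x becomes the new reference, n decrements
        return True


def client_otp(password: str, n: int) -> bytes:
    """What the user's workstation sends when the server's counter is n."""
    return hash_chain(password.encode(), n - 1)


def login_sequence(password: str, n: int, attempts: int) -> list:
    """Run `attempts` logins against a fresh server and report each outcome."""
    server = LamportServer()
    server.register("alice", password, n)   # "alice" is a constructed user
    results = []
    for _ in range(attempts):
        k = server.counter("alice")
        results.append(server.authenticate("alice", client_otp(password, k)))
    return results


if __name__ == "__main__":
    print(login_sequence("correct horse", 4, 5))
```

With n = 4 exactly three logins succeed; the fourth would require sending h^0, the password itself, so the server refuses and the user must re-register. A value captured on the wire is useless afterwards: the server now expects its preimage.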
RSA variant:
B stores: “A”, W, A’s public key, Y = W’{A’s private key}
A sends: A, W{g^a mod p}
B sends: W{g^b mod p}, (g^ab mod p){Y}, c
A replies: [hash(g^ab mod p, c)]signed by A
Notation: W and W’ are two different hashes of A’s password, K{X} is X encrypted with key K, c is a challenge chosen by B. B never holds W’ or A’s private key; A recovers the private key only after decrypting Y with the shared g^ab mod p and then with W’, and proves possession of it by signing the challenge
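The exchange above, run end to end as an added example (not code from the lecture): B's stored record, the two encrypted Diffie-Hellman messages, the delivery of Y under g^ab mod p, and A's signature over hash(g^ab mod p, c). Everything concrete is an assumption: W and W' are derived as two domain-separated SHA-256 hashes of the password, K{X} is an XOR stream keyed by SHA-256(K, counter), the Diffie-Hellman group is the Mersenne prime 2^127-1 with g = 3, and A's RSA key is one fixed textbook pair built from two Mersenne primes with no padding. None of these choices are secure parameters; they only make the message flow runnable.

```python
import hashlib
import secrets

# --- toy parameters (assumed for the example; far too small and simple for real use) ---
P = 2**127 - 1                               # Diffie-Hellman prime (Mersenne)
G = 3                                        # generator, toy choice
RSA_E = 65537
RSA_P, RSA_Q = 2**89 - 1, 2**107 - 1         # A's fixed textbook RSA key
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


def password_keys(password: str):
    """W and W': two independent hashes of the password (assumed derivation)."""
    pw = password.encode()
    return H(b"W", pw), H(b"W-prime", pw)


def sym(key: bytes, data: bytes) -> bytes:
    """K{X}: XOR with a SHA-256(key, counter) keystream; the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = H(key, i.to_bytes(4, "big"))
        out += bytes(x ^ k for x, k in zip(data[i:i + 32], block))
    return bytes(out)


def i2b(x: int, n: int) -> bytes:
    return x.to_bytes(n, "big")


def b2i(b: bytes) -> int:
    return int.from_bytes(b, "big")


def enroll(name: str, password: str) -> dict:
    """What B stores: "A", W, A's public key, Y = W'{A's private key}. No W'."""
    W, W_prime = password_keys(password)
    return {"name": name, "W": W, "pub": (RSA_N, RSA_E),
            "Y": sym(W_prime, i2b(RSA_D, 32))}


def a_sends(name: str, password: str):
    """A -> B: A, W{g^a mod p}."""
    W, W_prime = password_keys(password)
    a = secrets.randbelow(P - 2) + 1
    return {"a": a, "W": W, "W'": W_prime}, (name, sym(W, i2b(pow(G, a, P), 16)))


def b_sends(record: dict, msg1):
    """B -> A: W{g^b mod p}, (g^ab mod p){Y}, c."""
    name, enc_ga = msg1
    if name != record["name"]:
        raise ValueError("unknown user")
    ga = b2i(sym(record["W"], enc_ga))
    b = secrets.randbelow(P - 2) + 1
    K = i2b(pow(ga, b, P), 16)                # g^ab mod p as a key
    c = secrets.token_bytes(16)               # B's challenge
    msg2 = (sym(record["W"], i2b(pow(G, b, P), 16)), sym(K, record["Y"]), c)
    return {"K": K, "c": c}, msg2


def a_replies(a_state: dict, msg2) -> int:
    """A -> B: [hash(g^ab mod p, c)] signed with A's recovered private key."""
    enc_gb, enc_Y, c = msg2
    gb = b2i(sym(a_state["W"], enc_gb))
    K = i2b(pow(gb, a_state["a"], P), 16)
    d = b2i(sym(a_state["W'"], sym(K, enc_Y)))   # strip g^ab, then W'
    h = b2i(H(K, c)) % RSA_N
    return pow(h, d, RSA_N)


def b_verifies(record: dict, b_state: dict, sig: int) -> bool:
    n, e = record["pub"]
    return pow(sig, e, n) == b2i(H(b_state["K"], b_state["c"])) % n


def run(record: dict, typed_password: str) -> bool:
    """Whole exchange; True iff B accepts A's signature."""
    a_state, m1 = a_sends(record["name"], typed_password)
    b_state, m2 = b_sends(record, m1)
    return b_verifies(record, b_state, a_replies(a_state, m2))


if __name__ == "__main__":
    rec = enroll("A", "correct horse battery")
    print(run(rec, "correct horse battery"), run(rec, "wrong password"))
```

A mistyped password breaks the run twice over: A's W no longer matches B's, so the two sides derive different g^ab mod p, and A's W' no longer decrypts Y to the real private key, so the signature fails to verify. Note what B's record contains: W, the public key and Y, but never W' or the private key, which is the point of storing Y in encrypted form.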