Authentication
- user authentication by comparing the password entered (for the specified login) with the password stored in the database of user logins;
- confirming the authenticity of an e-mail message by verifying its digital signature using the sender's public key;
- checking a file's checksum against the value declared by the author of the file.
In Russian, the term is used mainly in the field of information technology .
Depending on the degree of trust and the system's security policy, authentication can be one-way or mutual. It is usually carried out using cryptographic methods.
Authentication should not be confused with authorization (the procedure for granting a subject certain rights) or identification (the procedure for recognizing a subject by its identifier).
Content
- 1 History
- 2 Standards
- 2.1 GOST R ISO/IEC 9594-8-98 - Basics of authentication
- 2.2 FIPS 113 - COMPUTER DATA AUTHENTICATION
- 3 Elements of an authentication system
- 4 Authentication Factors
- 5 Authentication Methods
- 5.1 Electronic Signature Authentication
- 5.2 Password Authentication
- 5.2.1 Reusable Password Authentication
- 5.2.1.1 Security
- 5.2.1.2 Account Databases
- 5.2.2 One-Time Password Authentication
- 5.3 SMS Authentication
- 5.4 Biometric Authentication
- 5.4.1 Most used biometric attributes and associated systems
- 5.5 Geographic Location Authentication
- 5.5.1 GPS Authentication
- 5.5.2 Internet Based Location Authentication
- 5.6 Multi-factor authentication
- 6 Authentication Protocols
- 7 Internet Authentication
- 8 See also
- 9 Literature
- 10 Links
History
Since ancient times people have faced a rather difficult task: verifying the authenticity of important messages. Spoken passwords and intricate seals were invented. The advent of authentication methods using mechanical devices greatly simplified the task; for example, the ordinary lock and key were invented very long ago. An example of an authentication system can be seen in the old tale "The Adventures of Ali Baba and the Forty Thieves". The tale speaks of treasures hidden in a cave whose entrance was blocked with a stone. The stone could be moved only with the help of a unique spoken password: "Sim-Sim, open!"
Currently, due to the vast development of network technologies, automatic authentication is used everywhere.
Standards
Documents Defining Authentication Standards
GOST R ISO/IEC 9594-8-98 - Basics of authentication
This standard:
- defines the format of authentication information stored by the directory;
- describes a method for obtaining authentication information from a directory;
- establishes the prerequisites for the methods of forming and placing authentication information in the directory;
- defines three ways in which application programs can use such authentication information to perform authentication, and describes how other security services can be provided through authentication.
This standard describes two types of authentication: simple, using a password to verify the claimed identity, and strong, using credentials created by cryptographic methods.
FIPS 113 - COMPUTER DATA AUTHENTICATION
This standard establishes a Data Authentication Algorithm (DAA) that can be used to detect unauthorized changes to data, whether intentional or accidental, based on the algorithm specified in the Data Encryption Standard (DES), Federal Information Processing Standards Publication (FIPS PUB) 46, and is compatible with both the Department of the Treasury's Electronic Funds and Security Transfer Policy and the American National Standards Institute (ANSI) Standard for Financial Institution Message Authentication.
This standard is used to control the integrity of transmitted information by means of cryptographic authentication.
Authentication System Elements
In any authentication system, several elements can usually be distinguished:
- the subject who will undergo the procedure
- the characteristic of the subject
- the owner of the authentication system, responsible for and supervising its operation
- the authentication mechanism itself, that is, the operating principle of the system
- an access control mechanism that grants certain access rights to the subject
| Authentication element | Cave of 40 Thieves | Registration in the system | ATM |
|---|---|---|---|
| Subject | Password-aware person | Authorized User | Bank card holder |
| Characteristic | Password "Sim-Sim, open!" | Secret password | Bank card and personal identifier |
| System master | 40 robbers | The company that owns the system | Bank |
| Authentication mechanism | Word responsive magic device | Password Verification Software | Card Verification Software and Personal Identifier |
| Access control mechanism | The mechanism that moves the stone from the entrance to the cave | The process of registration, access control | Permission to perform banking actions |
Authentication Factors
Even before the advent of computers, various distinctive features and characteristics of the subject were used. Today the choice of a particular characteristic for a system depends on the required reliability, security and cost of implementation. There are three authentication factors:
- Something we know, for example some secret information. This is secret information that only an authorized subject should possess. The secret may be a certain phrase or password, for example in the form of a spoken message, a text, a combination for a lock or a personal identification number (PIN). The password mechanism is quite easy to implement and has a low cost. But it has significant drawbacks: it is often difficult to keep a password secret, and attackers constantly come up with new ways to steal, guess and crack passwords (see rubber-hose cryptanalysis, brute force method). This makes the password mechanism insecure.
- Something we possess, for example some unique physical object. It is important that the subject possesses some unique object. This can be a personal seal or a key to a lock; for a computer it is a data file containing the characteristic. The characteristic is often built into a dedicated authentication device, for example a plastic card or a smart card. It is harder for an attacker to obtain such a device than to crack a password, and the subject can report immediately if the device is stolen. This makes the method more secure than the password mechanism, but the cost of such a system is higher.
- Something that is an integral part of ourselves, that is, biometrics. The characteristic is a physical feature of the subject: a portrait, a fingerprint or palm print, a voice or eye feature. From the subject's point of view this method is the simplest: there is no need to remember a password or carry an authentication device. However, the biometric system must be sensitive enough to confirm an authorized user while rejecting an attacker with similar biometric parameters. The cost of such a system is also quite high. Despite its shortcomings, biometrics remains a rather promising factor.
Authentication Methods
Electronic Signature Authentication
Federal Law of 06.04.2011 N 63-ФЗ "On electronic signature" (as amended) provides for the following types of electronic signature:
- A simple electronic signature is an electronic signature that, through the use of codes, passwords or other means, confirms the fact that the electronic signature was generated by a certain person.
- An unqualified electronic signature is an electronic signature that:
  - is obtained as a result of a cryptographic transformation of information using an electronic signature key;
  - allows the person who signed the electronic document to be identified;
  - allows detection of the fact that changes were made to the electronic document after it was signed;
  - is created using electronic signature means.
- A qualified electronic signature is an electronic signature that meets all the characteristics of an unqualified electronic signature and the following additional requirements:
  - the electronic signature verification key is indicated in the qualified certificate;
  - the electronic signature means used to create and verify the signature have received confirmation of compliance with the requirements established in accordance with this Federal Law.
Password Authentication
- Reusable Password Authentication
- One Time Password Authentication
Reusable Password Authentication
One method of authentication in a computer system is entering a user identifier, colloquially called a "login" (English: login, i.e. user name or account), and a password, some confidential information. The reference login-password pair is stored in a special database.
Simple authentication follows this general algorithm:
- The subject requests access to the system and enters a personal identifier and password.
- The entered data is sent to the authentication server, where it is compared with the reference.
- If the data matches the reference, authentication is considered successful; if it differs, the subject returns to step 1.
The password entered by the subject can be transmitted on the network in two ways:
- Unencrypted, plain text, based on Password Authentication Protocol (PAP)
- Using SSL or TLS encryption. In this case, the unique data entered by the subject is transmitted over the network securely.
Security
For the best security when storing and transmitting passwords, one-way functions should be used. Typically, cryptographically strong hash functions serve this purpose. In this case only the password's image (its hash) is stored on the server. Having received the password and computed its hash, the system compares the result with the reference image it holds; if they are identical, the passwords match. For an attacker who has obtained the image, it is practically impossible to compute the password itself.
The use of reusable passwords has a number of significant disadvantages. First, the reference password itself or its hashed image is stored on the authentication server. Often the password is stored in system files without any cryptographic transformation; by gaining access to them, an attacker can easily reach confidential information. Secondly, the subject is forced to remember (or write down) the reusable password, and an attacker can obtain it simply by applying social engineering, without any technical means. In addition, the security of the system is greatly reduced when the subject chooses the password himself: it often turns out to be a word or a combination of words found in a dictionary. In GOST 28147-89 the key length is 256 bits (32 bytes), and when a pseudo-random number generator is used the key has good statistical properties. A password that is, for example, a dictionary word can be reduced to a pseudo-random number 16 bits long, which is 16 times shorter than the GOST key. Given enough time, an attacker can crack such a password by simple brute force. The solution to this problem is to use random passwords, or to limit the lifetime of the subject's password, after which it must be changed.
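The storage-and-verification scheme described above, as an added example written for this article rather than code from any system it mentions: the server keeps only a salted PBKDF2 image of each password, compares candidates in constant time, rejects dictionary words at registration (the word list and iteration count are constructed values), and offers random passwords as the remedy the text suggests.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for this example, not values from the article.
ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str) -> dict:
    """Turn a password into its stored 'image': a random salt plus the
    PBKDF2-HMAC-SHA256 hash. The plaintext password itself is never kept."""
    salt = os.urandom(SALT_BYTES)
    image = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "image": image, "iterations": ITERATIONS}


def check_record(record: dict, candidate: str) -> bool:
    """Re-derive the image from the candidate and compare it with the stored
    one in constant time (step 3 of the algorithm in the article)."""
    image = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(image, record["image"])


class PasswordAuthServer:
    """Minimal reusable-password authentication server: a login -> record map."""

    # Constructed stand-in for a real word list; the article's point is that a
    # dictionary word has far less entropy than a random key.
    WEAK_WORDS = {"password", "qwerty", "letmein", "welcome"}

    def __init__(self) -> None:
        self._db: dict[str, dict] = {}
        # Dummy record so that unknown logins cost the same time as known ones.
        self._dummy = make_record(secrets.token_hex(16))

    def register(self, login: str, password: str) -> None:
        if password.lower() in self.WEAK_WORDS:
            raise ValueError("password is a dictionary word")
        self._db[login] = make_record(password)

    def authenticate(self, login: str, password: str) -> bool:
        record = self._db.get(login)
        if record is None:
            check_record(self._dummy, password)  # burn the same time, then fail
            return False
        return check_record(record, password)

    def stores_plaintext(self, login: str, password: str) -> bool:
        """True only if the password itself appears in the stored record."""
        rec = self._db[login]
        return password.encode("utf-8") in rec["salt"] + rec["image"]


def random_password(length: int = 16) -> str:
    """Random password: the article's remedy for dictionary-word passwords."""
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    srv = PasswordAuthServer()
    pw = random_password()
    srv.register("alice", pw)
    print("correct password:", srv.authenticate("alice", pw))        # True
    print("wrong password:  ", srv.authenticate("alice", pw + "x"))  # False
    print("unknown login:   ", srv.authenticate("bob", pw))          # False
```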
Account Databases
On computers with a UNIX-family OS, the database is the /etc/master.passwd file (on Linux distributions it is usually the /etc/shadow file, readable only by root), in which user passwords are stored as hashes of the plaintext passwords; the same file also stores information about user rights. Originally, on Unix systems the password (in encrypted form) was stored in the /etc/passwd file, which was readable by all users, and this was insecure.
On computers running Windows NT/2000/XP/2003 (not members of a Windows domain), this database is called the SAM (Security Account Manager). The SAM database stores user accounts, including all the data the security subsystem needs to function. It is located in the %windir%\system32\config\ directory.
In Windows Server 2000/2003 domains, this database is Active Directory.
However, the use of special hardware (components) is recognized as a more reliable way of storing authentication data.
When employees need to work on different computers (with security support), hardware-software systems are used that store the authentication data and cryptographic keys on the organization's server. Users can then work freely on any computer (workstation) while having access to their authentication data and cryptographic keys.
One-Time Password Authentication
Having obtained a subject's reusable password once, an attacker has permanent access to the compromised confidential information. This problem is solved by using one-time passwords (OTP, One Time Password). The essence of the method is that a password is valid for only one login; on each subsequent access request a new password is required. The one-time password authentication mechanism can be implemented in both hardware and software.
Technologies for using one-time passwords can be divided into:
- Using a pseudo-random number generator shared by the subject and the system
- Using timestamps together with a common time source
- Using a database of random passwords shared by the subject and the system
The first method uses a pseudo-random number generator with the same value for the subject and the system. The password generated by the subject can be passed to the system by sequentially applying a one-way function, or, with each new request, it is derived from unique information in the previous request.
The second method uses timestamps. An example of this technology is SecurID. It is based on the use of hardware keys and time synchronization. Authentication relies on generating random numbers at specific time intervals. A unique secret key is stored only in the system's database and in the subject's hardware device. When a subject requests access to the system, he is prompted to enter a PIN code as well as the randomly generated number displayed at that moment on the hardware device. The system checks the entered PIN code against the subject's record in its database and generates a random number from the secret key in the database and the current time. It then checks that the generated number and the number entered by the subject are identical.
The third method is based on a single password database shared by the subject and the system, with high-precision synchronization between them. Each password from the set can be used only once, so even if an attacker intercepts the password used by the subject, it is no longer valid.
Compared with reusable passwords, one-time passwords provide a higher degree of protection.
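The second (time-synchronized) scheme above, as an added example that is not code from SecurID or any other product: the token side computes a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226, with the test vectors those RFCs publish), and the server side checks the PIN, tolerates a small clock drift, and refuses to accept a code from a time slot that has already been used, so each password works exactly once.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # length of one time slot
DIGITS = 6          # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time
    slot. This is the number the hardware device displays to the subject."""
    return hotp(secret, unix_time // step)


class OtpServer:
    """Server side of the time-synchronized scheme: a PIN plus a code derived
    from a secret shared only between the server's database and the token."""

    def __init__(self, window: int = 1) -> None:
        self._users: dict[str, dict] = {}
        self._window = window   # tolerated clock drift, in time slots

    def enroll(self, login: str, pin: str, secret: bytes) -> None:
        self._users[login] = {
            "pin": hashlib.sha256(pin.encode("utf-8")).digest(),
            "secret": secret,
            "last_slot": -1,    # highest time slot already used for a login
        }

    def verify(self, login: str, pin: str, code: str, unix_time: int) -> bool:
        user = self._users.get(login)
        if user is None:
            return False
        pin_image = hashlib.sha256(pin.encode("utf-8")).digest()
        pin_ok = hmac.compare_digest(pin_image, user["pin"])
        slot = unix_time // STEP_SECONDS
        matched = None
        # Recompute the code for the current slot and its neighbours.
        for candidate in range(slot - self._window, slot + self._window + 1):
            if hmac.compare_digest(hotp(user["secret"], candidate), code):
                matched = candidate
        # A code whose slot was already accepted is a replay: reject it.
        if not pin_ok or matched is None or matched <= user["last_slot"]:
            return False
        user["last_slot"] = matched
        return True


if __name__ == "__main__":
    # Constructed enrollment; the shared secret is the RFC 4226 test key.
    shared_secret = b"12345678901234567890"
    server = OtpServer()
    server.enroll("alice", "1234", shared_secret)
    now = int(time.time())
    displayed = totp(shared_secret, now)          # what the token shows
    print("first use: ", server.verify("alice", "1234", displayed, now))  # True
    print("replayed:  ", server.verify("alice", "1234", displayed, now))  # False
```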
SMS Authentication
The need to secure mobile communications, such as IP telephony, stimulates new developments in this area. Among them is authentication using SMS messages.
The procedure for this authentication includes the following steps:
- Enter the username and password
- Immediately after this, PhoneFactor (a security service) sends a one-time authentication key as an SMS text message.
- The received key is used for authentication
The attractiveness of this method is that the key is delivered over a channel other than the one on which authentication is performed (out-of-band authentication), which virtually eliminates the "man in the middle" attack. An additional level of security may be provided by requiring the PIN code of the mobile device to be entered.
This method is widely used in banking operations over the Internet.
Biometric Authentication
Authentication methods based on measuring a person's biometric parameters provide almost 100% identification, solving the problems of lost passwords and personal identifiers.
Examples of implementations of these methods are user identification systems based on the iris pattern, palm prints, ear shape, infrared image of the capillary vessels, handwriting, smell, voice timbre and even DNA.
A new direction is the use of biometric characteristics in smart payment cards, access badges and mobile phone components. For example, when paying in a store, the card holder places a finger on a scanner to confirm that the card is really his.
Most used biometric attributes and related systems
- Fingerprints. Such scanners are small, versatile and relatively inexpensive. The biological repeatability of a fingerprint is 10⁻⁵ %. They are currently promoted by law enforcement agencies because of large investments in electronic fingerprint archives.
- Hand geometry. Suitable devices are used when finger scanners are hard to use because of dirt or injuries. The biological repeatability of hand geometry is about 2%.
- The iris of the eye. These devices have the highest accuracy. The theoretical probability of two irises coinciding is 1 in 10⁷⁸.
- Thermal image of the face. Such systems can identify a person at a distance of tens of meters. Combined with database lookup, they are used to identify authorized employees and screen out outsiders. However, face scanners have a relatively high error rate when the lighting changes.
- Face recognition. Systems based on this approach can identify a person under certain conditions with an error rate of no more than 3%. Depending on the method, a person can be identified at distances from half a meter to several tens of meters. The method is convenient in that it can be implemented with ordinary equipment (a webcam, etc.); more sophisticated methods require more sophisticated devices. Some (not all) methods have the weakness of substitution: identification can be passed by replacing the face of a real person with his photograph.
- The voice. Voice verification is convenient for telecommunication applications. The 16-bit sound card and condenser microphone it requires cost less than $25. The error probability is 2-5%. This technology is suitable for voice verification over telephone channels; it is more reliable than tone dialing of a personal number. Identifying a person and his condition by voice (excited, ill, telling the truth, not himself, etc.) is also being developed.
- Keyboard input. Here, when entering, for example, a password, the typing speed and the intervals between keystrokes are tracked.
- Signature. Digitizers are used to verify handwritten signatures.
At the same time, biometric authentication has several disadvantages:
- The biometric template is compared not with the result of the initial processing of the user's characteristics, but with whatever has arrived at the point of comparison. A lot can happen along the way.
- The template database could be modified by an attacker.
- There is a difference between using biometrics in a controlled area, under the watchful eye of a guard, and in "field" conditions, where there may be, for example, a fake, etc.
- Some of a person's biometric data changes (as a result of aging, injuries, burns, cuts, illness, amputation, etc.), so the template database needs constant maintenance, which creates certain problems for both users and administrators.
- If your biometric data is stolen or compromised, it is usually compromised for life. Passwords, for all their insecurity, can be changed as a last resort; you cannot change your finger, eye or voice, at least not quickly.
- Biometric characteristics are unique identifiers, but they cannot be kept secret.
Location Authentication
- GPS Authentication
- Location Based Internet Authentication
GPS Authentication
The newest area of authentication is proving the authenticity of a remote user by his location. This protective mechanism is based on the use of a satellite navigation system such as GPS (Global Positioning System).
A user with GPS equipment repeatedly sends the coordinates of the satellites in his line of sight. The authentication subsystem, knowing the satellite orbits, can determine the user's location to within a meter. The high reliability of this authentication comes from the fact that satellite orbits are subject to fluctuations that are difficult to predict. In addition, the coordinates change constantly, which rules out interception.
The difficulty of defeating the system lies in the fact that the equipment transmits the digitized satellite signal without performing any calculations; all location calculations are performed on the authentication server.
GPS equipment is simple and reliable to use and relatively inexpensive. This allows it to be used in cases where an authorized remote user must be in the right place.
Internet Based Location Authentication
This mechanism is based on using information about the location of the servers and wireless access points through which the connection to the Internet is made.
This mechanism is relatively easy to defeat, because location information can be altered using so-called proxies or anonymous access systems.
Multi-Factor Authentication
Recently, so-called extended, or multi-factor, authentication has been used more and more. It combines several authentication factors, which greatly increases the security of the system.
An example is the use of SIM cards in mobile phones. The subject inserts his card (an authentication device) into the phone and, when it is switched on, enters his PIN code (a password).
Another example: some modern laptops have a fingerprint scanner. To log in, the subject must pass this check (biometrics) and then enter a password.
When choosing an authentication factor or method for a system, one must proceed first of all from the required degree of security, the cost of building the system, and the mobility of the subject.
A comparison table:
| Risk level | System requirements | Authentication technology | Application examples |
|---|---|---|---|
| Low | Authentication is required to access the system, and theft, hacking or disclosure of confidential information will not have significant consequences | The recommended minimum is the use of reusable passwords | Registration on an Internet portal |
| Medium | Authentication is required to access the system, and theft, hacking or disclosure of confidential information will cause moderate damage | The recommended minimum is the use of one-time passwords | Banking operations by a subject |
| High | Authentication is required to access the system, and theft, hacking or disclosure of confidential information will cause significant damage | The recommended minimum is the use of multi-factor authentication | Major interbank operations conducted by management |
Authentication Protocols
The authentication procedure is used in the exchange of information between computers, with very complex cryptographic protocols that protect the communication line from eavesdropping and from the substitution of one of the participants in the interaction. And since, as a rule, authentication is necessary for both parties establishing the network interaction, it can be mutual.
Thus, several families of authentication can be distinguished:
User Authentication on PC:
- Encrypted Name (login)
- Password Authentication Protocol , PAP (login-password combination)
- Access card (USB with certificate, SSO)
- Biometrics (voice, fingerprint / palm / iris)
Network Authentication:
- Secure SNMP using digital signature
- SAML (Security Assertion Markup Language)
- Cookie session
- Kerberos Tickets
- X.509 Certificates
- OpenID Connect authentication add-in over OAuth 2.0 protocol
Operating systems of the Windows NT 4 family use the NTLM protocol (NT LAN Manager). In Windows 2000/2003 domains the much more advanced Kerberos protocol is used.
Internet Authentication
Authentication is required when accessing services such as:
- web forum
- social networks
- Internet banking
- payment systems
- corporate sites
- online stores
A positive result of authentication (in addition to establishing trust and generating a session key) is the authorization of the user, that is, granting him access rights to the resources defined for his tasks.
See also
- Unified Identification and Authentication System
- Cyrus SASL
- Token (authorization)
- One time password
- Login
- Needham-Schroeder Authentication Protocol
- Account
- Internet Authentication