Abstract: The security measure in today's networking world has been reached to a peak state where for every new networking update or invention the threat to it is also coming into picture at the same time which challenges the computing world to develop highly secure mechanisms. In earlier days this was not the case or the threats were occurred rarely. This paper presents the different secure authentication protocols and their mechanisms and consequences and to which extent they provide the security aspect.
Authentication Protocol is a strong security measure which is followed between two legitimate communication parties to protect their communication system from false or fraud transmissions by forming a set of rules. Before that the parties involved in communication must also prove their identity whether they are eligible to participate in communication or not. The messages exchanged between them must be genuine and completely secured so that the hackers by any means should not detect them. In short their communication should be completely secured. There are many different authentication protocols involved in different scenarios such as:
Get your grade
or your money back
using our Essay Writing Service!
CAVE-based authentication Protocol
Cellular Authentication and Voice Encryption authentication protocol involves two network entities namely Authentication Center and Visitor location register. They have two shared keys the Authentication key and shared secret data. The Authentication center authenticates Mobile station or it shares the Shared secret data with the visitor location register for authentication to happen. Visitor location register authenticates the mobile when it is in roaming state if the shared secret data is shared with the network or it proxies the responses of the authentication from roamers to its home network. Here authentication key is 64-bit and shared secret data is 128-bit keys.
Challenge-handshake authentication protocol
CHAP is an authentication protocol that authenticates a user who is operating with other authenticating user like internet service provider and checks the validity or identity of the remote clients on the other side. This task is performed by the Point-to-point protocol. It checks the identity and validates the other client at the time of establishment of link and the verification process is done by the shared secret like the password. When the connection is made the authenticator issues a challenge to the other client. The other client responds the challenge by calculating it using one way hash function. The client also uses shared secret to respond. Now the authenticator checks the calculated value with its own value, if it matches it acknowledges the client that it is ready to share the conversation as it proved to be authorized. Otherwise it terminates the connection as the client is not authorized. The authenticator sends the challenge at randomly selected time also.
Host Identity Protocol
This Protocol is used for technology of host identification for the use of Internet Protocol networks. This protocol uses IP addresses and domain name system as two main entities. This protocol is used in mobile computing. The networks in which HIP is implemented the occurrences of IP addresses are removed and replaced with cryptographic host identifiers.
Remote Authentication Dial In User Service
This protocol provides AAA management i.e. Authentication, authorization and accounting management for the computers that use a particular network service and also to connect to that service. This protocol authenticates the users before giving permission to access a particular network. It again authorizes certain network services for those particular users only and also accesses the account for usage to those users only. This is a client/server protocol which uses UDP for transport and it runs in the application layer level.
This authenticating protocol form the rules to prove their identity for the nodes that are communicating which each other over a non- secure network in a completely secure manner. It mainly functions a client-server model and also provides mutual authentication. This protocol helps in escaping from replay attacks and eavesdrops. This protocol builds on symmetric key cryptography and a third trusted party is required which is called key distribution center (KDC).
(KDC) which maintains the database of secret keys i.e. each of the client servers maintains a secret key known to themselves and KDC. Here the KDC generates session key which helps to continue on their secure interactions between the two authorized parties. The User logon the client machine which performs one way hash function on the given password and this becomes the session key. Then client authentication followed by client service authorization then client service requests are main steps of execution of this protocol.
Password Authenticated key exchange Protocol (wireless networks)
Always on Time
Marked to Standard
This protocol helps in sharing the password between entities and shares the information using session key with each other after verifying their identities. But the major challenge to protocol is to deal with the password guessing attack or it is called dictionary attack, this is of two type's on-line dictionary attack in which the enemy attacker acts as a legitimate or legal partner in the communication and maintains the interaction normally by running the protocol by selecting a password randomly. If the adversary (enemy) protocol run is successful then he gets the correct password or else he excludes the assumption password. The other type of attack is off-line dictionary attack in which the adversary secretly listens to the conversation of the communication of two legitimate parties and tries to gather data during their protocol execution. Then he checks the correctness of the guessed passwords from their conversation by being in off-line with the help of recorded data of the authorized parties. Here off-line attacks are more difficult to defend. To defend the off-line attacks the conversation between legitimate parties should not reveal any hint or whisker like thing to guess the information of password. Then some protocols were shown to be secure against off-line attacks by using public key cryptographic techniques. These protocols were known as Encrypted key exchange (EKE) protocols. Different public-key cryptosystems were tried to implement EKE but among all Diffe-Hellman key exchange became most well-known but showed a fine distinction with when implemented with Rivest, Shamir and Adleman (RSA) and other public key cryptographic systems. The problem with it is one authorized party cannot validate the RSA public key of other authorized party because the digital signature isn't used in the protocol.
Improvisation Attempt: A new proposal was that the RSA public key should be validated by the client by continuously sending number of encrypted messages by using RSA public key of the server. The server if it can decrypt all the encrypted messages then the client is said to be ensured that the encryption is a permutation and it is a valid RSA public key. Then against undetectable online password guessing attack a notion was proposed stating that this protocol is insecure against online password guessing attack. In this way this attempt failed. Also after this many attempts were made but this improvisation led vulnerable to off-line dictionary attack. So this protocol proved a misconception.
Diffie Hellman Key Exchange
This protocol is one of the earliest forms of protocol in which the two authorized communicating parties communicate having no knowledge about each other share a secret key over a communication channel which is to be insecure channel. This protocol establishes a shared secret key that can be used for communicating secretly over a public network known as key exchange protocol. In this protocol generally two parties exchange the prime and the generator such that prime is greater than generator. Then both the parties generate a random number and keep it as secret. Then this protocol implementation uses multiplicative group of integers modulo p formula. In short here both parties agree on a cyclic group and generating element then one party picks a random natural number and sends generating element to power of natural number to other party. The second party also does the same then both the parties compute generating element to power of natural numbers of both parties which leads to possession of group element which serves as a shared secret key between two authorized parties. Thus if one party encrypts the message the other party decrypts that message using the shared secret key. This protocol has a drawback like this protocol can suffer from MITM Man in the Middle Attack who can view, insert false message and modify the messages at his will without the knowledge of authorized parties and can act as authorized party. He can view the messages and intercept the messages also. This is the main drawback when this Diffie Hellman protocol is used without authentication. Otherwise they use password-authenticated key agreement to avoid themselves from MITM attacks.
Authentication of session initiation protocol
The Session Initiation Protocol is used in 3G network mobile phones and VOIP. IP based telephony is the major application of this protocol. It doesn't require any internet support for VOIP due to which it is much prone to attacks like TCP session Hijacking, Spoofing etc. The 4 major resources like the registrar, proxy server, user agent, redirect server. Firstly in this SIP authentication procedure SIP user agent client must identify user agent server. That is the reason the SIP authentication procedure applies to user-to-user communications. This SIP authentication procedure is a challenge based mechanism where a server after receiving a request challenges the client or sender of request to prove its identity that the party is authorized, and in that challenge a uniquely generated nonce is sent. Here the client and server share a secret password. The sender uses the shared password with nonce to give a response. Then the server authenticates the request after the requester sends the request again with the computed value. By this mechanism it is clear that the password is never sent in clear text. The authentication involves the computation of nonce, username, password and realm and then compare with the response. This authentication procedure runs intermediate proxy server that needs the calling side to be authenticated before it accepts the call or accepts the registration. The intermediate proxy server sends a Sip plain message. After receiving the message the proxy server decides that authentication is required and sends a SIP error message requesting authentication and this error is taken as the challenge. The user agent client receives the challenge and then it computes it. Then it sends it as new SIP request message. This digest authentication does not provide high level security due to that it is based on shared secret other than public key mechanism.
This Essay is
a Student's Work
This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.Examples of our work
Terminal Access Controller and Access Control System and TACACS+
TACAS (Terminal Access Controller and Access Control System) is an authentication protocol (remote) which is used for communicating with authenticating server. This protocol allows the remote server that is accessible to communicate with authenticating server to check whether the user has an authorized access to the network or unauthorized access. This TACAS protocol uses TCP or UDP port. The TACAS allows the client to take the password and username. Then it sends a request query to the TACAS authentication server. The server is generally a program that is normally running on the host. The role of the host is to decide whether to accept or deny the request. It then sends a response back. The routing node called TIP would then allow the access or deny. This is based on the response from the host. TACAS+ like RADIUS provides AAA management. This protocol has replaced TACAS protocol in more recently updated networks and coming networks in future also. The TACAS protocol utilizes TCP. The advantages of TACAS+ are this protocol offers the multiprotocol support, such as IP and Apple Talk for example. The packet encryption is done completely in its normal operation. This helps in secure communications. This TACAS+ is an enhancement to TACAS as it is a Cisco proprietary. This TACAS+ protocol is completely incompatible with other previous protocols which give uniqueness to it.
Radio Frequency Identification-Authentication Protocols
This RFID protocol emerged as a promising technique that is largely deployed systematically for inventory management, the automatic identifiers generally and some applications like retail operations. This is an improvement over barcode as it doesn't require direct line-of sight reading. Initially while dealing with light weight RFID protocols there are many attacks and threats in particular integrity attacks which made it compromised. The attacks like off-line man-in-the-middle attack, tag cloning, Tag disabling etc. By the affect of these attacks certain security measurements are taken like the authentication, unlink ability of session, forward and backward security. Then to counter attack those EPCGen2 compliant protocols came into action which supported the security measures like forward and backward security, session unlink ability. This protocol uses the mechanism called the cryptographic mechanism i.e. it is a synchronized pseudorandom number generator (RNG) which is shared with the back-end server. Finally the correct authentication is gained by using a less numbers say 2 that is drawn from the RNG. From this protocol one has to expect favorable outcomes additional to constant key-look up and an efficiently implemented on an EPCGen2 platform. This EPC Global UHF Class-2 Generation 2 standard describes the physical and logical requirements for a passive-backscatter. Here there will be three basic operations select, Inventory and access used by an Interrogator man ages tag populations.
Authentication based on a shared secret key
This protocol uses a shared secret key by both the authorizing parties. This protocol provides a two-way authentication. This authentication technique functions using a challenge response protocol. A challenge response protocol is a rule that to identify the opposite user is authorized or not one party sends a random number to other called nonce which is used just once and the other party transforms it into special form which helps it to identify the other party is authorized party. This random number is stored with both the parties along with the shared secret key. Both the parties before sharing the key encrypt and decrypt their formal identities to become authorized. There was a wrong attempt in this protocol to improvise it by making it shortened. This shorter version includes many requests in one transmission but it proved harmful as a new attack is seen when implemented known as reflection attack. This reflection attack is caused by third person who is not authorized who can break the multiple sessions of the authorized parties and introduce false transmissions which could lead to false communication. The third person sends message as authorized party and receives the response from other side correctly. But when he should sent his identity the authorized party detects it as false party and sends the message as it is to the third person with which he can't move forward. This should not be done in shortened two way authentication protocol. Hence this attack is defeated.