An authentication protocol is a set of rules followed by two legitimate communicating parties to protect their communication from false or fraudulent transmissions. Before communicating, the parties must prove their identity to show that they are eligible to participate. The messages exchanged between them must be genuine and protected so that attackers cannot detect them by any means. In short, their communication should be completely secured. Many different authentication protocols are used in different scenarios, such as:
CAVE-based authentication Protocol
The Cellular Authentication and Voice Encryption (CAVE) authentication protocol involves two network entities, the Authentication Center and the Visitor Location Register, and two shared keys, the authentication key and the shared secret data. The Authentication Center authenticates the mobile station, or it shares the shared secret data with the Visitor Location Register so that authentication can occur there. The Visitor Location Register authenticates the mobile when it is roaming if the shared secret data has been shared with the network; otherwise it proxies the authentication responses from roamers to their home network. The authentication key is 64 bits and the shared secret data is 128 bits.
Challenge-handshake authentication protocol
CHAP is an authentication protocol in which an authenticating party, such as an Internet service provider, authenticates a user and checks the validity or identity of remote clients. It is used by the Point-to-Point Protocol (PPP). It checks the identity when the link is established, and verification relies on a shared secret such as a password. When the connection is made, the authenticator sends a challenge to the client. The client responds by computing a value from the challenge and the shared secret using a one-way hash function. The authenticator compares this value with its own calculation; if they match it acknowledges the client, otherwise it terminates the connection. The authenticator also sends new challenges at randomly selected times.
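The challenge/response check described above, as an added example that is not part of the original article. It uses the MD5 response value that RFC 1994 defines for CHAP (hash of identifier, secret and challenge); the class name, peer name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """Hypothetical authenticator side of the link (names are illustrative)."""

    def __init__(self, secrets_by_name):
        self.secrets_by_name = secrets_by_name   # peer name -> shared secret
        self.identifier = 0
        self.outstanding = {}                    # identifier -> challenge bytes

    def new_challenge(self):
        # Called at link establishment and again at random later times.
        # A fresh random challenge each time makes old responses worthless.
        self.identifier = (self.identifier + 1) % 256
        challenge = os.urandom(16)
        self.outstanding[self.identifier] = challenge
        return self.identifier, challenge

    def verify(self, identifier, name, response):
        challenge = self.outstanding.pop(identifier, None)  # one answer per challenge
        secret = self.secrets_by_name.get(name)
        if challenge is None or secret is None:
            return False                         # caller terminates the link
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def demo():
    secret = b"constructed-shared-secret"        # constructed sample value
    auth = Authenticator({"remote-client": secret})
    ident, challenge = auth.new_challenge()
    good = chap_response(ident, secret, challenge)   # computed by the client
    first = auth.verify(ident, "remote-client", good)
    ident2, _ = auth.new_challenge()                 # later re-challenge
    replayed = auth.verify(ident2, "remote-client", good)
    return first, replayed

if __name__ == "__main__":
    print(demo())
```

The shared secret never crosses the link, and a response captured for one challenge fails against the next one.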
Host Identity Protocol
This protocol is a host identification technology for use on Internet Protocol networks. It uses IP addresses and the Domain Name System as two main entities, and it is used in mobile computing. In networks where HIP is implemented, occurrences of IP addresses are removed and replaced with cryptographic host identifiers.
Remote Authentication Dial In User Service
This protocol provides AAA management, i.e. authentication, authorization and accounting, for computers that connect to and use a particular network service. It authenticates users before giving them permission to access a particular network. It then authorizes certain network services for those particular users only, and it also accounts for usage by those users. It is a client/server protocol that runs in the application layer and uses UDP for transport.
Kerberos
This authentication protocol defines rules by which nodes communicating with each other over a non-secure network prove their identity in a secure manner. It mainly follows a client-server model and provides mutual authentication. It helps protect against replay attacks and eavesdropping. The protocol builds on symmetric key cryptography and requires a trusted third party called the key distribution center (KDC), which maintains the database of secret keys: each client and server holds a secret key known only to itself and the KDC. The KDC generates a session key that the parties use to secure their subsequent interactions. The user logs on to the client machine, which performs a one-way hash function on the given password, and this becomes the session key. The main steps of execution are client authentication, followed by client service authorization, and then the client service request.
Password Authenticated key exchange Protocol (wireless networks)
In this protocol, entities that share a password verify each other's identities and then exchange information using a session key. The major challenge for such a protocol is the password guessing attack, also called the dictionary attack, which comes in two types. In an on-line dictionary attack, the attacker poses as a legitimate partner in the communication and runs the protocol normally using a randomly selected password. If the adversary's protocol run succeeds, he has found the correct password; otherwise he excludes the guessed password. In an off-line dictionary attack, the adversary secretly listens to the communication between two legitimate parties and gathers data during their protocol execution. He then checks guessed passwords against the recorded data while off-line. Off-line attacks are more difficult to defend against. To defend against them, the conversation between the legitimate parties must not reveal any hint that helps to guess the password. Some protocols were shown to be secure against off-line attacks by using public key cryptographic techniques; these protocols are known as Encrypted Key Exchange (EKE). Different public-key cryptosystems were tried for implementing EKE; among them Diffie-Hellman key exchange became the best known, but subtleties arise when EKE is implemented with RSA and other public key cryptographic systems. The problem is that one party cannot validate the RSA public key of the other party, because no digital signature is used in the protocol.
Improvement attempt: A new proposal had the client validate the RSA public key by sending a number of messages encrypted with the server's RSA public key. If the server can decrypt all of the encrypted messages, the client is assured that the encryption is a permutation and that the RSA public key is valid. A notion of undetectable on-line password guessing attacks was then proposed, and this protocol was stated to be insecure against such attacks, so the attempt failed. Many further attempts were made, but these improvements were vulnerable to off-line dictionary attacks. This approach therefore proved to be a misconception.
Diffie Hellman Key Exchange
This protocol is one of the earliest of its kind: two authorized communicating parties with no prior knowledge of each other establish a shared secret key over an insecure communication channel. Because it establishes a shared secret key that can be used for communicating secretly over a public network, it is known as a key exchange protocol. The two parties generally exchange a prime and a generator such that the prime is greater than the generator. Each party then generates a random number and keeps it secret. The implementation uses the multiplicative group of integers modulo p. In short, both parties agree on a cyclic group and a generating element; one party picks a random natural number and sends the generating element raised to the power of that number to the other party. The second party does the same, and then each party raises the value it received to the power of its own number, so that both hold the same group element, the generating element raised to the product of the two numbers, which serves as the shared secret key between the two authorized parties. Thus if one party encrypts a message, the other party decrypts it using the shared secret key. This protocol can suffer from a man-in-the-middle (MITM) attack, in which an attacker can view, intercept, insert and modify messages at will without the knowledge of the authorized parties, and can pose as an authorized party. This is the main drawback when Diffie-Hellman is used without authentication. Otherwise the parties use password-authenticated key agreement to protect themselves from MITM attacks.
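The exchange and its main drawback, as an added example that is not part of the original article: both sides derive the same key on a clean channel, while on an unauthenticated channel with an interposed party they end up with different keys, which a fingerprint comparison over an authenticated channel reveals. The group parameters are toy values chosen for the demo and the function names are illustrative.

```python
import hashlib
import secrets

# Toy group for the demo (assumption): 2**127 - 1 is prime but far too small
# for real use; deployments use standardized groups of 2048 bits or more.
P = 2**127 - 1
G = 3

def keypair():
    private = secrets.randbelow(P - 3) + 2        # random secret in [2, P-2]
    return private, pow(G, private, P)            # (secret, g^secret mod p)

def session_key(private, peer_public):
    if not 2 <= peer_public <= P - 2:             # reject degenerate values
        raise ValueError("peer public value out of range")
    shared = pow(peer_public, private, P)         # g^(ab) mod p
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()

def exchange(interposed=False):
    """Return (key held by A, key held by B, keys held by an interposer)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if not interposed:
        return session_key(a_priv, b_pub), session_key(b_priv, a_pub), ()
    # The channel is unauthenticated, so each side accepts whatever public
    # value arrives; here both receive the interposer's value instead.
    m_priv, m_pub = keypair()
    return (session_key(a_priv, m_pub), session_key(b_priv, m_pub),
            (session_key(m_priv, a_pub), session_key(m_priv, b_pub)))

def keys_match(key_a, key_b):
    # Stand-in for comparing key fingerprints over an authenticated channel.
    return secrets.compare_digest(key_a, key_b)

if __name__ == "__main__":
    a, b, _ = exchange()
    print("clean channel, keys match:", keys_match(a, b))
    a, b, _ = exchange(interposed=True)
    print("interposed channel, keys match:", keys_match(a, b))
```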
Authentication of session initiation protocol
The Session Initiation Protocol (SIP) is used in 3G mobile networks and VoIP. IP-based telephony is the major application of this protocol. It does not require any Internet support for VoIP, which makes it prone to attacks such as TCP session hijacking and spoofing. The four major resources are the registrar, proxy server, user agent and redirect server. In the SIP authentication procedure, the SIP user agent client must identify the user agent server, so the procedure applies to user-to-user communications. SIP authentication is a challenge-based mechanism: after receiving a request, a server challenges the client or sender of the request to prove its identity, and the challenge contains a uniquely generated nonce. The client and server share a secret password. The sender uses the shared password together with the nonce to compute a response. The server authenticates the request after the requester sends the request again with the computed value. With this mechanism the password is never sent in clear text. Authentication involves computing a value from the nonce, username, password and realm and comparing it with the response. This authentication procedure runs when an intermediate proxy server needs the calling side to be authenticated before it accepts the call or the registration. The intermediate proxy server sends a plain SIP message. After receiving the message, the proxy server decides that authentication is required and sends a SIP error message requesting authentication; this error is the challenge. The user agent client receives the challenge, computes the response and sends it in a new SIP request message. This digest authentication does not provide a high level of security because it is based on a shared secret rather than a public key mechanism.
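The challenge, retry and comparison steps described above, as an added example that is not part of the original article. It assumes the basic HTTP Digest form that SIP reuses (MD5 over username, realm and password, combined with the nonce and with the request method and URI, no qop); the Proxy class, the "accepted" result and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """Digest response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")   # identity and secret
    ha2 = md5_hex(f"{method}:{uri}")                  # binds the request itself
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class Proxy:
    """Hypothetical proxy that challenges every unauthenticated request."""

    def __init__(self, realm, passwords, nonce_ttl=30.0):
        self.realm, self.passwords, self.nonce_ttl = realm, passwords, nonce_ttl
        self.nonces = {}                              # nonce -> expiry time

    def handle(self, method, uri, auth=None, now=None):
        now = time.time() if now is None else now
        if auth is not None:
            expiry = self.nonces.pop(auth["nonce"], 0.0)   # nonce is single use
            password = self.passwords.get(auth["username"])
            if password is not None and now <= expiry:
                expected = digest_response(auth["username"], self.realm,
                                           password, method, uri, auth["nonce"])
                if hmac.compare_digest(expected, auth["response"]):
                    return "accepted", None
        nonce = secrets.token_hex(16)                 # fresh challenge on any failure
        self.nonces[nonce] = now + self.nonce_ttl
        return "407 Proxy Authentication Required", nonce

def client_auth(username, realm, password, method, uri, nonce):
    # What the user agent client puts in its repeated request.
    return {"username": username, "nonce": nonce,
            "response": digest_response(username, realm, password,
                                        method, uri, nonce)}
```

Because the nonce is consumed on first use and expires, a captured response cannot be replayed, and a response computed for one method and URI does not verify for another.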
Terminal Access Controller and Access Control System and TACACS+
TACACS (Terminal Access Controller and Access Control System) is a remote authentication protocol used for communicating with an authentication server. It allows a remote access server to communicate with the authentication server to check whether the user has authorized access to the network. The TACACS protocol uses TCP or UDP port 49. TACACS allows the client to accept a username and password and then send a query to the TACACS authentication server. The server is generally a program running on a host. The role of the host is to decide whether to accept or deny the request, and it then sends a response back. The routing node, called the TIP, then allows or denies access based on the response from the host. TACACS+, like RADIUS, provides AAA management. It has replaced the TACACS protocol in more recently updated networks. The TACACS protocol utilizes TCP. The advantages of TACACS+ are that it offers multiprotocol support, such as IP and AppleTalk, and that in normal operation packets are encrypted completely, which helps secure communications. TACACS+ is a Cisco-proprietary enhancement to TACACS. It is completely incompatible with the earlier protocols, which makes it unique.
Radio Frequency Identification-Authentication Protocols
RFID has emerged as a promising technology that is widely deployed for inventory management, automatic identification in general, and applications such as retail operations. It is an improvement over the barcode because it does not require direct line-of-sight reading. Early lightweight RFID protocols were subject to many attacks and threats, in particular integrity attacks, which compromised them. These attacks include the off-line man-in-the-middle attack, tag cloning and tag disabling. In response to these attacks, security measures such as authentication, session unlinkability, and forward and backward security were adopted. To counter the attacks, EPCGen2-compliant protocols came into use which support security measures such as forward and backward security and session unlinkability. The cryptographic mechanism this protocol uses is a synchronized pseudorandom number generator (RNG) that is shared with the back-end server. Correct authentication is achieved using only a few numbers, say 2, drawn from the RNG. Beyond this, the protocol is expected to offer constant key look-up and to be efficiently implementable on an EPCGen2 platform. The EPC Global UHF Class-2 Generation 2 standard describes the physical and logical requirements for a passive-backscatter. There are three basic operations, Select, Inventory and Access, which an Interrogator uses to manage tag populations.
NT LAN Manager, also known as NTLM
Password-authenticated key agreement protocols
Extensible Authentication Protocol
Password Authentication Protocol
Protected Extensible Authentication Protocol
Secure Remote Password protocol
Authentication and key agreement Protocol
Challenge Response Authentication Mechanism-MD5
Microsoft Version-CHAP and Microsoft-CHAPv2 variants of CHAP