New Role Based Authentication Protocol Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

The paper proposes a new role-based authentication protocol that differs from the identity-based authentication model. The protocol does not disclose any unique identifier bound to the user's identity. By verifying the user's role, the protocol can convince the service that the user is valid and that the role is acceptable, so it achieves the goal of authentication and meets the identity-privacy requirement at the same time. Protocol analysis indicates that the protocol integrates easily with role-based authorization and is safer than the multi-server authentication scheme. Simulation shows that the protocol satisfies both the authentication and the identity-privacy requirements.

Introduction to authentication protocol


Authentication is a fundamental aspect of system security. It confirms the identity of any user trying to log on to a domain or access network resources. Windows Server 2003 family authentication enables single sign-on to all network resources. With single sign-on, a user can log on to the domain once, using a single password or smart card, and authenticate to any computer in the domain.


A protocol is a set of rules governing the transmission of data; in computer terms it is an agreed-upon format for transmitting data between two devices. The protocol determines the following:

the type of error checking to be used

the data compression method, if any

how the sending device will indicate that it has finished sending a message

how the receiving device will indicate that it has received a message

There are a variety of standard protocols from which programmers can choose. Each has particular advantages and disadvantages; for example, some are simpler than others, some are more reliable, and some are faster.

Authentication protocol

An authentication protocol is a type of cryptographic protocol with the purpose of authenticating entities wishing to communicate securely.


Types of authentication protocols

The process of authentication is a critical component in computer activity. Users cannot perform many functions on a computer network or the Internet without first being authenticated by a server. Logging into an individual computer or a website requires a reliable authentication protocol to run on the back end to establish verification of the user. There are different authentication protocols such as:

CAVE-based authentication

Challenge-Handshake Authentication Protocol (CHAP)

Extensible Authentication Protocol (EAP)

Host Identity Protocol (HIP)

MS-CHAP and MS-CHAPv2 (Microsoft variants of CHAP)

LAN Manager (LM)

Password-authenticated key agreement (PAKE) protocols

Password Authentication Protocol (PAP)

Secure Remote Password (SRP) protocol

Protected Extensible Authentication Protocol (PEAP)

TACACS and TACACS+

RFID authentication protocols

Challenge-Handshake Authentication Protocol

The Challenge-Handshake Authentication Protocol (CHAP) is used to periodically verify the identity of the peer using a 3-way handshake. This is done upon initial link establishment, and MAY be repeated any time after the link has been established. The handshake proceeds as follows:

1. The authenticator sends a "challenge" message to the peer.

2. The peer responds with a value calculated over the challenge and the shared secret using a "one-way hash" function.

3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authentication is acknowledged; otherwise the connection SHOULD be terminated.


CHAP provides protection against playback attack by the peer through the use of an incrementally changing identifier and a variable challenge value. The use of repeated challenges is intended to limit the time of exposure to any single attack. The authenticator is in control of the frequency and timing of the challenges.

This authentication method depends upon a "secret" known only to the Authenticator and that peer. The secret is not sent over the link.


CHAP requires that the secret be available in plaintext form. The irreversibly hashed password databases that are commonly available cannot be used.

It is not as useful for large installations, since every possible secret is maintained at both ends of the link. Implementation note: to avoid sending the secret over other links in the network, it is recommended that the challenge and response values be examined at a central server, rather than at each network access server. Otherwise, the secret SHOULD be sent to such servers in a reversibly encrypted form. Either case requires a trusted relationship, which is outside the scope of this
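The handshake described above, written out as an added example; this is not code from the essay or from RFC 1994. It assumes CHAP with MD5 (the hash RFC 1994 defines; the text only says "one-way hash") and a constructed shared secret. The Identifier changes with every challenge and is consumed on first use, which is what makes a captured response useless to replay, and the Authenticator holds every peer's secret in plaintext, which is the deployment drawback just noted.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response = MD5(Identifier || secret || Challenge).
    MD5 is an assumed choice here; the essay only says "one-way hash"."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The authenticator end. It needs every peer's secret in plaintext,
    exactly the operational drawback the text describes."""

    def __init__(self, secrets):
        self.secrets = dict(secrets)        # peer name -> plaintext secret
        self.next_id = 0
        self.outstanding = {}               # Identifier -> (peer, challenge)

    def challenge(self, peer, length=16):
        """Step 1: send a fresh Identifier and a random Challenge value."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256   # incrementally changing Identifier
        chal = os.urandom(length)                 # variable challenge value
        self.outstanding[ident] = (peer, chal)
        return ident, chal

    def verify(self, ident, peer, response):
        """Step 3: recompute the expected hash and compare. The Identifier is
        consumed on first use, so a captured response cannot be replayed."""
        entry = self.outstanding.pop(ident, None)
        if entry is None or entry[0] != peer or peer not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[peer], entry[1])
        return hmac.compare_digest(expected, response)   # constant-time compare


class Peer:
    """The peer end; the secret never leaves this object."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, ident, chal):
        """Step 2: answer with the one-way hash over Identifier, secret, Challenge."""
        return self.name, chap_response(ident, self.secret, chal)


def run_handshake(auth, peer):
    """Drive one challenge/response/verify round; True on success."""
    ident, chal = auth.challenge(peer.name)
    name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)


def replay_is_rejected(auth, peer):
    """Capture a valid response and present it again after the authenticator
    has moved on: the Identifier is gone and the next challenge differs."""
    ident, chal = auth.challenge(peer.name)
    name, resp = peer.respond(ident, chal)
    first = auth.verify(ident, name, resp)
    auth.challenge(peer.name)               # authenticator issues a new challenge
    replayed = auth.verify(ident, name, resp)
    return first and not replayed


if __name__ == "__main__":
    # Constructed sample secret shared between the two ends of the link
    auth = Authenticator({"alice": b"correct horse battery"})
    print("handshake ok:", run_handshake(auth, Peer("alice", b"correct horse battery")))
    print("wrong secret:", run_handshake(auth, Peer("alice", b"wrong")))
    print("replay rejected:", replay_is_rejected(auth, Peer("alice", b"correct horse battery")))
```

The central-server arrangement recommended in the implementation note maps onto this code directly: the network access server only relays the (Identifier, Challenge, Response) triple, and the object holding the secrets is the one that runs verify.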



A password-based protocol designed in the augmented model can resist server compromise.

In other words, an adversary who has compromised the password file on a server cannot impersonate a user without launching dictionary attacks. While developing the new three-pass password-based protocol, we found a conceptually simple but novel password-guessing attack that can be mounted on every three-pass password-based protocol by exploiting a small window of vulnerability resulting from a standard technique for resisting on-line guessing attacks, namely counting the number of failed requests. Our attack is due to the server's failure to synchronize multiple simultaneous requests, and is unavoidable in three-pass protocols unless special care is taken in both the design and implementation phases.
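The synchronization gap described above, modelled as an added example; this is not the paper's protocol or code. A server counts failed logins and locks the account after three, but it reads the counter when a request starts and updates it only once the guess has been evaluated, so every request that arrives in that window is evaluated. The threshold, the password and the guess list are constructed, and the server is an in-memory model whose interleaving is made explicit so the run is deterministic.

```python
import hashlib
import hmac

MAX_FAILED = 3          # constructed policy: lock the account after this many wrong guesses


def _verify(stored_hash, guess):
    return hmac.compare_digest(stored_hash, hashlib.sha256(guess).digest())


class RacyServer:
    """Check-then-act: the counter is read when a request starts and only
    updated when the request finishes. Every request that starts before the
    first failure is recorded passes the lockout check."""

    def __init__(self, password):
        self.stored = hashlib.sha256(password).digest()
        self.failed = 0

    def request_start(self):
        return self.failed < MAX_FAILED          # lockout check

    def request_finish(self, guess):
        ok = _verify(self.stored, guess)         # the expensive step happens later
        if not ok:
            self.failed += 1                     # counted only now
        return ok


class SyncServer:
    """Reserve the attempt before evaluating it: in-flight requests count
    against the limit, so a burst can never exceed MAX_FAILED evaluations.
    In a real multi-threaded or multi-process server the reservation must be
    done under a lock or a database transaction; here the single-threaded
    model just makes the interleaving explicit."""

    def __init__(self, password):
        self.stored = hashlib.sha256(password).digest()
        self.failed = 0
        self.in_flight = 0

    def request_start(self):
        if self.failed + self.in_flight >= MAX_FAILED:
            return False
        self.in_flight += 1                      # slot reserved before any evaluation
        return True

    def request_finish(self, guess):
        self.in_flight -= 1
        ok = _verify(self.stored, guess)
        if not ok:
            self.failed += 1                     # a correct guess releases the slot
        return ok


def burst(server, guesses):
    """Model of the attack window: N requests all start before any finishes.
    Returns how many guesses the server actually evaluated."""
    admitted = [g for g in guesses if server.request_start()]
    for g in admitted:
        server.request_finish(g)
    return len(admitted)


def guesses_until_locked(server_cls, password, candidates):
    """Sequential attacker for contrast: here the counter works as intended."""
    server = server_cls(password)
    tried = 0
    for candidate in candidates:
        if not server.request_start():
            break
        server.request_finish(candidate)
        tried += 1
    return tried


if __name__ == "__main__":
    guesses = [b"guess%d" % i for i in range(10)]   # constructed dictionary
    print("sequential, racy server:", guesses_until_locked(RacyServer, b"hunter2", guesses))
    print("burst, racy server:     ", burst(RacyServer(b"hunter2"), guesses))
    print("burst, sync server:     ", burst(SyncServer(b"hunter2"), guesses))
```

The sequential attacker is stopped after three guesses on either server; the burst attacker gets all ten evaluated on the racy server and exactly three on the synchronized one.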

If you want to restrict access to certain areas of your website to certain users, then you must set up your site to authenticate passwords. Password authentication enables you to validate and verify the identity of an individual requesting access to a particular URL, and so to protect these restricted areas from attackers. Follow the steps below to set up a very basic function in PHP.


The RADIUS protocol for authenticating users is one of the oldest systems used on the Internet; it has been a standard platform since the era of dial-up Internet connections. RADIUS runs as a software program on a server, which is usually used exclusively for RADIUS authentication. When a user attempts to connect to a network, a RADIUS client program directs all user data to the RADIUS server for authentication. The server holds the user authentication data in an encrypted format and sends a pass or fail response back to the connection platform, so authentication is either established or denied. If denied, the user simply tries again. Once established, the RADIUS interaction is finished; additional network services requiring authentication are handled by other protocols, if necessary.
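The exchange just described, as an added example; this is not code from the essay or from any RADIUS implementation. The RADIUS client (the NAS) hides the user's password with the shared secret and a random Request Authenticator in the way RFC 2865 specifies, the server recovers and checks it, and the client verifies the Response Authenticator before trusting the Accept or Reject. The shared secret, user name and password are constructed. Two caveats a practitioner should keep in mind: the password hiding is an MD5 stream keyed by the shared secret, not authenticated encryption, and nothing below authenticates the request itself, which is why deployments add the Message-Authenticator attribute or carry RADIUS over TLS.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2             # attribute types (RFC 2865)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret, request_auth, password):
    """RFC 2865 User-Password hiding: pad to 16-octet blocks and XOR each block
    with MD5(secret || previous), where previous is the Request Authenticator
    for the first block and the previous hidden block after that."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def unhide_password(secret, request_auth, hidden):
    """Inverse of hide_password; the chain value is the received hidden block."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(kind, value):
    return bytes([kind, 2 + len(value)]) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def _response_auth(code, ident, request_auth, attrs, secret):
    """ResponseAuth = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(secret, ident, username, password):
    """NAS side: a fresh random Request Authenticator keys the password hiding."""
    request_auth = os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def make_user_db(credentials):
    """Server store. PAP delivers the plaintext password to the server, so the
    server can keep only a hash (unlike CHAP, which needs the plaintext secret)."""
    return {user: hashlib.sha256(pw).digest() for user, pw in credentials.items()}


def server_handle(secret, user_db, packet):
    """RADIUS server: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:])
    user = attrs.get(USER_NAME, b"")
    password = unhide_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    ok = user in user_db and hmac.compare_digest(user_db[user], hashlib.sha256(password).digest())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + _response_auth(code, ident, request_auth, b"", secret)


def client_check_response(secret, request, response):
    """NAS side: trust the verdict only if the Response Authenticator matches,
    computed over our own Request Authenticator with the shared secret.
    Returns True for Accept, False for Reject, None if the reply does not verify."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return None
    expected = _response_auth(code, ident, request[4:20], response[20:], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code == ACCESS_ACCEPT
```

A server configured with a different shared secret recovers garbage for the password and, more importantly, produces a Response Authenticator the client cannot verify, so a mismatched secret surfaces as an unverifiable reply rather than as a silent Reject.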


The Kerberos authentication protocol is among the most widely used in networking environments. Kerberos identifies users by means of a large set of encrypted "keys" that only the Kerberos platform assigns; these keys cannot be read or exported out of Kerberos. Human users and network services that require access to a domain are authenticated by Kerberos in the same way. Once Kerberos verifies that a user's password corresponds to a stored key, it authenticates the user. When this user tries to access other network services, additional authentication may be requested; however, all network services on a Kerberos system interact directly with Kerberos, not with the user. The efficiency of the Kerberos environment allows users to authenticate once, after which access is granted to other services through key sharing. Once the user is authenticated, Kerberos acts as an authority for that user and manages the processing of the key material for all subsequent services. The system uses these keys to convince any other network service that the user has already been authenticated.


LAN Manager, also called LM or Lanman, is, in terms of security, the lowest level at which any Windows computer can operate. The LAN Manager Authentication Level can be set relatively low to ensure compatibility with computers using other authentication protocols, because not all clients can use the highest level available. However, increasing compatibility also increases vulnerability, as the older LM and NTLMv1 protocols are now considered insecure.

Send LM & NTLM responses (level 0) offers the lowest level of security, because LM and NTLM are considered obsolete. Clients at this setting never use NTLMv2; servers at this setting accept any of the three protocols. Send NTLM response only (level 2): when level 2 is implemented across a domain, clients use NTLMv1 and can use NTLMv2 if the servers on the network support it; domain controllers again continue to accept any of the three protocols.

LAN Manager (LM) is one of the oldest authentication protocols that Microsoft has used, and it is not secure. The LM hash has few features, and each of them poses an obvious security risk:

the hash is case-insensitive (the password is converted to uppercase before hashing)

the character set is limited to 142 characters

the password is split into two 7-character halves, which are hashed independently of each other

a password shorter than 14 characters is padded with nulls to 14 characters

the hash result is a 128-bit value

Kerberos is an industry-standardized and approved authentication protocol, now in its fifth version, as defined in the Internet Engineering Task Force's (IETF) Request for Comments (RFC). Kerberos enforces the mutual authentication process by using a ticketing system. The authentication process is handled primarily by the client, reducing the load on the servers. Domain controllers share the authentication load by running as Kerberos Key Distribution Centers (KDCs).

No portion of the password is ever transmitted over the network. Attackers are prevented from capturing and replaying packets, because tickets and authenticators carry timestamps and are only accepted within a short time window.
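A toy model of the exchanges just described, added here; it is not code from the essay or from any Kerberos implementation. It shows encrypted-timestamp pre-authentication in the AS exchange (so no part of the password crosses the wire), a TGT and a service ticket issued by the KDC, and the timestamp, clock-skew and replay-cache checks that stop a captured authenticator from being replayed. The symmetric cipher is an HMAC-SHA256 keystream with a tag, standing in for Kerberos's real enctypes; messages are JSON rather than ASN.1; and the principal names, passwords and clock values are constructed.

```python
import hashlib
import hmac
import json
import os

SKEW = 300   # seconds of clock skew tolerated (Kerberos defaults to 5 minutes)


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object. A stand-in for a Kerberos enctype, not one."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(principal, password):
    """String-to-key: only this derived key is ever used, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10000)


def validate_ticket(service_key, ticket, authenticator, now, replay_cache):
    """Used by the TGS and by any application service alike: decrypt the ticket
    with the service's own key, the authenticator with the session key inside
    it, then check name, expiry, clock skew and the replay cache."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - a["timestamp"]) > SKEW:
        raise ValueError("authenticator outside skew: replay or bad clock")
    if (t["cname"], a["timestamp"]) in replay_cache:   # same client, same time: replay
        raise ValueError("replayed authenticator")
    replay_cache.add((t["cname"], a["timestamp"]))
    return t["cname"], t["key"]


def make_authenticator(session_hex, cname, now):
    return seal(bytes.fromhex(session_hex), {"cname": cname, "timestamp": now})


class KDC:
    """Authentication Service and Ticket-Granting Service in one object."""

    def __init__(self, principal_keys):
        self.keys = dict(principal_keys)   # client keys, "krbtgt" and service keys
        self.replay = set()

    def as_exchange(self, cname, preauth, now):
        """AS-REQ with pre-authentication: an encrypted timestamp proves the
        client holds the password-derived key; the KDC never sees the password."""
        ts = unseal(self.keys[cname], preauth)["timestamp"]   # raises on wrong key
        if abs(now - ts) > SKEW:
            raise ValueError("stale pre-authentication")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": session, "expires": now + 36000})
        return seal(self.keys[cname], {"key": session}), tgt   # first part readable only by the client

    def tgs_exchange(self, tgt, authenticator, sname, now):
        """TGS-REQ: the client proves possession of the TGT's session key and gets
        a ticket for sname; the password-derived key is not involved again."""
        cname, session = validate_ticket(self.keys["krbtgt"], tgt, authenticator, now, self.replay)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": cname, "key": svc_session, "expires": now + 36000})
        return seal(bytes.fromhex(session), {"key": svc_session}), ticket


def client_login(kdc, cname, password, sname, now):
    """Client side of the AS and TGS exchanges; returns what it presents to the
    service: the service ticket and a fresh authenticator under the new key."""
    k = password_key(cname, password)
    enc, tgt = kdc.as_exchange(cname, seal(k, {"timestamp": now}), now)
    session = unseal(k, enc)["key"]
    enc2, ticket = kdc.tgs_exchange(tgt, make_authenticator(session, cname, now), sname, now)
    svc_session = unseal(bytes.fromhex(session), enc2)["key"]
    return ticket, make_authenticator(svc_session, cname, now)


def login_succeeds(kdc, cname, password, sname, now):
    try:
        client_login(kdc, cname, password, sname, now)
        return True
    except (ValueError, KeyError):
        return False


def service_accepts(service_key, ticket, authenticator, now, replay_cache):
    """Application service: returns the authenticated client name, or None."""
    try:
        return validate_ticket(service_key, ticket, authenticator, now, replay_cache)[0]
    except ValueError:
        return None
```

Each service keeps its own replay cache, as the KDC does for TGS requests; an authenticator is bound to one ticket, one client name and one timestamp, so a captured (ticket, authenticator) pair is refused a second time and refused outright once the clock has moved past SKEW.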


NTLMv2 was not released with the initial debut of an operating system; it was released with Service Pack 4 of Windows NT 4. Given the poor password protection of LM and NTLM, Microsoft fixed many of the issues that these older authentication protocols had. The features of NTLMv2 include the following: passwords can be up to 128 characters long; mutual authentication between the client and server; and longer keys, which produce a stronger password hash.

What authentication protocol does your Operating System support?

Windows 2000, XP, and Server 2003 come standard with support for all the authentication protocols that Microsoft supports: LM, NTLM, NTLMv2, and Kerberos. These computers use Kerberos when communicating with Active Directory and with members of Active Directory. When they are in a workgroup, they use NTLMv2. LM and NTLM are supported and used when communicating with legacy operating systems that only support these old, weak protocols.

Uses of Authentication Protocols

The DHCP User Authentication Protocol option (code 98) specifies a list of URLs, each pointing to a user authentication service that is capable of processing authentication requests encapsulated in the User Authentication Protocol (UAP). UAP servers can accept either HTTP 1.1 or SSLv3 connections. If a URL in the list does not contain a port component, the normal default port is assumed (port 80 for http and port 443 for https). If a URL in the list does not contain a path component, the path /uap is assumed.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |    Length     |            URL list ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Code: 98
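A parser for the option layout shown above, as an added example; it is not code from the essay or from any DHCP client. It checks the option's Length against the bytes actually present, rejects anything that is not an http or https URL, and applies the default port and /uap path. It assumes the URLs in the list are separated by a single ASCII space, which is how RFC 2485, the RFC that defines option 98, describes the encoding; the option values are constructed. One caveat the essay does not mention: a URL learned over DHCP comes from whoever answers on the local segment, so a client should only trust an authentication service reached over https with a verified certificate, and SSLv3 itself is long obsolete.

```python
from urllib.parse import urlsplit, urlunsplit

UAP_OPTION_CODE = 98                       # DHCP option code for the UAP server list
DEFAULT_PORT = {"http": 80, "https": 443}  # the defaults the option text specifies


def normalize_uap_url(url):
    """Apply the option's defaults: no port -> 80 or 443 by scheme, no path ->
    /uap. Anything that is not http or https with a host is rejected."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORT or not p.hostname:
        raise ValueError(f"not an http/https URL with a host: {url!r}")
    host = f"[{p.hostname}]" if ":" in p.hostname else p.hostname   # re-bracket IPv6 literals
    port = p.port if p.port is not None else DEFAULT_PORT[p.scheme]
    return urlunsplit((p.scheme, f"{host}:{port}", p.path or "/uap", p.query, p.fragment))


def encode_uap_option(urls):
    """Code (98) | Length | URL list. Assumption: URLs separated by one ASCII space."""
    body = b" ".join(u.encode("ascii") for u in urls)
    if not 1 <= len(body) <= 255:
        raise ValueError("URL list must be 1..255 octets to fit in one option")
    return bytes([UAP_OPTION_CODE, len(body)]) + body


def parse_uap_option(option):
    """Parse one option from a DHCP options field and return normalized URLs.
    Length is checked against the bytes actually present, so a truncated or
    over-long option is an error rather than a silently shortened list."""
    if len(option) < 2 or option[0] != UAP_OPTION_CODE:
        raise ValueError("not a UAP option")
    if option[1] == 0 or option[1] != len(option) - 2:
        raise ValueError("option length does not match payload")
    urls = [u for u in option[2:].decode("ascii").split(" ") if u]
    if not urls:
        raise ValueError("empty URL list")
    return [normalize_uap_url(u) for u in urls]


def is_well_formed(option):
    """True only if the option parses and every URL passes normalization."""
    try:
        parse_uap_option(option)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed option value: two servers, one relying on every default
    opt = encode_uap_option(["http://auth.example.com", "https://auth.example.com:8443/login"])
    print(opt.hex())
    for u in parse_uap_option(opt):
        print(u)
```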

Role of Authentication Protocol



Everyone must use passwords to protect network resources, and the operating system must in turn protect those passwords by storing them as password hashes rather than in the clear. Some password hashes are very weak and create immediate vulnerabilities for the computer and the network. Others, like NTLMv2, add features that help protect the hash, but if the password is not long enough the hash can still be cracked quickly. It is up to network admins, security professionals, and each user to take action to protect passwords and hashes; making passwords longer goes a long way toward defeating cracking tools.