Strong user authentication mechanisms

This thesis is motivated by the problem of user authentication mechanisms, i.e. the problem of associating a digital identity with a physical person so that the association can later be verified. Authentication in the physical world is an old story: keys opened doors, people were recognised by the guard at the door, and secret passwords let the right persons through the gates. Projecting this physical image onto the digital world is a bit more complicated, though. The purpose of any authentication mechanism is to authenticate the different users by having them provide verifiable proof of their identities. Not all authentication mechanisms have a clear connection between the physical persons requiring access to the system and the identity that represents each user in the system. This thesis will primarily deal with physical users requiring access to a system and the implications thereof.

Contents

1 Introduction
1.1 Aim of the thesis
1.2 Background
1.3 Problems to be solved
1.4 Method
1.5 Scope
1.6 Structure of the paper
Part I – Theoretical background
2 Identities
2.1 Users and Identities
2.1.1 Access control
2.2 Binding users to identities
2.3 Identities and roles
3 Cryptography
3.1 Key-less cryptographic functions
3.1.1 One-way functions
3.1.2 Hash functions
3.2 Symmetric cryptography
3.3 Asymmetric cryptography
3.4 Key generation
3.5 Certificates
4 Design patterns for authentication mechanisms
4.1 Local authentication
4.2 Indirect authentication
4.3 Direct authentication
4.4 Offline authentication
5 Components in authentication mechanisms
5.1 Passwords
5.1.1 Entropy and bit-space
5.1.2 The generation procedure
5.1.3 One-time passwords
5.1.4 Pros
5.1.5 Problems
5.1.6 Possible solutions to the problems
5.2 Token
5.2.1 Physical security of the authentication device
5.2.2 Passive
5.2.3 Active
5.3 Biometrics
5.3.1 Actions and movement
5.4 Location
5.5 Cryptography
6 Authentication mechanisms
6.1 Symmetric mechanisms
6.1.1 Kerberos
6.2 Asymmetric mechanisms
6.2.1 DSSA/SPX
6.2.2 X.509 Authentication service
6.3 One-time password mechanisms
6.4 The RADIUS protocol
6.5 Strong user authentication mechanisms
7 Attacks against authentication mechanisms
7.1 Guessing attacks
7.1.1 Brute force
7.1.2 Dictionary
7.2 Interception attacks
7.2.1 Sniffing
7.2.2 Man in the middle attack
7.2.3 Spoofing and masquerading
7.2.4 Attack on the underlying infrastructure
7.3 Denial of service attack
7.4 Social engineering
7.5 Attacks on biometrics
Part II – Analysis and Construction
8 Scenarios
8.1 Goals
8.2 Scenario I – External known client
8.3 Scenario II – External unknown client
8.4 Scenario III – Internal client
9 Practical analysis of strong user authentication mechanisms
9.1 Products
9.1.1 Mideye
9.1.2 RSA-SecureID
9.1.3 Siemens-Smartcard
9.2 Strength of security
9.2.1 Cryptography
9.2.2 Misuse and theft
9.2.3 Token interface
9.3 Physical protection
9.4 Ease of use
9.5 Efficient administration
9.6 Economical aspects
9.7 Further usage
9.8 Analysis
9.8.1 Classifying information
9.8.2 Mideye
9.8.3 Secure-ID
9.8.4 Siemens-smartcard
9.8.5 Analysis summary
10 Construction
10.1 The authentication server
10.1.1 Design
10.1.2 Configuration
10.2 Equipment
10.3 Infrastructure context
11 Conclusion
11.1 Conclusions about authentication in general
11.2 Conclusions about the practical implementation
12 Discussion
12.1 Pointers to further development
Appendix

Author: Haraldsson, Emil

Source: Linköping University
