Entity authentication

Learning objectives

Gain insight into

• entity authentication protocols,
• the benefits and limitations of authentication factors,
• key establishment protocols,
• why and how to use authentication servers.

Overview

Authentication methods are based on something known, owned, biometric, location or evidence of trusted third party authentication.

• A password is a case of something known. Passwords are a vulnerable, but cheap and convenient way of authenticating an entity. Several techniques to augment their effectiveness are in use including challenge-response and one-time passwords.
• Secure devices such as smart cards and USB tokens often combine the 'owned' with the 'known', since secret keys are locked in the token with a password or PIN code. However, within the broad category of secure tokens, trustworthiness is variable, depending on whether keys can be extracted, passwords can be eavesdropped or the device can be tampered with.
• Biometry identifies a person via physical characteristics.
• Location is often used as the sole authentication factor, but is insecure given the relative ease of spoofing IP or MAC addresses.
• Multi-factor authentication is stronger than single-factor.
• The Kerberos protocol uses a key distribution-based authentication server. Service consumers must authenticate with a central server to obtain a secret session key with service providers. Such schemes require a single sign-on to access servers across a trust domain.

While public key cryptography is well suited to entity authentication, performance constraints often mandate a symmetric algorithm for encrypting data passed between systems. Key establishment should be linked to authentication, so that a party has assurances that a key is only shared with the authenticated party. The Diffie-Hellman key agreement protocol underlies a host of current technologies such as STS (Station-to-Station protocol) and IKE.