Kaliski Mutual Authentication


  • 7/31/2019 Kaliski Mutual Authentication

    Stronger Authentication: The Feeling is Mutual

    Burt Kaliski, RSA Laboratories

    December 6, 2005

    Introduction

    User authentication is growing in importance in e-commerce

    Many organizations are calling for stronger authentication mechanisms than the typical password-based schemes

      e.g., FFIEC guidance on authentication in Internet banking (Oct. 2005); FSTC Better Mutual Authentication project

    As these efforts illustrate, authentication strength depends on more than just the factors

    And the authentication story depends on more than just the user

    User Authentication Model

    [Diagram: User, User's Devices (Auth. Factors), Agent and Resource, linked by Evidence and Auth. Protocol]

    Forward Authentication Steps

    User and User's Devices present Evidence to Agent demonstrating possession of Authentication Factors

    Agent conveys Evidence to Resource in Authentication Protocol

    Variations on the Model

    Local authentication: User authenticates directly to resource, without agent

      e.g.: Log into PC; Unlock smart card

    Authentication server: User authenticates once to authentication server, which relays ticket or authentication assertion to resource

      e.g.: Kerberos; Identity providers

    Validation server: Resource relies on separate validation server for part or all of authentication decision

      e.g.: Credential federation

    Contextual factors: Where & when did the protocol originate?

    Describing an Authentication Mechanism

    An authentication mechanism is a ceremony* involving:

      Selected authentication factors

      Particular evidence about those factors; and a

      Specific protocol for conveying the evidence

    Simple authentication mechanism has one resource, one authentication decision

    * Ceremony = Carl Ellison / Jesse Walker model for protocols involving users

    Composing Authentication Mechanisms

    Compound authentication mechanism combines two or more mechanisms, more than one authentication decision

    Recursive composition: One mechanism enables access to factors of another

      e.g.: Unlock smart card with PIN, authenticate to resource with smart card

      smart card = (local) resource for first decision

    Sequential composition: One mechanism adds to another

      e.g.: Authenticate to resource with password, then later with answers to life questions; Risk-based approaches

    Example Factors

    Something you know:

      Password / PIN

      Knowledge-based authentication

      Cognometrics™ (PassFaces™)

    Something you have:

      One-time password token

      Smart card / USB token

      Mobile phone

    Something you are / can do:

      Biometrics

    Example Factors & Evidence

    (Factor → Evidence)

    Something you know:

      Password / PIN → Password / PIN

      Knowledge-based authentication → Answer

      Cognometrics™ (PassFaces™) → Image selection

    Something you have:

      One-time password token → One-time password

      Smart card / USB token → Signature

      Mobile phone → Voice confirmation

    Something you are / can do:

      Biometrics → Fingerprint

    Example Authentication Protocols

    Agent can send evidence directly to resource over secure channel

      e.g.: Password over SSL/TLS; Simple EAP mechanisms

    Or, can prove knowledge of evidence

      e.g.: MS-CHAP

      e.g.: Zero-knowledge password protocols: EKE, SPEKE, etc.

    Agent can transform evidence to associate with resource context

      e.g.: Password hashing; EAP-POTP

    Can also combine evidence, perhaps with factors held locally
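
    An added example (not from the original slides) of the "password hashing" transformation listed above: the agent derives the evidence from the password and the resource identifier, so evidence computed for one resource does not verify at another. The hostnames, iteration count and function names are assumptions made for this sketch.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed work factor for this sketch

def derive_evidence(password: str, user: str, resource_id: str) -> bytes:
    """Agent side: bind the password to the resource context via the salt."""
    salt = f"{resource_id.lower()}\x00{user}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Resource:
    """Resource side: stores only a hash of its own resource-specific evidence."""
    def __init__(self, resource_id: str):
        self.resource_id = resource_id
        self._verifiers = {}

    def enroll(self, user: str, evidence: bytes) -> None:
        self._verifiers[user] = hashlib.sha256(evidence).digest()

    def authenticate(self, user: str, evidence: bytes) -> bool:
        expected = self._verifiers.get(user)
        if expected is None:
            return False
        return hmac.compare_digest(expected, hashlib.sha256(evidence).digest())

def demo() -> dict:
    # Constructed sample values: a resource and a look-alike identifier.
    real = Resource("bank.example")
    password, user = "correct horse battery", "alice"
    real.enroll(user, derive_evidence(password, user, real.resource_id))
    # Evidence the agent computes while connected to each identifier.
    for_real = derive_evidence(password, user, "bank.example")
    for_lookalike = derive_evidence(password, user, "bank-example.test")
    return {
        "real_login": real.authenticate(user, for_real),
        "lookalike_evidence_at_real": real.authenticate(user, for_lookalike),
    }

if __name__ == "__main__":
    print(demo())
```

    The binding holds only when the agent itself takes resource_id from the connection it is on, rather than from anything the resource or the user supplies.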

    Security Challenges

    Corrupted agent can misuse evidence

    Rogue resource can also misuse evidence, unless agent runs strong protocol

    Man-in-the-middle is also a threat, depending on protocol

    Even if mechanism protects user authentication, attacker may be able to mislead the user into disclosing other sensitive information

    Key question: How does user authenticate the resource and the agent?

    Resource Authentication Model

    [Diagram: User, User's Devices (Auth. Factors), Agent and Resource, linked by Evidence and Auth. Protocol]

    Reverse Authentication Steps

    Resource demonstrates authenticity to Agent in Authentication Protocol

    Agent presents Evidence of authenticity to User and User's Devices

    Resource Authentication Examples

    1. Resource PKI

      Resource authenticates to agent with certificate

      Agent presents evidence via lock icon, certificate status

      But how does user know lock is actually from agent? Also, certificate trust lists can easily be confused

    2. Zero-knowledge protocols

      Resource authenticates via ZK proof of knowledge of evidence

      Reverse hashing is a weaker variant

      Agent presents evidence via visual indicator

      But how does user know indicator is actually from agent, or that protocol is even running?

    Resource Authentication Examples (cont'd)

    3. Next one-time password

      Resource authenticates to user by providing next one-time password (assumes user has OTP device as one factor)

      Agent presents next OTP directly to user

      But only authenticates that resource is present; doesn't detect man-in-the-middle

    4. Dynamic security skins (Rachna Dhamija)

      Resource authenticates to agent with certificate

      Agent presents resource identifier via pattern based on hash of resource identifier

      But again, how does user know that pattern is from agent?
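
    An added sketch (not from the original slides) of example 3: the resource answers a valid one-time password with the next one, and the user's token checks the reply. HOTP (RFC 4226) stands in for the unspecified OTP algorithm, and the class and function names are assumptions; the last two cases show that the check proves the key holder is reachable, not that the path to it is direct.

```python
import hashlib
import hmac
import struct

KEY = b"12345678901234567890"  # RFC 4226 test key, used here as sample data

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Resource:
    """Holds the shared key; answers a valid OTP n with OTP n+1."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def login(self, otp: str):
        if not hmac.compare_digest(otp, hotp(self.key, self.counter)):
            return None
        reply = hotp(self.key, self.counter + 1)
        self.counter += 2  # both values are now spent
        return reply

class Token:
    """User's OTP device: shows OTP n and the reply it expects (OTP n+1)."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def next_pair(self):
        pair = hotp(self.key, self.counter), hotp(self.key, self.counter + 1)
        self.counter += 2
        return pair

def user_accepts(token: Token, channel) -> bool:
    """`channel` is whatever path carries the OTP to the resource and back."""
    otp, expected = token.next_pair()
    reply = channel(otp)
    return reply is not None and hmac.compare_digest(reply, expected)

def demo() -> dict:
    resource, token = Resource(KEY), Token(KEY)
    return {
        "direct": user_accepts(token, resource.login),
        "via_intermediary": user_accepts(token, lambda o: resource.login(o)),
        "no_key": user_accepts(token, lambda o: "000000"),
    }
```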

    Resource Authentication Examples (cont'd)

    5. Watermark or user-selected image

      Resource authenticates to user by providing a previously registered watermark or image

      Agent presents picture directly to user

      Again, doesn't detect man-in-the-middle

    Summary: Mutual User Authentication

    Each approach to resource authentication has pros and cons in terms of usability, security against various threats

    Agent needs a trustworthy user interface*, otherwise user can't rely on evidence presented

    Resource should enable some evidence that the agent can present to user

    Rapport-building is important if user can't be sure that agent is running strong protocols

    Contextual factors provide a foundation

    * See Trustworthy Interfaces for Passwords and Personal Information workshop (crypto.stanford.edu/TIPPI)

    Related Example: RFID Tag Authentication

    Radio-frequency ID tags (tiny chips with antennas) are used to track inventory, and increasingly to authenticate items

      e.g.: Passports, containers, etc.

    Authentication model is similar to user authentication:

      User / Devices = RFID tag

      Agent = Reader

      Resource = Back-end system

    Security challenges are also similar; plus, rogue reader can potentially read without permission

    How does RFID tag authenticate the reader?

    Reader Authentication Examples

    1. Reader / back-end PKI

      Reader or back-end authenticates to tag with certificate

      But hard for typical tags to do public-key crypto operations

    2. Symmetric crypto

      Reader authenticates with shared symmetric key

      But how to identify which key without enabling tracking?

    3. One-time identities (e.g., Ari Juels' minimalist crypto)

      Reader, tag authenticate with one-time identifiers and PIN

    4. Reader identification

      Reader broadcasts its authorization for the auditors; tag checks that authorization is present, but doesn't verify

    Conclusions

    All parties need assurance that the others are authentic: both the user or tag, and the system

    Obtaining this assurance is an important challenge in protocol design, whether for e-commerce or physical objects

    Authentication is more than just about factors: the evidence, the protocols and the user interface all affect security

    Contact Information

    Burt Kaliski

    RSA [email protected]

    www.rsasecurity.com/rsalabs
