CNS - 06 - User Authentication I

• Date: [2020-10-01 gio 11:30]

• Lecturer: Giuseppe Bianchi

• Slides: CNS 06 - User Authentication

• Introduction: In the last lecture we discussed the difference between passwords and secrets. From now on we will treat passwords and secrets as the same thing (even though they are different in practice!), that is, they both allows me to authenticate. In this lecture we will talk about protocols used to authenticate.

Authentication is a proof of knowledge process in which we have to prove that we know the password. Notice that proving we know the password does not necessarily imply we have to show the password, although showing the password is sufficient to prove that we know the password.

There are also different techniques which can be classified by how much they reveal, such as

• PAP, Full disclosure

• CHAP, Some information leaks

• ZKP, no information leakeages (zero-knowledge protocols)

Modern cryptography makes use of zero-knowledge protocols, which have no information leakage, that is, they reaveal nothing. These methods however are typically more complex to implement, and so in real systems we dont see much of them. For example in 4/5G CHAP protocols are used.

Remember that

• One-way authentication: user proves to the site he is authentic.

• Mutual authentication: both parties provide to eachother their authenticity.

PAP (Password Authentication Protocol) is the simplest possible authentication approach.

In PAP the password (the secret) is pre-shared between the user and the authenticator. When the user wants to authenticate, he simply shows the password in clear to the authenticator. The authenticator has a big database, which is looked into when the user passes to it his password. If the check works out fine, that if the password sent by the user is found within the db, the user is authenticated.

CHAP - Challenge Handshake Authentication Protocol

The idea is to prove that I know the password without actually revealing it explicitly. To do this we introduce the concept of proof of knowledge, which is the result of a computation that can only be done if we know the secret.

If \(p\) is the secret, I am not telling you \(p\), but I'm telling you \(f(p)\), and I'm able to compute \(f(p)\) only because I know \(p\). To make this mechanism robust, the function \(f(\cdot)\) has to have some properties. For example, \(f(\cdot)\) cannot be the square function \(f(x) = x^2\), because the square function can be easily reversed. The properties desired are thus the following:

• Not Reversability: The computation must NOT reveal the secret itself. If \(r = f(p)\), then the inverse \(p = f^{-1}(r)\) must NOT be computable. That is, we cannot invert the function.

• Not Replayability: \(f(p)\) must not be replayed by an attacker. This means that \(f(p)\) cannot be a function only of \(p\), but it must include a nonce (also called a challenge).

The protocol is described as follows

1. The authenticator sends a challenge to the remote user. The authenticator also has to make sure that the challenge never repeats.

2. The remote users computes the reply

   \[R = H(\text{Challenge}, \text{Password}, \text{etc...})\]

   and sends to the authenticator the \(\text{UID}\) and the computed reply \(\text{R}\).

3. The authenticator takes the \(\text{UID}\) sent by the user and uses it to retrieve the password from the local db. After that he applies the function \(H\) with the challenge sent and computes again, separetly from the user, the value

   \[X = H(\text{Challenge}, \text{Password}, \text{etc...})\]

   After that he compares the result he himself obtained \((X)\) with the result sent by the remote user \((R)\) The final result of the authentication comes down to the result of this comparion: if both strings are the same, the user is authenticated, otherwise the user is not.

Graphically we get

Notice in the scheme how the authenticator does not need to reverse the function, he can simply re-computed the function \(H(\cdot)\), since he has all the inputs of the function.

Intuitively an hash function can be imagined as a "tritacarne", because it takes something as a input (some meat) and it scrambles it to give you a something which is uniquely associated with that input (a sort of fingerpint).

Conceptually an hash function (even non crypto) is a "summary function" that takes an arbitrary message of length \(X\) and gives as a result fixed size value \(Y = H(X)\) that we call digest (digest is the name assigned to the result of an hash function).

\[\text{arbitrary size } X \to \text{ fixed size } Y = H(X)\]

Generally an hash function should be relatively easy to compute for any given X. The minimal level of security for today standards is SHA256 which has a digest of the size of \(256\) bits. Older hash functions like MD5 are broken and should not be used.

Notice that the input can be shorted than the fixed size. To give some example, you can use the sha256-hash-calculator site to compute some SHA-256

(string) giuseppe is going to the see
(sha-256) 4a6e0e11ccaa265d61e8239d31f5e2c47fd93876343617db84ad37a22b86e368