Cryptography-Based Authentication for Protecting Cyber Systems

Introduction

Entity authentication studies how to verify the identity of an entity (either a human being or a computer) and it is a fundamental issue in protecting cyber systems, including web services and web applications.

Four factors can be used to authenticate an entity, namely, what you know, what you have, who you are, and where you are. A what-you-know authentication verifies an entity through the proof of memorable knowledge, such as a password, a PIN number, or the answer to a specific question. Password authentication is the most commonly seen knowledge-based authentication. A what-you-have authentication verifies an entity through the proof of possession of a hardware token, which stores a strong secret that most human beings have difficulty to remember. Example hardware tokens include a USB token, a smartcard, and a Radio Frequency Identification (RFID). A who-you-are authentication verifies a human being user through his/her biological or behavioral characteristics and hence is also called biometric authentication. Example biological characteristics include fingerprints, voices, faces, iris and DNA; example behavioral characteristics include handwritten signature and keystrokes. A where-you-are authentication verifies an entity through its geographical location, for example, through the global positioning system (GPS).

What roles does cryptography play in these entity authentication categories? This question turns out to be surprisingly elusive. This is in sharp contrast to the fact that cryptography is widely known for providing data confidentiality through encryption (including symmetric-key encryption and public-key encryption), data integrity through message authentication code (MAC, such as cipher-based MAC and hash-based MAC), and non-repudiation through digital signatures.

This book chapter is to fill this gap and provide a comprehensive view on the important roles of cryptography in the first three authentication factors for protecting cyber systems. First, in the what-you-know authentication category, we will focus on three significant roles of cryptography in password authentication: (1) the application of cryptographic hash functions in the generation of password verification data (PVD) to protect against malicious server administrator and server compromise-based network attacks; (2) the use of cryptographic algorithms in the password-based challenge/response protocol, which has been used by Microsoft Windows authentication and HTTP digest authentication; (3) the marriage of password authentication with cryptographic key exchange protocols, resulting in password-authenticated key exchange (PAKE) protocols that offer password-based mutual authentication.

Second, in the token-based what-you-have authentication category, we will study the cases where a token stores either a symmetric key or the private key of a public/private key pair. For symmetric key-based authentication, we focus on the symmetric key-based challenge/response authentication paradigm and its applications. For private key-based authentication, we shall focus on the authenticated key exchange paradigm, which has been used in IP Security (IPsec) Internet Key Exchange (IKE), Secure Socket Layer (SSL), and Secure Shell (SSH).

Third, in the biometric-based who-you-are authentication category, we will study fuzzy extractor, a new cryptographic primitive that can be used to enhance the security and privacy of biometric authentication through protecting biometric reference templates.

This chapter is organized around cryptography’s roles in these authentication categories. Before going into these details, we shall first review some basic authentication concepts in next section.