Authentication is necessary, and its importance cannot be overemphasized, because we live in a world where we struggle with the need for privacy (the argument about privacy being a good thing or a necessary human right is one that can go on for years), with crime, and with many other reasons why you may want to protect data or information. The need to keep that information private to a defined set of people has led to the concept of authentication. Another major struggle is making sure that the authentication techniques and methods available to us are as secure as possible against known attacks and, to some extent, against zero-day attacks.
“The argument about the need for privacy being a necessary human right is an argument that can totally go on for years. Crime is also perpetrated daily, and the guys on the bad side of the law could also argue that privacy should be a human right so as to stay under the radar and prevent getting caught. So there are usually two sides to the debate.”
Hashing, put simply, scrambles a string of characters so that the actual string is masked. More precisely, hashing passes characters through an algorithm that transforms them into an output that is not easily understood by anyone not familiar with the particular algorithm that was used.
Although the authentication schemes that have been put in place are somewhat useful, they are largely vulnerable because of the human factor in the authentication models: the interaction between systems, these schemes and their checks depends heavily on the human. The problem with the schemes available for authentication is that everything a human can think of is computable by a computer in N time, so the imperfections and faults of humans lead to a major compromise in the effectiveness of these security schemes.
When building hash tables for dictionary attacks, there has always been a debate about which factor to give up: memory/storage or speed. It used to be a struggle to compute a whole dictionary of hashes and then run a brute-force attack. The drawback is that it takes up a great deal of memory, because all the hashes are pre-computed and stored in the dictionary. The advantage is that it does not take as much time, depending on the strength of the password and the accuracy of the dictionary.
Rainbow tables became the best alternative for cracking passwords. They support the time-memory trade-off: a binary search is used to go through the tables, and not every hash has to be stored. This is relatively faster than performing linear searches over ordinary hash tables.
The safest way is to not choose your own password at all. Human-chosen passwords have very low entropy: most people choose passwords from names, birthdays, events, and other things they hold dear, which is never random enough, making them relatively easy and quick to recover.
– If you ever have to choose a password, choose one that has absolutely nothing to do with you. That way it becomes much harder for an attacker to design a dictionary tailored to you.
Challenge-response is simply an added level of authentication in which a client/user receives a challenge from a server and must prove that it is the genuine party trying to authenticate. The client then sends back a response that confirms it knows the password. This scheme also uses a property called zero-knowledge. The main objective of the challenge-response scheme is to prevent attackers from running a replay attack, i.e. re-sending the messages of an already successful protocol run or authentication.
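The exchange described above, as an added example that is not part of the original post. It assumes an HMAC-SHA256 response over a random nonce (the post does not name a specific algorithm) and a constructed shared secret; the server consumes each nonce on first use, so a captured response replayed later is rejected.

```python
import hmac
import hashlib
import secrets

# Constructed demo secret. In practice this would be derived from the
# user's password (e.g. a stored password hash), never the raw password.
SHARED_SECRET = b"constructed-demo-secret"


class Server:
    """Issues one-time challenges and verifies HMAC responses."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.outstanding: set[bytes] = set()  # challenges not yet consumed

    def issue_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh and unpredictable per attempt
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already-used challenge: replay rejected
        self.outstanding.discard(nonce)  # single use, consumed even on failure
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """Prove knowledge of the secret without sending the secret itself."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_protocol(server: Server, secret: bytes) -> tuple[bytes, bytes, bool]:
    """One full run: challenge, response, verdict."""
    nonce = server.issue_challenge()
    resp = client_response(secret, nonce)
    return nonce, resp, server.verify(nonce, resp)


def replay_rejected(server: Server, secret: bytes) -> bool:
    """Capture one successful run, replay it verbatim, expect rejection."""
    nonce, resp, ok = run_protocol(server, secret)
    return ok and not server.verify(nonce, resp)
```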