In Unit 6: Cryptography, learn concepts like User Authentication and Kerberos: Introduction, Authentication Basics, Passwords, Authentication Tokens, Certificate-based Authentication, Biometric Authentication, Kerberos, Key Distribution Center (KDC), Security Handshake Pitfalls, Single Sign On (SSO) Approaches.
Unit 6: Cryptography
Que 1. What is Biometric Authentication? Explain techniques of Biometric Authentication.
- Biometric devices use human characteristics such as fingerprint, voice, or iris pattern to authenticate users.
- Samples taken during authentication can vary slightly due to physical changes in the user’s characteristics.
- Multiple samples are taken during registration and averaged to create a baseline for authentication.
- Biometric systems define two configurable parameters: False Accept Ratio (FAR) and False Reject Ratio (FRR).
- Combining passwords/PINs, smart cards, and biometrics provides the best security solution, but this can be a complex system to build and/or use.
Working:
- Biometric authentication involves creating a user’s sample and storing it in a database.
- During authentication, the user provides a sample of the same nature (e.g. retina scan or fingerprint).
- The sample is sent over an encrypted session (e.g. SSL) to the server.
- On the server, the current sample is decrypted and compared with the one stored in the database.
- If the two samples match to the expected degree, as set by the FAR/FRR thresholds, the user is authenticated successfully. Otherwise, the user is considered invalid.
Types of Biometric Authentication

(a) Face: Distance between facial features is measured using geometrical techniques for identification.
(b) Voice: Unique characteristics of sound waves, such as pitch and tone, are used to identify individuals.
(c) Fingerprint: Uniqueness of fingerprints is leveraged using minutiae-based or image-based techniques
for authentication.
(d) Iris: Unique pattern inside the iris is identified using laser beams for reliable authentication.
(e) Retina: Blood vessel patterns at the back of the eye are examined to provide a unique identification
pattern for authentication (less common due to high cost).
(f) Keystroke: Characteristics such as typing speed, keystroke strength, timing, and error patterns are
measured to identify users, but it is not as reliable as other authentication methods.
(g) Signature: Scanned computer-based signatures are compared with physical signatures on documents
for verification purposes.
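The FAR/FRR trade-off mentioned above is easier to see with numbers. The Go program below is an added worked example for these notes, not code from the original material: it enrols a template by averaging registration samples, scores fresh samples against it, and computes FAR and FRR at several thresholds. The two-dimensional feature vectors, the Euclidean-distance matcher and the names Enroll, Score, Match, Rates and DemoRates are all constructed for the example; real feature extraction and matching are far more involved.

```go
package main

import (
	"fmt"
	"math"
)

// Template is the enrolled baseline: the average of several samples
// taken at registration, as the notes describe.
type Template []float64

// Enroll averages the feature vectors collected during registration.
func Enroll(samples [][]float64) Template {
	t := make(Template, len(samples[0]))
	for _, s := range samples {
		for i, v := range s {
			t[i] += v / float64(len(samples))
		}
	}
	return t
}

// Score maps a fresh sample to a similarity in (0, 1]: 1 means identical
// to the template, smaller means further away. Euclidean distance stands
// in for a real matcher here (an assumption made for the example).
func Score(t Template, sample []float64) float64 {
	var d float64
	for i := range t {
		d += (t[i] - sample[i]) * (t[i] - sample[i])
	}
	return 1 / (1 + math.Sqrt(d))
}

// Match is the authentication decision: accept when the similarity
// reaches the configured threshold.
func Match(t Template, sample []float64, threshold float64) bool {
	return Score(t, sample) >= threshold
}

// Rates computes the two configurable error rates at one threshold:
// FAR = impostor attempts accepted / impostor attempts,
// FRR = genuine attempts rejected / genuine attempts.
func Rates(genuine, impostor []float64, threshold float64) (far, frr float64) {
	var accepted, rejected float64
	for _, s := range impostor {
		if s >= threshold {
			accepted++
		}
	}
	for _, s := range genuine {
		if s < threshold {
			rejected++
		}
	}
	return accepted / float64(len(impostor)), rejected / float64(len(genuine))
}

// Constructed sample data: two-dimensional "feature vectors" chosen so the
// trade-off is visible; no real biometric data is involved.
var (
	enrolled = Enroll([][]float64{{1.0, 2.0}, {1.2, 2.2}, {0.8, 1.8}})
	genuine  = [][]float64{{1.1, 2.1}, {0.9, 1.9}, {1.3, 2.0}, {1.0, 2.5}}
	impostor = [][]float64{{3.0, 4.0}, {1.5, 2.5}, {0.0, 2.0}, {1.2, 2.3}}
)

func scores(samples [][]float64) []float64 {
	out := make([]float64, len(samples))
	for i, s := range samples {
		out[i] = Score(enrolled, s)
	}
	return out
}

// DemoRates returns FAR and FRR for the constructed data at one threshold.
func DemoRates(threshold float64) (far, frr float64) {
	return Rates(scores(genuine), scores(impostor), threshold)
}

func main() {
	for _, th := range []float64{0.6, 0.75, 0.9} {
		far, frr := DemoRates(th)
		fmt.Printf("threshold %.2f: FAR %.2f  FRR %.2f\n", th, far, frr)
	}
}
```

Raising the threshold drives FAR down and FRR up (at 0.6 the constructed data gives FAR 0.25 and FRR 0; at 0.75 FAR 0 and FRR 0.25); the point where the two curves cross is the equal error rate that vendors usually quote, and choosing a threshold is choosing which error the deployment would rather make.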
Que 2. What do you mean by Authentication Tokens? Explain the working of the Authentication Token scheme.
Authentication Token
An authentication token is an extremely useful alternative to a password. An authentication token is a
small device that generates a new random value every time it is used. This random value becomes the
basis for authentication. The small devices are typically of the size of small key chains, calculators or
credit cards. Usually, an authentication token has the following features:
● Processor
● Liquid Crystal Display (LCD) for displaying outputs
● Battery
● (Optionally) a small keypad for entering information
● (Optionally) a real-time clock
Each authentication token (i.e. each device) is pre-programmed with a unique number, called a random
seed, or just seed. The seed forms the basis for ensuring the uniqueness of the output produced by the
token.
Working of Authentication token scheme
Step 1: Creation of a Token:
- The authentication server generates a random seed for the authentication token, which acts as a unique identifier for the user.
- The seed is stored in the token and associated with the user’s record in the user database.
- The user is unaware of the seed value programmed inside the token.
Step 2: Use of Token:
- The authentication token generates one-time passwords (OTPs) based on the pre-programmed seed.
- When the user wants to authenticate, they enter their user ID and the latest OTP displayed on the token.
- The server retrieves the seed corresponding to the user ID from the user database and validates the OTP using a password-validation program.
- The server determines if the provided OTP matches the OTP generated by the token using synchronization techniques.
Step 3: Server Returns an Appropriate Message back to the User:
- The server responds to the authentication attempt and sends a relevant message to the user.
- The message indicates whether the authentication process was successful or unsuccessful.
- The user can proceed with accessing the desired resources or services based on the server’s response.
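The seed-based OTP scheme of Steps 1 to 3 is what RFC 4226 (HOTP) standardises: token and server share a seed and a counter, and the server tolerates a few unused codes when "synchronising". The Go program below is an added example written for these notes, not code from the original; the HOTP function follows the RFC, while Token, Server, Provision and Verify are constructed names for the roles in the three steps. The seed is the RFC's own test-vector secret so the first codes the token shows (755224, 287082, ...) can be checked against the RFC's table.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP derives a 6-digit one-time password from the shared seed and a moving
// counter as RFC 4226 specifies: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to 31 bits, then the low six decimal digits.
func HOTP(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Token models the user's device: it holds the seed (which the user never
// sees) and its own counter, advanced every time a code is displayed.
type Token struct {
	seed    []byte
	counter uint64
}

// Next is what happens when the user presses the button on the token.
func (t *Token) Next() string {
	otp := HOTP(t.seed, t.counter)
	t.counter++
	return otp
}

// Server keeps each user's seed and the next counter it expects; this is the
// "seed associated with the user's record" of Step 1.
type Server struct {
	seeds    map[string][]byte
	counters map[string]uint64
	window   uint64 // how many unused codes the server will skip over
}

func NewServer(window uint64) *Server {
	return &Server{seeds: map[string][]byte{}, counters: map[string]uint64{}, window: window}
}

// Provision is Step 1: the server stores the seed under the user's record and
// programs the same seed into the token.
func (s *Server) Provision(user string, seed []byte) *Token {
	s.seeds[user] = seed
	return &Token{seed: seed}
}

// Verify is the validation of Step 2 with counter synchronisation: the token
// may have been pressed a few times without a login, so the server tries the
// expected counter and up to `window` counters ahead. An accepted counter is
// consumed, so the same OTP cannot be replayed and older codes expire with it.
func (s *Server) Verify(user, otp string) bool {
	seed, ok := s.seeds[user]
	if !ok {
		return false
	}
	start := s.counters[user]
	for c := start; c <= start+s.window; c++ {
		if hmac.Equal([]byte(HOTP(seed, c)), []byte(otp)) {
			s.counters[user] = c + 1
			return true
		}
	}
	return false
}

func main() {
	srv := NewServer(5)
	// Constructed seed: the RFC 4226 test-vector secret, so the codes the token
	// displays (755224, 287082, ...) can be checked against the RFC's table.
	tok := srv.Provision("alice", []byte("12345678901234567890"))
	skipped := tok.Next() // displayed but never typed in
	used := tok.Next()
	fmt.Println("current code accepted:", srv.Verify("alice", used))
	fmt.Println("replay accepted:      ", srv.Verify("alice", used))
	fmt.Println("stale code accepted:  ", srv.Verify("alice", skipped))
}
```

The look-ahead window is the "synchronization technique" of Step 2 in its simplest form: a small window keeps the server usable when the user presses the button without logging in, while a large window widens the set of codes an attacker could guess, so it is a security parameter rather than a convenience setting. Comparing with hmac.Equal rather than == keeps the comparison constant-time.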
Que 3. What are the two approaches of SSO? Explain the role of SSO.

Role of SSO
The role of Single Sign-On (SSO) is to provide a seamless and convenient authentication experience for users while improving security and reducing administrative overhead for organizations.
- Enhanced user experience: Users can access multiple applications and systems with a single set of credentials, simplifying the login process and improving productivity.
- Improved security: SSO reduces the reliance on weak passwords and enables centralized access control, enforcing strong security measures consistently across systems.
- Centralized authentication and access control: SSO centralizes the authentication process, allowing organizations to manage user access and authentication policies in one place.
- Streamlined user provisioning and deprovisioning: SSO simplifies the management of user access privileges, making it easier to onboard and offboard users.
- Audit and compliance: SSO provides better visibility and control over user access, facilitating monitoring, auditing, and compliance with regulatory requirements.
Script-Based SSO:
- In script-based SSO, authentication and authorization are managed through scripts or code embedded within applications.
- Users authenticate themselves individually to each application, and the script within each application verifies the user’s credentials.
- The script then establishes a session for the user, allowing them to access other applications without requiring further authentication.
- Example: An organization uses script-based SSO to enable its employees to access different internal systems such as email, document management, and HR portals. Once authenticated to one system, the user can seamlessly access other systems without entering credentials again.
Agent-Based SSO:
- Agent-based SSO relies on a dedicated software agent installed on the user’s device or workstation.
- The agent intercepts authentication requests from applications and handles the authentication process on behalf of the user.
- Upon successful authentication, the agent provides a security token to the application, allowing the user to access multiple applications without additional login prompts.
- Example: A user logs into their computer and launches a web browser. The agent installed on the computer automatically authenticates the user to the browser, and subsequent requests to various web applications are handled by the agent, providing a seamless single sign-on experience.
Que 4. What is Kerberos? Explain the Kerberos processing steps for client-server authentication with the help of a neat diagram.
Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users. In Kerberos, an Authentication Server and a database are used for client authentication. Kerberos runs as a trusted third-party server known as the Key Distribution Center (KDC). Each user and service on the network is a principal.

The main components of Kerberos are:
- Authentication Server (AS): performs the initial authentication and issues the ticket for the Ticket Granting Service.
- Database: the Authentication Server verifies the access rights of users against the database.
- Ticket Granting Server (TGS): issues the ticket for the Server.
Kerberos Overview:
- Step 1: The user logs in and requests services on the host; that is, the user requests a ticket from the ticket-granting service.
- Step 2: The Authentication Server verifies the user’s access rights using the database and then issues a ticket-granting ticket and a session key. The results are encrypted using the user’s password.
- Step 3: The message is decrypted using the password, and the ticket is then sent to the Ticket Granting Server. The ticket contains authenticators such as user names and network addresses.
- Step 4: The Ticket Granting Server decrypts the ticket sent by the user, verifies the request using the authenticator, and then creates the ticket for requesting services from the Server.
- Step 5: The user sends the ticket and authenticator to the Server.
- Step 6: The Server verifies the ticket and authenticator, then grants access to the service. After this, the user can access the service.
Que 5. Explain the concept of Key Distribution Center (KDC) with neat diagram.
- Key Distribution Center (KDC) is a central authority dealing with keys for individual computers (nodes) in a computer network. It is similar to the concept of the Authentication Server (AS) and Ticket Granting Server (TGS) in Kerberos.

The basic idea is that every node shares a unique secret key with the KDC. Whenever user A wants to communicate securely with user B, the following happens:
- The background is that A has shared a secret key KA with the KDC. Similarly, B is assumed to share a secret key KB with the KDC.
- A sends a request to the KDC encrypted with KA, which includes:
  (a) Identities of A and B
  (b) A random number R, called a nonce
- The KDC responds with a message encrypted with KA, containing:
  (a) One-time symmetric key KS
  (b) The original request that was sent by A, for verification
  (c) KS encrypted with KB, and the ID of A encrypted with KB
- A and B can now communicate by using KS for encryption.
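The six Kerberos steps of Que 4 and the KDC exchange of Que 5 can be run end to end with ordinary symmetric encryption, which shows which key opens what at each step. The Go program below is an added example for these notes, not code from the original or from any real Kerberos implementation. It simplifies the real protocol (no timestamps, lifetimes, nonces or network addresses, a single server, and SHA-256 instead of a proper password-to-key function), and every name in it (seal, open, KDC, Ticket, Reply, ASRequest, TGSRequest, openTicket, Login) is constructed. ASRequest is the Que 5 exchange: A's request comes back as a session key for A plus the same key sealed for the other party (here the TGS), readable only by the holder of the shared key KA.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// seal/open are the "encrypt with key K" boxes of the diagram: AES-256-GCM with
// a random nonce prepended; open fails on a wrong key or a modified message.
func seal(key []byte, v any) []byte {
	pt, _ := json.Marshal(v)
	block, _ := aes.NewCipher(key) // keys are always 32 bytes in this example
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return append(nonce, gcm.Seal(nil, nonce, pt, nil)...)
}

func open(key, msg []byte, v any) error {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	pt, err := gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
	if err != nil {
		return err
	}
	return json.Unmarshal(pt, v)
}

func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// userKey is the long-term key derived from the password (Step 2 encrypts the
// AS reply "using the password"); SHA-256 is an assumption, not a password KDF.
func userKey(pw string) []byte { k := sha256.Sum256([]byte(pw)); return k[:] }

// A Ticket is sealed under the key of whoever must open it (TGS key for the TGT,
// server key otherwise); the authenticator is the client name sealed under the
// session key carried inside the ticket.
type Ticket struct{ Client string; SessionKey []byte }
type Reply struct{ SessionKey, Ticket []byte }

// KDC holds the AS database of user keys plus the TGS key and the server's key.
type KDC struct{ userKeys map[string][]byte; tgsKey, svcKey []byte }

func NewKDC() *KDC                     { return &KDC{map[string][]byte{}, newKey(), newKey()} }
func (k *KDC) AddUser(user, pw string) { k.userKeys[user] = userKey(pw) }

// Steps 1-2 (and the Que 5 exchange): the AS checks the user exists and returns
// a session key plus the TGT, sealed under the user's key, so only someone who
// knows the password can read the session key. The password itself never travels.
func (k *KDC) ASRequest(user string) ([]byte, error) {
	uk, ok := k.userKeys[user]
	if !ok {
		return nil, errors.New("unknown principal")
	}
	sk := newKey()
	return seal(uk, Reply{sk, seal(k.tgsKey, Ticket{user, sk})}), nil
}

// openTicket serves the TGS (Step 4) and the server (Step 6): open the ticket
// with the holder's own key, then the authenticator with the session key found
// inside, and require both to name the same principal.
func openTicket(key, ticket, auth []byte) (t Ticket, err error) {
	var client string
	if err = open(key, ticket, &t); err == nil {
		err = open(t.SessionKey, auth, &client)
	}
	if err == nil && client != t.Client {
		err = errors.New("authenticator does not match ticket")
	}
	return t, err
}

// Steps 3-4: the TGS validates the TGT and issues a ticket for the server.
func (k *KDC) TGSRequest(tgt, auth []byte) ([]byte, error) {
	t, err := openTicket(k.tgsKey, tgt, auth)
	if err != nil {
		return nil, err
	}
	sk := newKey()
	return seal(t.SessionKey, Reply{sk, seal(k.svcKey, Ticket{t.Client, sk})}), nil
}

// Login runs the client side (Steps 1-6) and returns the principal the server
// accepted, or the error from whichever step failed.
func Login(kdc *KDC, user, password string) (string, error) {
	var r1, r2 Reply
	enc, err := kdc.ASRequest(user)
	if err != nil || open(userKey(password), enc, &r1) != nil {
		return "", errors.New("AS reply unreadable: unknown user or wrong password")
	}
	if enc, err = kdc.TGSRequest(r1.Ticket, seal(r1.SessionKey, user)); err != nil {
		return "", err
	}
	if err = open(r1.SessionKey, enc, &r2); err != nil {
		return "", err
	}
	// Steps 5-6: present the service ticket with a fresh authenticator.
	t, err := openTicket(kdc.svcKey, r2.Ticket, seal(r2.SessionKey, user))
	return t.Client, err
}

func main() {
	kdc := NewKDC()
	kdc.AddUser("alice", "correct horse") // constructed user and password
	fmt.Println(Login(kdc, "alice", "correct horse"))
	fmt.Println(Login(kdc, "alice", "wrong password"))
}
```

The property worth noticing is which key opens what: the client never sends its password and proves it only by being able to read the AS reply; the TGS never sees the password-derived key; and the server needs only its own key plus what is inside the ticket. A forged ticket, or an authenticator sealed under a guessed session key, fails at open because the AEAD tag does not verify, which is why a captured ticket without its session key is useless to whoever captured it.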
Que 6. Discuss certificate-based authentication with a diagram.
- Certificate-based authentication is an emerging mechanism based on digital certificates.
- In PKI (Public Key Infrastructure), both the server and optionally the client possess digital certificates for secure transactions.
- SSL (Secure Sockets Layer) requires the server to have a digital certificate, while client authentication is optional.
- Certificate-based authentication is stronger than password-based authentication because it relies on possessing a certificate rather than knowing a password.
- During login, the user sends their certificate to the server as part of the login request.
- The server verifies the validity of the certificate by checking against a stored copy.
- To prevent misuse of someone else’s certificate, certificate-based authentication is often made a 2-factor process by combining possession of the certificate with knowledge of a password.
Step 1: Creation, Storage, and Distribution of Digital Certificates
- Digital certificates are created by the Certificate Authority (CA) for each user
- Copies of the certificates are stored by the server in its database
- Certificates are sent to the respective users
Step 2: Login Request
User sends their user ID to the server
Step 3: Server Creates a Random Challenge
Server creates a random challenge (a random number) and sends it to the user
Step 4: User Signs the Random Challenge
- User signs the random challenge with their private key
- The signature is sent to the server for verification
Step 5: Server Returns an Appropriate Message Back to the User
- The server verifies the signature and sends an appropriate message back to the user, depending on
the success or failure of the authentication process
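Steps 2 to 5 form a challenge-response protocol: because the server picks a fresh random challenge each time, a signature captured on the wire is worthless for the next login, and the private key never leaves the user. The Go program below is an added example for these notes, not code from the original; it uses Ed25519 signatures and a deliberately minimal Certificate type in place of real X.509, and the names CA, Server, Register, LoginRequest, SignChallenge and VerifyResponse are constructed. As in Step 1, the server keeps copies of the certificates and looks the user's copy up by the user ID sent in Step 2.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate is a deliberately minimal stand-in for an X.509 certificate:
// a subject name bound to a public key by the CA's signature (assumption).
type Certificate struct {
	Subject   string
	PublicKey ed25519.PublicKey
	CASig     []byte
}

// tbs is the "to be signed" part: everything except the CA's own signature.
func (c Certificate) tbs() []byte { return append([]byte(c.Subject+"\x00"), c.PublicKey...) }

// CA issues the certificates of Step 1.
type CA struct{ priv ed25519.PrivateKey }

func NewCA() *CA { _, priv, _ := ed25519.GenerateKey(rand.Reader); return &CA{priv} }

func (ca *CA) Public() ed25519.PublicKey { return ca.priv.Public().(ed25519.PublicKey) }

func (ca *CA) Issue(subject string, pub ed25519.PublicKey) Certificate {
	c := Certificate{Subject: subject, PublicKey: pub}
	c.CASig = ed25519.Sign(ca.priv, c.tbs())
	return c
}

// Server keeps a copy of each user's certificate (Step 1) and the challenge
// it last issued to each user (Step 3).
type Server struct {
	caPub      ed25519.PublicKey
	certs      map[string]Certificate
	challenges map[string][]byte
}

func NewServer(caPub ed25519.PublicKey) *Server {
	return &Server{caPub, map[string]Certificate{}, map[string][]byte{}}
}

// Register stores a certificate, but only one the trusted CA actually signed.
func (s *Server) Register(c Certificate) error {
	if !ed25519.Verify(s.caPub, c.tbs(), c.CASig) {
		return errors.New("certificate not signed by the trusted CA")
	}
	s.certs[c.Subject] = c
	return nil
}

// LoginRequest is Steps 2-3: the user sends only a user ID; the server answers
// with a fresh 32-byte random challenge and remembers it for that user.
func (s *Server) LoginRequest(user string) ([]byte, error) {
	if _, ok := s.certs[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	rand.Read(ch)
	s.challenges[user] = ch
	return ch, nil
}

// SignChallenge is Step 4 on the user's side: sign with the private key,
// which never leaves the user.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyResponse is Step 5: check the signature with the public key from the
// stored certificate. The challenge is consumed on every attempt, so a captured
// signature cannot be replayed and a failed attempt needs a new challenge.
func (s *Server) VerifyResponse(user string, sig []byte) bool {
	ch, ok := s.challenges[user]
	delete(s.challenges, user)
	if !ok {
		return false
	}
	return ed25519.Verify(s.certs[user].PublicKey, ch, sig)
}

func main() {
	ca := NewCA()
	srv := NewServer(ca.Public())
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the user's key pair
	srv.Register(ca.Issue("alice", pub))             // constructed user

	ch, _ := srv.LoginRequest("alice")
	sig := SignChallenge(priv, ch)
	fmt.Println("genuine response accepted:", srv.VerifyResponse("alice", sig))
	fmt.Println("replayed response accepted:", srv.VerifyResponse("alice", sig))
}
```

Two checks matter on the server side and both are easy to forget: Register refuses a certificate that the trusted CA did not sign, so a self-made certificate for someone else's name is never stored, and VerifyResponse deletes the challenge before checking the signature, so each challenge can be answered at most once whether the answer was right or wrong.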
Que 7. What do you mean by authentication? Differentiate between authentication and authorization.
Authentication:
- Verifies the identity of a user or system entity.
- Confirms the validity and accuracy of the claimed identity.
- Ensures that a user or entity is who they claim to be before granting access.
- Prevents unauthorized access and protects sensitive information.
- Authentication methods can include:
  - Something the user knows (e.g., a password).
  - Something the user has (e.g., a physical token or a smartphone).
  - Something the user is (e.g., biometric characteristics).
Authorization:
- Grants or denies access rights and permissions to authenticated users or entities.
- Determines what actions or resources an authenticated user can access.
- Controls user privileges and prevents unauthorized activities.
- Involves defining roles, permissions, and access levels for different users or groups.
- Ensures authenticated users have appropriate privileges based on their roles and responsibilities.
| Authentication | Authorization |
|---|---|
| Verifies the identity of a user or entity | Grants or denies access rights and permissions |
| Confirms the validity and accuracy of the claimed identity | Determines what actions or resources an authenticated user can access |
| Ensures that a user or entity is who they claim to be before granting access | Controls user privileges and prevents unauthorized activities |
| Prevents unauthorized access and protects sensitive information | Defines roles, permissions, and access levels for users or groups |