And communications the republic of uzbekistan tashkent university of information technologies



Date: 05.06.2022
Мавлонов Анвар

The solution to personal authentication
We are witnessing a rapid shift from desktop computing to mobile computing, wherein the functions of cell phones are integrated with the functionality of personal data appliances (PDAs). I happen to own such a device (the Kyocera Smartphone with full Palm PDA features, running on the Sprint Network). In effect, the cell phone/PDA device makes available an authentication means that combines the best of password vaults, smartcards and biometrics, while avoiding most of their disadvantages. How can that be done? The solution is to utilize the cell phone/PDA to combine all of the available authentication methods into a single device and thus rely on the combinatorial power of three (or four) separate and distinct security methods to deliver verified authentication of a person. In other words, my cell phone/PDA becomes the smartest of the smartcards one can conceive, because its contents are entirely under the owner's physical control. It is not under the control of a centrally administered database that can be compromised. The only way to corrupt the uses of the cell phone/PDA is to steal it, but even then it would be of no use to anyone, since unlocking its utility as a smartcard requires additional steps.
Here is how the additional steps work (it works on my Kyocera):
Step #1: When I turn the device on, it asks me for a password to access the highly encrypted password vault stored in the flash memory. That opens the PDA, which is now capable of acting as if it were my smartcard.
Step #2: The PDA then asks me for my signature or a pre-defined handwritten phrase. The idiosyncrasies of my writing style have already been captured in an encrypted template. If my writing and the template match, I have positively identified myself and I am ready to conduct business.
Step #3: Under certain circumstances, additional security can be obtained by voice recognition. Since the device in my hand is already a cell phone, this supplemental means of authentication can be advantageous, especially when dealing with lower security needs.

Authentication protocols
An authentication protocol is a type of computer communication protocol or cryptographic protocol specifically designed for the transfer of authentication data between two entities. It allows the connecting entity (e.g. a client connecting to a server) to be authenticated, and also allows the other side to authenticate itself to the connecting entity (server to client), by declaring the type of information needed for authentication as well as its syntax. It is the most important layer of protection needed for secure communication within computer networks [9].
Purpose
With the increasing amount of trustworthy information being accessible over the network, the need to keep unauthorized persons from accessing this data emerged. Stealing someone's identity is easy in the computing world, so special verification methods had to be invented to find out whether the person/computer requesting data is really who it claims to be. The task of the authentication protocol is to specify the exact series of steps needed for execution of the authentication. It has to comply with the main protocol principles:
1. A protocol has to involve two or more parties, and everyone involved in the protocol must know the protocol in advance.
2. All the included parties have to follow the protocol.
3. A protocol has to be unambiguous: each step must be defined precisely.
4. A protocol must be complete: it must include a specified action for every possible situation.
An illustration of password-based authentication using a simple authentication protocol: Alice (an entity wishing to be verified) and Bob (an entity verifying Alice's identity) are both aware of the protocol they agreed on using. Bob has Alice's password stored in a database for comparison.
1. Alice sends Bob her password in a packet complying with the protocol rules.
2. Bob checks the received password against the one stored in his database. Then he sends a packet saying "Authentication successful" or "Authentication failed" based on the result.
This is an example of a very basic authentication protocol, vulnerable to many threats such as eavesdropping, replay attacks, man-in-the-middle attacks, dictionary attacks or brute-force attacks. Most recently used authentication protocols are much more complicated in order to be more resilient against these attacks.
 
Authentication protocols developed for PPP (Point-to-Point Protocol)
These protocols are used mainly by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients before granting them access to server data. Most of them use a password as the cornerstone of the authentication. The password has to be shared between the communicating entities in advance.


 
Fig 2.1 PAP - Password Authentication Protocol 
Password Authentication Protocol is one of the oldest authentication 
protocols. Authentication is initialized by client/user by sending packet 
with credentials (username and password) at the beginning of the connection. It is 
highly insecure because the credentials are being transmitted over the network in 
plain ASCII text thus it is vulnerable even to the most simple attacks like 
Eavesdropping and man-in-the-middle based attacks. 
CHAP - Challenge-Handshake Authentication Protocol
The authentication process in this protocol is always initiated by the server/host and can be performed at any time during the session, even repeatedly. The server sends a random string (usually 128B long). The client uses his password and the received string as parameters for the MD5 hash function and then sends the result together with the username in plain text. The server uses the username to look up the stored password, applies the same function and compares the calculated and received hash. Authentication succeeds if they match and fails otherwise.
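As an added example (not code from the original text), the following Python sketch places the naive password exchange from the Alice/Bob illustration above next to a CHAP-style challenge/response as described in this section, and shows what an eavesdropper who captured one exchange gains in each case. The MD5 over identifier, secret and challenge follows RFC 1994; the user database, the secret and the challenge length are constructed for the demo.

```python
import hashlib
import os
import secrets

# Constructed demo data: the server's copy of the shared secret.
USER_DB = {"alice": b"correct horse"}


def pap_verify(username: str, password: bytes) -> bool:
    """PAP-style check: the client sends the password itself and the
    server compares it directly. The packet on the wire IS the credential."""
    stored = USER_DB.get(username)
    return stored is not None and secrets.compare_digest(stored, password)


def chap_challenge(nbytes: int = 16) -> bytes:
    """Server side: a fresh random challenge for every authentication round."""
    return os.urandom(nbytes)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: MD5(Identifier || secret || challenge), as in RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(username: str, identifier: int,
                challenge: bytes, response: bytes) -> bool:
    """Server side: recompute with the stored secret, compare in constant time."""
    secret = USER_DB.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return secrets.compare_digest(expected, response)


def replay_demo() -> tuple:
    """Returns (pap_replay_ok, chap_replay_ok): whether a captured
    exchange, resent verbatim later, still authenticates."""
    # PAP: the captured packet carries the password, so it replays as-is.
    captured_pw = USER_DB["alice"]
    pap_replay_ok = pap_verify("alice", captured_pw)

    # CHAP: capture one valid round ...
    ch1 = chap_challenge()
    resp1 = chap_response(1, USER_DB["alice"], ch1)
    assert chap_verify("alice", 1, ch1, resp1)
    # ... then resend the same response against the server's next challenge.
    ch2 = chap_challenge()
    chap_replay_ok = chap_verify("alice", 1, ch2, resp1)
    return pap_replay_ok, chap_replay_ok
```

Note that CHAP still requires the server to hold the cleartext secret, and a captured challenge/response pair can be checked offline against password guesses, which is why the section lists dictionary attacks among the remaining threats.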
EAP - Extensible Authentication Protocol
EAP was originally developed for PPP (Point-to-Point Protocol) but today is widely used in IEEE 802.3, IEEE 802.11 (Wi-Fi) or IEEE 802.16 as a part of the IEEE 802.1X authentication framework. The latest version is standardized in RFC 5247. The advantage of EAP is that it is only a general authentication framework for client-server authentication; the specific way of authentication is defined in its many versions, called EAP methods. More than 40 EAP methods exist; the most common are:
• EAP-MD5
• EAP-TLS
• EAP-TTLS
• EAP-FAST
• EAP-PEAP
AAA architecture protocols (Authentication, Authorization, Accounting)
Complex protocols used in larger networks for verifying the user (Authentication), controlling access to server data (Authorization) and monitoring network resources and information needed for billing of services (Accounting).
TACACS, XTACACS and TACACS+
TACACS is the oldest AAA protocol; it uses IP-based authentication without any encryption (usernames and passwords were transported as plain text). The later version XTACACS (Extended TACACS) added authorization and accounting. Both of these protocols were later replaced by TACACS+. TACACS+ separates the AAA components so that they can be segregated and handled on separate servers (it can even use another protocol for, e.g., authorization). It uses TCP (Transmission Control Protocol) for transport and encrypts the whole packet. TACACS+ is Cisco proprietary.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a full AAA protocol commonly used by ISPs. Credentials are mostly username-password combinations; it uses network access servers and the UDP protocol for transport.
DIAMETER
Diameter (protocol) evolved from RADIUS and involves many improvements, such as the usage of the more reliable TCP or SCTP transport protocols and higher security thanks to TLS.


 
Fig 2.2 
Kerberos authentication scheme 
Kerberos is a centralized network authentication system developed 
at MIT and available as a free implementation from MIT but also in many 
commercial products. It is the default authentication method in Windows 2000 and 
later. The authentication process itself is much more complicated than in the 
previous protocols - Kerberos uses symmetric key cryptography, requires a trusted 
third party and can use public-key cryptography during certain phases of 
authentication if need be. 
