8/8/2019 Cryptographic Authentication Seminar
http://slidepdf.com/reader/full/cryptographic-authentication-seminar 1/22
Cryptographic Authentication 2010
Cryptographic Authentication Page 1
CRYPTOGRAPHIC AUTHENTICATION
For
DEPARTMENT OF COMPUTER APPLICATIONS, CUSAT
A Seminar report
Submitted for partial fulfillment of Degree of
Master Of Computer Applications
By NIRMAL PODDAR
DEPARTMENT OF COMPUTER APPLICATIONS
COCHIN UNIVERSITY OF SCIENCE AND TECHNOLOGY
KOCHI- 682022
KERALA.
Certificate
Certified that this bonafide record of seminar entitled
SECURE EMAIL SYSTEM
Done by
NIRMAL PODDAR
of the V th semester, Department of Computer Applications in
the June 2010 in partial fulfillment of the requirements to the
award of Degree of Master of Computer Applications Of Cochin
University Of Science and Technology.
Dr. K. V. Pramod
Seminar Report Head Of Department
CONTENTS
Introduction to Cryptography
Cryptographic Authentication
Three Basic Cryptographic Methods
o Something you know
   Password, OTP
o Something you have
   Smart Card, ATM Card, OTP Card
o Something you are
   Finger Print
Multifactor Authentication
Other Cryptographic Authentication Methods
o Password
o One Time Password
o Public Key Cryptography
   Elliptic Curve Cryptography
o Zero Knowledge Proofs
   Fiat-Shamir Protocol
   Ali Baba's Cave
o Digital Certificate
Cryptography is a method of storing and transmitting data in a form that only those
it is intended for can read and process. It is a science of protecting information by encoding
it into an unreadable format.
Cryptography is an effective way of protecting sensitive information as it is stored on
media or transmitted through network communication paths. Although the ultimate goal of
cryptography, and the mechanisms that make it up, is to hide information from unauthorized
individuals, most algorithms can be broken and the information can be revealed
if the attacker has enough time, desire, and resources. So a more realistic goal of
cryptography is to make obtaining the information too work-intensive to be worth it to the
attacker.
The first encryption methods date back to 4,000 years ago and were considered more of an
ancient art. As encryption evolved, it was mainly used to pass messages through hostile
environments of war, crisis, and for negotiation processes between conflicting groups of
people.
Throughout history, individuals and governments have worked to protect
communication by encrypting it. As time went on, the encryption algorithms and the devices
that used them increased in complexity, new methods and algorithms were continually
introduced, and it became an integrated part of the computing world.
Cryptography Definitions
Algorithm: Set of mathematical rules used in encryption and decryption
Cryptography: Science of secret writing that enables you to store and transmit data in a form that is available only to the intended individuals
Cryptosystem: Hardware or software implementation of cryptography that transforms a message to cipher text and back to plaintext
Cryptanalysis: Practice of obtaining plaintext from cipher text without a key or breaking the encryption
Cryptology: The study of both cryptography and cryptanalysis
Cipher text: Data in encrypted or unreadable format
Encipher: Act of transforming data into an unreadable format
Decipher: Act of transforming data into a readable format
Key: Secret sequence of bits and instructions that governs the act of encryption and decryption
Cryptographic authentication:
The process of identifying one's identity
Authentication is the process of reliably verifying the identity of
someone (or something)
A computer authenticates another computer
A computer authenticates a person
User's secret must be remembered by the user
Authentication is the concept of proving user identity, typically in order to
gain access to a system or network or to establish communication.
There are three basic authentication means by which an individual may authenticate his identity:
Something you have
o Can be stolen
Such as key, card
Something you know
o Can be guessed, shared, stolen
Such as password
Something you are
o Can be costly, copied
Such as biometrics
Something you know
Authentication based on what you know
Problem:
Eavesdropping
Solution -> Cryptography based
Storing User Password:
Passwords cannot be stored in clear text
Store hashed password
Password should be encrypted when you enter it to log in
Pros: It is simple to use. It is simple for the user to understand.
Cons: It can be guessed. It can be cracked easily.
To avoid the problem of using the same password each time, an alternative,
the One Time Password (OTP), has been developed. But it is difficult to remember
a new password each time.
Something you have
OTP Cards (e.g. SecurID): It is an electronic device that generates new password
each time. When the code button is pushed a new dynamic password is displayed on
the card.
The card is based on event-synchronous dynamic password system. The crypto-
algorithm incorporated in the card uses a counter that stays "in sync" with the server
based on the number of passwords generated.
[Figure: Alice -> Bob: "I am Alice, my password is 123axc235"]
Smart Card: A smart card is more useful and secure than a magnetic strip card.
The card can hold up to 80 times more data, and a chip is much harder to copy than a
magnetic strip. Data is protected because it is encrypted inside the chip. Although it
is not possible to steal data from the chip, the high cost and computing power
required deters criminals. The memory chip requires authentication before stored data is unlocked.
Smart card uses
Money: People use smart cards to access their individual bank accounts and
withdraw money or check their account information.
Telephone calls: Prepaid telephone cards are credited with a number of units to make
calls.
Cell Phones: Smart cards in cell phones contain subscriber information to identify
the user to the network.
Computer Security: To gain access to a personal computer, a smart card can
authenticate the user.
Travel: Many subway systems use prepaid smart cards instead of tickets;
passengers swipe their cards to gain access.
Health: Smart cards provide an easy and safe way of storing and checking
confidential medical information.
tamper-resistant, stores secret information, entered into a card-reader
ATM Card : An ATM card is a plastic card that looks like a credit card. It allows you to do
the same things at a bank machine or Automatic Teller Machine (ATM) as you would at a
bank. You can get cash, deposit money, check account balances, and receive a copy of your
statement all electronically by using your ATM card and the password to your account,
which is called your Personal Identification Number, or PIN.
Strength of authentication depends on difficulty of forging
Something you are
Biometrics: Biometrics is the method to recognize or verify the identity of an
individual based on unique physiological or behavioral characteristics such as fingerprint,
face, palm, iris, retina, vein, voice and handwriting. Fingerprint verification is the most
established and mature biometric technique. We will only focus on fingerprint
technology hereafter.
Why biometrics?
Biometrics authenticates an individual based on unique characteristics. One can
consider himself as his own password, which can hardly be forgotten, stolen or forged.
Thus, biometrics provides a more secure solution compared with PIN or Smart Card
identification. Biometrics can also be widely found in many other applications such as time
attendance management.
What are the biometrics applications?
The need for biometrics can be found in most security departments, military,
government and commercial applications.
One of the major biometrics applications is access control. PIN and Smart Card systems
recognize the PIN or the card instead of you: they identify what you possess. In other words,
someone can claim that he is you by using your PIN or your smart card. However, a
biometrics system with fingerprint technology recognizes your finger instead of the PIN or
card: it identifies who you are. It will never grant access to anyone else except you.
Another major biometrics application is time attendance management. Most of the existing
time attendance systems are based on smart cards. Lost and damaged cards and cheating on
the system can lead to huge financial loss to the company. Using an employee's fingerprint to
mark attendance instead is far more accurate, efficient, cost saving and cheat proof. The
daily attendance report can help the HR manager to save a bundle of time.
There are various types of Biometrics Authentication Methods:
Finger Print, Iris, Retinal, DNA, etc.
All of these are used widely by users. It is easy to use.
Two Factor Authentication
The two components of two factor authentication
are:
Something you know
Something you have
Traditional authentication schemes used username and password pairs to authenticate
users. This provides minimal security, because many user passwords are very easy to guess.
In two factor authentication, the password still provides the something you know
component. In the most common implementations of two factor authentication, the
something you have component is provided by a small token card. The token card is a
compact electronic device which displays a number on a small screen. By entering this
number into the system when you attempt to authenticate (login), you prove that you are
in possession of the card.
Multi-factor authentication, sometimes called strong authentication, is
an extension of two-factor authentication. While two-factor
authentication only involves exactly two factors, multi-factor
authentication involves two or more factors. Thus, every two-factor
authentication is a multi-factor authentication, but not vice versa.
Other Cryptographic Authentication Methods
Various cryptographic authentication methods are used. Some of these are as
follows:
Password
One Time Password
Public Key Cryptography
Zero Knowledge Proofs
Digital Signature
Password :
What is password security?
In order to keep your information secure you must keep your password secure. The
following are not the only ways to keep your password secure but they are a good
start:
• Use passphrases (see below).
• Do not keep your password in open and public spaces (no sticky notes on
your monitors!).
• Change your password periodically.
• Do not use the same password for everything.
• If you think your password may have been compromised, change it
immediately.
• Never tell anyone your password.
Passphrase versus password:
Passphrases are more secure than passwords because they are generally longer,
making them less vulnerable to attack. With technology increasing every day we
strongly recommend using passphrases to secure your accounts.
Passphrase selection:
• Long enough to be hard to guess (e.g., automatically by a search program, as
from a list of famous phrases).
• Not a famous quotation from literature, holy books, etc.
• Hard to guess by intuition, even by someone who knows the user well.
• Easy to remember and type accurately.
One time passwords:
For applications that require a higher level of security than a static password can
deliver, the KerPass mobile client allows setting a dedicated token that
generates OATH (time synchronous) one time passwords. A new "PassCode"
can be generated every 30 seconds, and it remains valid for at most 5 minutes.
Public Key Cryptography: Public key cryptography was invented
in 1976 by Whitfield Diffie and Martin Hellman. For this reason, it is
sometimes called Diffie-Hellman encryption. It is also called
asymmetric encryption because it uses two keys instead of one key (symmetric
encryption).
Public-key encryption (also called asymmetric encryption) involves a pair of
keys--a public key and a private key--associated with an entity that needs to
authenticate its identity electronically or to sign or encrypt data. Each public
key is published , and the corresponding private key is kept secret . Data
encrypted with your public key can be decrypted only with your private
key. Figure shows a simplified view of the way public-key encryption works.
Figure Public-key encryption
The scheme shown in Figure lets you freely distribute a public key, and only
you will be able to read data encrypted using this key. In general, to send
encrypted data to someone, you encrypt the data with that person's public
key, and the person receiving the encrypted data decrypts it with the
corresponding private key.
One Important Authentication method: ECC
ECC: Elliptic Curve Cryptography
An Elliptic Curve is a set of points on a curve $y^2 = x^3 + ax + b$ given certain
real numbers $a$ and $b$. For example
Elliptic Curve Groups: The set of points on an elliptic curve, plus a special
point at infinity $\infty$, form an additive group. The addition of two points on an elliptic
curve is defined geometrically, as shown in the following example.
Elliptic Curve Encryption Algorithms depend on the difficulty of calculating kP where k is a
product of two large primes and P is an element in the Elliptic Curve Group. Geometrically,
to add a point P to itself you first construct the tangent line to the curve at the point.
Then the line will intersect the curve at only one point, and the addition 2P is then
defined to be the negative of the point of intersection as seen below.
Elliptic curve groups over real numbers are not practical for cryptography due to slowness of
calculations and round-off error. Thus Elliptic Curves Over Finite Fields are used. An elliptic
curve over a finite field $F_p$ of characteristic greater than three can be formed by choosing
the variables $a$ and $b$ within the field $F_p$.
Roughly speaking the elliptic curve is then the set of points $(x, y)$ which satisfy the elliptic
curve equation $y^2 = x^3 + ax + b$ modulo $p$, where $x, y \in F_p$; together with a special point
at infinity $\infty$. If $x^3 + ax + b$ contains no repeated factors, or equivalently if
$4a^3 + 27b^2 \not\equiv 0 \pmod p$, then these points form a group.
It is well known that the ECG (the Elliptic Curve Group) is an additive abelian group with the
point at infinity $\infty$ serving as its identity element.
Example: In the ECG of $y^2 = x^3 + x$ over the field $F_{23}$ the point (9,5) satisfies the equation
$y^2 \equiv x^3 + x \pmod{23}$
as $25 \equiv 729 + 9 \pmod{23}$.
The elements of this ECG are given in the picture below.
Obviously we no longer have a curve to define our addition geometrically. Emulating the
geometric construction for addition, the formulas for addition over $F_p$ (characteristic greater than 3) are
given as follows: Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ be elements of the ECG. Then $P + Q = (x_3, y_3)$,
where
$$x_3 = \lambda^2 - x_1 - x_2$$
and
$$y_3 = \lambda (x_1 - x_3) - y_1$$
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P \neq Q \\[2ex] \dfrac{3x_1^2 + a}{2y_1} & \text{if } P = Q \end{cases}$$
These formulas can be easily calculated with computers. For field of characteristic 2 the
equations for addition are worse!
At the heart of every cryptosystem is a hard mathematical problem that is computationally
infeasible to solve. The Discrete Logarithm Problem is the basis for the security of many
cryptosystems including the Elliptic Curve Cryptosystem.
Definition of the Discrete Logarithm Problem:
In the multiplicative group $F_p^{*}$, the discrete logarithm problem is: Given
elements $r$ and $q$ in $F_p^{*}$, find a number $k$ such that $r = q^k \pmod p$.
Similarly the Elliptic Curve Discrete Logarithm Problem is: Given points P and Q in an
ECG over a finite field, find an integer k such that $Pk = Q$. Here k is called the
discrete log of Q to the base P.
This doesn't seem like a difficult problem, but if you don't know what k is, calculating
$Pk = Q$ takes roughly $2^{k/2}$ operations. So if k is, say, 160 bits long, then it would take about
$2^{80}$ operations!! To put this into perspective, if you could do a billion operations per
second, this would take about 38 million years. This is a huge savings over the standard
public key encryption system where 1024 and 3074 bit keys are recommended. The smaller
size of the keys for Elliptic Curve Encryption makes it ideal for applications such as encrypting
cell-phone calls, credit card transactions, and other applications where memory and speed
are an issue. There are pros and cons to both ECC and RSA encryption. ECC is faster than
RSA for signing and decryption, but slower than RSA for signature verification and
encryption. Much of the material used in this paper can be found in the websites listed in
the references.
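The addition formulas and the discrete-log definition above, worked on the report's own curve $y^2 = x^3 + x$ over $F_{23}$ and its point (9,5). This is an added example, not part of the original report; the function names are illustrative, and the exhaustive search only succeeds because this group has 24 elements.

```python
P_MOD, A, B = 23, 1, 0     # curve y^2 = x^3 + x over F_23, as in the text
INF = None                 # the identity element (point at infinity)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """Group law using the slope formulas from the text."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P) = identity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add: about log2(k) group operations."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def curve_points():
    """All affine points; feasible only because the field is tiny."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]


def point_order(pt):
    n, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        n += 1
    return n


def discrete_log(base, target):
    """Exhaustive ECDLP search: about k additions, versus log2(k) to compute kP."""
    k, acc = 1, base
    while acc != target:
        acc = add(acc, base)
        k += 1
        if acc is INF:
            return None                              # target is not a multiple of base
    return k


if __name__ == "__main__":
    P = (9, 5)
    print("2P =", scalar_mult(2, P), " order of P =", point_order(P))
    print("affine points:", len(curve_points()))
    print("log of (18, 10) to base P:", discrete_log(P, (18, 10)))
```

The gap between `scalar_mult` (logarithmic in k) and `discrete_log` (linear in k here, square-root at best with generic algorithms) is the asymmetry the 160-bit estimate above relies on.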
Zero-Knowledge Proofs
Goldwasser, Micali, and Rackoff first put forward the basic notion of Zero-Knowledge Proof
in 1985. Zero-Knowledge (ZK) protocol is an instance of interactive proof protocol. An
interactive proof protocol is one that authenticates a prover to a verifier using challenge-
response mechanism. In this kind, the verifier can accept or reject the prover at the end of
their communication.
The ZK protocol overcomes major concerns with widely used password based
authentication. In a simple password based authentication, the verifier authenticates the
prover based on a password. The verifier has some, if not complete, knowledge of the
prover's password. The verifier can thus impersonate the prover to a third party with whom
the prover may share the same password. The main objective of a zero-knowledge protocol is
to enable the prover to convince the verifier that she knows the secret without revealing any
information about the secret itself. ZK protocols are mostly probabilistic, where the proofs
hold good with a very high probability of success, and are not necessarily absolute. So, the
verifier may either accept or reject the proof after exchanging multiple messages. The
messages consist of challenges and responses. The probability of error can be reduced to a
desirable level by increasing the number of challenges and responses.
There are different variations of zero-knowledge protocols that exist. Some of them are
Perfect ZK, Resettable ZK, Concurrent ZK, Statistical ZK etc.
Properties of Zero-Knowledge Proofs
ZK protocols derive their properties from interactive proof protocols.
Completeness: The protocol is considered complete, if it succeeds with a very high
probability for an honest verifier and an honest prover. The acceptable level of probability
depends on the application.
Soundness: The protocol is considered sound, if it fails for any other false assertion, given a
dishonest prover and an honest verifier.
Advantages of Zero-knowledge proofs
Zero knowledge transfer: As the verifier does not learn anything about the prover's secrets (no
knowledge transferred between two parties), he cannot impersonate the prover to a third
person. Also the prover cannot cheat the verifier with several iterations of the protocol.
Efficiency: The computational efficiency of the ZK protocol is because of its interactive proof
nature. The costly computation related to encryption is avoided.
Degradation: The security of the protocol itself does not get degraded with continuous use as
no information about the secret is divulged.
Unsolved mathematical assumptions: ZK protocols are based on various mathematical
problems like discrete logarithms and integer factorization.
Fiat-Shamir Identification protocol
Fiat-Shamir identification protocol is an example of a ZK protocol. In this protocol Alice proves to Bob
her knowledge of a secret, s, using many rounds of three message challenge-responses.
Step1 - A random modulus, n, product of two large prime numbers p and q, is generated by a
Trusted Party. The trusted party keeps the primes p and q secret and publishes n.
Step2 - Alice, the prover, selects a secret s, relatively prime to n. Alice then makes $v$ ($= s^2$) public.
Step3 - To prove her knowledge of the secret s, Alice chooses a random number r ($1 \le r \le n-1$) using a
random generator. She sends $x = r^2 \bmod n$ to Bob, the verifier. This is her commitment to
authentication.
Step4 - Bob randomly sends either a 0 or a 1 as e, his challenge.
Step5 - Alice computes the response $y = r s^e \bmod n$, where $e \in \{0,1\}$ is the challenge she receives from
Bob. Thus, depending on Bob's challenge, 0 or 1, Alice responds with $r$ or $r \cdot s^e \bmod n$.
Step6 - Bob accepts the response upon checking $y^2 \equiv x \cdot v^e \bmod n$, and rejects if $y = 0$.
Steps 3-6 are repeated every time Alice wants to prove her knowledge of the secret, symbolically
represented in Fig 1.
A -> B: $x = r^2 \bmod n$
A <- B: $e \in \{0,1\}$
A -> B: $y = r \cdot s^e \bmod n$
Fig 1. Fiat-Shamir Zero-knowledge protocol
After several iterations, with a very high probability Bob can verify Alice's
identification. Also Alice's response in either case does not reveal the secret s
(with y = r or y = r * s mod n).
Since the prover is required to commit a value (the random number r) before the
verifier sends a challenge, the probability that a dishonest impersonator can
authenticate as Alice is only ½. Repeating the above steps several times decreases
the probability that an impersonator without knowledge of the secret can get the
correct response.
It is important that Alice does not repeat the random number r. Bob can collect a
set of Alice's responses and learn about the secret s, with repeated r. Later Bob
can impersonate Alice to a third person.
Classic Example of Zero-Knowledge Proofs
Ali Baba's cave
Let's consider an example of Ali Baba's Cave. Alice wants to prove to Bob her knowledge of
the secret to open the door R-S in the cave without revealing the secret.
Fig 2. Representation of Ali Baba's Cave
They work as follows:
Alice enters the tunnel and takes the path either R or S. Bob is not aware of this, standing
outside the tunnel (P). Bob comes to Q and calls out Alice through either R or S. The
probability that Alice comes out through the right tunnel is only ½, if she does not know the
secret. So Bob can repeat this several times until he is convinced that Alice knows the secret
to open the door. In this process, Bob doesn't learn the secret.
Real-Time Applications of Zero-Knowledge Proofs
ZK protocols are used for many real-time applications like authentication, e-voting,
watermark verification, etc. Some products like Sky's VideoCrypt, Microsoft's NGSCB also
use ZK protocols. Here, a few of them are mentioned.
Digital Signature
The Digital Signature Algorithm (DSA) is a United States Federal Government standard or FIPS for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS).
A digital signature is an encrypted hash value. From our previous example, if
Kevin wanted to ensure that the message he sent to Maureen was not
modified and he wants her to be sure that it came only from him, he can
digitally sign the message. This means that a one-way hashing function would
be run on the message and then Kevin would encrypt that hash value with his
private key. When Maureen receives the message, she will perform the
hashing function on the message and come up with her own hash value. Then
she will decrypt the sent hash value with Kevin's public key. She then compares
the two values and if they are the same, she can be sure that the message was
not altered during transmission. She is also sure that the message came from
Kevin because the value was encrypted with his private key. The hashing
function ensures the integrity of the message and the signing of the hash
value provides authentication and nonrepudiation. The act of signing just
means that the value was encrypted with a private key. The steps of a digital
signature are outlined in Figure .
We need to be clear on all the available choices within cryptography, because
different steps and algorithms provide different types of security services:
A message can be encrypted, which provides confidentiality.
A message can be hashed, which provides integrity
A message can be digitally signed, which provides authentication and
integrity.
A message can be encrypted and digitally signed, which provides
confidentiality, authentication, and integrity.
Some algorithms can only perform encryption, whereas others can perform
digital signatures and encryption. When hashing is involved, a hashing
algorithm is used, not an encryption algorithm.
Key Generation:
p : Prime number where $2^{L-1} < p < 2^{L}$, for $512 \le L \le 1024$ and L a multiple of 64
q : Prime divisor of (p-1), where $2^{159} < q < 2^{160}$
g : $h^{(p-1)/q} \bmod p$, where h is any integer with $1 < h < (p-1)$ such that $h^{(p-1)/q} \bmod p > 1$
User's Private Key:
x : Random or pseudorandom integer with $0 < x < q$
User's Public Key:
$y = g^{x} \bmod p$
User's Per-Message Secret Number:
k = random or pseudorandom integer with $0 < k < q$
Signing:
$r = (g^{k} \bmod p) \bmod q$
$s = [k^{-1}(H(M) + xr)] \bmod q$
Signature = (r, s)
Conclusion
User authentication can be handled using one or more different
authentication methods. Some authentication methods such as plain
password authentication are easily implemented but are in general weak
and primitive. The fact that plain password authentication is still by far the most
widely used form of authentication gives credence to the seriousness of
the lack of security on both the Internet and within private networks.
Other methods of authentication, that may be more complex and
require more time to implement and maintain, provide strong and
reliable authentication (provided one keeps its secrets secret, i.e. private
keys and phrases).
References
• Cryptography and Network Security, Principles and Practices - William Stallings
• http://en.wikipedia.org
• www.google.com, etc