Kaliski Mutual Authentication
Kaliski Mutual Authentication
Kaliski Mutual Authentication
Introduction
User authentication is growing in importance in e-commerce Many organizations are calling for stronger authentication mechanisms than the typical password-based schemes
e.g., FFIEC guidance on authentication in Internet banking (Oct. 2005); FSTC Better Mutual Authentication project
As these efforts illustrate, authentication strength depends on more than just the factors
And the authentication story depends on more than just the user
User
Agent
Resource
Evidence
Auth. Factors
Users Devices
Auth. Protocol
User and Users Devices present Evidence to Agent demonstrating possession of Authentication Factors
Agent conveys Evidence to Resource in Authentication Protocol
Authentication server: User authenticates once to authentication server, which relays ticket or authentication assertion to resource
e.g.: Kerberos; Identity providers
Validation server: Resource relies on separate validation server for part or all of authentication decision
e.g.: Credential federation
Ceremony = Carl Ellison / Jesse Walker model for protocols involving users
Compound authentication mechanism combines two or more mechanisms more than one authentication decision
Example Factors
Security Challenges
Corrupted agent can misuse evidence Rogue resource can also misuse evidence, unless agent runs strong protocol Man-in-the-middle is also a threat, depending on protocol Even if mechanism protects user authentication, attacker may be able to mislead the user into disclosing other sensitive information
Key question: How does user authenticate the resource and the agent?
User
Agent
Resource
Evidence
Auth. Factors
Users Devices
Auth. Protocol
1. Resource PKI
Resource authenticates to agent with certificate Agent presents evidence via lock icon, certificate status But how does user know lock is actually from agent? Also, certificate trust lists can easily be confused
2. Zero-knowledge protocols
Resource authenticates via ZK proof of knowledge of evidence Reverse hashing is a weaker variant Agent presents evidence via visual indicator But how does user know indicator is actually from agent, or that protocol is even running?
Agent presents resource identifier via pattern based on hash of resource identifier
But again, how does user know that pattern is from agent?
Each approach to resource authentication has pros and cons in terms of usability, security against various threats
Agent needs a trustworthy user interface*, otherwise user cant rely on evidence presented
Resource should enable some evidence that the agent can present to user Rapport-building is important if user cant be sure that agent is running strong protocols
Contextual factors provide a foundation
* See Trustworthy Interfaces for Passwords and Personal Information workshop (crypto.stanford.edu/TIPPI)
Radio-frequency ID tags tiny chips with antennas are used to track inventory, and increasingly to authenticate items
e.g.: Passports, containers, etc.
Security challenges are also similar plus, rogue reader can potentially read without permission How does RFID tag authenticate the reader?
2. Symmetric crypto
Reader authenticates with shared symmetric key But how to identify which key without enabling tracking?
4. Reader identification
Reader broadcasts its authorization for the auditors; tag checks that authorization is present, but doesnt verify
Conclusions
All parties need assurance that the others are authentic both the user or tag, and the system
Obtaining this assurance is an important challenge in protocol design whether for e-commerce or physical objects
Authentication is more than just about factors the evidence, the protocols and the user interface all affect security
Contact Information