Remote User-Authentication Principles
User authentication is the process of determining whether some user or some application or process acting on behalf of a user is, in fact, who or what it declares itself to be.
Means of Authentication
There are three general means, or authentication factors, of authenticating a user’s identity, which can be used alone or in combination:
- Knowledge factor (something the individual knows): Requires the user to demonstrate knowledge of secret information, such as a password or PIN.
- Possession factor (something the individual possesses): A physical object held by the authorized user and presented to the client computer or portal, such as a hardware token.
- Inherence factor (something the individual is or does): Refers to characteristics, called biometrics, that are unique or nearly unique to the individual; static biometrics (e.g., a fingerprint) describe what the individual is, dynamic biometrics (e.g., a typing rhythm) describe what the individual does.
The specific items used during authentication, such as a password or hardware token, are referred to as authenticators.

Figure 3.1 Authentication factors.
Whichever factors are used, an authentication protocol must carry the proof of identity from the party being authenticated to the party checking it. A first distinction among such protocols is between unilateral and mutual authentication.
- Unilateral authentication involves a one-way identity verification process, where one party proves its identity to the other.
- Mutual authentication extends the verification process to both parties, ensuring a two-way confirmation of identities.
Either form of protocol must also hold up against an adversary who can observe and retransmit the messages exchanged, which brings us to the problem of replay.
Replay Attacks
Central to authenticated key exchange are two issues: confidentiality and timeliness.
- To prevent impersonation and protect session keys, identification and session-key information must be communicated in encrypted form, which presupposes that the parties already hold the necessary secret or public keys.
- Timeliness matters because of the threat of message replay. A successful replay can allow an adversary to compromise a session key or to impersonate another party; even where it does not, it can disrupt operations by presenting the recipient with messages that appear genuine but are stale.
To be precise, a replay attack is one in which an adversary captures a legitimate message (or part of one) and later retransmits it, unmodified, so that the recipient accepts it as fresh; "message replay" above refers to exactly this retransmission.
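The following is an added example, not code from the original text, illustrating both the unilateral/mutual distinction above and the replay problem. It assumes a pre-shared secret key and uses the standard countermeasure of a fresh, single-use random nonce (challenge) that the verifier issues and the prover must include in an HMAC; the party names, message layout and the helper functions `mac`, `honest_run`, `mutual` and `replay` are illustrative choices for this example.

```python
import hashlib
import hmac
import os

# Added example: nonce-based challenge-response authentication, unilateral and
# mutual, plus a simulated replay. The message format and the pre-shared key
# are assumptions of this example, not a protocol taken from the text.


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (prefixing avoids ambiguous splits)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class Party:
    """A principal holding a pre-shared key; it can act as prover or verifier."""

    def __init__(self, name: str, key: bytes):
        self.name = name.encode()
        self.key = key
        self.pending = set()  # nonces this party issued and has not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)  # fresh, unpredictable challenge
        self.pending.add(nonce)
        return nonce

    def respond(self, verifier: bytes, nonce: bytes) -> bytes:
        # Prove knowledge of the key over the verifier's nonce and both names,
        # so the tag cannot be reused for a different nonce or a different peer.
        return mac(self.key, b"auth", self.name, verifier, nonce)

    def verify(self, prover: bytes, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self.pending:  # never issued, or already used: stale
            return False
        self.pending.discard(nonce)  # each challenge is accepted at most once
        expected = mac(self.key, b"auth", prover, self.name, nonce)
        return hmac.compare_digest(expected, tag)


def honest_run(prover: Party, verifier: Party):
    """Unilateral authentication: verifier challenges, prover answers, verifier checks.
    Returns (accepted, transcript) where transcript is what an eavesdropper sees."""
    n = verifier.challenge()  # verifier -> prover : N
    tag = prover.respond(verifier.name, n)  # prover -> verifier : MAC(prover, verifier, N)
    return verifier.verify(prover.name, n, tag), (n, tag)


def mutual(a: Party, b: Party) -> bool:
    """Mutual authentication: each side challenges the other; both checks must pass."""
    na = a.challenge()  # 1. A -> B : A, N_A
    nb = b.challenge()  # 2. B -> A : N_B, MAC(B, A, N_A)
    if not a.verify(b.name, na, b.respond(a.name, na)):
        return False
    return b.verify(a.name, nb, a.respond(b.name, nb))  # 3. A -> B : MAC(A, B, N_B)


def replay(prover: Party, verifier: Party, transcript) -> tuple:
    """An attacker replays a transcript captured from an earlier honest run."""
    old_nonce, old_tag = transcript
    # Case 1: resend the captured (nonce, tag) pair verbatim; the nonce is spent.
    verbatim = verifier.verify(prover.name, old_nonce, old_tag)
    # Case 2: answer a fresh challenge with the captured tag; the MAC no longer matches.
    fresh = verifier.challenge()
    spliced = verifier.verify(prover.name, fresh, old_tag)
    return verbatim, spliced


if __name__ == "__main__":
    K = b"example-pre-shared-key"  # constructed for the example
    alice, bob = Party("alice", K), Party("bob", K)
    ok, captured = honest_run(alice, bob)
    print("unilateral:", ok)  # True
    print("replay (verbatim, spliced):", replay(alice, bob, captured))  # (False, False)
    print("mutual:", mutual(alice, bob))  # True
    mallory = Party("mallory", b"wrong-key")
    print("impostor:", honest_run(mallory, bob)[0])  # False
```

Without the nonce (for instance, a tag computed only over the two names, or a static password sent in the clear), the captured transcript would verify again on every resend; the freshness check in `verify` is what turns the captured message into a stale one. Timestamps or sequence numbers serve the same purpose where a challenge round trip is not practical.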