In the previous article of the CISSP development path series planned by the 51CTO Security channel, "Explaining the Authentication Process", j0ker described the three authentication factors and the principles for the safe use of passwords and passphrases in user authentication. As the user authentication scheme with the lowest implementation difficulty and cost, password-based authentication is widely used in daily life and work. However, because passwords themselves are weak, attackers can often crack or steal them. High-security systems therefore combine password verification with other authentication methods to strengthen the system. This article covers the first of those methods, authentication by what the user possesses (something you have); the next article will cover authentication by the user's biometric characteristics (something you are).
The biggest difference between possession-based credentials and the traditional password is that a possession credential is an item the user holds; the user does not need to know how it works internally, only to present it when the system asks for authentication. If this sounds abstract, consider entering a guarded room. If the guard only asks for a password and verifies nothing else about the visitor, that is the traditional password method. If, after the password, the visitor must also present a work permit or key before the guard lets them in, that is verification by something the user has. If regulations further require the visitor to be a person the guard recognises, that is authentication by the user's biological characteristics. In effect, a possession credential is the key with which the user enters the system.
Possession credentials can be further divided by form into logical and physical credentials. Logical credentials are stored on the user's system and are submitted to the verification system, automatically or manually, when authentication is required; common examples are digital certificates, files containing special characters or content, and software-implemented tokens. Physical credentials include one-time password (OTP) devices, memory cards and smart cards. Because logical credentials can be copied and reused by an attacker, physical credentials are more secure than logical ones.
Below, j0ker introduces the two most widely used possession-credential schemes, the one-time password (OTP) and the smart card:
The one-time password (OTP) differs from a traditional password in that it can only be used once and becomes invalid after use. Even if an attacker obtains a user's one-time password, it cannot be used to log on to the user's system, because it has already expired.
Contrary to what one might think, one-time passwords have a long history and predate computers: the code books commonly used in the military and espionage fields can be considered the predecessor of the one-time password. Even today, many one-time password lists are printed on paper and handed to users. This remains the cheapest yet still secure one-time password scheme, and some banks in China have adopted it to strengthen the security of online banking; you may notice it when using those banks' online services. Of course, the security of this kind of one-time password depends on whether the user keeps the printed password book safe.
More one-time password schemes are implemented with electronic and computer technology. The user-side part of such a scheme is usually a device resembling a small calculator, or a key fob with a few buttons; the industry calls it a token device. The user enters data into the token device according to certain rules, the device performs a calculation, and the result it returns is the one-time password with which the user logs on to the system. Token devices are divided by implementation into synchronous and asynchronous token devices:
Synchronous token: the token device holds a reference value that is kept synchronised with the verification server, for example a clock accurate to the microsecond, or a variable set by the administrator. A token based on time synchronisation is called a clock-based token; one based on a variable counter is called a counter-based token. Both generate one-time passwords in roughly the same way: after the user enters a password, the token device uses the variable synchronised with the server as a parameter to derive the one-time password for logging on. The verification server applies the same variable and algorithm to the user's password stored in its database, and if the one-time password submitted by the user matches the one the server computes, the user is accepted as a legitimate user of the system.
Figure 1. Workflow of a time-synchronised token device (clock-based token)
Figure 2. Workflow of a counter-based token device
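The two synchronous variants, as an added example that is not part of the original article. The article does not name the algorithm a token runs over its synchronised variable; the HMAC-then-truncate construction below is an assumption (it is the one standardised as HOTP/TOTP). The seed, the 30-second time step and the look-ahead window are constructed demo values. The verification side shows the two practical checks a practitioner cares about: how the server tolerates a token whose counter or clock has drifted, and how it burns each accepted code so a captured one-time password cannot be reused.

```python
import hashlib
import hmac
import struct

# Constructed demo seed. In a real deployment the seed is provisioned into the
# token at enrolment and lives only in the device and the server's credential store.
SHARED_SEED = b"constructed-demo-seed-do-not-reuse"
DIGITS = 6


def otp_from_variable(seed: bytes, variable: int, digits: int = DIGITS) -> str:
    """Derive a one-time password from the shared seed and the synchronised variable.

    The HMAC-then-truncate construction used here is the HOTP/TOTP approach;
    the article does not name a specific algorithm, so this is an assumption.
    """
    msg = struct.pack(">Q", variable)            # 8-byte big-endian counter or time step
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                   # dynamic truncation: pick 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CounterToken:
    """Counter-based token: the variable is a counter advanced on every button press."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.counter = 0

    def press(self) -> str:
        code = otp_from_variable(self.seed, self.counter)
        self.counter += 1
        return code


class CounterServer:
    """Verification side for counter-based tokens.

    The server cannot see button presses that never reached it, so it accepts a
    short look-ahead window and then moves its counter past the code it accepted,
    which also prevents the same code from being replayed.
    """

    def __init__(self, seed: bytes, window: int = 5) -> None:
        self.seed = seed
        self.counter = 0
        self.window = window

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(otp_from_variable(self.seed, c), submitted):
                self.counter = c + 1
                return True
        return False


def clock_otp(seed: bytes, now: float, step: int = 30) -> str:
    """Clock-based token: the variable is the current time step (30 s here)."""
    return otp_from_variable(seed, int(now // step))


class ClockServer:
    """Verification side for clock-based tokens.

    Accepts the current step and +/- `skew` neighbours to absorb clock drift, and
    remembers the highest step already used so a captured code cannot be replayed
    inside that tolerance window.
    """

    def __init__(self, seed: bytes, step: int = 30, skew: int = 1) -> None:
        self.seed = seed
        self.step = step
        self.skew = skew
        self.last_used_step = -1

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now // self.step)
        for t in range(current - self.skew, current + self.skew + 1):
            if t <= self.last_used_step:
                continue                         # already consumed: replay
            if hmac.compare_digest(otp_from_variable(self.seed, t), submitted):
                self.last_used_step = t
                return True
        return False
```

The look-ahead window is the deployment trade-off the article alludes to: a larger window tolerates more drift but gives an attacker who has captured the seed-less output more guesses per attempt, and a token that drifts past the window has to be resynchronised by the administrator.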
Asynchronous token: because a synchronous token device must keep its time or counter variable consistent with the verification server, it is harder to deploy and maintain. The asynchronous token device avoids this disadvantage: neither the server nor the token has to maintain time or counter synchronisation. Instead it generates one-time passwords by challenge-response. After the user initiates a login request, the verification server returns a number based on the password the user entered; the user keys that number into the token device, which computes a result, and the user returns the result to the verification server. The server performs the same calculation and compares its result with the user's input; if the two values match, verification succeeds and the user can log on to the system.
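The challenge-response exchange above, with both sides' messages, as an added example that is not from the original article. The keyed computation (an HMAC over the challenge) is an assumption, since the article only says that token and server perform the same calculation. One deliberate departure, also an assumption: the article describes the challenge as derived from the password the user entered, whereas this example draws it at random, because a challenge that never repeats is what makes each response usable exactly once. The seed and user name are constructed demo values.

```python
import hashlib
import hmac
import secrets

# Constructed demo seed shared by the token and the verification server.
SHARED_SEED = b"constructed-demo-seed-do-not-reuse"
DIGITS = 8


def token_response(seed: bytes, challenge: str, digits: int = DIGITS) -> str:
    """The keyed computation the token performs on the number the user keys in.

    The server runs exactly the same function. An HMAC over the challenge is an
    assumption; the article only says both sides perform the same calculation.
    """
    digest = hmac.new(seed, challenge.encode("ascii"), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10 ** digits).zfill(digits)


class ChallengeResponseServer:
    """Verification server for asynchronous (challenge-response) tokens.

    No counter or clock is kept in step with the token; the only state is the
    outstanding challenge per user, and it is discarded after one use so that
    a captured response cannot be replayed.
    """

    def __init__(self, seeds_by_user: dict) -> None:
        self.seeds = seeds_by_user
        self.pending: dict = {}

    def start_login(self, user: str) -> str:
        """Step 1: user asks to log in; server returns the number to type into the token.

        Drawn at random here (an assumption, see lead-in) so no challenge repeats.
        """
        challenge = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, response: str) -> bool:
        """Step 2: user returns the token's output; server recomputes and compares.

        The pending challenge is removed whether or not the attempt succeeds, so a
        wrong guess cannot be retried against the same challenge either.
        """
        challenge = self.pending.pop(user, None)
        seed = self.seeds.get(user)
        if challenge is None or seed is None:
            return False
        expected = token_response(seed, challenge)
        return hmac.compare_digest(expected, response)


def demo_exchange() -> bool:
    """Run one full exchange and a replay attempt; True if both behave as intended."""
    server = ChallengeResponseServer({"alice": SHARED_SEED})
    challenge = server.start_login("alice")            # server -> user: "enter this number"
    response = token_response(SHARED_SEED, challenge)  # user keys challenge into the token
    ok = server.finish_login("alice", response)        # user -> server: the token's output
    replayed = server.finish_login("alice", response)  # same response again: no challenge pending
    return ok and not replayed
```

Note what the server keeps per user: only the seed and, briefly, one outstanding challenge. That is why the article can say the asynchronous scheme is easier to deploy and maintain; there is no counter or clock that can fall out of step and need resynchronising.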
In recent years, the market has also seen one-time password schemes that replace the physical token device with a token program installed on the user's system. This further reduces deployment and maintenance costs, and it suits enterprises that need security but are cost-sensitive about their authentication solution.
Smart card: a smart card is a plastic card resembling a credit card that contains a microchip storing information used for user authentication. Some advanced smart cards also include a dedicated processing chip that provides encryption/decryption or other computing functions. Smart cards are used even more widely than one-time passwords and are often deployed by enterprises for physical access control.