A method of identity authentication based on secret information
1. Password check
In a password check, the system establishes a user name/password pair for each legitimate user. When the user logs in to the system or uses a function, the system prompts for the user name and password and compares the input against the legitimate user name/password pairs it holds (these pairs are stored encrypted within the system). If the input matches a stored pair, the user's identity is authenticated.
Disadvantage: its security rests only on the confidentiality of the user's password, and passwords are generally short, static data that is easy to guess and vulnerable to attack. Snooping, dictionary attacks, exhaustive attempts, eavesdropping on network data streams, replay attacks and the like can easily breach the authentication system.
2. One-way authentication
If only one of the two communicating parties needs to be identified by the other, the authentication process is one-way authentication. The password check described above is one-way authentication, but that simple form is not combined with key distribution.
One-way authentication combined with key distribution mainly takes two forms. The first uses a symmetric key encryption system and needs a trusted third party, commonly called the KDC (key distribution center) or AS (authentication server), which carries out identity authentication and key distribution for both communicating parties. An example algorithm is DES. Its advantages are a small computational load, speed and high security, but distributing its keys secretly is difficult. The second uses an asymmetric key encryption system, in which encryption and decryption use different keys and no third party takes part; the typical public key encryption algorithm is RSA. Its advantages are that it suits the open nature of networks, key management is simple, and digital signatures and identity authentication are easy to implement, which makes it the core foundation of current electronic commerce technology. The disadvantage is that the algorithm is complex.
3. Two-way authentication
In two-way authentication, both communicating parties need to identify each other and then exchange a session key. The typical scheme is the Needham/Schroeder protocol. Its advantage is high confidentiality, but it is exposed to message replay attacks.
4. Zero-knowledge proof of identity
Ordinary authentication requires transmitting a password or identity information, but it would be better if a party could be authenticated without transmitting that information. Zero-knowledge proof is such a technique: the authenticated party A holds certain secret information and wants the authenticating party B to believe that A really holds it, without letting B learn the information itself.
An example is a simplified version of the well-known Feige-Fiat-Shamir zero-knowledge authentication protocol.
Assume a trusted arbitrator chooses a random modulus n, where n is the product of two large primes; in practice n is at least 512 bits and may be up to 1024 bits. The arbitrator produces a random number v such that x^2 = v mod n has a solution, i.e. v is a quadratic residue modulo n, and such that v^-1 mod n exists. v serves as the public key, and the smallest integer s satisfying s = sqrt(v^-1) mod n is then calculated as the private key of the authenticated party. The identification protocol runs as follows: the authenticated party A takes a random number r, where r < n, calculates x = r^2 mod n and sends x to the authenticating party B. B sends A a random bit b. If b = 0, A sends r to B; if b = 1, A sends y = r*s mod n to B. If b = 0, B verifies x = r^2 mod n, thereby confirming that A knows sqrt(x); if b = 1, B verifies x = y^2 * v mod n, thereby confirming that A knows s.
This is one round of identification. A and B can repeat the protocol t times, until B is convinced that A knows s.
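The round described above, as an added example that is not part of the original article: an honest prover passes every round, while a party without s can prepare for only one value of the challenge bit and so survives t rounds with probability 2^-t. The class and function names, the toy modulus, and the shortcut of drawing s first and deriving v are assumptions made for this sketch.

```python
import math
import secrets

# Constructed toy modulus from two known Mersenne primes; the article calls
# for an n of at least 512 bits, so this size is for demonstration only.
N = (2**31 - 1) * (2**61 - 1)

def keygen(n):
    """Arbitrator: return (v, s) with s*s*v == 1 (mod n).
    Shortcut (assumption): draw s first and derive v, which avoids computing
    a modular square root; the 'smallest s' choice is not reproduced."""
    while True:
        s = secrets.randbelow(n - 2) + 2
        if math.gcd(s, n) == 1:
            return pow(s * s, -1, n), s

class Prover:
    """Authenticated party A, who knows s."""
    def __init__(self, n, s):
        self.n, self.s = n, s
    def commit(self):
        self.r = secrets.randbelow(self.n - 1) + 1   # fresh r < n each round
        return pow(self.r, 2, self.n)                # x = r^2 mod n
    def respond(self, b):
        return self.r * self.s % self.n if b else self.r

class Impostor:
    """Party without s: can satisfy only the challenge bit it guessed."""
    def __init__(self, n, v):
        self.n, self.v = n, v
    def commit(self):
        self.guess = secrets.randbelow(2)
        self.y = secrets.randbelow(self.n - 1) + 1
        x = self.y * self.y % self.n
        return x * self.v % self.n if self.guess else x
    def respond(self, b):
        return self.y                                # fails when b != guess

def verify(n, v, x, b, y):
    """Authenticator B: b=0 checks x = y^2, b=1 checks x = y^2 * v (mod n)."""
    return x == (y * y * v % n if b else y * y % n)

def authenticate(party, n, v, rounds):
    """Run `rounds` rounds; accept only if every round verifies."""
    for _ in range(rounds):
        x = party.commit()
        b = secrets.randbelow(2)                     # B's random challenge bit
        if not verify(n, v, x, b, party.respond(b)):
            return False
    return True
```

The prover must draw a fresh r for every round: answering both b = 0 and b = 1 for the same x reveals s as y/r mod n.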
Second, the authentication method based on physical security
Although the authentication methods above differ in principle, they share one feature: they rely only on secret information that the user knows. In contrast, another type of authentication scheme depends on biological information specific to the user or on hardware that the user holds.
Biology-based schemes include identity authentication based on fingerprint identification, on voice, and on iris recognition. This technology uses the power of computer and network technology for image processing and pattern recognition; it offers good security, reliability and validity, and is a qualitative leap over traditional means of confirming identity. In recent years biometric technology worldwide has moved from the research stage to the application stage, research and application of the technology are in full swing, and the prospects are very broad.
Third, the application of identity authentication
1. Kerberos is a trusted third-party authentication protocol designed by MIT for distributed networks. The Kerberos service on the network acts as a trusted arbiter, providing secure network authentication that allows individuals to access different machines in the network. Kerberos is based on symmetric cryptography (it uses DES for data encryption, but other algorithms can be substituted), and it shares a different secret key with each entity on the network; knowledge of that secret key is proof of identity. Its design objective is to provide strong authentication services for client/server applications through a secret key system. The authentication process does not depend on authentication by the host operating system, does not trust host addresses, does not require physical security of all hosts on the network, and assumes that packets sent over the network can be arbitrarily read, modified and inserted.
Kerberos also has some problems: corruption of the Kerberos server makes the whole security system unable to work; the session key between the user and the TGS is transmitted encrypted with the user's secret key, and the user's secret key is generated from the user's password, so it may be subject to password guessing attacks; Kerberos uses timestamps, so there is a time synchronization problem; and to use Kerberos for an application, the client and server software of the system must be modified.
2. Identity Authentication in HTTP
HTTP provides a basic password-based authentication method, and currently all Web servers can support access control through Basic authentication. When a user requests a page or runs a CGI program, the Web server reads the access control file located in the directory of the accessed object (for example, NCSA's .htaccess file), which specifies which users can access the directory, obtains the access control information, and requires the client to submit a user name and password. The client encodes them (generally in Base64) and sends them to the server. After verifying the user's identity and password, the server sends back the requested page or executes the CGI program. HTTP therefore uses a password check transmitted in plaintext (the credentials are encoded in transit, but not encrypted), which lacks security. Users can first use SSL to establish an encrypted channel and then use the Basic authentication method for identity authentication, but with identity authentication based on the IP address.
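The "encoded, but not encrypted" point above, as an added example that is not part of the original article: a parser that recovers the user name and password from a Basic `Authorization` header value without any key, and an audit pass that flags requests which carried such credentials outside an encrypted channel. The function names and the request records are constructed for illustration; the header value is the standard "Aladdin" example for Basic authentication.

```python
import base64
import binascii

def parse_basic(header_value):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                       # malformed token: not valid Basic
    # Only the first colon separates the fields; a password may contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def audit(requests):
    """Return (path, user) for Basic credentials sent without an encrypted channel."""
    findings = []
    for req in requests:
        creds = parse_basic(req["headers"].get("Authorization", ""))
        if creds and req["scheme"] != "https":
            findings.append((req["path"], creds[0]))
    return findings

# Constructed sample requests (not captured traffic).
ALADDIN = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
SAMPLE_REQUESTS = [
    {"scheme": "http", "path": "/private/report.html",
     "headers": {"Authorization": ALADDIN}},
    {"scheme": "https", "path": "/private/report.html",
     "headers": {"Authorization": ALADDIN}},
    {"scheme": "http", "path": "/index.html", "headers": {}},
    {"scheme": "http", "path": "/cgi-bin/status",
     "headers": {"Authorization": "Basic not*base64"}},
]
```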
3. Identity Authentication in IP
Because the IP protocol sits at the network layer and cannot understand higher-level information, authentication in the IP protocol cannot be based on the user's identity; it is based on the IP address.
Fourth, technical discussion of identity authentication
There are other ways to implement identity authentication in computer networks, such as digital signature technology. A transmitted message proves its authenticity by a digital signature; the simple example is the direct use of the RSA algorithm with the sender's private key.
A digital signature guarantees the authenticity of the identity of the information's issuer, that is, the information really was signed by the signer and cannot be imitated by others. This resembles identity authentication, whose core is confirming that someone really is who they claim to be. So I think we should be able to use the digital signature mechanism to achieve authentication, but this can be difficult without prior key distribution (even for public keys, there must be a mechanism to deliver the genuine public key information to each user). In that case a digital signature may be impossible.
The difference between computer authentication and message authentication