User Authentication Mechanisms (用户鉴别机制)

Chapter 7

Slide 1: User Authentication Mechanisms

Slide 2: Authentication
• Who is who?
• Identifies a user or a resource
• Establishes trust before communication can take place
Can you give examples of authentication from everyday life?

Slide 3: Authentication Mechanisms
• Passwords (clear text passwords)
• Message digests of passwords
• Authentication tokens
• Certificate-based authentication
• Biometrics

Slide 4: Passwords (Clear Text Passwords)

Slide 5: Password Authentication – 1 (Fig 7.1)
Login screen: User id: _________ Password: _________ [Ok] [Cancel]

Slide 6: Password Authentication – 2 (Fig 7.2)
Login request sent to the server: Id = atul, Password = april

Slide 7: Password Authentication – 3 (Fig 7.3)
Server: the user authenticator program receives Id = atul, Password = april and checks it against the user database:
Id      Password
Jyoti   tiger
Amar    newroad
Atul    april
……

Slide 8: Password Authentication – 4 (Fig 7.4)
Server: the user authenticator program finds a matching entry in the user database and reports Success.

Slide 9: Password Authentication – 5 (Fig 7.5)
Server reply: Login successful
Application Menu: 1. View Balance 2. Transfer money ….

Slide 10: Problems with the Clear-text Passwords
• Database contains passwords in clear text
• Password travels in clear text from the user's computer to the server
What if the password is intercepted on the transmission channel?

Slide 12: Message Digests of Passwords
• Original clear text password is never stored/transmitted
• Message digest of the password is stored in the database, and the same is used for authentication
• Can lead to replay attacks

Slide 13: Message Digests of Passwords-1
Store message digests in the user database.
Step 1: Calculate the message digests of the passwords on the server-side.
Passwords: tiger, newroad, april …
→ Message digest algorithm →
Message digests of passwords: G%6$1, Vt^80+1, +{:>9mn

Slide 14: Message Digests of Passwords-2
Step 2: Store the user ids and message digests of the passwords in the user database.
Server: user creation program → user database:
Id      Password
Jyoti   G%6$1
Amar    Vt^80+1
Atul    +{:>9mn

Slide 15: Message Digests of Passwords-3
User authentication: server-side validation

Slide 16: The Problem of Passwords
• Each app needs its own user id and password
• Password maintenance is a very big concern
• A password should be designed to deter dictionary attacks
• But it should also be easy to remember

Slide 17: Authentication Tokens
• An authentication token is a small device
• Usually it has a processor, LCD, battery, keypad and clock
• It has a random seed which ensures that the token produces unique output

Slide 18: Authentication Tokens-step1: Creation of a token
• Token and server are synchronized initially
• Token generates fresh passwords periodically

Slide 19: Authentication Tokens-step1: Creation of a token (continued)
Server: user record creation for Id = atul, Seed = 615019191. The seed is loaded into the authentication token and stored in the user database:
Id      Seed
Jyoti   159010191
Amar    415901617
Atul    615019191

Slide 20: Authentication Tokens-step2: Use of token
Multi-factor authentication:
• Something that you know
• Something you have
• Something you are

Slide 22: Authentication Tokens-step3
• Server returns a message to the user

Slide 23: Authentication Token Types (Fig 7.19)
Authentication Tokens:
• Challenge/Response Tokens
• Time-based Tokens

Slide 24: Challenge/Response Tokens-1
• User sends a login request

Slide 25: Challenge/Response Tokens-2
• Server creates a random challenge

Slide 26: Challenge/Response Tokens-3
• User signs the random challenge with the message digest of the password

Slide 27: Challenge/Response Tokens-3 (continued)
Login Screen: User Id: Atul; Random Challenge: 8102811291012; Your response: _________

Slide 28: Challenge/Response Tokens-4
• Server verifies the encrypted random challenge
1. Server decrypts the encrypted random challenge received from the user with the user's seed
2. Server can encrypt its own version of the random challenge with the user's seed

Slide 30: Challenge/Response Tokens-5
• Server returns an appropriate message back to the user

Slide 31: Time-based Tokens
• Time-based tokens can overcome the drawback that the user has to "make three entries"
• Use time as the variable input to the authentication process

Slide 32: Time-based Tokens-1
• Password generation and login request

Slide 33: Time-based Tokens-1 (continued)

Slide 34: Time-based Tokens-2
• Server-side verification

Slide 36: Time-based Tokens-3
• Server returns an appropriate message back to the user

Slide 37: Certificate-based Authentication
• User's certificate details need to be stored on the server-side