Lecture 17 - Entity Authentication
Lecture 17 - Entity Authentication
Branch: B.Tech
The system stores the identity of Alice, the value of n, and the value
of hn(P0)
One-Time Password
The system stores the identity of Alice, the value of n, and the value
of hn(P0).
When the system receives the response of the user in the third
message, it applies the hash function to the value received to see if
it matches the value stored in the entry.
If there is a match, access is granted; otherwise, it is denied.
The system then decrements the value of n in the entry and replaces
the old value of the password hn(P0) with the new value hn−1(P0).
One-Time Password
When the user tries to access the system for the second time, the value of
the counter it receives is n − 1.
The third message from the user is now hn−2(P0).
When the system receives this message, it applies the hash function to
get hn−1(P0), which can be compared with the updated entry.
The value of n in the entry is decremented each time there is an access.
When the value becomes 0, the user can no longer access the system;
everything must be set up again.
For this reason, the value of n is normally chosen as a large number such
as 1000.
One-Time Password
Lamport one-time
password
ZERO-KNOWLEDGE
In password authentication, the claimant needs to send her secret
(the password) to the verifier; this is subject to eavesdropping by
Eve.
In addition, a dishonest verifier could reveal the password to others
or use it to impersonate the claimant.
In zero-knowledge authentication, the claimant does not reveal
anything that might endanger the confidentiality of the secret.
The claimant proves to the verifier that she knows a secret, without
revealing it.
ZERO-KNOWLEDGE
The interactions are so designed that they cannot lead to revealing
or guessing the secret.
After exchanging messages, the verifier only knows that the
claimant does or does not have the secret, nothing more.
The result is a yes/no situation, just a single bit of information.
In zero-knowledge authentication, the claimant proves that she
knows a secret without revealing it.
Fiat-Shamir Protocol
In the Fiat-Shamir protocol, a trusted third party chooses two large prime
numbers p and q to calculate the value of n = p × q.
The value of n is announced to the public; the values of p and q are kept
secret.
Alice, the claimant, chooses a secret number s between 1 and n − 1
(exclusive).
She calculates v = s2 mod n.
She keeps s as her private key and registers v as her public key with the
third party.
Verification of Alice by Bob can be done in four steps
Fiat-Shamir Protocol
1. Alice, the claimant, chooses a random number r between 0 and n − 1 (r is called the
commitment). She then calculates the value of x = r2 mod n; x is called the witness.
2. Alice sends x to Bob as the witness.
3. Bob, the verifier, sends the challenge c to Alice. The value of c is either 0 or 1.
4. Alice calculates the response y = rsc. Note that r is the random number selected by
Alice in the first step, s is her private key, and c is the challenge (0 or 1).
5. Alice sends the response to Bob to show that she knows the value of her private key, s.
She claims to be Alice.
6. Bob calculates y2 and xvc. If these two values are congruent, then Alice either knows
the value of s (she is honest) or she has calculated the value of y in some other ways
(dishonest) because we can easily prove that y2 is the same as xvc in modulo n
arithmetic as shown below:
Fiat-Shamir Protocol
Fiat-Shamir Protocol
Let us elaborate on this interesting protocol. Alice can be honest (knows
the value of s) or dishonest (does not know the value of s).
If she is honest, she passes each round.
If she is not, she still can pass a round by predicting the value of challenge
correctly.
Two situations can happen:
Alice guesses that the value of c (the challenge) will be 1 (a prediction).
She calculates x = r2/v and sends x as the witness.
a) If her guess is correct (c turned out to be 1), she sends y = r as the response. We can see that she
passes the test (y2 = xvc).
b) If her guess is wrong (c turned out to be 0), she cannot find a value of y that passes the test. She
probably quits or sends a value that does not pass the test and Bob will abort the process.
Fiat-Shamir Protocol
Second Situation : Alice guesses that the value of c (challenge) will be 0.
She calculates x = r2 and sends x as the witness.
a) If her guess is correct (c turned out to be 0), she sends y = r as the response. We can see that she
passes the test (y2 = xvc).
b) If her guess is wrong (c turned out to be 1), she cannot find a value of y that passes the rest. She
probably quits or sends a value that does not pass the test and Bob will abort the process.
• We can see that a dishonest claimant has a 50 percent chance of fooling the verifier and passing the
test (by predicting the value of the challenge).
• In other words, Bob assigns a probability of 1/2 to each round of the test.
• If the process is repeated 20 times, the probability decreases to (1/2)20 or 9.54 × 10−7.
• In other words, it is highly improbable that Alice can guess correctly 20 times.
Feige-Fiat-Shamir Protocol
The Feige-Fiat-Shamir protocol is similar to the first approach except
that it uses a vector of private keys [s1, s2, …, sk], a vector of public
keys [v1, v2, …, vk], and a vector of challenges (c1, c2, …, ck).
The private keys are chosen randomly, but they must be relatively
prime to n.
The public keys are chosen such that vi = (si2)−1 mod n.
Feige-Fiat-Shamir Protocol
Guillou-Quisquater Protocol
The Guillou-Quisquater protocol is an extension of the Fiat-Shamir
protocol in which fewer number of rounds can be used to prove the
identity of the claimant.
A trusted third party chooses two large prime numbers p and q to
calculate the value of n = p × q. The trusted party also chooses an
exponent, e, which is coprime with φ, where φ = (p − 1)(q − 1).
The values of n and e are announced to the public; the values of p and q
are kept secret.
The trusted party chooses two numbers for each entity, v which is public
and s which is secret. However, in this case, the relationship between v
and s is different: se × v = 1 mod n
Guillou-Quisquater Protocol
BIOMETRICS
Biometrics is the measurement of physiological or behavioral features that identify a person
(authentication by something inherent).
Biometrics measures features that cannot be guessed, stolen, or shared.
Enrollment
Before using any biometric techniques for authentication, the corresponding feature ofeach person in the community should be
available in the database. This is referred to as enrollment.
Authentication
Authentication is done by verification or identification
Verification
In verification, a person’s feature is matched against a single record in the database (one-to-one matching) to find if she is who she is
claiming to be. This is useful, for example, when a bank needs to verify a customer’s signature on a check.
Identification
In identification, a person’s feature is matched against all records in the database (oneto-many matching) to find if she has a record in
the database. This is useful, for example, when a company needs to allow access to the building only to employees.
BIOMETRICS
Techniques
BIOMETRICS
Accuracy
Accuracy of biometric techniques is measured using two parameters: false
rejection rate (FRR) and false acceptance rate (FAR).
False Rejection Rate (FRR)
This parameter measures how often a person, who should be recognized, is not recognized by the
system. FRR is measured as the ratio of false rejection to the total number of attempts (in
percentage)