Authentication

Core Concepts

Identification: Claiming an identity, such as providing a username.
Authentication: Proving that the claimed identity is valid.
Authorization: Determining what an authenticated entity is permitted to do.
Pre-shared key: A long-term secret shared in advance by two parties.
Session key: A temporary key created for a single session.
Mutual authentication: Both parties prove their identities to each other.
Trusted third party: A server trusted to generate and distribute session keys.
Nonce: A random value used once to prove freshness.
Timestamp: A time value that proves a message is recent.
Session identifier: A random value that ties messages to one protocol run.
Replay attack: Reusing an old ticket or message to trick a party into accepting it.

Symmetric Protocols and Kerberos

Needham–Schroeder protocol: Uses nonces to prove freshness but is vulnerable if old keys are exposed.
Denning–Sacco modification: Adds timestamps to tickets to prevent replay, requiring clocks.
Otway–Rees protocol: Uses a session identifier and nonces to prevent replay without clocks.
Kerberos: A ticket-based authentication system using timestamps and single sign-on.
Authentication Server (AS): The Kerberos service that verifies a user at login and issues a ticket for the TGS.
Ticket Granting Server (TGS): The Kerberos service that issues service tickets for individual servers.
Ticket: An encrypted block in Kerberos that carries a session key and identity.

Password Protocols and Hashing

Password Authentication Protocol (PAP): Sends the password in plaintext; insecure on networks.
Challenge–Handshake Authentication Protocol (CHAP): Uses a server challenge and hashed response so the password is never sent.
Password hash: A one-way transformation of a password stored instead of the plaintext.
Dictionary attack: Guessing from a list of common passwords.
Rainbow table attack: Using precomputed password→hash mappings to crack unsalted hashes.
Credential stuffing: Reusing stolen username/password pairs across many services.
Password spraying: Trying a few common passwords across many accounts.
Salt: A random value stored with a hash so identical passwords give different results.
Slow hashing functions: Algorithms like bcrypt, scrypt, or Argon2 that make each guess costly.

One-Time Passwords (OTPs)

One-time password (OTP): A password valid for only one login session, preventing reuse and replay.
S/Key (sequence-based OTP): Generates a sequence of values by repeated hashing; the server stores the last value, and each login uses the previous one.
Challenge-based OTP: Uses a random server challenge and a shared secret to compute a one-time response; proves possession of a device, unlike CHAP.
HOTP (counter-based OTP): Generates codes from a shared secret and counter; both sides advance counters to stay in sync.
TOTP (time-based OTP): Generates codes from a shared secret and the current time slice; each code is valid only briefly.

Passwordless and Multi-Factor Authentication

Multi-factor authentication (MFA): Requires factors from different categories (knowledge, possession, biometrics).
Push notifications: An MFA method where login attempts trigger an approval request on a phone.
MFA fatigue: An attack that overwhelms a user with repeated push requests.
Number matching authentication: MFA where the user types a code from the login screen into the authenticator app.
Passkey: A passwordless credential using a public/private key pair unique to each service.

Adversary-in-the-Middle Attacks

Adversary-in-the-middle attack: An attack where an adversary relays traffic between client and server to intercept or alter messages.

Biometric Authentication

Pattern recognition: Biometric systems compare similarity scores, not exact equality.
Threshold: A cutoff score that decides whether a match is accepted or rejected.
False Accept Rate (FAR): Probability that an impostor is incorrectly accepted.
False Reject Rate (FRR): Probability that a genuine user is incorrectly rejected.
ROC (Receiver Operating Characteristic): A plot showing the trade-off between FAR and FRR at different thresholds.
Equal Error Rate (EER): The point where FAR and FRR are equal; used as a performance summary.
Physiological biometrics: Traits based on the body, such as fingerprints, face, or iris.
Behavioral biometrics: Traits based on actions or habits, such as voice, typing rhythm, or gait.
Fingerprint minutiae: Small details in a fingerprint, such as ridge endings or bifurcations, used for matching.
Robustness: How consistently a trait can be measured for the same person.
Distinctiveness: How well a trait separates one person from another.
Enrollment: Capturing initial samples to build a reference template.
Sensing: Using a scanner or camera to record biometric data.
Feature extraction: Converting raw data into a compact set of features.
Pattern matching: Comparing extracted features against the stored template.
Decision: Accepting or rejecting based on the threshold.
Trusted device: A sensor or scanner that can be verified as genuine and untampered.
Liveness detection: Techniques that ensure the input comes from a live human, not a photo or prosthetic.
Tamper-proof communication: Protecting the path between sensor and matcher against injected or replayed data.
Compartmentalization: The ability to use different secrets for different services; not possible with biometrics.
Revocation: The ability to change a secret if compromised; not possible with biometric traits.
Theft of biometric: Risk that a fingerprint, face, or other trait can be copied and reused without consent.
Cooperative system: A system where the subject willingly presents the biometric (e.g., phone unlock).
Non-cooperative system: A system that captures data without cooperation, often for surveillance.