Authentication is used as a defense against unauthorized access to a computer network. It uses an exchange of information to verify the identity of a user. The information can be encrypted at both ends.
Authentication over a network is an especially important part of enabling security when remote clients are allowed to access network servers. Generally, authentication can be accomplished by verifying one or more of a password or PIN (something that a user knows), biometric information (something that a user is), and some identification token, such as a smart card (something that a user has).
In addition to authentication, key exchange is an important part of communication across a data network. Once a client and server have been authenticated, a secure communication channel can be set up between them, which is achieved by exchanging keys for the communication.
Authentication over a data network, especially a public data network like the Internet, is difficult because the communication between the client and server is susceptible to many different types of attacks.
A basic authentication scheme is for a server to request a password from the client. The client types the password and sends it over the wire to the server. This technique is vulnerable to eavesdroppers who may be monitoring the line with sniffers and network analyzers. Captured information can be used by a hacker in what is called a “replay attack” to illegally log on to a system. Even an encrypted password can be used in this manner.
For example, in an eavesdropping attack, an adversary may learn secret information by intercepting communication between the client and the server. Another type of attack is a spoofing attack, in which an adversary impersonates the server, so that the client believes that it is communicating with the legitimate server but is actually communicating with the adversary. In such an attack, the client may provide sensitive information to the adversary. If the adversary learns password information, the adversary may replay that information to the server to impersonate the legitimate client in what is called a replay attack. Replay attacks are effective even if the password sent from the client is encrypted, because the adversary does not need to know the actual password; it need only provide the server with whatever the server expects from the legitimate client (in this case, the encrypted password).
Further, in any password-based authentication protocol, there exists the possibility that passwords will be weak, such that they are susceptible to dictionary attacks. A dictionary attack is a brute-force attack on a password that is performed by testing a large number of likely passwords (e.g. all the words in an English dictionary) against some known information about the desired password. The known information may be publicly available or may have been obtained by the adversary through one of the techniques described above. Dictionary attacks are often effective because users often choose easily remembered, and therefore easily guessed, passwords.
One solution to avoid attacks that replay captured reusable passwords is to use one-time passwords (OTP). A one-time password can, e.g., be one password in a set of passwords that is so constructed that it is extremely difficult to calculate the next password in the set given the previous passwords. A one-time password system may, for example, present the user with a one-time password on the screen that grants the visitor access for one day. After the given time period ends, no more passwords are available to the visitor, and thus access to the system is removed.
Usually, an OTP (one-time password) system generates a series of passwords that are used to log on to a specific system. Once one of the passwords is used, it cannot be used again. The logon system will always expect a new one-time password at the next logon. This is done by decrementing a sequence number. Therefore, the possibility of replay attacks is eliminated.
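The following Python code is an added illustration, not part of the original text, of the kind of one-time-password set described above: a hash chain in the style of Lamport's scheme, in which each password is the hash of the next one to be used, so that knowing the passwords already sent does not allow the next one to be computed. The server stores only the last value it accepted and a decrementing sequence number; a replayed password fails because the server now expects the preimage of what it holds. The seed, the chain length and the class names are constructed for the example.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """One-way function used to build the chain (SHA-256 here)."""
    return hashlib.sha256(data).digest()


def generate_chain(seed: bytes, n: int) -> list[bytes]:
    """Return [p_0, p_1, ..., p_n] with p_0 = seed and p_i = H(p_{i-1}).

    Passwords are consumed in reverse order: p_{n-1} first, then p_{n-2}, ...
    Going forward (p_{i-1} -> p_i) is one hash; going backward requires a preimage.
    """
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


class OtpClient:
    """Holds the secret chain and hands out passwords from the top down."""

    def __init__(self, seed: bytes, n: int):
        self.chain = generate_chain(seed, n)
        self.next_index = n - 1  # sequence number, decremented on each use

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted: user must re-enroll")
        password = self.chain[self.next_index]
        self.next_index -= 1
        return password


class OtpServer:
    """Stores only the anchor p_n and the number of passwords still valid."""

    def __init__(self, anchor: bytes, count: int):
        self.stored = anchor  # last accepted value (initially p_n)
        self.count = count    # remaining sequence numbers

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 0:
            return False  # chain used up; nothing more can be accepted
        # Accept only the preimage of what we stored; constant-time compare.
        if hmac.compare_digest(H(candidate), self.stored):
            self.stored = candidate  # advance: the next password must hash to this
            self.count -= 1
            return True
        return False


def demo() -> dict:
    """Walk through logins, a replay, and exhaustion; return the outcomes."""
    seed = b"constructed-demo-seed-do-not-reuse"  # constructed sample secret
    n = 3
    client = OtpClient(seed, n)
    # Enrollment: the server learns only p_n, never the seed.
    server = OtpServer(anchor=client.chain[n], count=n)

    results = {}
    p_first = client.next_password()                    # p_2
    results["first_login"] = server.verify(p_first)     # True
    # An eavesdropper who captured p_2 replays it: rejected, H(p_2) != p_2.
    results["replay_rejected"] = not server.verify(p_first)
    results["second_login"] = server.verify(client.next_password())  # p_1
    results["third_login"] = server.verify(client.next_password())   # p_0
    results["remaining"] = server.count                              # 0
    # Replaying the very last password after exhaustion is also rejected.
    results["after_exhaustion_rejected"] = not server.verify(client.chain[0])
    return results


if __name__ == "__main__":
    print(demo())
```

In a deployed system the client would not keep the whole chain in memory but recompute p_i from the seed (or a passphrase) on demand; keeping the list here makes the ordering easy to follow. The server side shows the property the text relies on: each accepted password becomes the new stored value, so the same password can never satisfy `verify` twice.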
One-time passwords are, e.g., used by traveling computer users, who often want to connect to their home system via untrusted terminals at conference hotels, other universities, and airports, where trusted encryption software is not available. A loss of confidentiality of the session content is often acceptable in these situations, but a loss of reusable login passwords is not. The goal of a one-time-password login scheme is merely to provide a significant increase in security; it does not protect against sophisticated active attacks such as session hijacking, host emulation, man-in-the-middle, etc.
In determining which type of authentication to use, an analysis of the security level needed and of the existing situation is usually done. It can, e.g., be considered whether a session takes place between two machines or between a human being and a machine, and then decided how strong the authentication mechanism must be.
For example, if the connection is negotiated between two machines, it should be considered whether the other location is trusted, whether that machine protects its own networks against security attacks, and whether it is physically accessible to many users.
If the connection is negotiated with a user who must type in a token or password, it should be considered how secure the password is and how frequently it should be changed, or whether one-time passwords should be used. Once the user's connection is authenticated, authorization restrictions can be used to prevent the caller from accessing systems or networks that are to be protected.
The authentication process is typically handled by access protocols, all of which include password encryption. Password encryption protects against passive attacks, in which an unauthorized user monitors information being transmitted, and tries to use it later to establish what appears to be a valid session.
Authentication of terminal-server logins uses password expiration as an added security measure.
The most secure password authentication uses token cards to overcome the limitations of static passwords. Token cards protect against both passive attacks and replay attacks, in which an unauthorized user records valid authentication information exchanged between systems and then replays it later to gain entry. Because token cards provide one-time-only passwords, the password changes many times a day, making replay impossible.
Pre-authentication methods use call information to verify the calling number and the dialed number, respectively, before answering a call. Callback can be used for added security: after authentication is complete, the call is hung up and a call back is made, ensuring that the connection is made only with a trusted number.
The recent rise in computer-based attacks is likely to continue. The vulnerabilities that are being exploited are complex, and the hackers that are perpetrating attacks are becoming ever more sophisticated.
In an increasingly interconnected world more dependent on computers than ever before, hacking is a growing and very serious threat to information and computer security. Additionally, hackers have more tools and techniques than ever before, and the number of attacks is growing daily. For governments, businesses and ordinary individuals, the threat of hacking has created a need for secure information systems and networks which has never been greater.
Gaining access to a computer system or network that one is not authorized to access enables mischief, fraud, theft, deception, destruction or some other harm. Hacking (or cracking, the criminal aspect of the activity) consists of seizing control (or attempting to seize control) of an information system to disrupt, deny use, steal resources, steal data of value, monitor surreptitiously, or otherwise cause harm.
Hackers may also hack into a computer system and not change, add or take anything. They merely enter the unauthorized site and leave it exactly as it was found. The fundamental problem is, however, that when there is unauthorized access of information systems, there is a loss of control. Many security experts say that once a system has been infiltrated, even if the information has not been altered, the system can no longer be trusted.
New hacker techniques are developed and new security vulnerabilities in networks are found every day. Hackers are getting more and more advanced and thus, harder to prevent and detect.
A hacker can steal or guess a password or encryption key in order to gain access to a computer system. Using this method, a hacker does not have to sit at the computer and guess the password, because the computer can actually do the guessing itself.
The problems described above indicate that there is a continuous need to develop new methods and aspects for ensuring secrecy, in order to stay one step ahead of advanced hackers.