 

Password Systems - "what you know"

INFO & KNOWLEDGE
At first sight a password system is the cheapest way to authenticate somebody. Alongside the identity (the user name), the password, or better a passphrase, is stored and compared against the entered value whenever authentication is required.

But passwords can be passed on to other people, knowingly or unconsciously. In addition, all possible passwords can be tested systematically. Passcodes chosen by the user himself are also embedded in a social context and can be guessed. Security techniques, e.g. limiting the number of allowed failures, can mitigate the consequences of these facts only to a certain extent, so other measures are necessary. With a growing number of passwords it becomes hard to remember them all, especially those used less frequently; this problem also has to be counteracted.


Cleartext password system

This is the simplest password system and has no security at all. The password is in cleartext at the input terminal, during transmission and during the check at the authentication system. It can be intercepted at each of these places, and in addition all passwords are stored in the database in cleartext. Such a system could perhaps be sufficient where

- the database is protected against manipulation or access, and
- the input terminal is connected directly (or encrypted with changing keys) to the authentication system and is itself protected against manipulation or access.

Closely related are systems where a symmetric encryption key is the shared secret (pre-shared key). Authentication is considered successful if encrypted communication can be established. At least the transmission can then only be attacked by cryptanalytic methods, e.g. WEP.

A certain improvement is a system where a password or secret can be used only once, but one-time passwords have to be administered in a secure manner: storage, distribution and user handling have to be considered, e.g. transaction numbers in online banking.


Figure: Clear text password system. The password is transmitted and compared in cleartext.



Password derivation

Instead of transmitting and storing passwords in cleartext, it is better to apply a certain algorithm to them and transmit or store the resulting value. Cryptographic hash algorithms are used for this purpose, or ordinary encryption algorithms with the password as the encryption key, e.g. in local authentication or password-based file encryption.

This improves the security of the stored password at the authentication system, although the input terminal still has to be protected against manipulation. At first sight the transmission also seems to be protected, but it isn't: the transmitted data can be copied and replayed (replay attack), which means that the transmission has to be encrypted (with changing keys) anyway.

Because encryption without authenticating the communication partner is worth nothing, the authentication problem is moved to the encryption level. Given the need for changing keys and authentication of the participant, only protocols like SSL/TLS are candidates. To counteract replay attacks it is recommended to add a little randomness, which leads to challenge-response systems.
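As an added example (not from the original page and not Cryptoshop's own code), the following Python script contrasts the two situations described above. The server keeps only a salted hash of each password. In variant A the client sends that derived value over the wire; an eavesdropper who copies it can replay it and is accepted without ever learning the password. In variant B the same stored value is used in a challenge-response exchange: the server issues a fresh random nonce, the client answers with an HMAC over it, and the captured answer is useless against the next challenge. User name, password, salt size and the choice of SHA-256/HMAC are assumptions made for the demonstration; a production system would replace the plain SHA-256 derivation with a slow password KDF.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample credential (assumption, not from the original page).
USER = "alice"
PASSWORD = "correct horse battery staple"


def derive(password: str, salt: bytes) -> bytes:
    """Password derivation: the server stores H(salt || password), never the cleartext.
    Plain SHA-256 keeps the example short; real systems use scrypt/Argon2/PBKDF2."""
    return hashlib.sha256(salt + password.encode()).digest()


class Server:
    """Authentication system that holds only derived values and outstanding nonces."""

    def __init__(self):
        self.db = {}          # user -> (salt, derived value)
        self.challenges = {}  # user -> nonce that may be answered exactly once

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, derive(password, salt))

    def salt_for(self, user: str) -> bytes:
        return self.db[user][0]

    # Variant A: the client transmits the derived value itself.
    def check_derived(self, user: str, derived: bytes) -> bool:
        _, stored = self.db[user]
        return hmac.compare_digest(stored, derived)

    # Variant B: challenge/response; the derived value never leaves the client.
    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.challenges[user] = nonce
        return nonce

    def check_response(self, user: str, response: bytes) -> bool:
        nonce = self.challenges.pop(user, None)  # each nonce is consumed on first use
        if nonce is None:
            return False
        _, stored = self.db[user]
        expected = hmac.new(stored, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What the client sends in variant B: HMAC(derived value, nonce)."""
    return hmac.new(derive(password, salt), nonce, hashlib.sha256).digest()


def demo() -> dict:
    srv = Server()
    srv.register(USER, PASSWORD)
    salt = srv.salt_for(USER)

    # Variant A: the derived value is captured on the wire during a genuine login ...
    captured = derive(PASSWORD, salt)
    derived_ok = srv.check_derived(USER, captured)
    # ... and replayed later. It is accepted again: hashing alone does not stop replay.
    derived_replay_ok = srv.check_derived(USER, captured)
    wrong_ok = srv.check_derived(USER, derive("wrong password", salt))

    # Variant B: the captured response is bound to one nonce.
    nonce = srv.challenge(USER)
    captured_resp = client_response(PASSWORD, salt, nonce)
    cr_ok = srv.check_response(USER, captured_resp)
    srv.challenge(USER)  # next login gets a new nonce
    cr_replay_ok = srv.check_response(USER, captured_resp)

    return {
        "derived_ok": derived_ok,
        "derived_replay_ok": derived_replay_ok,
        "wrong_ok": wrong_ok,
        "cr_ok": cr_ok,
        "cr_replay_ok": cr_replay_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Running the script shows `derived_replay_ok` as True and `cr_replay_ok` as False: the hash of the password is just another static secret on the wire, while the nonce is what gives the challenge-response variant its replay resistance. The nonce is popped from the server's table on first use, so even an answer replayed against the same, already-answered challenge is rejected.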


Figure: Hash password system. The hash value of the password is transmitted, stored and compared.



Chain of hash values

Hash-value chains are special one-time-password systems. Starting from a seed value, a certain number of cryptographic hash values is computed, each one the hash of the previous. This list of "chained" hashes is the password list. The server stores only the last hash value; authentication is done with the last but one, and hashing that value has to yield the stored one. The disadvantage is that the user has to store a list of unwieldy one-time passwords. This method was also suggested for digital coins.
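The chain described above, as an added Python example that is not part of the original page: the chain is built from a seed, the server keeps only its last element, and each login presents the element below the one currently stored. The server moves its stored value down the chain after every success, so a captured one-time password cannot be reused, and once the seed itself has been spent the chain is exhausted and a new one must be provisioned. The seed value, the chain length and the use of SHA-256 are assumptions made for the demonstration.

```python
import hashlib
import hmac


def h(value: bytes) -> bytes:
    """One link of the chain (SHA-256 chosen for the example)."""
    return hashlib.sha256(value).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [h(seed), h(h(seed)), ..., h^n(seed)]; the last entry goes to the server."""
    chain = []
    v = seed
    for _ in range(n):
        v = h(v)
        chain.append(v)
    return chain


class HashChainServer:
    """Stores exactly one value: the top of the chain not yet consumed."""

    def __init__(self, last_hash: bytes):
        self.stored = last_hash

    def authenticate(self, otp: bytes) -> bool:
        # The presented value is valid if hashing it reproduces the stored value.
        if hmac.compare_digest(h(otp), self.stored):
            self.stored = otp  # step down the chain; the used OTP is now worthless
            return True
        return False


def demo() -> tuple:
    seed = b"constructed seed value"   # assumption: in practice a random secret
    chain = make_chain(seed, 5)         # h^1 .. h^5
    server = HashChainServer(chain[-1])  # server keeps h^5 only

    # The user's password list: h^0 (the seed) up to h^4, consumed from the top down.
    user_list = [seed] + chain[:-1]
    results = [server.authenticate(otp) for otp in reversed(user_list)]

    # Reusing an already spent value: h(h^3) = h^4, but the server now holds h^0.
    replay = server.authenticate(chain[2])
    # The chain is exhausted: nothing hashes to the seed, so a fresh chain is needed.
    exhausted = server.authenticate(b"any further attempt")
    return results, replay, exhausted


if __name__ == "__main__":
    ok, replay, exhausted = demo()
    print("logins:", ok, "replay accepted:", replay, "after exhaustion:", exhausted)
```

The server never learns anything it could use to compute the next password: given h^k it cannot derive h^(k-1), which is why only the top of the chain needs to be stored and why the list has to be consumed in strictly descending order.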



Related sections of the Knowledge Base: Password Challenge Response, Password protection and quality, One-Time-Password systems, Costs of a password system.

Copyright © 2004 CRYPTAS. All rights reserved