Current location - Quotes Website - Signature design - The difference between identity authentication and message authentication in computer
The difference between identity authentication and message authentication in computer
Technical Analysis and Comparison of Computer Identity Authentication

This paper comprehensively evaluates the advantages and disadvantages of some authentication mechanisms and schemes, analyzes the theory and application of identity authentication, lists some implementation methods, technical status quo and development trend of identity authentication, and designs a simple identity authentication scheme realized by digital signature.

Keywords: analysis and comparative application of identity authentication technology

With the advent of the Internet age, people can get all kinds of information through the Internet. However, due to the openness of the network, it is facing security threats such as computer virus, man-made malicious attacks, network software vulnerabilities, "back door" and unauthorized access. Therefore, network security has been paid more and more attention. As the first and most important line of defense of network security, identity authentication technology has attracted extensive attention.

I. Identity authentication method based on secret information

1, password check

Password verification means that the system establishes a username/password pair for each legal user. When the user logs in to the system or uses a function, the system will prompt the user to enter the user name and password. The system verifies whether the user name and password entered by the user match the user name/password pairs of existing legal users in the system (these user name/password pairs are encrypted and stored in the system). If they match a username/password pair, the user's identity is verified.

Disadvantages: Its security is only based on the confidentiality of users' passwords, which are generally short static data, easy to guess and easy to be attacked. Snooping, dictionary attacks, exhaustive attempts, network data stream eavesdropping and replay attacks can easily break the authentication system.

2. One-way authentication

If both communication parties only need one party to pass the authentication of the other party, such authentication process is one-way authentication, that is, the password checking method mentioned above is one-way authentication, but this simple one-way authentication is not combined with secret distribution.

There are mainly two kinds of one-way authentication schemes combined with secret distribution: one is to use a secret encryption system, which requires a trusted third party-usually called KDC (Secret Distribution Center) or AS (Authentication Server). By using this third party, both parties' identity authentication and secret distribution can be realized, such as DES algorithm, which has the advantages of small calculation, high speed and high efficiency. The other uses asymmetric encryption system, and uses different secret SK for encryption and decryption without the participation of a third party. The typical public encryption algorithm is RSA. The advantages of authentication can meet the requirements of network openness and simple secret management, and can easily realize functions such as digital signature and identity authentication, which is the core foundation of e-commerce and other technologies at present. Its disadvantage is that the algorithm is complex.

3, two-way authentication

In two-way authentication, two communication parties need to authenticate each other's identities and then exchange session secrets. The typical scheme is Needham/Schroeder protocol. Advantages: high confidentiality, but you will encounter message replay attacks.

4. Zero-knowledge identification

Usually, authentication needs to transmit password or identity information, but it would be nice if you can authenticate your identity without transmitting this information. Zero-knowledge proof is a technology: the authenticated party A has some secret information, and A tries to convince the authenticator B that he does have that information, but he doesn't want the authenticator B to know that information.

For example, the simplified scheme of the famous Gefei-Fiat-Chamil zero-knowledge authentication protocol.

Suppose that the trusted arbitration chooses a random modulus n, and n is the product of two prime numbers, which is actually at least 5 12 bits or as long as 1024 bits. The arbiter generates a random number v such that x2 = v mod n, that is, v is the remainder of the modulus n, and V- 1 mod n exists. Take V as the official password of the prover, and then calculate the smallest integer s:s=sqrt(v- 1)mod n as the private password of the authenticated party. The protocol to realize identity authentication is as follows: the authenticated party A takes a random number r, where r

This is a round of authentication. A and B can repeat this protocol T times until A believes that B knows S. ..

Second, the identity authentication method based on physical security

Although the above authentication methods have different principles, they all have the same feature, that is, they only rely on some secret information known by users. On the contrary, another authentication scheme relies on some unique biological information or hardware held by users.

Biological schemes include authentication based on fingerprint recognition, authentication based on voice recognition and authentication based on iris recognition. This technology uses the powerful functions of computer and network technology for image processing and pattern recognition, and has good security, reliability and effectiveness. Compared with the traditional means of identity confirmation, it has undoubtedly made a qualitative leap. In recent years, the global biometric technology has shifted from the research stage to the application stage, and the research and application of this technology are in full swing, with very broad prospects.

Third, the application of identity authentication

1 and Kerberos are trusted third-party authentication protocols designed by MIT for distributed networks. Kerberos service on the network plays the role of trusted arbiter, which can provide secure network authentication and allow individuals to access different machines in the network. Kerberos is based on symmetric encryption technology (DES is used to encrypt data, but it can be replaced by other algorithms). It shares different secrets with every entity on the network. Do you know that this secret is proof of identity? Its design goal is to provide powerful authentication service for client/server applications through encryption system. The realization of this authentication process does not depend on the authentication of the host operating system, the trust based on the host address, the physical security of all hosts on the network, and it is assumed that the data packets transmitted on the network can be read, modified and inserted at will. Kerberos also has some problems: the damage of Kerberos service server will make the whole security system unable to work; AS encrypts the session secret between the user and TGS with the user secret generated by the user password, so it may be attacked by password guessing; Kerberos uses timestamp, so there is time synchronization problem; In order to use Kerberos in the application system, the client and server software of the system should be modified.

2. Authentication in 2.HTTP

HTTP provides a basic authentication method based on password. At present, all Web servers can support access control through "basic authentication". When a user requests a page or runs a CGI program, there will be an access control file (such as. NCSA's haaccess file) is placed in the directory where the accessed object is located, and it is stipulated that those users can access this directory. The Web server reads the access control file, obtains the access control information from it, and requires the customer to submit the user name and password pair, which is encoded in some way (generally Base64) and paid to the service provider. After checking the user's identity and password, the service provider can send back the requested page or execute the EGI program. Therefore, HTTP uses the password verification method of plaintext transmission (although it is encoded in the transmission process, it is not encrypted), which lacks security. Users can use SSI to establish an encrypted channel first, and then use the basic authentication method to authenticate, instead of authentication based on IP address.

3. Authentication in 3.IP

Because the IP protocol is in the network layer and can't understand higher-level information, the identity authentication in the IP protocol is not based on the user's identity authentication, but on the IP address.

Four. Discussion on identity authentication technology

There are other ways to realize identity authentication in computer networks, such as digital signature technology. The authenticity of the transmitted information is proved by digital signature. A simple example is to directly use RSA algorithm and sender's secret.

Because one function of digital signature is to ensure the authenticity of the sender's identity, that is, the information is indeed signed by the alleged signer and cannot be copied by others, which is somewhat similar to the case of identity authentication; The core of identity authentication is to confirm that someone is who he claims to be. Then, I think it should be possible to use the digital signature mechanism to realize identity authentication, but there may be a difficulty, if the secret is not distributed in advance (even if it is public, there must be a mechanism to deliver the real public information to every user). Maybe the digital signature can't be realized.

Verb (abbreviation of verb) conclusion

In practical application, the selection of authentication scheme should be comprehensively considered from two aspects: system requirements and security performance of authentication mechanism, and the one with the highest security performance is not necessarily the best. How to reduce the computation and communication in identity authentication mechanism and information authentication mechanism while providing high security performance is also a subject that researchers in the field of information security need to further study.

References:

[1] American D.E.R tanning. Cryptography and Data Security, Science Press. 199 1. 1 1.

[2] Dekaat Jenkins, translated by Wei Yan, translated by Internet network security professional reference manual. Machinery Industry Press. 1998.

Related articles
  • Spicy eyes resell gifts, Jerry changes his face, Jin Jing deducts money, and uncovers the word "profit" in the entertainment circle. what do you think?
  • Where can I buy a signed jersey certificate?
  • 5, yuan to eat chicken laptop recommended, 219
  • Help me design a personalized signature
  • How to sign wps
  • What size are Yao MingĄ¯s shoes?
  • What materials does the lawyer write before the trial?
  • How to set the mailbox signature for foxmail mailbox?
  • And many, many slow-motion lyrics. What song is it?
  • Tutoring homework is half angry.

    • copyright 2024 Quotes Website All rights reserved