Section 8.2 could be used. All of these techniques are deployed in different
commercial devices, namely:
Clock-based. The user and the device have synchronised clocks and thus the
current time can be used to generate an input that both the user and the
device will 'understand'.
Sequence numbers. The user and the device both maintain synchronised
sequence numbers.
Nonce-based. The device randomly generates a number, known as a challenge,
and sends it to the user, who computes a cryptographic response. Such
mechanisms are often referred to as challenge-response mechanisms.
8.5.2 Example dynamic password scheme
We now give an example of a dynamic password scheme.
DYNAMIC PASSWORD SCHEME DESCRIPTION
Before any authentication attempts are made, the user is given a token on
which the password function has already been implemented in the form of a
symmetric cryptographic algorithm A (this could be an encryption algorithm)
with symmetric key K. While the algorithm A could be standard across the entire
system, the key K is shared only by the server and the token held by the user.
Note that a different user, with a different token, will share a different key with
the server. Thus, as far as the server is concerned, correct use of key K will be
associated with a specific user.
A further feature of this example scheme is that the user has some means
of identifying themselves to the token, otherwise anyone who steals the token
could pass themselves off as the user. In our example, this process will be
implemented using a PIN. The token will only activate if the user enters the
correct PIN.
Figure 8.3 shows an authentication attempt using this dynamic password
scheme:
1. The server randomly generates a challenge and sends it to the user. It is possible
that the user first sends a message to the server requesting that the server send
them a challenge.
2. The user authenticates themselves to the token using the PIN.
3. If the PIN is correct then the token is activated. The user then uses the token
interface by means of a keypad to enter the challenge into the token.
4. The token uses the password function to compute a response to the challenge.
If algorithm A is an encryption algorithm then the challenge can be regarded
as a plaintext and the response is the ciphertext that results from applying
encryption algorithm A using key K. The token displays the result to the user on
its screen.
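The following is an added worked example of the nonce-based exchange in steps 1 to 4 (and of the verification the server then performs); it is illustrative code, not from the book. Its one deliberate substitution is the password function: where the book's algorithm A is a symmetric encryption algorithm, this example uses HMAC-SHA256 truncated to six decimal digits, because that symmetric algorithm is in the Python standard library and gives a response short enough to read from a token display. The class names, the PIN handling and the sample user are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def password_function(key: bytes, challenge: str) -> str:
    """Algorithm A under key K, applied to the challenge.

    Stand-in for the book's symmetric encryption algorithm: HMAC-SHA256,
    truncated to six decimal digits so the response can be typed or read
    from a small screen. Both server and token call this same function.
    """
    tag = hmac.new(key, challenge.encode("ascii"), hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 1_000_000:06d}"


class Token:
    """Token issued to one user: holds key K and a PIN check (assumed design)."""

    def __init__(self, key: bytes, pin: str) -> None:
        self._key = key
        # Constructed detail: the PIN is stored as a SHA-256 digest; a real
        # token would keep PIN verification data in tamper-resistant storage.
        self._pin_digest = hashlib.sha256(pin.encode("ascii")).digest()
        self._activated = False

    def activate(self, pin: str) -> bool:
        """Steps 2-3: the token only activates when the correct PIN is entered."""
        candidate = hashlib.sha256(pin.encode("ascii")).digest()
        self._activated = hmac.compare_digest(candidate, self._pin_digest)
        return self._activated

    def respond(self, challenge: str) -> str:
        """Step 4: compute the response; refuses if the PIN step was skipped."""
        if not self._activated:
            raise PermissionError("token not activated with PIN")
        return password_function(self._key, challenge)


class Server:
    """Authentication server: one key K per enrolled user, one live challenge each."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._pending: dict[str, str] = {}

    def enrol(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def issue_challenge(self, user: str) -> str:
        """Step 1: a fresh random challenge (a nonce) sent to the user."""
        challenge = f"{secrets.randbelow(100_000_000):08d}"
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        """Recompute the expected response under the user's key K and compare.

        The pending challenge is consumed whether or not the check passes,
        so a captured response cannot be replayed against the same challenge.
        """
        challenge = self._pending.pop(user, None)
        key = self._keys.get(user)
        if challenge is None or key is None:
            return False
        expected = password_function(key, challenge)
        return hmac.compare_digest(expected, response)


def authenticate(server: Server, token: Token, user: str, pin: str) -> bool:
    """Run the Figure 8.3 exchange end to end for one user."""
    challenge = server.issue_challenge(user)      # step 1: server -> user
    if not token.activate(pin):                   # steps 2-3: PIN gates the token
        return False
    response = token.respond(challenge)           # step 4: user keys in challenge
    return server.verify(user, response)          # user sends response to server


def make_enrolment(user: str, pin: str) -> tuple[Server, Token]:
    """Constructed sample setup: a fresh key K shared only by server and token."""
    key = secrets.token_bytes(16)
    server = Server()
    server.enrol(user, key)
    return server, Token(key, pin)


if __name__ == "__main__":
    server, token = make_enrolment("alice", "4321")
    print("correct PIN:", authenticate(server, token, "alice", "4321"))
    print("wrong PIN:  ", authenticate(server, token, "alice", "0000"))
```

Two properties of the scheme fall out of the code directly: the server never needs the PIN (it only ever sees key K being used correctly, which is what ties the response to a specific user), and because each challenge is random and consumed on first use, an observed response is of no use for a later attempt. For the clock-based and sequence-number variants listed earlier, only `issue_challenge` changes: the input is derived on both sides from the synchronised clock or counter instead of being generated by the server and sent across.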