Authentication Exchange

Authentication Exchange is a #Security Mechanism that confirm an entity’s identity by means of information exchange before gaining access to a resource. It usually involves a unique piece of information that could unambiguously recognise an entity such as username/password pair#, secret key, or biometric data.

A transparent Authentication Exchange could be happened if the user doesn’t aware that the Authentication# is taking place. The underlying mechanism is that the user is blocked by the network, without letting they know that they are being blocked. After a successful authentication, the user will be able to access the network since the port is open to the user.

Links to this page

X.509 Authentication Service

X.509 Authentication Service defines a directory service and a framework that provides Authentication# services to its users. The directory is a server or in distributed architecture, a set of servers that maintains a database that stores user information. It can also serve as a repository of Public-Key Certificates# which contain the public-key of a user and signed with the private key of a trusted CA (Certification Authority).
Triple A (AAA)

AAA refers to Authentication# (who are you), Authorisation# (what can you do) and Accounting# (what did you do).
Simple Authentication Dialogue

Simple Authentication Dialogue is a simple scheme that authenticates# users with username and password. It comes with a problem: If the password is transmitted in plaintext, then the user is vulnerable to eavesdropping#. Furthermore, it could prompt too many times for the user to enter their password as their sessions come to an end which could be one of the information the Cryptanalyst can utilise.
Security Mechanism

Authentication Exchange
SNMPv3 1998

#SNMPv3, defined by RFC 2570 - 2575, addresses security issues of #SNMPv1 1988 and #SNMPv2 1993 by using User Security Model (USM), including overall architecture and security capability. It provides authentication service# that is part of User-Based Security (UBS), privacy# (Data Encryption Standard (DES) message encryption), and Access Control# to allowed operations, device information, and Management Information Base (MIB) access.
SNMPv1 1988

SNMPv1 uses community, a relationship between a SNMP manager and a set of SNMP agents, to establish trust between them. It provides three aspects of agent control including: authentication service#, access policy#, and proxy service. This is later inherited by its successor SNMPv2 1993#. However, it has a major security issue as it transmits a password, called “community string”, in cleartext to authenticate clients.
Peer Entity Authentication

Peer Entity Authentication is a kind of #Security Service that utilises encryption#, Digital Signature# and Authentication Exchange# in order to counter Masquerade#.
Kerberos

Kerberos is a protocol utilising #Symmetric Cryptography to provide Security Service# in Application Layer#. It is done by authenticate the user in order to gain temporary access to internal or remote resources. There are currently two versions of Kerberos implementation: Version 4# and Version 5#. Regardless of the version, three components make up the structure of Kerberos which is used to guard the network: Authentication#, Accounting and Auditing. It has two main ~~components~~ servers: Authentication Server and Ticket Granting Server.

There are four requirements for Kerberos. First, it needs to be secure so that the eavesdropper# will not obtain enough information for impersonation. Second, it must be highly reliable where there is at least one system able to back up another (typically in a distributed server architecture). Third, the Authentication# should be transparent that is the user should not aware that the authentication is taking place beyond the need to enter a password. Last but not least, it should be scalable so that it is capable of supporting large numbers of clients and servers.
IP Security (IPsec)

The data encapsulation is done by two extension headers (append to the IP header): Authentication Header (AH) and Encapsulating Security Payload (ESP), defined by RFC 4303 and RFC 4302 respectively. AH provides Access Control#, Authentication# (including the IP Address#) and Connectionless Data Integrity# services using Message Authentication Code (MAC# /HMAC) where both parties must share secret key. It guards against address spoofing attacks and Replay Attack. ESP provides Confidentiality# services over message contents and traffic flow (but limited) and optionally support Access Control# services like in AH using MAC. It can also guard against Replay Attack#. The users can design which kind of ciphers, modes, and padding to be used in ESP. The IPsec could be set up to have AH only or ESP only or both.
Availability

Availability is the ability of the loss or a reduction in accessibility of elements of a distributed system. By proper use of Data Integrity# and Authentication Exchange#, it could counter Denial of Service (DoS)#.
Authorisation

Authorisation defines what rights and services an entity have or is allowed after a successful Authentication. For example, an authroisation could take place by determining which applications or protocols could be used based on the provided IP Address.

#security