For instance, we studied how a dual-factor authentication works when a password generator is used: S - U: N U → P : N,PIN P → U : {N,PIN}x U → S: {N,PIN}x Can you modify the set of rules outlined above to describe the protocol of dual-factor authentication when a mobile device is involved? please submit 1. a high-level overview of how the protocol would work 2. the description of the protocol using the formal notation

Transcribed Image Text:

Protocols The Dual Factor Authentication More specifically security protocols S - U: N U → P : N,PIN P → U : {N,PIN}x U → S: {N,PIN}x IN, PINIK N? **.. "specify the steps that principals use to establish trust relationships" Where • S: server • P: password generator The Case of the Garage • U: User • K: encryption K Trust On First Use (TOFU) EXIT EXIT ENTRANCE Security module that handles • Trust software machine T → G : T, {T,N}KT • Software tries to find machine ID Where • T: token (represented by serial number) No id then ask the user (e.g. Whatsapp, Smart TV ...) G: garage • N: "unique number" The Case of the Dual Factor Pay Pal a e Authentication Remote Key Management S - U: N U → P : N,PIN P → U : {N,PIN}K U → S: {N,PIN}K KDC (A,B) KDC N? Where Alice KA. KDC (R1, Кв.крс (А,R1)) knows R1 • S: server • P: password generator • U: User KB-KDC (A,R1) Bob knows R1 • K: encryption K When do Protocols Fail? Alice, Bob communicate using shared session key R1 Remote Key Management (cont'd) User authentication is heavily based on a protocol that uses a Password/PIN Using protocol notation Eavesdropping • People looking over your shoulder • Fake login Webpage • Devices capturing keystrokes - Man-in-the-middle attack A → S: A,B S → A : {A,B, KAB, T}KAs' {A, B, Kab, T}Kps A → B : {A,B, KAB, T}Kps+ {M}KaB The Challenge-Response • Where T represents the timestamp Protocol Needham-Schroeder protocol E → T: N 10:24 Aud M- Today 10 24 AM 4th St, San Francisco, CA T → E : T, {T,N}K Message 1 A → S: A,B,NA Message 2 S → A : {N4,B,KAB, {KAB,A}kpg }K¼s Message 3 A — В: (КАВ-А}крs where • E is the engine controller • Tis the transponder K is the encryption key Message 4 B → A : {Ng}K N random challenge Message 5 A → B : {Ng- 1}KB In Practice Kerberos User is given access to the system Exit Enter JUser wants to enter the system User is presented with a challenge User attempts the Yes challenge Developed by MIT • Network authentication tool No A → S : A,B S → A : {Ts,L, KAB, B, {Ts, L, KAB,A}Kps }Kas A → B : {Ts,L, KAB, A}Kns+ {A, TA}K,aB B → A : {TA+1}K,B surce: https://www.geeksforgeeks.org/challenge-response-authentication-mechanism-cram/ Challenge Response Authentication Mechanism (CRAM) - Completely Automated Public Turing Test Login Example: Microsoft ActiveDirectory - Biometric

Transcribed Image Text:

For instance, we studied how a dual-factor authentication works when a password generator is used: S → U : N U → P : N,PIN P → U : {N,PIN}x U → S: {N,PIN}K Can you modify the set of rules outlined above to describe the protocol of dual-factor authentication when a mobile device is involved? please submit 1. a high-level overview of how the protocol would work 2. the description of the protocol using the formal notation