As you know, almost every computer system needs authentication: the procedure by which the system checks whether a user really is who he claims to be. To access a computer, the Internet, a bank's remote account management system, etc., the user must prove to the system that he is that person and not someone else. To do this, he provides the system with some authentication information, on the basis of which the system's authentication module decides whether to grant access to the requested resource (access allowed / denied).
Three types of information are currently used for such verification:
The first is a unique set of characters that the user must know in order to be verified. The simplest example is password verification, for which it is sufficient to enter a system identifier (for example, a login) and a password.
And finally, the third type of authentication is by biometric information that is inseparable from the user: a fingerprint, an iris pattern, the shape of the face, voice parameters, etc.
Different types of authentication information are often combined.
A typical example: the authentication information is stored on a smart card, and to use the card the user must enter a password (PIN code). Such authentication is called two-factor; real systems with three-factor authentication also exist.
In some cases mutual authentication is also required, when both participants in the information exchange verify each other. For example, before important data is sent to an external server, the user must make sure that this is really the server he needs.
In the case of external authentication (say the user wants to reach an external mail server to check his e-mail) there is the problem of sending authentication information over untrusted communication channels (the Internet or a local network). To keep the unique information secret in transit, a number of authentication protocols are used. Let us consider a few of them, the most characteristic ones for different applications.
The simplest authentication protocol is password access (Password Access Protocol, PAP): all user information (login and password) is sent over the network in clear text (Fig. 1). The password received by the server is compared with the reference password of this user stored on the server. For security reasons, the server often stores not the passwords themselves but their hash values.
Fig. 1. PAP protocol scheme
This scheme has a very significant drawback: an attacker who can intercept network packets can obtain the user's password with a simple packet analyzer (sniffer). Once he has it, he can easily pass authentication under the name of the password's owner.
During verification, what crosses the network need not be the password itself but the result of some transformation of it, say the password hash. Unfortunately, this does not remove the drawback described above: the attacker can just as easily intercept the password hash and use it later.
A further disadvantage of this authentication scheme is that every potential user of the system must first register with it, at least by entering a password for later authentication. The more complex request-response authentication protocols described below make it possible, in principle, to extend the system to an unlimited number of users without prior registration.
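As an added example (not code from the original article), the PAP exchange and its "send the hash instead" variant from the paragraphs above, with a replay of one captured packet, beside a minimal request-response check of the kind the text goes on to describe. The user name, password, hash function and HMAC construction are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Server-side store: the PAP server keeps a hash of the password, not the
# password itself (constructed sample user, not taken from the article).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def pap_client_message(login: str, password: str) -> dict:
    """What the client sends over the network in the hash-sending PAP variant."""
    return {"login": login, "hash": hashlib.sha256(password.encode()).hexdigest()}


def pap_server_verify(msg: dict) -> bool:
    """PAP server: compare the received value with the stored reference hash."""
    stored = USERS.get(msg["login"])
    return stored is not None and hmac.compare_digest(stored, msg["hash"])


def replay_succeeds_against_pap() -> bool:
    """An eavesdropper records one authentication packet and resends it later.
    The server cannot distinguish the replay from a genuine login."""
    captured = pap_client_message("alice", "correct horse")  # sniffed once
    return pap_server_verify(captured)                        # resent later


# Request-response variant (assumed construction): the server issues a random
# challenge and the client answers HMAC(password_hash, challenge).
def cr_new_challenge() -> bytes:
    return os.urandom(16)


def cr_client_response(password: str, challenge: bytes) -> bytes:
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, challenge, hashlib.sha256).digest()


def cr_server_verify(login: str, challenge: bytes, response: bytes) -> bool:
    stored = USERS.get(login)
    if stored is None:
        return False
    expected = hmac.new(bytes.fromhex(stored), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def replay_succeeds_against_challenge_response() -> bool:
    """Same eavesdropper: records the answer to one challenge and replays it
    when the server issues a fresh one. The stale answer no longer verifies."""
    captured = cr_client_response("correct horse", cr_new_challenge())
    return cr_server_verify("alice", cr_new_challenge(), captured)
```

The replay against PAP returns True and the replay against the challenge-response variant returns False, which is exactly the difference the text describes between sending a static secret (or its hash) and answering a fresh request.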