Cryptography Authentication Guide

The document provides an overview of various authentication methods, including biometric authentication, authentication tokens, and Single Sign-On (SSO), along with their working mechanisms. It also explains Kerberos, Key Distribution Center (KDC), and certificate-based authentication, highlighting their roles in secure user verification. Additionally, it differentiates between authentication and authorization, outlining their respective functions and examples.
Cryptography Important Question Bank with Answers

UNIT 6

1. What is Biometric Authentication? Explain techniques of Biometric Authentication.


Answer:
• Biometric devices use human characteristics such as fingerprint, voice, or iris pattern to authenticate
users.
• Samples taken during authentication can vary slightly due to physical changes in the user's
characteristics.
• Multiple samples are taken during registration and averaged to create a baseline for authentication.
• Biometric systems define two configurable parameters: False Accept Ratio (FAR) and False Reject Ratio
(FRR).
• Combining passwords/PINs, smart cards, and biometrics provides the best security solution. This can be
a complex system to build and/or use.
Working:
• Biometric authentication involves creating a user's sample and storing it in a database.
• During authentication, the user provides a sample of the same nature (e.g. retina scan or fingerprint).
• The sample is sent over an encrypted session (e.g. SSL) to the server.
• On the server, the current sample is decrypted and compared with the one stored in the database.
• If the two samples match to the expected degree on the basis of FAR or FRR, the user is authenticated
successfully. Otherwise, the user is considered invalid.
Types of Biometric Authentication

(a) Face: Distance between facial features is measured using geometrical techniques for identification.
(b) Voice: Unique characteristics of sound waves, such as pitch and tone, are used to identify individuals.
(c) Fingerprint: Uniqueness of fingerprints is leveraged using minutiae-based or image-based techniques
for authentication.
(d) Iris: Unique pattern inside the iris is identified using laser beams for reliable authentication.
(e) Retina: Blood vessel patterns at the back of the eye are examined to provide a unique identification
pattern for authentication (less common due to high cost).
(f) Keystroke: Characteristics such as typing speed, keystroke strength, timing, and error patterns are
measured to identify users, but it is not as reliable as other authentication methods.
(g) Signature: Scanned computer-based signatures are compared with physical signatures on documents
for verification purposes.
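
The FAR/FRR trade-off described above, as an added example in Go that is not part of the question bank: the matcher scores are constructed sample values, and a sample is accepted when its score reaches the configured threshold. Moving the threshold up lowers FAR and raises FRR, which is why the two are configurable parameters.

```go
package main

import "fmt"

// Constructed matcher scores in [0,1] (not measurements from a real system):
// genuineScores are users matched against their own template, impostorScores
// are other people's samples matched against that template.
var genuineScores = []float64{0.91, 0.88, 0.95, 0.79, 0.84, 0.72, 0.90, 0.86}
var impostorScores = []float64{0.31, 0.45, 0.62, 0.28, 0.74, 0.40, 0.55, 0.66}

// Rates returns the FAR and FRR that one acceptance threshold produces on the
// two score sets. A sample is accepted when its score is >= threshold, so
// FAR = impostor samples wrongly accepted / all impostor samples and
// FRR = genuine samples wrongly rejected / all genuine samples.
func Rates(threshold float64, genuine, impostor []float64) (far, frr float64) {
	var falseAccepts, falseRejects int
	for _, s := range impostor {
		if s >= threshold {
			falseAccepts++
		}
	}
	for _, s := range genuine {
		if s < threshold {
			falseRejects++
		}
	}
	return float64(falseAccepts) / float64(len(impostor)),
		float64(falseRejects) / float64(len(genuine))
}

// Authenticate applies the configured threshold to one fresh sample's score.
func Authenticate(score, threshold float64) bool { return score >= threshold }

func main() {
	// Raising the threshold drives FAR down and FRR up; the operator picks the point.
	for _, t := range []float64{0.60, 0.70, 0.80, 0.90} {
		far, frr := Rates(t, genuineScores, impostorScores)
		fmt.Printf("threshold %.2f  FAR %.3f  FRR %.3f\n", t, far, frr)
	}
}
```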
2. What do you mean by Authentication Tokens? Explain the working of the Authentication Token
scheme.
Authentication Token
An authentication token is an extremely useful alternative to a password. An authentication token is a
small device that generates a new random value every time it is used. This random value becomes the
basis for authentication. The small devices are typically the size of small key chains, calculators or
credit cards. Usually, an authentication token has the following features:
● Processor
● Liquid Crystal Display (LCD) for displaying outputs
● Battery
● (Optionally) a small keypad for entering information
● (Optionally) a real-time clock
Each authentication token (i.e. each device) is pre-programmed with a unique number, called a random
seed, or just seed. The seed forms the basis for ensuring the uniqueness of the output produced by the
token.
Working of the Authentication Token scheme
Step 1: Creation of a Token:
• The authentication server generates a random seed for the authentication token, which acts as a
unique identifier for the user.
• The seed is stored in the token and associated with the user's record in the user database.
• The user is unaware of the seed value programmed inside the token.
Step 2: Use of Token:
• The authentication token generates one-time passwords (OTPs) based on the pre-programmed seed.
• When the user wants to authenticate, they enter their user ID and the latest OTP displayed on the
token.
• The server retrieves the seed corresponding to the user ID from the user database and validates the
OTP using a password-validation program.
• The server determines if the provided OTP matches the OTP generated by the token using
synchronization techniques.
Step 3: Server Returns an Appropriate Message back to the User:
• The server responds to the authentication attempt and sends a relevant message to the user.
• The message indicates whether the authentication process was successful or unsuccessful.
• The user can proceed with accessing the desired resources or services based on the server's response.
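
The three steps above, as an added example in Go that is not part of the question bank: the token derives each OTP from its secret seed and an event counter (an HMAC-based, HOTP-style construction; the page names no algorithm, so that choice is mine), and the server looks up the seed by user ID and validates within a synchronisation window. The seed, user name and window size are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// OTP derives a 6-digit one-time password from the token's secret seed and an
// event counter (HMAC-based, HOTP-style truncation). A clock-based token would
// put the current time step where the counter is.
func OTP(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha256.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// OTPServer is the user database: each user's seed and last accepted counter.
type OTPServer struct {
	seeds    map[string][]byte
	counters map[string]uint64
}

// Validate (step 2): look up the seed for the user ID and accept the OTP if it
// matches one of the next `window` counter values (the synchronisation step:
// the token may have been pressed without a login). On success the stored
// counter jumps past the match, so the same OTP is never accepted twice.
func (s *OTPServer) Validate(user, otp string, window uint64) (bool, string) {
	seed, ok := s.seeds[user]
	if !ok {
		return false, "authentication failed"
	}
	last := s.counters[user]
	for c := last + 1; c <= last+window; c++ {
		if hmac.Equal([]byte(OTP(seed, c)), []byte(otp)) {
			s.counters[user] = c
			return true, "authentication successful"
		}
	}
	return false, "authentication failed"
}
```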

3. What are the two approaches to SSO? Explain the role of SSO.

Role of SSO
The role of Single Sign-On (SSO) is to provide a seamless and convenient authentication experience for
users while improving security and reducing administrative overhead for organizations.
• Enhanced user experience: Users can access multiple applications and systems with a single set of
credentials, simplifying the login process and improving productivity.
• Improved security: SSO reduces the reliance on weak passwords and enables centralized access
control, enforcing strong security measures consistently across systems.
• Centralized authentication and access control: SSO centralizes the authentication process, allowing
organizations to manage user access and authentication policies in one place.
• Streamlined user provisioning and deprovisioning: SSO simplifies the management of user access
privileges, making it easier to onboard and offboard users.
• Audit and compliance: SSO provides better visibility and control over user access, facilitating
monitoring, auditing, and compliance with regulatory requirements.

Script-Based SSO:
• In script-based SSO, authentication and authorization are managed through scripts or code embedded
within applications.
• Users authenticate themselves individually to each application, and the script within each application
verifies the user's credentials.
• The script then establishes a session for the user, allowing them to access other applications
without requiring further authentication.
• Example: An organization uses script-based SSO to enable its employees to access different internal
systems such as email, document management, and HR portals. Once authenticated to one system,
the user can seamlessly access other systems without entering credentials again.
Agent-Based SSO:
• Agent-based SSO relies on a dedicated software agent installed on the user's device or workstation.
• The agent intercepts authentication requests from applications and handles the authentication
process on behalf of the user.
• Upon successful authentication, the agent provides a security token to the application, allowing the
user to access multiple applications without additional login prompts.
• Example: A user logs into their computer and launches a web browser. The agent installed on the
computer automatically authenticates the user to the browser, and subsequent requests to various
web applications are handled by the agent, providing a seamless single sign-on experience.

4. What is Kerberos? Explain the Kerberos processing steps for client-server authentication
with the help of a neat diagram.
Kerberos provides a centralized authentication server whose function is to authenticate users to servers
and servers to users. In Kerberos, an authentication server and a database are used for client
authentication. Kerberos runs as a trusted third-party server known as the Key Distribution Center (KDC).
Each user and service on the network is a principal.
The main components of Kerberos are:
• Authentication Server (AS):
The Authentication Server performs the initial authentication and issues the ticket for the Ticket
Granting Service.
• Database:
The Authentication Server verifies the access rights of users in the database.
• Ticket Granting Server (TGS):
The Ticket Granting Server issues the ticket for the Server.
Kerberos Overview:
• Step-1:
The user logs in and requests services on the host; thus the user requests the ticket-granting service.
• Step-2:
The Authentication Server verifies the user's access rights using the database and then issues a
ticket-granting ticket and a session key. The result is encrypted using the user's password.
• Step-3:
The message is decrypted using the password, and the ticket is then sent to the Ticket Granting
Server. The ticket contains authenticators such as user names and network addresses.
• Step-4:
The Ticket Granting Server decrypts the ticket sent by the user, verifies the request using the
authenticator, and then creates the ticket for requesting services from the Server.
• Step-5:
The user sends the ticket and authenticator to the Server.
• Step-6:
The server verifies the ticket and authenticator and then grants access to the service. After this, the
user can access the services.

5. Explain the concept of Key Distribution Center (KDC) with neat diagram.
• Key Distribution Center (KDC) is a central authority dealing with keys for individual computers
(nodes) in a computer network. It is similar to the concept of the Authentication Server (AS) and
Ticket Granting Server (TGS) in Kerberos.
• The basic idea is that every node shares a unique secret key with the KDC. Whenever user A wants
to communicate securely with user B, the following happens:
1. A shares a secret key KA with the KDC. Similarly, B is assumed to share a secret key KB with the
KDC.
2. A sends a request to KDC encrypted with KA, which includes
(a) Identities of A and B
(b) A random number R, called a nonce
3. KDC responds with a message encrypted with KA, containing
(a) One-time symmetric key KS
(b) Original request that was sent by A, for verification
(c) Plus, KS encrypted with KB and ID of A encrypted with KB
4. A and B can now communicate by using KS for encryption.
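
The KDC exchange above (steps 2 to 4), which is also the key-distribution core that the Kerberos AS/TGS steps in question 4 build on, as an added example in Go that is not part of the question bank. Assumptions: AES-256-GCM stands in for the encryption under KA and KB, messages are "|"-separated fields with KS hex-encoded (my layout), and the KDC already holds keys for both A and B; the reply echoes A's whole request so A can check the nonce R and the identities before trusting KS.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

func seal(key, pt []byte) []byte { // AES-256-GCM, random 12-byte nonce prepended
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	if len(ct) < 12 { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:12], ct[12:], nil)
}

type KDC struct{ keys map[string][]byte } // long-term key per node (KA, KB, ...): step 1
// Respond (step 3): open A's "A|B|R" with KA, mint a one-time KS and reply under
// KA with "hex(KS)|A|B|R|ticket", where ticket = "hex(KS)|A" sealed under KB.
func (k *KDC) Respond(from string, req []byte) ([]byte, error) {
	plain, err := open(k.keys[from], req)
	f := bytes.Split(plain, []byte("|"))
	if err != nil || len(f) != 3 || string(f[0]) != from {
		return nil, errors.New("bad request")
	}
	ks := make([]byte, 32)
	rand.Read(ks)
	ticket := seal(k.keys[string(f[1])], []byte(hex.EncodeToString(ks)+"|"+from))
	return seal(k.keys[from], append([]byte(hex.EncodeToString(ks)+"|"+string(plain)+"|"), ticket...)), nil
}

// ClientVerify (step 4, A's side): open the reply with KA and require that it
// echoes A's own request (nonce R, identities); returns KS and the ticket for B.
func ClientVerify(ka, reply []byte, req string) (ks, ticket []byte, err error) {
	plain, err := open(ka, reply)
	f := bytes.SplitN(plain, []byte("|"), 5)
	if err != nil || len(f) != 5 || string(bytes.Join(f[1:4], []byte("|"))) != req {
		return nil, nil, errors.New("reply does not match request")
	}
	ks, _ = hex.DecodeString(string(f[0]))
	return ks, f[4], nil
}
```

B's side is the last step: A forwards the returned ticket, and only KB opens it, giving B both KS and A's identity.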

6. Discuss, with a diagram, Certificate-based Authentication.

• Certificate-based authentication is an emerging mechanism based on digital certificates.
• In PKI (Public Key Infrastructure), both the server and optionally the client possess digital
certificates for secure transactions.
• SSL (Secure Sockets Layer) requires the server to have a digital certificate, while client
authentication is optional.
• Certificate-based authentication is stronger than password-based authentication because it relies
on possessing a certificate rather than knowing a password.
• During login, the user sends their certificate to the server as part of the login request.
• The server verifies the validity of the certificate by checking against a stored copy.
• To prevent misuse of someone else's certificate, certificate-based authentication is often made a 2-
factor process by combining possession of the certificate with knowledge of a password.

Step 1: Creation, Storage, and Distribution of Digital Certificates
• Digital certificates are created by the Certificate Authority (CA) for each user.
• Copies of the certificates are stored by the server in its database.
• Certificates are sent to the respective users.
Step 2: Login Request
• The user sends their user ID to the server.
Step 3: Server Creates a Random Challenge
• The server creates a random challenge (a random number) and sends it to the user.
Step 4: User Signs the Random Challenge
• The user signs the random challenge with their private key.
• The signature is sent to the server for verification.
Step 5: Server Returns an Appropriate Message Back to the User
• The server verifies the signature and sends an appropriate message back to the user, depending on
the success or failure of the authentication process.
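
Steps 2 to 5 above, as an added example in Go that is not part of the question bank. Assumptions: Ed25519 is the signature algorithm (the page names none), the server keeps the public key taken from its stored copy of each user's certificate, and each challenge is good for exactly one attempt, which is what stops a captured signature from being replayed at a later login.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// CertServer keeps, for each user ID, the public key taken from the stored copy
// of that user's certificate (step 1), plus the challenge currently outstanding.
type CertServer struct {
	pubkeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

// Challenge (steps 2 and 3): on a login request for userID, issue a fresh random
// challenge and remember it so the later signature can be checked against it.
func (s *CertServer) Challenge(userID string) ([]byte, error) {
	if _, ok := s.pubkeys[userID]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[userID] = c
	return c, nil
}

// Sign (step 4, client side): the user signs the challenge with the private key
// that matches their certificate.
func Sign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Verify (step 5): check the signature against the challenge issued to this user
// and discard that challenge, so the same signature cannot be presented again.
func (s *CertServer) Verify(userID string, sig []byte) (bool, string) {
	challenge, ok := s.challenges[userID]
	delete(s.challenges, userID) // one attempt per challenge, success or not
	if !ok || !ed25519.Verify(s.pubkeys[userID], challenge, sig) {
		return false, "authentication failed"
	}
	return true, "authentication successful"
}
```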

7. What do you mean by authentication? Differentiate between authentication and authorization.

Authentication:
• Verifies the identity of a user or system entity.
• Confirms the validity and accuracy of the claimed identity.
• Ensures that a user or entity is who they claim to be before granting access.
• Prevents unauthorized access and protects sensitive information.
• Authentication methods can include:
• Something the user knows (e.g., a password).
• Something the user has (e.g., a physical token or a smartphone).
• Something the user is (e.g., biometric characteristics).
Authorization:
• Grants or denies access rights and permissions to authenticated users or entities.
• Determines what actions or resources an authenticated user can access.
• Controls user privileges and prevents unauthorized activities.
• Involves defining roles, permissions, and access levels for different users or groups.
• Ensures authenticated users have appropriate privileges based on their roles and responsibilities.

Authentication | Authorization
Verifies the identity of a user or entity. | Grants or denies access rights and permissions.
Confirms the validity and accuracy of the claimed identity. | Determines what actions or resources an authenticated user can access.
Ensures that a user or entity is who they claim to be before granting access. | Controls user privileges and prevents unauthorized activities.
Prevents unauthorized access and protects sensitive information. | Defines roles, permissions, and access levels for users or groups.
Examples of authentication factors: something the user knows (e.g., password); something the user has (e.g., token, smartphone); something the user is (e.g., biometrics). | Examples of authorization mechanisms: role-based access control (RBAC); access control lists (ACLs); attribute-based access control (ABAC).
