use of the system (or some resource of the
system) by unauthorized users by verifying the identity of a user making a request.
Authentication basically involves identification and verification. Identification is
the process of claiming a certain identity by a user, while verification is the
process of verifying the user's claimed identity. Thus, the correctness of an
authentication process relies heavily on the verification procedure employed.
The three basic approaches to user authentication are as follows:
Proof by Knowledge. In this approach, authentication involves verifying
something that can only be known by an authorized user. Authentication of a user
based on the password supplied by him/her is an example of proof by knowledge.
Authentication methods based on the concept of proof by knowledge are again of
two types - direct demonstration method and challenge-response method. In the
direct demonstration method, a user claims his/her identity by supplying
information (like typing in a password) that the verifier checks against pre-stored
information. On the other hand, in the challenge-response method, a user proves
his or her identity by responding correctly to the challenge questions asked by the
verifier. For instance, at the time of initially registering in a system as a user, the
user picks a function, for example, x + 18. When the user logs in, the system
randomly selects and displays a number, say 105, in which case the user must type
123 for authentication to be successful.
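The challenge-response exchange described above, as an added example that is not part of the original text. The names `Verifier`, `page_function` and `keyed_function` are assumptions made for illustration. `keyed_function` goes beyond the text's x + 18 case and shows the same exchange with a keyed HMAC as the secret function, since a simple arithmetic function can be inferred from observed challenge and response pairs.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Verifier side of the challenge-response method (hypothetical class)."""

    def __init__(self):
        self._functions = {}  # user -> secret function picked at registration
        self._pending = {}    # user -> challenge issued but not yet answered

    def register(self, user, function):
        self._functions[user] = function

    def issue_challenge(self, user):
        # A fresh random number per login, so an old response is useless later.
        challenge = secrets.randbelow(1_000_000)
        self._pending[user] = challenge
        return challenge

    def verify(self, user, response):
        # pop() consumes the challenge: each one can be answered only once.
        challenge = self._pending.pop(user, None)
        function = self._functions.get(user)
        if challenge is None or function is None:
            return False
        expected = str(function(challenge)).encode()
        # Constant-time comparison of expected and supplied response.
        return hmac.compare_digest(expected, str(response).encode())


def page_function(x):
    """The function from the text: the user registered x + 18."""
    return x + 18


def keyed_function(key):
    """Generalization (assumption): HMAC-SHA256 of the challenge under a shared key."""
    def respond(x):
        return hmac.new(key, str(x).encode(), hashlib.sha256).hexdigest()
    return respond
```

With `page_function` registered and the challenge 105 outstanding, `verify` accepts 123 once and rejects the same response if it is sent again without a new challenge.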
Proof by Possession. In this approach, a user proves his/her identity by
producing some item that can only be possessed by an authorized user. The
system is designed to verify the produced item to confirm the claimed identity.
For example, a plastic card with a magnetic strip on it that has a user identifier
number written on it in invisible, electronic form may be used as the item to be
produced by the user. The user inserts the card in a slot meant for this purpose in
the system's terminal, which then extracts the user identifier number from the c...
This document was uploaded on 04/07/2014.
- Spring '14