User and Entity Authentication
- User (entity) authentication is a technique that lets one party verify the identity of another party
- An entity can be a client, a server, a person or a process
- The entity whose identity needs to be proved is called the claimant
- The party that tries to verify the identity of the claimant is called the verifier
- When Bob tries to verify the identity of Alice, Alice is the claimant and Bob is the verifier
Message vs Entity Authentication
- Message authentication authenticates one message at a time; the process must be repeated for each new message.
- Entity authentication, by contrast, authenticates the claimant for the entire duration of a session
- For message authentication, the sender does not need to be online at all times: the sender can go offline after the message is sent and the message can still be authenticated.
- In entity authentication, by contrast, the claimant needs to be online for the duration of the session
Password based entity authentication
1. Fixed password: used over and over again for every access
Example: e-mail
2. One-time password: this type of password is used only once
Example: banking transactions
Fixed password based entity authentication
Method 1: Storing the password in a file
Possible attacks: eavesdropping, stealing the password, accessing the password file, guessing
Method 2: Storing a hash of the password in a file
Possible attacks on hashed passwords: dictionary attack
Method 3: Salting the password
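The following added example (not part of the original notes) contrasts Methods 2 and 3: it assumes SHA-256 for the unsalted hash, PBKDF2-HMAC-SHA256 with a random 16-byte salt for the salted one, and a constructed four-word wordlist standing in for an attacker's dictionary. It shows that one precomputed table recovers an unsalted hash directly, while a per-user salt makes that table useless and also stops two users with the same password from sharing a stored value.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample wordlist standing in for a dictionary-attack list.
WORDLIST = ["password", "letmein", "qwerty", "123456"]


def store_hashed(password: str) -> str:
    """Method 2: store only an unsalted hash of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Method 3: hash the password together with a random per-user salt.

    Returns (salt, hex digest); both are written to the password file.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Verifier side: recompute with the stored salt and compare in constant time."""
    _, candidate = store_salted(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def dictionary_attack(stored_hex: str) -> Optional[str]:
    """Precompute the unsalted hash of every wordlist entry, then look the stored value up.

    The table is built once and reused against any number of stored hashes;
    a per-user salt breaks this reuse because the table would have to be rebuilt per salt.
    """
    table = {store_hashed(word): word for word in WORDLIST}
    return table.get(stored_hex)


if __name__ == "__main__":
    unsalted = store_hashed("qwerty")
    print("unsalted recovered:", dictionary_attack(unsalted))   # qwerty
    salt_a, salted_a = store_salted("qwerty")
    salt_b, salted_b = store_salted("qwerty")
    print("same password, same stored value?", salted_a == salted_b)  # False
    print("table hit on salted hash:", dictionary_attack(salted_a))   # None
    print("verify correct password:", verify_salted("qwerty", salt_a, salted_a))  # True
```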