User Authentication
The main issue in security is key management. Key management, however, involves user authentication: a key is only useful if it is bound to a verified identity. We therefore briefly discuss these issues.
User Authentication with Symmetric-Key Cryptography
In this section, we discuss authentication as a procedure that verifies the identity of one entity for another. An entity can be a person, a process, a client, or a server; in our examples, entities are people. Specifically, Bob needs to verify the identity of Alice and vice versa.

Note that entity authentication, as discussed here, is different from the message authentication discussed in the previous section. In message authentication, the identity of the sender is verified for each single message (every message carries its own MAC or signature). In user (entity) authentication, the user's identity is verified once, at the start of the session, and that result is then relied on for the entire duration of system access.
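The following is an added example, not code from the original post, showing the shape of symmetric-key entity authentication that this section names: a challenge-response in which Bob sends a fresh nonce and Alice proves she holds the shared key by returning a MAC over it. The 32-byte shared key, the `respond`/`Verifier` names and the `auth|name|nonce` message layout are all assumptions made for the example. It also shows the two failure modes a practitioner checks first: a replayed response to an already-used challenge, and a response computed under the wrong key.

```python
import hashlib
import hmac
import secrets

# Constructed example key; in practice it is established out of band.
SHARED_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def respond(key: bytes, identity: str, nonce: bytes) -> bytes:
    """Prover's side (Alice): show knowledge of the key by MACing Bob's challenge.

    The claimed identity is bound into the MAC input so that a response
    computed for one name cannot be replayed under another name.
    """
    msg = b"auth|" + identity.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Verifier's side (Bob): hands out fresh challenges, accepts each at most once."""

    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh, unpredictable challenge
        self._outstanding.add(nonce)
        return nonce

    def verify(self, identity: str, nonce: bytes, response: bytes) -> bool:
        # Unknown or already-consumed challenge: reject. This is what
        # defeats replay of an earlier, genuine response.
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = respond(self._key, identity, nonce)
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(expected, response)


def demo():
    """Run the exchange once honestly, once replayed, once with the wrong key."""
    bob = Verifier(SHARED_KEY)

    nonce = bob.challenge()
    good = respond(SHARED_KEY, "Alice", nonce)
    ok = bob.verify("Alice", nonce, good)        # True: Alice holds the key
    replayed = bob.verify("Alice", nonce, good)  # False: challenge already consumed

    nonce2 = bob.challenge()
    eve_key = secrets.token_bytes(32)            # Eve does not know SHARED_KEY
    forged = bob.verify("Alice", nonce2, respond(eve_key, "Alice", nonce2))  # False
    return ok, replayed, forged


if __name__ == "__main__":
    print(demo())
```

Once `verify` returns `True`, Bob treats the rest of the session as Alice's; nothing in this exchange authenticates the individual messages that follow, which is exactly the distinction drawn above.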
User Authentication with Public-Key Cryptography
We can use public-key cryptography to authenticate a user. Bob sends Alice a message containing a fresh nonce; Alice signs it with her private key (in the textbook phrasing, she "encrypts" it with her private key) and Bob verifies the result with Alice's public key. If the check passes, Bob knows that whoever answered holds the private key matching that public key.

However, this leaves the man-in-the-middle problem: Bob must obtain Alice's public key from somewhere, and Eve can announce her own public key to Bob in place of Alice's. Eve then signs the message containing the nonce with her private key; Bob verifies it with Eve's public key, which he believes is Alice's, and Bob is fooled. The challenge-response itself is sound; what failed is the binding between the name "Alice" and the key Bob uses.

Alice needs a better means to advertise her public key, and Bob needs a better way to verify that a public key really belongs to Alice.
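The exchange above, as an added example that is not part of the original post. It runs the nonce challenge-response honestly, then repeats it with Eve's key substituted for Alice's to show that Bob's check passes for the wrong party. The last part goes beyond the page's text and shows the usual answer to "Bob needs a better way to verify Alice's public key": Bob accepts a key for a name only if a third party whose key he already holds (a certificate authority) has signed that name-to-key binding. The RSA here is a hypothetical, textbook-style helper written for this example, not a library API: it uses no padding and fixed Mersenne primes (chosen only so no primality test is needed), and it is not secure. The `auth|`/`cert|` message layouts and all function names are assumptions.

```python
import hashlib
import secrets

# Toy textbook RSA, a hypothetical helper for this example only.
# NOT secure: no padding, no key-size checks, primes fixed below.


def keygen(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse; Python 3.8+
    return (n, e), (n, d)


def _hash_to_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_hash_to_int(data, n), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _hash_to_int(data, n)


# Mersenne primes (2**k - 1 for k = 61, 89, 107, 127, 31, 521) as an assumption
# standing in for real key generation; each party gets its own pair.
ALICE_PUB, ALICE_PRIV = keygen(2**61 - 1, 2**89 - 1)
EVE_PUB, EVE_PRIV = keygen(2**107 - 1, 2**127 - 1)
CA_PUB, CA_PRIV = keygen(2**31 - 1, 2**521 - 1)


def challenge_response(claimed: str, prover_priv, key_bob_trusts) -> bool:
    """Bob challenges with a fresh nonce; the prover signs it; Bob verifies
    with whatever key he currently holds under the claimed name."""
    nonce = secrets.token_bytes(16)
    msg = b"auth|" + claimed.encode() + b"|" + nonce
    sig = sign(prover_priv, msg)
    return verify(key_bob_trusts, msg, sig)


def honest_run() -> bool:
    return challenge_response("Alice", ALICE_PRIV, ALICE_PUB)  # True


def mitm_run() -> bool:
    # Eve announced her public key to Bob as "Alice's". Bob's check passes,
    # but it only proves the responder holds the key Bob was handed.
    return challenge_response("Alice", EVE_PRIV, EVE_PUB)  # True: Bob is fooled


# Binding a name to a key: a statement "identity -> (n, e)" signed by a CA.
def cert_bytes(identity: str, public) -> bytes:
    n, e = public
    return b"cert|" + identity.encode() + b"|" + str(n).encode() + b"|" + str(e).encode()


def issue_cert(identity: str, public) -> int:
    return sign(CA_PRIV, cert_bytes(identity, public))


def key_for(identity: str, announced_public, cert):
    """Bob accepts an announced key only if the CA vouched for this exact
    identity/key pair; otherwise returns None."""
    if verify(CA_PUB, cert_bytes(identity, announced_public), cert):
        return announced_public
    return None


def certified_run():
    alice_cert = issue_cert("Alice", ALICE_PUB)
    eve_cert = issue_cert("Eve", EVE_PUB)  # the CA will only vouch for Eve's own name
    eve_as_alice = key_for("Alice", EVE_PUB, eve_cert)      # None: cert is not for Alice
    alice_key = key_for("Alice", ALICE_PUB, alice_cert)     # ALICE_PUB
    return eve_as_alice is None, alice_key == ALICE_PUB


if __name__ == "__main__":
    print(honest_run(), mitm_run(), certified_run())
```

The point to take from `mitm_run` is that the signature check is doing exactly what it should; the attack lives entirely in how Bob came to hold the key. Real deployments replace the toy RSA with a padded signature scheme and the one-line certificate with X.509, but the check Bob performs in `key_for` is the same in shape.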
Thursday, February 5, 2009