Authentication

Core Concepts

Identification: Claiming an identity, such as providing a username.
Authentication: Proving that the claimed identity is valid.
Authorization: Determining what an authenticated entity is permitted to do.
Pre-shared key: A long-term secret shared in advance by two parties.
Session key: A temporary key created for a single session.
Mutual authentication: Both parties prove their identities to each other.
Trusted third party: A server trusted to generate and distribute session keys.
Nonce: A random value used once to prove freshness.
Timestamp: A time value that proves a message is recent.
Session identifier: A random value that ties messages to one protocol run.
Replay attack: Reusing an old ticket or message to trick a party into accepting it.

Needham–Schroeder protocol: Uses nonces to prove freshness but is vulnerable if old keys are exposed.
Denning–Sacco modification: Adds timestamps to tickets to prevent replay, requiring clocks.
Otway–Rees protocol: Uses a session identifier and nonces to prevent replay without clocks.
Kerberos: A ticket-based authentication system using timestamps and single sign-on.
Authentication Server (AS): The Kerberos service that verifies a user at login and issues a ticket for the TGS.
Ticket Granting Server (TGS): The Kerberos service that issues service tickets for individual servers.
Ticket: An encrypted block in Kerberos that carries a session key and identity.

Password Authentication Protocol (PAP): Sends the password in plaintext; insecure on networks.
Challenge–Handshake Authentication Protocol (CHAP): Uses a server challenge and hashed response so the password is never sent.
Password hash: A one-way transformation of a password stored instead of the plaintext.
Dictionary attack: Guessing from a list of common passwords.
Rainbow table attack: Using precomputed password→hash mappings to crack unsalted hashes.
Credential stuffing: Reusing stolen username/password pairs across many services.
Password spraying: Trying a few common passwords across many accounts.
Salt: A random value stored with a hash so identical passwords give different results.
Slow hashing functions: Algorithms like bcrypt, scrypt, or Argon2 that make each guess costly.

One-time password (OTP): A password valid for only one login session, preventing reuse and replay.
S/Key (sequence-based OTP): Generates a sequence of values by repeated hashing; the server stores the last value, and each login uses the previous one.
Challenge-based OTP: Uses a random server challenge and a shared secret to compute a one-time response; proves possession of a device, unlike CHAP.
HOTP (counter-based OTP): Generates codes from a shared secret and counter; both sides advance counters to stay in sync.
TOTP (time-based OTP): Generates codes from a shared secret and the current time slice; each code is valid only briefly.

Multi-factor authentication (MFA): Requires factors from different categories (knowledge, possession, biometrics).
Push notifications: An MFA method where login attempts trigger an approval request on a phone.
MFA fatigue: An attack that overwhelms a user with repeated push requests.
Number matching authentication: MFA where the user types a code from the login screen into the authenticator app.
Passkey: A passwordless credential using a public/private key pair unique to each service.

Adversary-in-the-middle attack: An attack where an adversary relays traffic between client and server to intercept or alter messages.