Authentication Method with Impersonal Token Cards

  • Authors: Refik Molva; Gene Tsudik
  • Affiliations: -; -
  • Venue: SP '93 Proceedings of the 1993 IEEE Symposium on Security and Privacy
  • Year: 1993


Abstract

Traditional methods of user authentication in distributed systems suffer from an important weakness which is due to the low degree of randomness in secrets that human beings can use for identification. Even though weak secrets (passwords and PINs) are typically not exposed in the clear over the communication lines, they can be discovered with off-line brute force attacks based on exhaustive trials. Since such secrets are chosen from a relatively small key space, a determined adversary can try all possible values until a match is found between the trial value and the message recorded from a genuine authentication session. Authentication devices like smart cards and token cards offer an attractive solution by providing a user with a cryptographically strong key for authentication. In contrast to passwords and PINs, the device's key can be chosen from a much larger key space, thus making a brute force attack computationally infeasible or, at least, difficult.

In this paper we present a novel authentication method whereby the authentication device (a token card) is used solely to provide a secure channel between a human user and an authentication server (AS). Since the communication channel is secured by the card, the user can still utilize weak secrets for authentication purposes, but without any risk of exposure. Furthermore, the card's and the user's secrets are mutually independent, i.e., the card is not associated with any particular user. Since the card is impersonal, it can be freely shared by several users. This eliminates the high cost of administration which is typical of existing designs requiring a fixed user-device relationship. Moreover, our method does not require any coupling between the token card and the workstation (e.g., a galvanic connection), which would be difficult to implement on a global scale and retrofit onto existing equipment.