Brief history of password-based authentication – Entity Authentication
5.4.1 Brief history of password-based authentication
Password-based authentication was introduced in the early 1960s when the first time-sharing systems, such as the famous Compatible Time-Sharing System (CTSS) and, later on, Multics, were developed at the Massachusetts Institute of Technology.
A key problem the designers of these systems faced was that they – unlike earlier mainframe computers – were used by multiple people, each having their own private files. To protect access to these files, an authentication mechanism had to be added, and passwords were chosen for their simplicity and low usage of computing resources [116].
From these early time-sharing systems, passwords found their way into operating systems such as Unix, BSD, and Xenix as well as their many derivatives, such as SunOS, AIX, FreeBSD, Solaris, and Linux. Eventually, password-based authentication established itself as the main authentication method in IT systems.
Although passwords have many well-known, serious security problems (see the Disadvantages of password-based authentication section later in this chapter), they remain the dominant authentication mechanism on the internet and, in general, in IT systems [81] since they are easy to implement and have relatively good usability.
The diversity of technical systems and the usability of authentication, especially for non-technically-savvy users, are prime examples of the many barriers preventing the move beyond alphanumeric passwords [81].
IT systems that require user authentication are very heterogeneous, ranging from embedded smart home appliances to personal computers, tablets, and smartphones to web services and social media sites. To date, no alternative authentication solution covers all these systems and services.
Moreover, passwords are conceptually simple and therefore usable even for people without a significant technical background. Stronger authentication mechanisms, such as two-factor authentication or the use of dedicated hardware keys, require much higher technical proficiency and demand additional effort from the user.
5.4.2 Storing passwords
As early as 1977, the Multics Security Evaluation report by the US Air Force's Electronic Systems Division [54] identified the login password file of any operating system as an attractive target because the information contained in this file enables undetected impersonation attacks and, as a result, long-term exploitation of the system.
This attack vector was deemed especially critical if exposed to attackers who are not always authorized users of the system. For such attackers, obtaining a legitimate user’s password provides an entry into the system that would not exist otherwise. The report [54] also considered the possibility of passwords appearing in memory dumps and concluded that password files must be protected.
In the early 1970s, Needham [202] was the first to note this security weakness and therefore proposed storing encrypted passwords together with the user ID. Needham's proposal included the use of a one-way function: there is no need to decrypt the passwords, since the password supplied by the user only has to be encrypted and compared to the ciphertext of the password stored for that user on the system.
The rationale for this approach was that even if an attacker could get hold of the file with encrypted passwords and their user IDs, it would be impossible for her to compute the plaintext passwords from the ciphertexts.
In Chapter 4, Encryption and Decryption, we briefly introduced the concept of one-way functions. These functions are also referred to as hash functions, and we are going to cover them in detail in Chapter 11, Hash Functions and Message Authentication Codes. For now, it is sufficient to recall that these functions are easy to compute but computationally infeasible to invert. Roughly speaking, this means that given some input x and a hash function f, it is easy to compute the hash value y = f(x), but it is computationally infeasible to obtain the original input x given the hash value y.
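Needham's store-and-compare scheme, sketched as an added example that is not taken from the book: the password file holds only the user ID and f(password), and login re-applies f to the supplied password and compares the results. PBKDF2-HMAC-SHA256 with a per-user random salt stands in for the one-way function f; the salt, the iteration count and the names `one_way` and `PasswordFile` are assumptions of this example and go beyond what the text describes.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the text).
ITERATIONS = 100_000
SALT_LEN = 16


def one_way(password: str, salt: bytes) -> bytes:
    """The one-way function f: easy to compute, infeasible to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordFile:
    """In-memory stand-in for the login password file: user ID -> (salt, f(password))."""

    def __init__(self):
        self._entries = {}

    def enroll(self, user_id: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)
        # Only the salt and the one-way image are kept; the plaintext is discarded.
        self._entries[user_id] = (salt, one_way(password, salt))

    def verify(self, user_id: str, supplied: str) -> bool:
        entry = self._entries.get(user_id)
        if entry is None:
            # Unknown user: do the same work anyway so timing does not reveal valid IDs.
            one_way(supplied, b"\x00" * SALT_LEN)
            return False
        salt, stored = entry
        # Re-apply f to the supplied password and compare; nothing is ever decrypted.
        return hmac.compare_digest(one_way(supplied, salt), stored)

    def dump(self) -> dict:
        """What someone who obtains the password file sees: salts and hash values only."""
        return {uid: (s.hex(), d.hex()) for uid, (s, d) in self._entries.items()}


if __name__ == "__main__":
    pf = PasswordFile()
    pf.enroll("alice", "correct horse battery staple")  # constructed sample credentials
    print(pf.verify("alice", "correct horse battery staple"))
    print(pf.dump())
```

Because each entry has its own salt, two users who choose the same password still get different stored values, so the file does not reveal which accounts share a password.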