You are on page 1of 6

CRITICAL ANALYSIS ON LAMPORT’S

AUTHENTICATION ALGORITHM
Ganesh Kumar Muthiah
Middlesex University, London, UK.
GM489@mdx.ac.uk
30th June 2008

ABSTRACT: “Digitalized signatures and public
Authentication is the main issue in key
communication between the users
in internet. There are many ways functions as intractable as
to initiate a secure communication factorization” [2], in his paper
and many algorithms to provide called “password authentication
authentication one such technique with insecure communication” [1]
to authenticate user is by Dr.Lamport implied a technique
password, but there is also many such as ‘one way hashing’[1]. In
flaws and drawback in this paper I would like to criticize
authentication using password. Dr. and bring out the possible flaws
Leslie Lamport gave a solution for with Lamport’s technique in
some of the drawback in Michael password authentication and give
o. Rabin’s paper named possible solution to make it more
reliable algorithm for making
secure authentication.
Key words: Authentication, hashing, eaves dropping, small ‘n’ attack,
mutual SSL, salt, picture password, one way authentication

INTRODUCTION: stealing and eavesdropping. The
The major issue in online technique he used to eliminate the
communication is password
authentication. When ever the user password theft from the database
needs to sign in to a network or and eaves dropping by one way
communicate with the end user he hashing function. Let us see how
is need to be authenticated. There this method works and will see any
are many ways to authenticate the drawbacks and improvements that
end side, one such way is been told could be made.
in Dr.Lamport’s paper, [1] he
introduced a new method to over
THEORY:
come the problem of password file
OVERVIEW OF End user will reply back with the
LAMPORT’S ‘n’ value, this ‘n’ value is been pre
TECHNIQUES: agreed by the both user and this
According to Dr. value will be stored in the database
Lamport’s solution for avoiding of both users and server. Now the
the password theft which is stored initiator will compute the hash n-1
in the system is to store the (password) and reply back to the
password in encrypted format i.e. server which answers the value of
in general when a user need to start ‘n’. “The server calculates hash
the communication with end (hash n-1 (password)) = hash n
system he has to send a password (password). If this value matches
or a value to the server then the the one on file, then the login is
server checks the value in its successful. The server replaces
database which is in plain text, if hash n (password) with hash n-1
the value is equal then the server (password) and decrements ‘n’.”
establish the service but the Dr. [3].
Lamport suggested, the server to FLAWS &
save the user’s password as IMPROVEMENT ON
encrypted value in the database, LAMPORT’S
even if an intruder compromise the TECHNIQUES:
system or server he will not be There are several flaws in this
able to get the plain text password technique let us see the first flaw
stored in the system. But if the now. The value of ‘n’ should not
attacker is listening to the victim’s be higher value if so it will be
packet he can easily sniff the difficult to re hash the function and
password and claims the server as also the value should not be lesser,
an original user. To avoid this if its lesser they have to be reset
problem of eaves dropping the very often. To make this technique
user’s packet, he suggested another safer from dictionary attack we can
method by using sequence of add a value called salt along with
password hashing or chain hashing the ‘n’. Salt is a unique number
[1]. that is chosen by the user during
In this technique when the the password installation on the
user needs to communicate with server, now even if the value of
the end system he gives his ‘n’=1 the user doesn’t need to reset
username and password in the the password he/she just need to
browser and the browser send this change the salt value [3].
data to the server, now the server The next flaw is there is no
sends the username to the end user. mutual authentication. The user
will think that he is to the user B, now the user B will
communicating with the server but send the ‘n’ to the server back, but
actually an intruder would have in this attack the intruder will
been in the middle of the channel. receive the value ‘n’ and replace
I.e. man in the middle attack [4]. the value with ‘m’ which is his
To avoid this attack we should own value and forwards it to the
have a strong mutual user A. User A will hash the
authentication between the users. function {hash(m-1)
This can be done by implementing (password)}and sends back to the
mutual SSL [5]. Mutual SSL is intruder and he will be able to
done by mutual authentication calculate the { hash m (password)}
process which is similar to SSL only if value of ‘m’ is lesser than
with more authentication and also ‘n’[3]. This attack can be over
non repudiation. We can also come by the user by just
increase the mutual authentication remembering the value of the ‘n’
by digital signature or by getting and salt that the user have used
their key from key distribution before for authentication, but to
centre (KDC). [6] make it more secure from the
The other flaw is small ‘n’ attackers I suggest to implement
attack. Small ‘n’ attack is similar IPSec based VPN or SSL based
to man in the middle attack [4]. VPN between the users to avoid
When the user A sends the small ’n’ attack or man in the
password and username to server, middle attack.
the server will send the username
more. If this picture password is
FUTURE DEVELOPMENT been implemented in internet or
If the password is going to be online communication then there
text or number it is easy to sniff will not be much problem with
and we need all these encryption
technique to safe guard the authentication and all these
password, so what I suggest here is authentication protocols will go
to use picture password where it is worthless.
very difficult to crack the CONCLUTION:
password and it is very easy for the In this paper I critically
user to remember the password reviewed about the Dr. Lamport’s
than the text.[8] The future cyber authentication method and I pin
world will be avoiding using pointed the flaws in those method
textual and numeric password. By and I gave the various solutions
using this picture password we can such as using mutual SSL, KDC
avoid dictionary attack and many for mutual authentication and for
avoiding small‘n’attack I [8] “Picture this: A password you
suggested to secure the channel by never forget” by Alex salkever on
May 15, 2001 e - journals in
using IPSec VPN or SSL VPN. As
www.businessweek.com.
a further work I also suggested to
implement the picture password [9] “Scientists draw new technology to
instead of textual password which improve password protection” News
may keep an end to these flaws in link 24 October 2007 in
the user authentication. http://www.ncl.ac.uk/press.office/newsli
nk/?ref=1193216061.
REFERENCE:

[1] “Password Authentication with
Insecure Communication”,
Communications of the ACM, vol.
24(11), 1981, p. 770-772 by Dr. Leslie
Lamport

[2] “My writing” by Dr.Leslie
Lamport Content 35, May 2008.
http://research.microsoft.com/users/lamp
ort/pubs/pubs.html#dig-sig

[3] “CEON 350” by Thomas
Schwarz,S.j., OEN,SCU
http://www.cse.scu.edu/~tschwarz/coen3
50/lamportHash.html

[4] “Hacking Exposed: Network
Security Secrets & Solutions - Page
368” by Stuart Mc Clure, Joel Scambary
George Kurtz 2005.

[5] “Mutual Authentication”
http://en.wikipedia.org/wiki/Mutual_aut
hentication.

[6] “RFC 3634 KDC” ftp://ftp.rfc-
editor.org/in-notes/rfc3634.txt.

[7] White paper “Access Anywhere
System 2003-04”
http://www.ncl.ac.uk/press.office/newsli
nk/?ref=1193216061.
COURSE WORK

CCM4330
NETWORK SECURITY: STANDARDS, PROTOCOLS AND
APPLICATION

MIDDLESEX UNIVERSITY
HENDON
2008

MODULE LEADER

Dr A. LASEBAE
SCHOOL OF COMPUTING SCIENCE

TOPIC:

CRITICAL ANALYSIS OF LAMPORT’S AUTHENTICATION
ALGORITHM

DONE BY
GANESH KUMAR MUTHIAH
GM489@MDX.AC.UK
M00193665