Авторы: Чернышова А.В., Афанасьева А.А.
Источник: Программная инженерия: методы и технологии разработки информационно вычислительных систем (ПИИВС2022): Сборник материалов IV Международной научно-практической конференции, г. Донецк, 29-30 ноября 2022 г. – Донецк: Донецкий национальный технический университет, 2022 – С. 74-80.
Abstract. The article provides a brief overview of the client-server architecture, as well as methods and approaches for secure user authentication. Their features and application possibilities are indicated. A promising task is to develop a secure authentication protocol for client-server applications, taking into account the advantages and disadvantages of modern methods and standards.
One of the most important tasks for any computer system is the reliable and secure authentication of its subjects. To solve this problem, authentication protocols use special rules for transmitting information and various cryptographic algorithms.
Secure user authentication occurs in the operating system, when computers work in domain structures, when users work on the network when using TCP/IP stack protocols. Client-server applications are no exception. Developers of modern client-server applications must necessarily solve the issue of secure user authentication in their application.
Today it is difficult to imagine that programmers do not use secure means of user authentication based on cryptographic algorithms when developing a client-server application. Any modern application uses security measures to transfer confidential information. To do this, secure authentication protocols are used, or their own offers of secure authentication based on existing standards and solutions.
Every user of modern computer systems encounters authentication procedures repeatedly, working in the system every day [2]. Working in the operating system, using social network services, working in the corporate network of an organization, using e-mail, Internet banking – this is a small list where secure authentication is used. Separately, biometric means of authenticating users by fingerprint, palm, iris, as well as voice authentication should be mentioned.
User authentication is the first step in ensuring data protection. To date, there are enough methods and approaches for authenticating subjects of various systems. But with all the abundance of means and authentication protocols with cryptographic protection, hacking of software systems still happens, information leaks when unauthorized access to the system is obtained.
The issues of unauthorized access to software systems, including the client-server model, are still relevant.
Probably the problem is complex, related to the design and development of the application, as well as the means of protection used at different stages of the creation and operation of the application.
Applications using cloud data storage deserve special attention. Information leakage from cloud storage is not so rare and is a problem in the modern world.
Let's analyze some authentication tools to make a conclusion about their safe use when developing applications with client-server architecture.
The Client-Server architecture (the terms "Client-Server network" or "Client-Server model" are also used) provides for the separation of the processes of providing services and sending requests to them on different computers on the network, each of which performs its tasks independently of the others [1].
This architecture is the basis of Internet services and web applications, social networks, as well as other applications that distribute information over the Internet. A client is an object that requests the necessary data from the server at the level of interaction between the client part of the application and the server part of the application.
The client-server model is distinguished by its efficiency. It is achieved mainly by separating the execution of individual application tasks between different platforms. The server delivers services, and the client consumes. At the same time, the client application does not manage all the data, but only provides the user with the results of requests sent to the server.
Multiple clients can simultaneously have access to server services and any shared resources. The integrity of data in the client-server architecture is due to their centralized management. At the same time, the independence of the individual data of each client is provided.
When considering the process of granting access in client-server applications, you can find terms such as identification, authentication and authorization. These concepts are not identical, but they all relate to information security elements in client-server applications.
The identification of a user or a hardware and software component is understood as the procedure for recognizing him as a legal subject of the system, based on some unique identifier. Usually, this identifier is stored in the system database and assigned to the subject during its registration. Often, at the identification stage, user information is recognized based on the login. Some user corresponds to some identifier and login, which is assigned during registration in the system.
Authentication is the basis of the security of any system, which consists in verifying the authenticity of user data by the server [4]. Authentication by itself does not imply verification of user rights. The possibilities of accessing specific functions and information are determined at the next stage, namely at the authorization stage.
At the moment, there are two main documents defining authentication standards:
The standard - GOST R ISO/IEC 9594-8-98 — Basics of Authentication defines the format of authentication information stored by the directory. The standard describes a method for obtaining authentication information from the directory, establishes prerequisites for the methods of generating and placing authentication information in the directory, and defines the ways in which application programs can use authentication information to perform authentication. The standard also describes how other security services can be provided using authentication.
This standard sets out two types of authentication: simple, using a password as a verification of the declared identity, and strict, using identity cards created using cryptographic methods. Simple authentication offers some limited protection against unauthorized access. Only strong authentication should be used as the basis of security services.
Authentication (and other security services) can only be offered in the context of a specific security strategy. The users of the application program must determine their own protection strategy, which may be limited to the services provided by the standard.
In practice, there are various authentication methods. Choosing the most appropriate method for a particular software system is one of the most important decisions when designing its security subsystem.
There are such approaches to authentication as "the subject knows", "the subject possesses" and "the subject exists".
In the first case, it means that the user of the computer system has information known only to him. This can be a password, a secret key, or a digital code transmitted in the protocol for authentication. By the possession of the subject, we mean the presence of, for example, a token or a password generator. The latter approach assumes the presence of individual biometric features of the user, such as voice or fingerprints, in the verification protocol.
Depending on the technical means used, a combination of these methods is possible. In cryptographic protocols, the first approach is more often implemented, based on identifying the user by password.
Password authentication is perhaps the most widely used method. In this case, each subject of the system has a secret password consisting of combinations of alphanumeric and numeric sequences. The differences between the protocols based on password verification consist in the means of storing the password in the system and the methods of its verification.
When using password information for user authentication, there are threats of disclosure, listening and password selection. To prevent them, cryptographic methods and tools are used that make it difficult or slow down the possibilities of brute force or password guessing.
As part of password authentication, there are options with fixed and one-time passwords. If the password can remain unchanged from session to session, it is fixed. Recommendations on the duration of using such a password are provided by the regulations of the software system. Passwords are supposed to be changed periodically by the user himself. However, in this case, a reliable mechanism for transmitting the password over unsecured communication channels is still needed. Password authentication is potentially vulnerable due to the use of social engineering, the introduction of keyloggers, the possibility of interception [3].
One-time passwords, unlike fixed passwords, cannot be used for re-authentication. As the name implies, each of these passwords can be used only once and ceases to be valid after the next authentication of the subject.
One-time password authentication is often used in conjunction with a fixed password for additional confirmation of the identity of the subject. At the same time, the so-called two-factor authentication is used, which significantly increases the security of the system. This method involves authenticating the user not only with his password, but also by having some device for generating one-time passwords.
There are several methods based on one-time passwords used in authentication protocols. The method of one-time passwords with shared lists implies the presence of a predefined list or card of passwords that must be stored by both the client and the server. The next password can be selected by the client for use in the authentication protocol and then removed from the general list. Obviously, this approach requires the preliminary formation of a fairly long list of passwords, as well as the search for a password with which the client once again tries to authenticate himself.
One-time passwords can be transmitted to the user electronically via SMS or other communication channel. This method is also popular for additional authentication, for example, when changing a fixed password or other data of the subject, performing financial transactions, confirming transactions with the bank.
In systems with a reliable communication channel that provides for additional actions in case of possible disconnection, the method of one-time password authentication based on consistently updated passwords can be used. With this approach, the client and server initially have only one password. Each subsequent password is encrypted on the key obtained from the previous password.
Another authentication method based on one-time passwords is the use of password sequences built on hash functions. This method, proposed by Leslie Lamport, involves modifying the password using a unidirectional function. To use it, the client and the server must agree on the initial password and the number of uses of the hash function.
One-time passwords can be obtained by various methods. The most popular at the moment include software (RSA SecurID) or hardware implementations of tokens (Google Authenticator) that generate one-time passwords using some secret key and a timestamp. At the same time, the receiving party must also have a secret key. Hardware tokens are more applicable in systems with access control to provide the authentication function of the subject of one application to another. This token is generated based on reliable information about the user, can be used by other applications for authentication or even authorization of the subject.
In addition to password-based authentication protocols, there are also request-response protocols. In such protocols, the subject can be authenticated by verifying his knowledge of some secret information without presenting the secret itself.
This approach is based on the user's response to server requests that change with each session. Moreover, the response of the authenticated subject should depend on both the question and some secret. All requests from the receiving party (server) must differ from each other in order to avoid interception of useful information that can be detected by an attacker when listening to unsecured communication channels. If this requirement is ignored, the secret information can also be used by an illegal entity during the next authentication session.
In addition, in protocols based on the "request-response" method, it is necessary to ensure the freshness of the secret information received. During the session, verification and confirmation of the relevance of one or another generated value can be performed. This allows you to guarantee the uniqueness of the session even if it is interrupted and authentication is attempted again.
The parameters of values unique to each session are, for example, random numbers or numerical sequences. Timestamps can also be used. It is equally important to guarantee the integrity of these parameters by using their cryptographic transformations based on other data used in the protocol.
There is also the possibility of user authentication using pre-generated access keys. Access keys are generated by the server as a unique and rather long set of characters, and are stored in client applications that authenticate using the received keys. This method is very popular in various web services.
Additional key settings by the user are applicable to this approach: the validity period of each of the specific keys (usually limited, but may also be permanent), as well as the access level of the subject (delegation of rights when authenticating with a given key). Some systems use this approach as an additional authentication method, while some of them only allow this authentication method for third-party client applications. To a greater extent, this is due to an attempt to additionally secure user data (login and password) from interception via communication channels.
In conclusion, it is worth saying that the client-server architecture is already the basis of almost any corporate network, Internet sites, social networks, web applications and not only. It is possible that further development of information technologies will occur with the direct use of this architecture. The issues of secure authentication of developed client-server applications are certainly relevant today, despite the fact that secure authentication protocols exist today.
In addition to ensuring data integrity, an important task of any client-server application is to authenticate clients and further provide them with access to the necessary information (authorization). This stage is essential when providing access to a variety of subjects to various server resources in a client-server architecture.
One of the most important security mechanisms at the client-server application level is authentication.
The article presents modern methods and approaches to user authentication, their features and application possibilities are indicated. The main documents defining authentication standards are also described.
In the future, it is planned to conduct a more in-depth study of modern authentication protocols, which will reveal their advantages and disadvantages by performing a comparative analysis of authentication protocols, study authentication standards in detail, and also determine requirements for improving the effectiveness of existing authentication protocols when used in client-server applications.
1. Архитектура Клиент-сервер
[Электронный ресурс] – Режим доступа: [Ссылка]
2. Афанасьев, А. А. Аутентификация. Теория и практика обеспечения безопасного доступа к информационным ресурсам. Учебное пособие / А. А. Афанасьев, Л. Т. Веденьев, А. А. Воронцов. – Москва : Горячая линия - Телеком, 2012. – 550 с. – ISBN 978-5-9912-0257-2. – EDN RBAWOP.
3. Шапиро, Л. Аутентификация и одноразовые пароли. Теоретические основы. Часть 1 / Л. Шапиро // Системный администратор. – 2012. – № 9(118). – С. 88-91. – EDN RFVKTR.
4. Что такое Аутентификация: Методы и Элементы [Электронный ресурс] – Режим доступа: [Ссылка]