Mutual Authentication

By Swati TawdeSwati Tawde

Introduction to Mutual Authentication

Mutual authentication is a security mechanism in which both entities on a communication link authenticate each other before secure communication proceeds. It is also known as two-way authentication, because both entities involved in the communication authenticate each other. For example, if user X and user Y want to communicate using mutual authentication, user X authenticates user Y and user Y authenticates user X, and only then does the communication start.

In this article, we discuss the concept of mutual authentication and its implementation in detail.

Implementation of Mutual Authentication

Mutual authentication can be implemented in various ways, namely with a shared secret, with public keys, and with timestamps.

1. Mutual Authentication using Shared Key

Suppose user X and user Y want to authenticate each other using a shared key. The protocol works as follows:

  • Assume that user X and user Y both hold the shared key KAB.
  • User X sends his user name to user Y.
  • After receiving the user name from X, user Y sends a random challenge R1 to X.
  • Once X has received the random challenge R1, he encrypts R1 using the shared key KAB.
  • X sends the encrypted random challenge to Y.
  • Now user X sends a random challenge R2 to user Y.
  • Once Y has received the random challenge R2, he encrypts R2 using the shared key KAB.
  • Y sends the encrypted random challenge to X.

Explanation: From the steps above, we can conclude that users X and Y authenticate each other. However, many messages are exchanged, which makes the protocol inefficient and increases the number of steps. We can reduce the number of steps by packing more information into each message.

The modification works as follows:

  • User X sends his user name and a random challenge R2 to user Y.
  • User Y encrypts R2 using the symmetric key KAB. Y generates its own random challenge R1 and sends both R1 and the encrypted R2 to X.
  • User X verifies the encrypted R2, encrypts R1 with the symmetric key KAB and sends it to Y. User Y verifies the encrypted R1.

This version of the protocol reduces the number of steps, but it suffers from a reflection attack. Assume that attacker Z wants to act as X towards Y. First, attacker Z sends a message to Y which contains X's user id and a random challenge R2. Y encrypts it using the shared symmetric key KAB, generates a new random challenge R1 and sends these two to Z. User Y thinks that he is sending them to user X; Y is unaware of attacker Z.

Attacker Z cannot encrypt R1 with KAB, but he now has the encrypted R2. Attacker Z opens a second session with user Y and sends the user id of X together with the random challenge R1. Y encrypts R1 with KAB, generates a new random challenge R3 and sends both to Z.

The attacker cannot proceed with the second session, as he cannot encrypt R3, so he returns to the first session he created with Y earlier. Note that in the first session attacker Z could not encrypt R1 with KAB and was left waiting. Now, because of the second session, the attacker holds R1 encrypted under KAB; he sends the encrypted R1 to Y and completes the authentication.

To avoid the reflection attack, it is suggested to use two different keys, KAB and KBA. KAB is used when X wants to encrypt something and send it to Y, and KBA is used when Y wants to encrypt something and send it to X, so that attacker Z cannot get R1 encrypted with KAB by asking Y.
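The following Go program is an added example, not code from the article: it plays the three-message shared-key exchange with the direction-separated keys KAB and KBA just described, using an HMAC as the stand-in for "encrypt the challenge with the key", and includes a check showing that an answer produced under KAB is not accepted as a KBA answer, which is what removes the reflection. Key values, challenge size and function names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Keys are direction-separated: KAB authenticates what X sends to Y, KBA what Y sends to X.
type Keys struct{ KAB, KBA []byte }

// newChallenge draws a fresh 128-bit random challenge (R1, R2 on the page).
func newChallenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// respond proves possession of k over challenge c; HMAC stands in for "encrypt R with the key".
func respond(k, c []byte) []byte {
	m := hmac.New(sha256.New, k)
	m.Write(c)
	return m.Sum(nil)
}

// verify is the receiver-side check, in constant time.
func verify(k, c, resp []byte) bool {
	return hmac.Equal(respond(k, c), resp)
}

// RunMutualAuth plays the three-message version: X sends R2; Y answers with R1 and its
// response to R2 under KBA; X answers R1 under KAB. Returns (X accepted Y, Y accepted X).
func RunMutualAuth(x, y Keys) (bool, bool) {
	r2 := newChallenge()               // message 1: X -> Y: "X", R2
	r1 := newChallenge()               // Y draws its own challenge
	m2 := respond(y.KBA, r2)           // message 2: Y -> X: R1, f(KBA, R2)
	xAcceptsY := verify(x.KBA, r2, m2) // X checks Y's answer with KBA
	m3 := respond(x.KAB, r1)           // message 3: X -> Y: f(KAB, R1)
	yAcceptsX := verify(y.KAB, r1, m3) // Y checks X's answer with KAB
	return xAcceptsY, yAcceptsX
}

// CrossDirectionAccepted reports whether an answer computed for the X->Y direction (KAB)
// passes the Y->X check (KBA). False with distinct keys: Y's answers cannot be reused as X's.
func CrossDirectionAccepted(k Keys, c []byte) bool {
	return verify(k.KBA, c, respond(k.KAB, c))
}
```

With KAB and KBA set to the same value, CrossDirectionAccepted returns true, which is the single-key situation the article's reflection attack relies on.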

2. Mutual Authentication using Public Keys

Mutual authentication can also be implemented using public keys. For this method, user X and user Y must each know the other's public key. The protocol works as follows:

  • User X encrypts a random challenge R2 using the public key of Y and sends it to user Y along with his user name.
  • User Y decrypts the random challenge R2 with his private key. User Y creates its own random challenge R1, encrypts it using the public key of X and sends both (the encrypted R1 and the decrypted R2) to X.
  • User X decrypts the random challenge R1 with his private key and sends it to Y. User Y verifies R1.

The steps above can also be arranged as the following variant:

  • User X sends his user name and a random challenge R2 to Y.
  • User Y encrypts R2 using his private key and sends it to X along with a random challenge R1.
  • User X encrypts R1 using his private key and sends it back to Y.
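An added Go example (not from the article) of the signature variant above: "encrypt with his private key" is realised as an Ed25519 signature over the challenge, and each challenge is prefixed with the direction it answers, the public-key counterpart of the KAB/KBA split. The direction labels, key generation and the Party type are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Party holds its own private key and the peer's public key, which the page requires to be known in advance.
type Party struct {
	Priv    ed25519.PrivateKey
	PeerPub ed25519.PublicKey
}

// NewKeyPair generates a signing key pair (constructed here; in practice keys are provisioned out of band).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// tagged prefixes the challenge with the direction it answers, the public-key analogue of the
// KAB/KBA split: a signature over "Y->X:R" cannot be presented as an answer in the X->Y direction.
func tagged(dir string, c []byte) []byte {
	return append([]byte(dir+":"), c...)
}

// RunPublicKeyAuth plays the signature variant: X sends R2; Y returns R1 with Sign_Y(R2);
// X returns Sign_X(R1). Challenges are passed in rather than drawn so a test can fix them.
// Returns (X accepted Y, Y accepted X).
func RunPublicKeyAuth(x, y Party, r1, r2 []byte) (bool, bool) {
	// message 1: X -> Y: "X", R2
	// message 2: Y -> X: R1, Sign_Y("Y->X", R2)
	m2 := ed25519.Sign(y.Priv, tagged("Y->X", r2))
	xAcceptsY := ed25519.Verify(x.PeerPub, tagged("Y->X", r2), m2)
	// message 3: X -> Y: Sign_X("X->Y", R1)
	m3 := ed25519.Sign(x.Priv, tagged("X->Y", r1))
	yAcceptsX := ed25519.Verify(y.PeerPub, tagged("X->Y", r1), m3)
	return xAcceptsY, yAcceptsX
}
```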

3. Mutual Authentication using the Timestamp

The mutual authentication exchange can be reduced to two messages using timestamps. This protocol works as follows:

  • User X sends his user name and the current timestamp, encrypted with the shared symmetric key KAB, to user Y.
  • User Y decrypts the timestamp using KAB to obtain the original timestamp. Y then adds 1 to the timestamp, encrypts the incremented timestamp with KBA (not KAB), and sends it to user X along with his user name.
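An added Go example of the two-message timestamp protocol above, not taken from the article. It goes slightly beyond the page's two steps: Y also enforces an acceptance window around its own clock and refuses a timestamp it has already accepted, since without those checks message 1 could be replayed while it is still fresh. Window size, key values and the HMAC stand-in for "encrypt the timestamp" are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"time"
)

// TSKeys keeps the page's direction split: KAB for X->Y, KBA for Y->X.
type TSKeys struct{ KAB, KBA []byte }

// Window bounds how far a timestamp may differ from Y's clock (constructed value).
const Window = 2 * time.Minute

// tag binds a timestamp to a direction key; HMAC stands in for "encrypt the timestamp".
func tag(k []byte, ts int64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, uint64(ts))
	m := hmac.New(sha256.New, k)
	m.Write(b)
	return m.Sum(nil)
}

// Message1 is X's only message: name, timestamp (Unix nanoseconds) and its tag under KAB.
type Message1 struct{ Name string; TS int64; Tag []byte }

func XSend(k TSKeys, now time.Time) Message1 {
	ts := now.UnixNano()
	return Message1{Name: "X", TS: ts, Tag: tag(k.KAB, ts)}
}

// YReceive checks the tag, rejects timestamps outside Window, refuses one already accepted
// (a replay inside the window; entries older than Window may be evicted from seen) and
// answers with timestamp+1 under KBA, as in step 2 on the page.
func YReceive(k TSKeys, m Message1, now time.Time, seen map[int64]bool) ([]byte, bool) {
	if !hmac.Equal(tag(k.KAB, m.TS), m.Tag) {
		return nil, false
	}
	if d := now.Sub(time.Unix(0, m.TS)); d > Window || d < -Window || seen[m.TS] {
		return nil, false
	}
	seen[m.TS] = true
	return tag(k.KBA, m.TS+1), true
}

// XVerify is X's check of the reply: timestamp+1 under KBA, so a tag made under KAB is rejected.
func XVerify(k TSKeys, sentTS int64, reply []byte) bool {
	return hmac.Equal(tag(k.KBA, sentTS+1), reply)
}
```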

Recommended Article

This is a guide to mutual authentication. Here we discussed the top 3 methods of mutual authentication: shared secret, public keys and timestamp based. You can also go through our other suggested articles to learn more:

  1. What is Cybersecurity Framework?
  2. Top 6 Security Technologies You Should Learn
  3. What is Network Security? | Concept & Advantages
  4. Network Security Interview Questions | Top 6

© 2020 - EDUCBA. ALL RIGHTS RESERVED. THE CERTIFICATION NAMES ARE THE TRADEMARKS OF THEIR RESPECTIVE OWNERS.
