Authentication Mechanisms: Difference between revisions

From
Jump to navigation Jump to search
No edit summary
(Instead of (poorly) copying an article from the wikipedia, link to it)
 
(3 intermediate revisions by one other user not shown)
Line 1: Line 1:
In [[computer security]], '''authentication''' ([[Greek language|Greek]]: ''αυθεντικός'', from 'authentes'='author') is the process by which a [[computer]], [[computer program]], or another user attempts to confirm that the computer, computer program, or user from whom the second party has received some communication is, or is not, the claimed first party. A [[blind credential]], in contrast, does not establish identity at all, but only a narrow right or status of the user or program.
In computer security, '''authentication''' ([[Greek language|Greek]]: ''αυθεντικός'', from 'authentes'='author') is the process by which a computer, computer program, or another user attempts to confirm that the computer, computer program, or user from whom the second party has received some communication is, or is not, the claimed first party. A [[blind credential]], in contrast, does not establish identity at all, but only a narrow right or status of the user or program.


The problem of [[authorization]] is often thought to be identical to that of authentication; many widely adopted [[standardization|standard]] [[security protocol]]s, obligatory regulations, and even statutes are based on this assumption. However, there are many cases in which these two problems are different.
The problem of [[authorization]] is often thought to be identical to that of authentication; many widely adopted standardization|standard security protocols, obligatory regulations, and even statutes are based on this assumption. However, there are many cases in which these two problems are different.


One familiar example is [[access control]]. A computer system supposed to be used only by those authorized must attempt to detect and exclude the unauthorized. Access to it is therefore usually controlled by insisting on an authentication procedure before access is granted. A few examples are given below.
One familiar example is access control. A computer system supposed to be used only by those authorized must attempt to detect and exclude the unauthorized. Access to it is therefore usually controlled by insisting on an authentication procedure before access is granted. A few examples are given below.


However, note that much of the discussion on these topics is misleading because terms are used without precision. Part of this confusion may be due to the 'law enforcement' tone of much of the discussion. No computer, computer program, or computer user can 'confirm the identity' of another party. It is not possible to 'establish' or 'prove' an identity, either. There are tricky issues lurking under what appears to be a straightforward surface.
However, note that much of the discussion on these topics is misleading because terms are used without precision. Part of this confusion may be due to the 'law enforcement' tone of much of the discussion. No computer, computer program, or computer user can 'confirm the identity' of another party. It is not possible to 'establish' or 'prove' an identity, either. There are tricky issues lurking under what appears to be a straightforward surface.


It is only possible to apply one or more tests which, if passed, have been previously declared to be sufficient to proceed. The problem is to determine which tests are sufficient, and many such are inadequate. There have been many instances of such tests having been spoofed successfully; they have by their failure shown themselves, inescapably, to be inadequate. Many people continue to regard the test(s) -- and the decision to regard success in passing them -- as acceptable, and blame their failure on 'sloppiness' or 'incompetence' on the part of someone. The problem is that the test was supposed to work in practice -- not under ideal conditions of no sloppiness or incompetence -- and did not. It is the test which has failed in such cases. Consider the very common case of a confirmation [[email]] which must be replied to in order to activate an online account of some kind. Since email can easily be arranged to go to or come from [[bogus]] and untraceable addresses, this is just about the least authentication possible. Success in passing this test means little, without regard to sloppiness or incompetence.
It is only possible to apply one or more tests which, if passed, have been previously declared to be sufficient to proceed. The problem is to determine which tests are sufficient, and many such are inadequate. There have been many instances of such tests having been spoofed successfully; they have by their failure shown themselves, inescapably, to be inadequate. Many people continue to regard the test(s) -- and the decision to regard success in passing them -- as acceptable, and blame their failure on 'sloppiness' or 'incompetence' on the part of someone. The problem is that the test was supposed to work in practice -- not under ideal conditions of no sloppiness or incompetence -- and did not. It is the test which has failed in such cases. Consider the very common case of a confirmation email which must be replied to in order to activate an online account of some kind. Since email can easily be arranged to go to or come from bogus and untraceable addresses, this is just about the least authentication possible. Success in passing this test means little, without regard to sloppiness or incompetence.


Other common examples of access control involving authentication include:
Other common examples of access control involving authentication include:
*withdrawing cash from an [[Automated Teller Machine|ATM]].
*withdrawing cash from an Automated Teller Machine|ATM.
*controlling a remote computer over the [[Internet]].
*controlling a remote computer over the Internet.
*using an Internet banking system.
*using an Internet banking system.


The methods by which a human can authenticate themselves are generally classified into three cases:
The methods by which a human can authenticate themselves are generally classified into three cases:
*Something the user '''is''' (e.g., [[fingerprint]] or [[retina|retinal]] pattern, [[DNA]] sequence (there are assorted definitions of what is sufficient), voice pattern (again several definitions), signature recognition or other [[biometric]] identifier)
*Something the user '''is''' (e.g., [[Wikipedia:Fingerprint|fingerprint]] or [[retina|retinal]] pattern, [[DNA]] sequence (there are assorted definitions of what is sufficient), voice pattern (again several definitions), signature recognition or other [[biometric]] identifier)
*Something the user '''has''' (e.g., ID card)
*Something the user '''has''' (e.g., ID card)
*Something the user '''knows''' (e.g., a [[password]], a [[pass phrase]] or a [[personal identification number]] (PIN))
*Something the user '''knows''' (e.g., a [[password]], a [[pass phrase]] or a [[personal identification number]] (PIN))
Sometimes a combination of methods is used, e.g., a bank card and a PIN, in which case the term 'two-factor authentication' is used.
Sometimes a combination of methods is used, e.g., a bank card and a PIN, in which case the term 'two-factor authentication' is used.


Historically, [[fingerprint]]s have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability. Other [[biometric]] methods are promising (retinal scans are an example), but have shown themselves to be easily [[spoof]]able in practice.
Historically, [[Wikipedia:Fingerprint|fingerprint]]s have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability. Other [[biometric]] methods are promising (retinal scans are an example), but have shown themselves to be easily [[spoof]]able in practice.


In a computer data context, cryptographic methods have been developed (''see'' [[digital signature]] and [[challenge-response authentication]]) which are currently not spoofable '''if''' (and only if) the originator's key has not been compromised. That the originator (or anyone other than an [[Adversary|attacker]]) knows (or doesn't know) about a compromise is irrelevant. It is not known whether these cryptographically based authentication methods are provably secure since unanticipated mathematical developments may make them vulnerable to attack in future. If that were to occur, it may call into question much of the authentication in the past. In particular, a [[digital signature|digitally signed]] [[legal instrument|contract]] may be questioned when a new attack on the cryptography underlying the signature is discovered.
In a computer data context, cryptographic methods have been developed (''see'' [[digital signature]] and [[challenge-response authentication]]) which are currently not spoofable '''if''' (and only if) the originator's key has not been compromised. That the originator (or anyone other than an [[Adversary|attacker]]) knows (or doesn't know) about a compromise is irrelevant. It is not known whether these cryptographically based authentication methods are provably secure since unanticipated mathematical developments may make them vulnerable to attack in future. If that were to occur, it may call into question much of the authentication in the past. In particular, a [[digital signature|digitally signed]] [[legal instrument|contract]] may be questioned when a new attack on the cryptography underlying the signature is discovered.

Latest revision as of 05:10, 31 August 2005

In computer security, authentication (Greek: αυθεντικός, from 'authentes'='author') is the process by which a computer, computer program, or another user attempts to confirm that the computer, computer program, or user from whom the second party has received some communication is, or is not, the claimed first party. A blind credential, in contrast, does not establish identity at all, but only a narrow right or status of the user or program.

The problem of authorization is often thought to be identical to that of authentication; many widely adopted standardization|standard security protocols, obligatory regulations, and even statutes are based on this assumption. However, there are many cases in which these two problems are different.

One familiar example is access control. A computer system supposed to be used only by those authorized must attempt to detect and exclude the unauthorized. Access to it is therefore usually controlled by insisting on an authentication procedure before access is granted. A few examples are given below.

However, note that much of the discussion on these topics is misleading because terms are used without precision. Part of this confusion may be due to the 'law enforcement' tone of much of the discussion. No computer, computer program, or computer user can 'confirm the identity' of another party. It is not possible to 'establish' or 'prove' an identity, either. There are tricky issues lurking under what appears to be a straightforward surface.

It is only possible to apply one or more tests which, if passed, have been previously declared to be sufficient to proceed. The problem is to determine which tests are sufficient, and many such are inadequate. There have been many instances of such tests having been spoofed successfully; they have by their failure shown themselves, inescapably, to be inadequate. Many people continue to regard the test(s) -- and the decision to regard success in passing them -- as acceptable, and blame their failure on 'sloppiness' or 'incompetence' on the part of someone. The problem is that the test was supposed to work in practice -- not under ideal conditions of no sloppiness or incompetence -- and did not. It is the test which has failed in such cases. Consider the very common case of a confirmation email which must be replied to in order to activate an online account of some kind. Since email can easily be arranged to go to or come from bogus and untraceable addresses, this is just about the least authentication possible. Success in passing this test means little, without regard to sloppiness or incompetence.

Other common examples of access control involving authentication include:

  • withdrawing cash from an Automated Teller Machine|ATM.
  • controlling a remote computer over the Internet.
  • using an Internet banking system.

The methods by which a human can authenticate themselves are generally classified into three cases:

Sometimes a combination of methods is used, e.g., a bank card and a PIN, in which case the term 'two-factor authentication' is used.

Historically, fingerprints have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability. Other biometric methods are promising (retinal scans are an example), but have shown themselves to be easily spoofable in practice.

In a computer data context, cryptographic methods have been developed (see digital signature and challenge-response authentication) which are currently not spoofable if (and only if) the originator's key has not been compromised. That the originator (or anyone other than an attacker) knows (or doesn't know) about a compromise is irrelevant. It is not known whether these cryptographically based authentication methods are provably secure since unanticipated mathematical developments may make them vulnerable to attack in future. If that were to occur, it may call into question much of the authentication in the past. In particular, a digitally signed contract may be questioned when a new attack on the cryptography underlying the signature is discovered.