authentication and authorization (was: Question on the state of the security industry)

Anne & Lynn Wheeler lynn at garlic.com
Thu Jul 1 22:40:39 EDT 2004


At 12:26 PM 7/1/2004, John Denker wrote:
>The object of phishing is to perpetrate so-called "identity
>theft", so I must begin by objecting to that concept on two
>different grounds.

there are two sides of this .... some amount of crime statistics call it 
ID-theft .... which plausibly could be either identity or identification 
... but in general it involves a situation where a criminal is impersonating you 
to one degree or another to perform some fraudulent action.

there has been some attempt to distinguish impersonation events between 
fraudulently extracting money from existing accounts and fraudulently 
creating new accounts in your name.

practically, objecting to the label id-theft may be like objecting to the 
label suicide bomber.

in general, the problem is using any kind of static data for 
authentication. it applies to name, birthdate, mother's maiden name, pins, 
passwords, account numbers .... any kind of static data. it worked for a 
long time ... but it was based on assumption that it had characteristics of 
1) shared-secret and 2) used uniquely, different static data in different 
security domains.

the growth of electronic environments has drastically affected this in lots 
of ways (invalidating the core assumptions that were behind the use of such 
static data for authentication; it wasn't that static data didn't work ... 
but it worked well only as long as the underlying assumptions were valid):

1) drastic increase in number of different electronic environments 
requiring unique shared secrets ..... basic human factors making it 
impossible to process a unique shared secret for every possible (scores of 
unique) environment

2) drastic increase in number of different electronic environments ... 
drastically increasing the number of places that shared secrets are being 
used ... which increases the places that shared secrets can be harvested 
(for criminal purposes)

3) drastic increase in electronic environments that contain information 
about individuals ... drastically increasing the number of places that 
personal information can be harvested (of the type that is likely to be 
used in shared-secret, static authentication information) for criminal 
purposes.

minor reference to the account based scenario .... security proportional to 
risk
http://www.garlic.com/~lynn/2001h.html#61

and then there is the whole thing about frequent confusion of 
identification and authentication:
http://www.garlic.com/~lynn/aepay3.htm#mcomm (my) misc. additional comments on X9.59 issues.
http://www.garlic.com/~lynn/aepay7.htm#3dsecure 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure
http://www.garlic.com/~lynn/aadsm9.htm#pkcs12b A PKI Question: PKCS11-> PKCS12
http://www.garlic.com/~lynn/aadsm14.htm#40 The real problem that https has conspicuously failed to fix
http://www.garlic.com/~lynn/aadsm14.htm#41 certificates & the alternative view
http://www.garlic.com/~lynn/aadsm17.htm#13 A combined EMV and ID card
http://www.garlic.com/~lynn/aadsm17.htm#16 PKI International Consortium
http://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and Identiification?
http://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/aepay11.htm#73 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
http://www.garlic.com/~lynn/2003j.html#47 The Tao Of Backup: End of postings



Anne & Lynn Wheeler    http://www.garlic.com/~lynn/ 
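The post's two preconditions for static authentication data (it is a shared secret, and it is used uniquely per security domain) can be made concrete with a small simulation. The following is an added example, not code from the post or from Lynn Wheeler; the three domain names, the master secret and the use of HMAC-SHA256 for per-domain derivation and challenge-response are all constructed assumptions chosen to illustrate the argument, not anything the post prescribes. It contrasts one static secret reused across every domain (where a single harvested copy authenticates everywhere and a captured login can be replayed) with a per-domain derived secret used in a challenge-response exchange (where a secret harvested from one domain is useless elsewhere and a captured response is useless against a fresh challenge).

```python
import hashlib
import hmac
import os

# Constructed sample data: three separate "security domains" and one user who
# has a single memorised secret. None of these values come from the post.
DOMAINS = ["bank.example", "shop.example", "forum.example"]
MASTER_SECRET = b"correct horse battery staple"   # constructed user secret


# --- Model 1: the same static secret presented to every domain ---------------

def static_verifier_table(master):
    """Each domain stores a hash of the one static secret the user reuses."""
    return {d: hashlib.sha256(master).digest() for d in DOMAINS}


def static_login(table, domain, presented):
    """A domain accepts whoever presents the static secret, whenever."""
    return hmac.compare_digest(table[domain], hashlib.sha256(presented).digest())


# --- Model 2: a different secret per domain, used in challenge-response ------

def per_domain_secret(master, domain):
    """Derive a distinct secret for each security domain from one master secret
    (HMAC over the domain name is an assumption chosen for this example)."""
    return hmac.new(master, domain.encode(), hashlib.sha256).digest()


def derived_verifier_table(master):
    """Each domain holds only its own derived secret, never the master secret."""
    return {d: per_domain_secret(master, d) for d in DOMAINS}


def response(domain_secret, nonce):
    """Client side: prove knowledge of the domain secret for this nonce only."""
    return hmac.new(domain_secret, nonce, hashlib.sha256).digest()


def cr_login(table, domain, nonce, presented):
    """Domain side: recompute the expected response for the nonce it issued."""
    return hmac.compare_digest(response(table[domain], nonce), presented)


# --- The two failure modes the post describes, as checks ---------------------

def harvested_static_secret_reuse(master):
    """Static model: a secret harvested at one domain logs in at all of them."""
    table = static_verifier_table(master)
    harvested = master          # the same bytes are presented to every domain
    return [static_login(table, d, harvested) for d in DOMAINS]
    # -> [True, True, True]


def harvested_derived_secret_reuse(master):
    """Derived model: a secret harvested from forum.example only opens forum.example."""
    table = derived_verifier_table(master)
    harvested = per_domain_secret(master, "forum.example")
    nonce = os.urandom(16)
    return [cr_login(table, d, nonce, response(harvested, nonce)) for d in DOMAINS]
    # -> [False, False, True]


def replayed_static_login(master):
    """Static model: a captured login value works again unchanged."""
    table = static_verifier_table(master)
    captured = master
    return static_login(table, "bank.example", captured)
    # -> True


def replayed_response(master):
    """Derived model: a response captured for one nonce fails for a fresh nonce."""
    table = derived_verifier_table(master)
    secret = per_domain_secret(master, "bank.example")
    captured = response(secret, os.urandom(16))
    return cr_login(table, "bank.example", os.urandom(16), captured)
    # -> False


if __name__ == "__main__":
    print("static secret reused across domains:", harvested_static_secret_reuse(MASTER_SECRET))
    print("derived secret harvested from one domain:", harvested_derived_secret_reuse(MASTER_SECRET))
    print("static login replayed:", replayed_static_login(MASTER_SECRET))
    print("challenge response replayed:", replayed_response(MASTER_SECRET))
```

The point of the second model is not that per-domain derivation is a complete fix (a domain that stores the derived secret can still lose it), but that it restores the "used uniquely per security domain" precondition the post says has been eroded, so one harvest is contained to one domain, and the nonce removes the "static" property from what crosses the wire.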

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
