authentication and authorization (was: Question on the state of the security industry)

Anne & Lynn Wheeler lynn at garlic.com
Wed Jul 7 12:07:29 EDT 2004


At 07:23 AM 7/5/2004, Anton Stiglic wrote:
>Identity has many meanings.   In a typical dictionary you will find several
>definitions for the word identity.  When we are talking about information
>systems, we usually talk about a digital identity, which has other meanings
>as well. If you are in the field of psychology, philosophy, or computer
>science, identity won't mean the same thing. One definition that relates to
>computer science that I like is the following:
>"the individual characteristics by which a thing or person is recognized or
>known".

another way of looking at it in an authentication/authorization infrastructure
is that some set of privileges is asserted ... this is typically done by having some
sort of identification associated with those privileges (like an account number
or userid). There can be some confusion whether what is being asserted is a
tag, identity or identification. if the tag being asserted is something like a
person's name, the institution is likely just using it for a tag to look up the
set of privileges associated with that name (they may not actually care who
you are ... they want to know what privileges are associated with the name/tag).

then there is some sort of authentication as to the binding to those set of
privileges .... aka 3-factor authentication taxonomy

* something you know
* something you have
* something you are

note, in some scenarios .... it is possible that knowing the account
number provides both the privilege assertion as well as the "something you
know" authentication (aka knowing the account number is sufficient
to make withdrawals).

in any case there are frequently used institutional processes that can be
characterized by assertion of privileges and authentication. The taxonomy
of those processes can be considered independent of the terms used to
label the processes (is a guard really interested in who you are or just
finding out what privileges and permissions you have).

so we have an environment with institutions and CSOs and an attitude
that the institution and the institution integrity must be protected from
outsiders (and criminal insiders)

however, with the prevalent use of "static data" and "something you know"
authentication paradigms ... there are huge amounts of static data lying
around, ripe for the harvesting ... where the criminal impersonates an
individual. so one view is that the vulnerability is the extensive use
by institutions of "static data" and "something you know" authentication,
where the individual may have little or no ability to protect the majority
of the information. The crime appears to be against the individual and
the source of the information may be totally unrelated to where the
crime actually occurs. Assuming that the source of the vulnerability
is the institutional infrastructures, some laws have been passed to
try and hold the institutions responsible for the protection of
individual information. in some scenarios, institutions are
charged with protecting individual information from the institution
itself (which sort of inverts a security officer's job of protecting
the institution from others).

However, in some scenarios
http://www.garlic.com/~lynn/2001h.html#61
the common use of static data is so pervasive that an individual's information
is found at thousands of institutions. The value of the information to the
criminal is that the same information can be used to perpetrate fraud
across all institutions and so the criminal value is enormous. However
the value to each individual institution may be minimal. As a result
there can be situations where an individual institution hasn't the
infrastructure or the funding to provide the countermeasures necessary
to keep the criminals away from the information (they simply don't
have the resources to provide security proportional to the risk).

The value of the static data authentication information to a criminal
is far greater than the value of the information to the institution ...
or the cost to the criminal to acquire the information is possibly
orders of magnitude less than the value of the information (for
criminal purposes).

Given such a situation .... the infrastructures simply don't have
the resources to provide the countermeasures adequate to meet
the attacks they are going to experience (there is such a huge
mismatch between the value of the information to the individual
institutions and the value of the information to the criminal).

Which results in my assertion that there has to be a drastic
move away from the existing "static data" authentication paradigm
.... because there is such a mismatch between the value
to secure the information versus the value of attacks to
obtain the information.

It isn't that theory can't provide mechanisms to protect
the information .... it's that the information is spread far and
wide and is in constant use by thousands of business processes,
and that protection problem is analogous to the problem of
having people memorize a hundred different 8+character
passwords that change every month (which is also a shortcoming
of the static data authentication paradigm).



--
Anne & Lynn Wheeler    http://www.garlic.com/~lynn/ 
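The assertion-then-authentication pattern described above (a tag such as an account number looked up to a privilege set, then a binding check via one of the three factors), shown as a runnable toy model. This is an added example, not code from the original post or from the list; the account directory, secrets, device keys and function names are all constructed for illustration. It contrasts a static "something you know" secret, which an eavesdropper who captures it once can replay against the institution indefinitely, with a challenge-response "something you have" check, where a captured response is useless against a fresh challenge. That contrast is the concrete form of the post's argument for moving away from static-data authentication.

```python
"""Added example (not from the original post): a toy model of
privilege assertion plus factor authentication, comparing static
"something you know" data with a challenge-response "something you have"
factor.  All account data, secrets and keys below are constructed."""
import hashlib
import hmac
import secrets

# Constructed account directory.  The tag (account number) is only a lookup
# key for a privilege set; the institution need not know "who you are".
ACCOUNTS = {
    "acct-1001": {
        "privileges": {"view_balance", "withdraw"},
        "static_secret": "0417",                        # something you know (static data)
        "device_key": bytes.fromhex("00" * 31 + "01"),  # something you have (assumed device secret)
    },
    "acct-2002": {
        "privileges": {"view_balance"},
        "static_secret": "9981",
        "device_key": bytes.fromhex("ff" * 32),
    },
}


def lookup_privileges(tag):
    """Assertion step: resolve the tag to the privileges bound to it."""
    record = ACCOUNTS.get(tag)
    return set(record["privileges"]) if record else set()


def authenticate_static(tag, presented_secret):
    """Static-data authentication: the same secret is valid on every use,
    so anything that captures it once can present it again later."""
    record = ACCOUNTS.get(tag)
    if record is None:
        return False
    return hmac.compare_digest(record["static_secret"], presented_secret)


def issue_challenge():
    """Verifier side: a fresh random nonce for each authentication attempt."""
    return secrets.token_bytes(16)


def device_respond(device_key, challenge):
    """Token side: prove possession of the key without revealing it."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def authenticate_challenge(tag, challenge, response):
    """Dynamic authentication: the verifier recomputes the expected response
    for this particular challenge, so a response captured earlier will not match."""
    record = ACCOUNTS.get(tag)
    if record is None:
        return False
    expected = device_respond(record["device_key"], challenge)
    return hmac.compare_digest(expected, response)


def authorize(tag, action, authenticated):
    """Grant only if the binding was authenticated and the privilege is bound to the tag."""
    return bool(authenticated) and action in lookup_privileges(tag)


def replay_demo(tag="acct-1001"):
    """Simulate an observer who records one legitimate session of each kind
    and later presents the captured material again.  Returns which one works."""
    record = ACCOUNTS[tag]
    # Legitimate static session: the secret itself travels and is recorded.
    captured_secret = record["static_secret"]
    # Legitimate challenge-response session: challenge and response are recorded.
    old_challenge = issue_challenge()
    captured_response = device_respond(record["device_key"], old_challenge)

    # Later sessions: the static secret still verifies; the old response does not.
    static_replay_ok = authenticate_static(tag, captured_secret)
    new_challenge = issue_challenge()
    dynamic_replay_ok = authenticate_challenge(tag, new_challenge, captured_response)
    return {"static_replay_succeeds": static_replay_ok,
            "dynamic_replay_succeeds": dynamic_replay_ok}


if __name__ == "__main__":
    print("privileges for acct-1001:", lookup_privileges("acct-1001"))
    print(replay_demo())
```

Note the design choice in `lookup_privileges`: the tag resolves straight to a privilege set, which is the "guard only cares what permissions you have" view from the post. The account-number-as-secret scenario the post mentions corresponds to calling `authorize(tag, action, True)` with nothing more than the tag in hand; the model makes visible that such a deployment has no authentication step at all.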

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com