Do You Need a Digital ID?
Anne & Lynn Wheeler
lynn at garlic.com
Tue Mar 15 14:40:59 EST 2005
R.A. Hettinga wrote:
> <http://www.pcworld.com/resource/printable/article/0,aid,120008,00.asp>
>
i've been asked to flesh out my merged security taxonomy and glossary
http://www.garlic.com/~lynn/index.html#glosnote
to highlight the distinction between identity theft and account theft.
typically identity theft is that enough information is obtained to
fraudulently be able to open new accounts in the victim's name (among
other things) while account theft is that the thief has enough information
to perform fraudulent transactions against an existing account of the
victim.
account theft tends to be attacks on poor authentication procedures by
account institutions and/or use of social engineering or phishing to
obtain the victim's account authentication information (which shares a
lot in common with straight identity theft).
a common exploit is the use of skimming/sniffing of static
authentication verification data that enables creating counterfeit
tokens/cards that enables fraudulent transactions.
given 3-factor authentication:
* something you have
* something you know
* something you are
there can be a great deal of confusion whether a token/card represents
"something you have" or not. If a token/card contains valid
authentication information and if that token/card is lost/stolen and a
new account has to be created .... then it is likely the token/card
represents "something you have" authentication.
however, some infrastructures just utilize a token/card to provide the
equivalent of a userid (say an account number which isn't required to be
secret) and the actual authentication is in the form of a password/PIN
... i.e. "something you know" authentication. just because a token/card
is involved along with a PIN/password doesn't automatically imply that
two-factor authentication is involved.
if a re-issued new token/card (to replace a lost/stolen token/card) is
identical to the lost/stolen token/card ... then it is likely that there
is no "something you have" authentication involved (even though a
token/card is involved in the process) ... and therefore the
infrastructure is just single factor authentication.
at the basics, a digital signature is an indirect indication of
"something you have" authentication .... aka the existence of a digital
signature implies that the originator accessed and utilized a private
key in the generation of the digital signature. a digital signature by
itself says nothing about the integrity of that "something you have"
authentication ... since the digital signature doesn't carry any
indication of the integrity measures used to secure and access the
associated private key.
there is some temptation to claim that a lot of the problems with the
establishment of digital signature technology is that the basic trust
building blocks haven't been established. numerous institutions have
spent a lot of time focusing on the trust infrastructures associated
with certification authority operation and digital certificates ....
which have nothing directly to do with any form of 3 factor authentication.
the basic building block is that financial (or other) institutions
have ongoing relationships represented by established accounts and that
the entities associated with those accounts have established
authentication material. In the case of digital signatures, that would
be public keys. To the degree that a relying party institution
(financial or other) can trust what is represented by a digital
signature is the integrity level of the environment that protects the
access and use of the associated private key .... w/o additional
knowledge, the relying party only knows that some entity accessed and
utilized a specific private key ... as in a simple, single factor,
"something you have" authentication.
A digital signature by itself has no indication of the security and
integrity level associated with the private key protection, access and
use ... and/or if there is anything more than simple, single factor,
"something you have" authentication.
Furthermore, in the great majority of the transactions involving
established relationships, there is no need for digital certificates to
establish identification information .... straightforward authentication
tends to be sufficient.
misc. past 3-factor authentication posts
http://www.garlic.com/~lynn/subpubkey.html#3factor
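The account-based model the post describes, as an added example that is not part of the original message: the relying party keeps the public key registered when the account was established (no certificate involved) and verifies a signed transaction against it. The account numbers, transaction format and function names are assumptions for illustration; a verified signature tells the relying party only that the registered private key was used, nothing about how that key was protected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Account is the relying party's record: the public key registered when the
// relationship was set up is the authentication material, standing in for a
// certificate.
type Account struct {
	Number    string
	PublicKey ed25519.PublicKey
}

// Transaction is what the account holder signs. The account number is the
// non-secret "userid"; only the signature authenticates the request.
type Transaction struct {
	Account string `json:"account"`
	Amount  int64  `json:"amount"`
	Nonce   uint64 `json:"nonce"` // replay protection, checked by the institution
}

var ErrBadSignature = errors.New("signature does not verify against registered key")

// Registry maps account numbers to accounts (constructed, in-memory stand-in).
type Registry map[string]Account

func (r Registry) Register(number string, pub ed25519.PublicKey) {
	r[number] = Account{Number: number, PublicKey: pub}
}

// Sign produces the signature over the canonical JSON encoding of tx.
// Whether priv lives in memory, on disk, or in a hardware token is invisible here.
func Sign(priv ed25519.PrivateKey, tx Transaction) ([]byte, error) {
	msg, err := json.Marshal(tx)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify checks a transaction against the key on file for its account. Success
// means only that some entity holding the matching private key signed tx.
func (r Registry) Verify(tx Transaction, sig []byte) error {
	acct, ok := r[tx.Account]
	if !ok {
		return errors.New("unknown account")
	}
	msg, err := json.Marshal(tx)
	if err != nil {
		return err
	}
	if !ed25519.Verify(acct.PublicKey, msg, sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{}
	reg.Register("acct-001", pub) // registered at account opening (constructed)
	tx := Transaction{Account: "acct-001", Amount: 250, Nonce: 1}
	sig, _ := Sign(priv, tx)
	fmt.Println("verify:", reg.Verify(tx, sig)) // nil: registered key was used
	tx.Amount = 9999
	fmt.Println("tampered:", reg.Verify(tx, sig)) // ErrBadSignature
}
```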
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com