Do You Need a Digital ID?

Anne & Lynn Wheeler lynn at garlic.com
Wed Mar 23 11:41:21 EST 2005 

Jerrold Leichter wrote:
> That's fine for *describing* the system, and useful for analyzing its usability
> or acceptability.  But it's not the whole story.

3-factor authentication paradigm obviously doesn't take into account 
whether the authentication material is treated as a secret or a 
shared-secret i.e. both biometrics and "something you know" can be 
implemented as either secret or "shared-secret" .... "shared-secret" 
tends to have copies of the authentication material in the possession of 
the relying party ... while "secret" tends to be an infrastructure where 
the relying-party can infer the existance of the "secret" by other 
characteristics. it is one of the reasons that the x9.84 biometric 
standard goes to great deal of description when biometrics are 
implemented as "shared-secrets" ... with the biometric templates stored 
at a central site.

3-factor authentication paradigm obviously also doesn't cover whether 
the authentication is direct fact-to-face or that the relying party is 
infering authentication taking place by the existance of other kinds of 
evidence. for instance, a relying party validating a digital signature 
with a public key will infer that the other party is in possession of 
the corresponding private key. the relying party may not have direct 
knowledge of the other party being in possession of the corresponding 
private key ... the relying party just infers it from the validation of 
a digital signature with the public key.

which then takes us back to your original response:
 > This is a rather bizarre way of defining things.  "Something you have"
 > is a physical object.  On the one hand, any physical object can
 > be copied to an arbitrary degree of precision; on the other hand,
 > no two physical objects are *identical*.  So a distinction based
 > on whether a replacement is "identical" to the original gets
 > you nowhere.

ref:
http://www.garlic.com/~lynn/aadsm19.htm#2 Do you Need a Digital ID?
or
http://www.mail-archive.com/cryptography%40metzdowd.com/msg03734.html

3-factor authentication paradigm obviously also doesn't cover all the 
sort of business rules that allow a relying party to infer something to 
be true ... even when they don't have direct evidence that it is true
aka for a public/private key infrastructure where the relying party
normally is inferring that the private key owner has in fact attempted 
to consistantly and reliably maintained the confidentiality and privacy 
of the private key and therefor its usefullness as part of any 3-factor 
authentication paradigm.

3-factor authentication paradigm might also help people designing and/or 
analysing authentication infrastructures. "something you know" 
operations may be some what more vulnerable to electronic sniffing, 
phishing, and/or  information harvesting attacks. "something you have" 
hopefully are more resistant to electronic sniffing, phishing, and/or 
information harvesting attacks ... although the transmission of static 
data in non-face-to-face operations that allow the relying party to 
infer the possession of the "something you have" has been shown to be 
extremely vulnerable to skimming attacks (that enable the manufactor of 
counterfeit magstripe plastic cards). Obviously sniffing and skimming 
exploits involve very similar threat model.

One application would be to choose a multi-factor authentication 
implementation where the different factors represent countermeasure to 
different threats. A multi-factor authentication implementation, where 
the different factors are vulnerable to the same threats, doesn't 
provide a great deal of additional security. However, there are 
obviously a lot of variouscharactistics like

* face-to-face or non-face-to-face
* direct evidence or inferring based on other evidence
* static or non-static data
* central store or remote inferrance
* treat models
* represents what kind of countermeasures
* resistance to counterfeiting/impersonation
* human factors

a difficult human factors has been the issue of "something you know" 
shared-secrets. shared-secret pin/passwords have had two kinds of 
guidelines 1) make it hard to guess (which tends to make it difficult to 
memorize) 2) different shared-secret for every security domain (where 
most institutions viewed that they were the only security domain, but in 
reality many people now are faced with scores of different security 
domains with scores of extremely difficult to remember shared-secrets).

lots of past posts on threats, vulnerabilities, exploits
http://www.garlic.com/~lynn/subpubkey.html#fraud
and lots of 3-factor authentication posts:
http://www.garlic.com/~lynn/subpubkey.html#3factor
and various past posts on general subject of designing high-assurance
systems
http://www.garlic.com/~lynn/subpubkey.html#assurance

we have somewhat viewed assurance and high-availability as similar ... 
where a system needs to be resistant to all kinds of failures ... 
regardless of whether they were failures due to attacks/exploits or just 
plain simple failures. it is part of building real, industrial strength 
infrastructures .... misc. posts on our high-availability project/product
http://www.garlic.com/~lynn/subtopic.html#hacmp

i have some ancient archived thread abouts (remote) 2-factor 
authentication where plastic card is used with biometrics in place of 
pin/password ... and the counter-argument was that they could show 
biometrics was easier to counterfeit than pin/password .... ignoring the 
fact that 30 percent of the audience that biometrics were being offered 
to, routinely wrote their pin on their plastic card. it wasn't part of 
the institutional design. Futhermore, the issue of having a 2nd factor
(pin/password or biometric) was supposedly a countermeasure for the 
lost/stolen card threat. It was fairly trivial to show (regardless of 
the theoritical strength of the particular biometrics versus an ideal 
pin/password) that it would be more difficult to counterfeit the 
biometrics than it would be for an criminal to utilize a pin/password 
written on a lost/stolen card. ... refs:
http://www.garlic.com/~lynn/99.html#165 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#172 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/aadsm10.htm#bio2 biometrics
http://www.garlic.com/~lynn/aadsm10.htm#bio3 biometrics (addenda)
http://www.garlic.com/~lynn/aadsm10.htm#bio6 biometrics
http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards
http://www.garlic.com/~lynn/2002e.html#18 Opinion  on smartcard security 
requested
http://www.garlic.com/~lynn/2002g.html#72 Biometrics not yet good enough?
http://www.garlic.com/~lynn/2002h.html#6 Biometric authentication for 
intranet websites?
http://www.garlic.com/~lynn/2002h.html#8 Biometric authentication for 
intranet websites?
http://www.garlic.com/~lynn/2002h.html#41 Biometric authentication for 
intranet websites?
http://www.garlic.com/~lynn/2002o.html#62 Certificate Authority: 
Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#63 Certificate Authority: 
Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#64 smartcard+fingerprint
http://www.garlic.com/~lynn/2002o.html#65 smartcard+fingerprint
http://www.garlic.com/~lynn/2003o.html#44 Biometrics


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list