Do You Need a Digital ID?
Anne & Lynn Wheeler
lynn at garlic.com
Wed Mar 23 11:41:21 EST 2005

Jerrold Leichter wrote:
> That's fine for *describing* the system, and useful for analyzing its usability
> or acceptability. But it's not the whole story.

3-factor authentication paradigm obviously doesn't take into account
whether the authentication material is treated as a secret or a
shared-secret i.e. both biometrics and "something you know" can be
implemented as either secret or "shared-secret" .... "shared-secret"
tends to have copies of the authentication material in the possession of
the relying party ... while "secret" tends to be an infrastructure where
the relying-party can infer the existence of the "secret" by other
characteristics. it is one of the reasons that the x9.84 biometric
standard goes into a great deal of description when biometrics are
implemented as "shared-secrets" ... with the biometric templates stored
at a central site.

3-factor authentication paradigm obviously also doesn't cover whether
the authentication is direct face-to-face or that the relying party is
inferring authentication taking place by the existence of other kinds of
evidence. for instance, a relying party validating a digital signature
with a public key will infer that the other party is in possession of
the corresponding private key. the relying party may not have direct
knowledge of the other party being in possession of the corresponding
private key ... the relying party just infers it from the validation of
a digital signature with the public key.

which then takes us back to your original response:

> This is a rather bizarre way of defining things. "Something you have"
> is a physical object. On the one hand, any physical object can
> be copied to an arbitrary degree of precision; on the other hand,
> no two physical objects are *identical*. So a distinction based
> on whether a replacement is "identical" to the original gets
> you nowhere.

ref:
http://www.garlic.com/~lynn/aadsm19.htm#2 Do you Need a Digital ID?
or
http://www.mail-archive.com/cryptography%40metzdowd.com/msg03734.html

3-factor authentication paradigm obviously also doesn't cover all the
sorts of business rules that allow a relying party to infer something to
be true ... even when they don't have direct evidence that it is true
aka for a public/private key infrastructure where the relying party
normally is inferring that the private key owner has in fact attempted
to consistently and reliably maintain the confidentiality and privacy
of the private key and therefore its usefulness as part of any 3-factor
authentication paradigm.

3-factor authentication paradigm might also help people designing and/or
analysing authentication infrastructures. "something you know"
operations may be somewhat more vulnerable to electronic sniffing,
phishing, and/or information harvesting attacks. "something you have"
hopefully are more resistant to electronic sniffing, phishing, and/or
information harvesting attacks ... although the transmission of static
data in non-face-to-face operations that allow the relying party to
infer the possession of the "something you have" has been shown to be
extremely vulnerable to skimming attacks (that enable the manufacture of
counterfeit magstripe plastic cards). Obviously sniffing and skimming
exploits involve a very similar threat model.

One application would be to choose a multi-factor authentication
implementation where the different factors represent countermeasures to
different threats. A multi-factor authentication implementation, where
the different factors are vulnerable to the same threats, doesn't
provide a great deal of additional security. However, there are
obviously a lot of various characteristics like

* face-to-face or non-face-to-face
* direct evidence or inferring based on other evidence
* static or non-static data
* central store or remote inference
* threat models
* represents what kind of countermeasures
* resistance to counterfeiting/impersonation
* human factors

a difficult human factor has been the issue of "something you know"
shared-secrets. shared-secret pin/passwords have had two kinds of
guidelines 1) make it hard to guess (which tends to make it difficult to
memorize) 2) different shared-secret for every security domain (where
most institutions viewed that they were the only security domain, but in
reality many people now are faced with scores of different security
domains with scores of extremely difficult to remember shared-secrets).

lots of past posts on threats, vulnerabilities, exploits
http://www.garlic.com/~lynn/subpubkey.html#fraud
and lots of 3-factor authentication posts:
http://www.garlic.com/~lynn/subpubkey.html#3factor
and various past posts on general subject of designing high-assurance
systems
http://www.garlic.com/~lynn/subpubkey.html#assurance

we have somewhat viewed assurance and high-availability as similar ...
where a system needs to be resistant to all kinds of failures ...
regardless of whether they were failures due to attacks/exploits or just
plain simple failures. it is part of building real, industrial strength
infrastructures .... misc. posts on our high-availability project/product
http://www.garlic.com/~lynn/subtopic.html#hacmp

i have some ancient archived threads about (remote) 2-factor
authentication where plastic card is used with biometrics in place of
pin/password ... and the counter-argument was that they could show
biometrics was easier to counterfeit than pin/password .... ignoring the
fact that 30 percent of the audience that biometrics were being offered
to, routinely wrote their pin on their plastic card. it wasn't part of
the institutional design. Furthermore, the issue of having a 2nd factor
(pin/password or biometric) was supposedly a countermeasure for the
lost/stolen card threat. It was fairly trivial to show (regardless of
the theoretical strength of the particular biometrics versus an ideal
pin/password) that it would be more difficult to counterfeit the
biometrics than it would be for a criminal to utilize a pin/password
written on a lost/stolen card. ... refs:
http://www.garlic.com/~lynn/99.html#165 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/99.html#172 checks (was S/390 on PowerPC?)
http://www.garlic.com/~lynn/aadsm10.htm#bio2 biometrics
http://www.garlic.com/~lynn/aadsm10.htm#bio3 biometrics (addenda)
http://www.garlic.com/~lynn/aadsm10.htm#bio6 biometrics
http://www.garlic.com/~lynn/aadsm15.htm#36 VS: On-line signature standards
http://www.garlic.com/~lynn/2002e.html#18 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002g.html#72 Biometrics not yet good enough?
http://www.garlic.com/~lynn/2002h.html#6 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002h.html#8 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002h.html#41 Biometric authentication for intranet websites?
http://www.garlic.com/~lynn/2002o.html#62 Certificate Authority: Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#63 Certificate Authority: Industry vs. Government
http://www.garlic.com/~lynn/2002o.html#64 smartcard+fingerprint
http://www.garlic.com/~lynn/2002o.html#65 smartcard+fingerprint
http://www.garlic.com/~lynn/2003o.html#44 Biometrics
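
Added illustration, not part of the original post or of any system it describes: the "shared-secret" versus "secret" distinction made above, as a challenge-response check in which the relying party either keeps a copy of the authentication material or keeps only a public key and infers possession of the private key. A Lamport one-time signature stands in for "a digital signature" so the sketch needs only the standard library; all names and values are constructed for the example.

```python
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes) -> list:
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature (a key pair must sign only one message).
def keygen():
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(H(a), H(b)) for a, b in private]
    return private, public

def sign(private, msg: bytes) -> list:
    # Reveal one preimage per digest bit.
    return [private[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(public, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(H(s), public[i][bit])
               for s, (i, bit) in zip(sig, enumerate(digest_bits(msg))))

def hmac_response(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()

def compare_models() -> dict:
    # Enrollment with constructed values.
    shared_key = secrets.token_bytes(32)   # "shared-secret": both parties hold a copy
    private, public = keygen()             # "secret": private half stays with the claimant
    rp_records = {"shared_key": shared_key, "public_key": public}

    challenge = secrets.token_bytes(16)    # fresh, non-static data for this attempt
    expected = hmac_response(rp_records["shared_key"], challenge)

    # Responses built from nothing but a copy of the relying party's records.
    from_copy_shared = hmac_response(rp_records["shared_key"], challenge)
    from_copy_public = [rp_records["public_key"][i][bit]
                        for i, bit in enumerate(digest_bits(challenge))]
    return {
        "claimant_shared_ok": hmac.compare_digest(hmac_response(shared_key, challenge), expected),
        "claimant_signature_ok": verify(public, challenge, sign(private, challenge)),
        "records_copy_passes_shared": hmac.compare_digest(from_copy_shared, expected),
        "records_copy_passes_signature": verify(public, challenge, from_copy_public),
    }

if __name__ == "__main__":
    print(compare_models())
```

The relying party's records are sufficient to answer the shared-secret challenge but not the signature challenge, which is why the two models call for different protection of the central store.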
---------------------------------------------------------------------
The Cryptography Mailing List