With this article I am opening a discussion of the basics of identification
and authentication (I&A for short). I discovered that
the definition of I&A is incomplete. This has an important consequence:
one widely used assertion in the theory of I&A is incomplete and inaccurate.
Definition (for example [1])
Identification is a statement of who the user is (globally
known), whereas authentication is proof of identification.
Authentication is the process by which a claimed identity is
verified.
Counterexamples
a) (e.g. [1]) In one system with many individuals performing
administrator or security officer tasks, the system established
an identifier associated with the role being performed.
In an extended logon, a two-step identification and authentication
occurred: first as the system administrator, and then as the individual
performing that role.
b) Drugs and alcohol affect a person's behavior and change his
abilities when he is about to drive, fly an airplane, or control
dangerous machines, guns or your computing systems. Ability has
something to do with identity. Of a drunken man, an intoxicated man
or a man who has used drugs we say "he is not himself".
As we can see, there are three types of identification: a statement of
identity, collective identity and ability. Consequently, identification is
a statement of the user's identity and/or collective identity
and/or ability. Authentication is the process by which a claimed
identification is verified.
Assertion (e.g. [1])
Users' identities are verified using one of three generic
methods: something they know (type 1), something they have (type
2), or something they are (type 3).
Counterexamples
1) In the Latin text of Vegetius' Epitoma Rei Militaris
(LIBER III, V. Signorum militarium quanta sint genera) signals are
presented (from Middle French, from Medieval Latin signale, from Late Latin, neuter of signalis "of a sign", from Latin signum) that are used for verifying
collective identity. Vegetius writes about passwords, insignia and signs,
i.e. about methods of type 1 and type 2 according to [1].
2) Biometric schemes such as fingerprint readers, lip print readers,
retinal scanners, DNA analyzers and Bertillon systems can prove the identity
of a non-active (even dead) person; schemes such as dynamic signature,
keystroke patterns and intrinsic skills can prove the identity of living
persons or their ability.
3) An on-line lie detector can analyze human emotions while the user answers
questions such as "What is your name?" or "What is your name and what is
your role in the system?"
The user supplies one or more authentication elements (authenticators)
as proof of identification. A kind of authenticator should be defined
as a set of authenticators that can be used in the same type of
identification of the same entity. Consequently, there are four kinds
of authenticators:
Signals - can be used as proof of the identity or collective identity of a
material (person, machine) or immaterial (process) entity.
Parameters - can be used as proof of the identity of a non-active material
entity.
Actions - can be used as proof of the identity of an active material entity or
of its ability.
Emotions - can be used by a person as proof of identity or collective
identity.
Appendix
Assertion (e.g. [1])
It is "theoretically" possible to have
self-identifying authentication (or it might be called
self-authenticating identification). Examples of this might be a
fingerprint reader or a DNA analysis of cells scraped from the skin.
Counterexample
Suppose this method of protection: whoever comes first on Good Friday
"when the sun is highest" under the Devil's castle may enter the underground
cave with treasures (a folk tale from our country).
In the process of I&A, the identification step can be omitted if the
identity and/or collective identity and/or ability can be determined
from the authenticators.
The process of I&A can be reduced to the use of authenticators alone,
if the authenticators "open a way" to a protected resource.
Literature
1. A Guide to Understanding Identification and Authentication in
Trusted Systems, NCSC-TG-017, Library No. 5-235,479, Version 1.