COMPOUND AUTHENTICATORS
The first version of this article was sent to comp.security.misc (98/12/11). Before that, there was no theory of compound authenticators. For example, the guide [1] notes only informally: "One would expect greater assurance from a combination of type 1 and type 2 mechanisms than either used alone." This article describes the basics of this theory.

Elementary and Compound Authenticators

Consider the following model for an authentication system. A user submits an authenticator as a proof of identification. If the authentication system recognizes the authenticator, then it accepts the proof. If the authentication system does not recognize the authenticator, then it rejects the proof.
If we interpret "is recognized" as "is true" and "is not recognized" as "is false", then the connection with logic is evident.
The negation of the authenticator "the fingerprint of the criminal X" is "any fingerprint different from the fingerprint of the criminal X". The first authenticator (which verifies identity) can have the properties "it is long-life" and "it distinguishes identical twins". The second authenticator (which verifies collective identity) can have the property "it is long-life", too. We cannot formally derive the properties of an authenticator's negation from the properties of the authenticator itself.
A compound authenticator can in turn be an "elementary" authenticator in a more complex compound authenticator, and so on. In symbolic notation we can denote a compound authenticator with the help of parentheses, as in the following example:
Obviously, I denote the conjunction by AND and the disjunction by OR. I further suppose that an expression for a compound authenticator can be converted into an expression in disjunctive normal form.

Properties of a compound authenticator

If authenticators share the property "it is changeless in a changing environment", then the conjunction and the disjunction of these authenticators have the same property. But this does not hold in general: consider the conjunction of many authenticators having the property "it is easy and fast to use". There is an interesting problem here: what are the properties of a compound authenticator if one authenticator has the property "it eliminates a concrete threat of false acceptance or false rejection" and the second one does not?

False rejection. If the compound authenticator of a valid entity is recognized, then false rejection does not occur. Consider, for instance, the threat of forgetting an authenticator at home. The fingerprint eliminates this threat (admittedly only partly, if "the forgetting of an authenticator at home" is taken in a somewhat horrible sense). But no chip card has this property. The conjunction of the fingerprint with the chip card does not eliminate the threat of forgetting an authenticator at home. Generally, the following proposition holds:
A user who forgets the card can submit his fingerprint as the alternative authenticator. Hence, the following proposition holds:
False acceptance. If the compound authenticator of an invalid entity (an intruder) is not recognized, then false acceptance does not occur. Consider, for example, the threat of copying or theft of authenticators outside the I&A process. An action eliminates this threat but a parameter does not. Hence, their conjunction has this property: an intruder can easily copy the parameter, but its conjunction with an unknown action will not be recognized. Generally, the following proposition holds:
In the case of the disjunction, an intruder submits only the copied parameter, and this will be recognized. Therefore:
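The four cases discussed above (conjunction and disjunction, against a false-rejection threat and against a false-acceptance threat) can be checked mechanically. The following Python sketch is an added example, not part of the original article: it goes beyond the two-element cases in the text by evaluating any negation-free expression in disjunctive normal form under the worst case for each threat. The function names, the `immune` sets and the mixed expression are assumptions of the example.

```python
# Added example: worst-case check of a compound authenticator in DNF.
# A DNF is a list of conjunctions; each conjunction is a set of names of
# elementary authenticators. Negation is not modelled (assumption).

def recognized(dnf, presented):
    """True if every member of at least one conjunction is presented."""
    return any(term <= presented for term in dnf)

def eliminates_false_rejection(dnf, immune):
    """Threat hits the valid user (e.g. authenticator forgotten at home):
    only authenticators immune to the threat can still be submitted."""
    return recognized(dnf, set(immune))

def eliminates_false_acceptance(dnf, immune):
    """Threat helps an intruder (e.g. copying or theft): assume he holds
    every authenticator that is not immune to the threat."""
    exposed = set().union(*dnf) - set(immune)
    return not recognized(dnf, exposed)

def demo():
    """Constructed cases built from the article's authenticators."""
    fp_and_card = [{"fingerprint", "card"}]
    fp_or_card = [{"fingerprint"}, {"card"}]
    act_and_par = [{"action", "parameter"}]
    act_or_par = [{"action"}, {"parameter"}]
    # Beyond the article: (fingerprint OR card) AND action, written as DNF.
    mixed = [{"fingerprint", "action"}, {"card", "action"}]
    forget = {"fingerprint"}   # immune to "forgotten at home" (from the text)
    copy = {"action"}          # immune to "copying or theft" (from the text)
    return {
        "forgetting: fingerprint AND card": eliminates_false_rejection(fp_and_card, forget),
        "forgetting: fingerprint OR card": eliminates_false_rejection(fp_or_card, forget),
        "copying: action AND parameter": eliminates_false_acceptance(act_and_par, copy),
        "copying: action OR parameter": eliminates_false_acceptance(act_or_par, copy),
        # Assumption: an action cannot be forgotten at home either.
        "forgetting: mixed": eliminates_false_rejection(mixed, forget | {"action"}),
        "copying: mixed": eliminates_false_acceptance(mixed, copy),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'eliminated' if ok else 'NOT eliminated'}")
```
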
You can test the validity of the propositions on examples of the properties "it does not change under stress", "it is long-life" (the sphere of the elimination of false rejection) or "it is highly specific", "it can be easily changed" (the sphere of the elimination of false acceptance).

Complex properties

The property of an authenticator "it can be used by an irresponsible person" has an influence on both false acceptance and false rejection. I.e., instead of the complex property "it can be used by an irresponsible person" we have to consider two simple properties: "it cannot be forgotten or lost" (the sphere of the elimination of false acceptance) and "it cannot be stolen, duplicated or handed over" (the sphere of the elimination of false rejection).

Conclusion

The literature, e.g. [1], describes only informally the conjunction of authenticators, usually called a combination of methods or principles, which is applied to eliminate the threat of false acceptance. In practice we use the disjunction of authenticators, too. If we use an additional authenticator, then we have to be careful not to lose some of the important properties of the compound authenticator (see propositions 1 and 4). At the same time, the propositions confirm that the following rule holds in all cases: a defense against false acceptance can weaken a defense against false rejection, and vice versa.

Literature

1. Guide to Understanding I&A. NCSC-TG-017, Library No. 5-235,479. Version 1.
last modified 26th April 2002
Copyright © 1998-2002 Vladimir Zabrodsky
Czech Republic