Vladimir Zabrodsky: Compound Authenticators



	COMPOUND AUTHENTICATORS

The first version of this article was sended to comp.security.misc (98/12/11).

Before there was not any theory of compound authenticators. For example, the guide [1] notes only informally: "One would expect greater assurance from a combination of type 1 and type 2 mechanisms than either used alone." This article describes the basics of this theory.

Elementary and Compound Authenticators

Consider the following model for an authentication system. A user submits an authenticator as a proof of identification. If the authentication system recognizes the authenticator, then it accepts the proof. If the authentication system does not recognize the authenticator, then it rejects the proof.

Definition 1

The elementary authenticator is one authenticator submitted by a user; if the authentication system recognize its then a proof of identification is accepted, in opposite case it is rejected.

Definition 2

The compound authenticator is composed of at least one elementary authenticator and at least one operation. Consider the following operations:
The negation of an elementary authenticator is a compound authenticator, which is recognized, if an elementary authenticator is not recognized, and vice versa.
The conjunction of two (or more) elementary authenticators is a compound authenticator, which is recognized, if all elementary authenticators are recognized, else it is not recognized.
The disjunction of two (or more) elementary authenticators is an compound authenticator, which is recognized, if at least one elementary authenticator is recognized.

Note 1
If we interpret "is recognized" as "is true" and "is not recognized" as "is false", then continuity with logic is evident.

Note 2
The negation of the authenticator "the fingerprint of the criminal X" is "any fingerprint different from the fingerprint of the criminal X". First authenticator (verifies identity) can have the properties "it is long-life" and "it distinguishes identical twins". Second authenticator (verifies collective identity) can have the property "it is long-life", too. We can not formally elicit from properties of an authenticator properties of its negation.

Note 3
A compound authenticator can be an "elementary" authenticator in most complex compound authenticator and so on. In symbolic notation we can denote a compound authenticator with help parentheses, as in the following example:

magnetic_card OR (warrant AND key AND code)

Obviously, I denote the conjunction by AND, the disjunction by OR. I suppose farther that an expression of a compound authenticator can be converted into an expression in the disjunctive normal form.

Properties of a compound authenticator

If authenticators share the property "it is changeless in a changing environment", then the conjunction and the disjunction of these authenticators have the same property. But it does not hold generally, consider the conjunction of many authenticators having the property "it is easy and fast to use".
But there is an interesting problem: What are the properties of an compound authenticator if one authenticator has the property "it eliminates a concrete threat of false acceptance or false rejection" and second one has not?
False rejection.

If a compound authenticator of valid entity is recognized, then false rejection does not set in. We consider, for instance, the threat of the forgetting of an authenticator at home. The fingerprint eliminates this threat. Yes, only partly if "the forgetting of an authenticator at home" has somewhat a horrible sense. But any chip card has not this property. The conjunction of the fingerprint with the chip card does not eliminate the threat of the forgetting of an authenticator at home. Generally, the following proposition holds:

Proposition 1

The conjunction eliminates the concrete threat R of false rejection if and only if each of its authenticators has the property "it eliminates the threat R".

The user who forget the card can submit his fingerprint as the alternative authenticator. Hence, the following proposition holds:

Proposition 2

Disjunction eliminates the concrete threat R of false rejection if and only if at least one authenticator has property "it eliminates the threat R".

False acceptance.
If a compound authenticator of invalid entity (intruder) is not recognized, then false acceptance does not set in. We consider, for example, the threat of copying or theft of authenticators apart from the process I&A. An action eliminates this threat but parameter does not. Hence, their conjunction has this property. An intruder can easy copy parameter but the conjunction with an unknown action will not recognized. Generally, the following proposition holds:

Proposition 3

The conjunction eliminates the concrete threat A of false acceptance if and only if at least one authenticator has the property "it eliminates the threat A".

In case of the disjunction an intruder submits only the copying parameter and this will recognized. Therefore:

Proposition 4

The disjunction eliminates the concrete threat A of false acceptance if and only if each of its authenticators has the property "it eliminates the threat A".

You can test of the validity of the propositions by the examples of the properties: "it does not changed with a stress", "it is long-life" (the sphere of the elimination of false rejection) or "it is high specific", "it can be easy changed" (the sphere of the elimination of false acceptance).
Complex properties
The property of an authenticator "it can be used by an irresponsible person" has a influence upon false acceptance and false rejection. I.e. we have to consider instead the complex property "it can be used by an irresponsible person" two simple properties "it cannot be forgotten or lost" (the sphere of the elimination of false acceptance) and "it cannot be stolen, duplicated or handed over" (the sphere of the elimination of false rejection).
Conclusion
In literature, e.g. [1], is informally described only the description of the conjunction of authenticators usually named a combination of methods or principles, which is applied to the elimination of the threat of false acceptance. In practice we use the disjunction of authenticators, too. If we use an additional authenticator, then we have to be careful not to lose some from the importance properties of the compound authenticator (see on the propositions 1 and 4). At the same time the propositions confirm that the following rule holds in all cases: A defense against false acceptance can weaken a defense against false rejection and vice versa.
Literature

1. Guide to Understanding I&A. NCSC-TG-017 Library No. 5-235,479. Version 1.