Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 17 Dec 2017 14:21:22 -0500
From: "Denny O'Breham" <obreham@...il.com>
To: passwords@...ts.openwall.com
Subject: Re: Authentication vs identification

«if we roll back a little to:
auth is a mutual activity (all parties are actively involved)
then the principal difference really shines:
i am the only man knowing my password (secret key)
therefore my active participation is REQUIRED for auth.»

Maybe we don't have the same definitions of "mutual activity" and
"active participation", but I can't see how this doesn't apply to
identification.

I will revise my previous definitions of identification and authentication:

Identification:  A user shares a piece of information with a server
that will recognize it.  It MUST be unique to the user.  Others can be
aware of that piece of information, but it is not a requirement (It
can be kept secret by both the user and the server).

Authentication: An identified user shares a piece of information with
a server that will recognize it.  It MUST be known to only the user
and the server.  It SHOULD be very difficult to guess.  It can be
unique, but that is not a requirement.

Note how the server MUST know the secret piece of information too, not
only the user.  The fact that it is usually one-way encrypted has
nothing to do with it.  It just better guarantees the secrecy, but you
can still authenticate with password written in clear in a database.
If someone can guarantee no one will access the database and that
steps have been taken to prevent guessing a password, then it is still
a valid authentication. (Although, I don't think there are any methods
that can do it better than encryption right now.)

If a single piece of information is both unique to the user and kept
secret by both the user and the server, then it can identify and
authenticate in a single action, like in this case you presented:

«some idiots love "password only" auth,
which makes the entire system vulnerable to password guessing,
as the system will match my guessed password against ALL known
passwords, thus doing the bulk of the attack in my stead.»

An authentication process that is vulnerable is still authentication.
It just has a lower level of confidence.  So the fact that passwords
are easy to guess (easy for whom?) is irrelevant for what defines
authentication.

The ID part is easy (linking a unique piece of information to a user).
The problems related to authentication is keeping the information
secret (by both the user and server) and/or making this information
impossible to guess.  Some methods of authentication are just better
than others with that regard and it seems that none are perfect.

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ