Date: Sun, 17 Dec 2017 14:21:22 -0500
From: "Denny O'Breham" <obreham@...il.com>
To: passwords@...ts.openwall.com
Subject: Re: Authentication vs identification

«if we roll back a little to: auth is a mutual activity (all parties are actively involved) then the principal difference really shines: i am the only man knowing my password (secret key) therefore my active participation is REQUIRED for auth.»

Maybe we don't have the same definitions of "mutual activity" and "active participation", but I can't see how this doesn't apply to identification.

I will revise my previous definitions of identification and authentication:

Identification: A user shares a piece of information with a server that will recognize it. It MUST be unique to the user. Others can be aware of that piece of information, but it is not a requirement (it can be kept secret by both the user and the server).

Authentication: An identified user shares a piece of information with a server that will recognize it. It MUST be known to only the user and the server. It SHOULD be very difficult to guess. It can be unique, but that is not a requirement.

Note how the server MUST know the secret piece of information too, not only the user. The fact that it is usually one-way encrypted has nothing to do with it. It just better guarantees the secrecy, but you can still authenticate with a password written in clear in a database. If someone can guarantee no one will access the database and that steps have been taken to prevent guessing a password, then it is still a valid authentication. (Although, I don't think there are any methods that can do it better than encryption right now.)
If a single piece of information is both unique to the user and kept secret by both the user and the server, then it can identify and authenticate in a single action, like in this case you presented:

«some idiots love "password only" auth, which makes the entire system vulnerable to password guessing, as the system will match my guessed password against ALL known passwords, thus doing the bulk of the attack in my stead.»

An authentication process that is vulnerable is still authentication. It just has a lower level of confidence. So the fact that passwords are easy to guess (easy for whom?) is irrelevant for what defines authentication. The ID part is easy (linking a unique piece of information to a user). The problems related to authentication are keeping the information secret (by both the user and server) and/or making this information impossible to guess. Some methods of authentication are just better than others in that regard, and it seems that none are perfect.
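An added illustration of the "password only" point quoted above (example code, not part of this message or of the list's own material): two toy servers over a constructed credential store, one that identifies the user first and then checks one secret, and one that accepts a bare password and therefore has to test a single guess against every stored secret. User names, passwords and the guess list are constructed for the demo.

```python
# Toy comparison of identify-then-authenticate vs "password only" auth.
# Constructed sample data; PBKDF2 iteration count kept low so it runs fast.
import hashlib
import hmac
import os

ITERATIONS = 1000  # deliberately low for the demo, not a production setting


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db(credentials: dict) -> dict:
    """Constructed store: username -> (per-user salt, pbkdf2 hash)."""
    db = {}
    for user, pw in credentials.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash(pw, salt))
    return db


def auth_identified(db: dict, user: str, guess: str) -> bool:
    """Identification (username) first, then exactly one secret comparison."""
    rec = db.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(guess, salt), stored)


def auth_password_only(db: dict, guess: str):
    """No identifier: the server must try the guess against every record,
    so one guess is effectively tested against ALL accounts at once."""
    for user, (salt, stored) in db.items():
        if hmac.compare_digest(_hash(guess, salt), stored):
            return user
    return None


def guesses_until_hit(db: dict, guesses: list, user: str = None):
    """Attempts an online guesser needs before the server lets it in.
    With a user given, each attempt covers one account; without, all of them."""
    for n, g in enumerate(guesses, 1):
        if user is not None:
            hit = auth_identified(db, user, g)
        else:
            hit = auth_password_only(db, g) is not None
        if hit:
            return n
    return None


# Constructed accounts and a constructed guess list (all hypothetical).
SAMPLE_DB = make_db({"alice": "correct horse", "bob": "hunter2", "carol": "letmein"})
SAMPLE_GUESSES = ["123456", "letmein", "hunter2", "correct horse"]
```

Running the same guess list through both servers shows the difference the quoted remark is about: the password-only server admits the guesser on the second attempt (whichever account happened to use that password), while the identified server for alice only succeeds on the fourth.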