Date: Fri, 10 Jun 2016 13:17:14 +0200 From: "e@...tmx.net" <e@...tmx.net> To: passwords@...ts.openwall.com Subject: Authentication vs Identification Once again I have to return to the topic of strict antagonism between the authentication and the identification, meaning these very processes and the tokens involved as well. Before I indulge into boring you with tedious decomposition of entities you used to perceive as atomic, I present you a synthetic illustration of the difference in question. A bad guy tries to get a false-negative outcome of identification, and a false-positive outcome of authentication. This is not explanatory, yet very indicative, I hope it gives you an idea of the magnitude of the difference, and we are going to dig into this now. (a html formatted version is available ithipster.com/30.html, if you like) Would you use your passport number as a password? Too obvious? Why?! Do you think too many people know your passport number? Then why do you allow them to use your fingerprints as your password? ...Or any other piece of biometric data, or DNA… Your fingerprints are everywhere! in every restaurant you ever visited, in every embassy (which effectively means: in every legal institution on Earth, ALREADY!!!) Your DNA is everywhere… physically. Go pee and enjoy your DNA floating Gulf Stream. Is this a kind of destiny you wish for a password of yours? On the other hand, would you like to be identified with your password?Uncertain? Let's ask it other way around: Can you identify someone with his password? — Look! It's him! He knows his password. — Perhaps, but I can not verify your claim. How can you know that someone knows his password without knowing this password? You can not. In order to verify a password knowledge claim you need to know the password, but in the very moment you learn it you compromise it, so this password can not be used for authentication purposes any longer. A token (such as a password) can not serve both the authentication purpose and the identification purpose simultaneously, either it serves the authentication purpose or the identification purpose. FOOTNOTE: this thought experiment (if taken a little further) reveals that a knowledge claim of any kind can not be used for identification purposes either, but it is an entirely separate and fully independent topic. FOOTNOTE: The authentication can be construed as a special case of identification: a user wants to establish (prove) the association between him and his account within a previously established relationship between him and a service provider — this association itself constitutes an identity relation — if you want to define the «identification» as a procedure of establishing ANY identity relation, then my definition of the «identification» is this one minus the subset of the authentication. With this exclusive definition of identification we proceed, as we are interested in drawing a strict line between the authentication and all the rest identification cases (in other words what makes the authentication special). An identification procedure is founded on the assumption that nobody (besides a legal user) knows/owns the authentication token. An identification procedure is based on the opposite assumption: everybody knows the identification token, so that we can establish a consensus associating a token owner with the token. — Look! It's him! I know his face. — Indeed! I know this face too. The core property of this process is that these people share the information about a 3rd person identification token — precisely this property allows them to identify this 3rd person, and essentially it defines the process itself. The identification (as opposed to the authentication) is all about a consensus, it is not your private matter by any stretch of imagination, whereas the authentication is strictly private. Thus we can ask: if a given token can be used for identification purposes? If yes, then it can not be used for authentication purposes. The opposition between the authentication and the identification can also be formulated from a pragmatic perspective thusly: I am the passive participant of my identification and the active participant of my authentication. In an authentication procedure I act in my own interest, whereas in an identification procedure the interested party is not myself. Well, this statement is not trivial, nevertheless is surprisingly easy to prove: you are NEVER interested in identifying yourself because you are constantly aware of your identity. This «private/public» opposition between the identification and the authentication leads to a practical question: who controls the token used for auth or ID? Why do you think the police loves your fingerprints? Exactly because you do not control their dissemination — your fingerprints betray you in every cafeteria, this is why they are used by investigators ever since the typographic ink is discovered. What do we require from an authentication system? Full and complete control over the authentication token, its dissemination, and its revocation. These are the characteristic properties of the authentication and the identification: full and complete control over the authentication token, controlled and monitored dissemination, easy and unconditional revocation; NO control over the identification token, it should be unalterable, undeniable, unalienable, and visible to EVERYONE, and also reasonably unique. These characteristic properties are completely mutually exclusive (can you imagine something more mutually exclusive than that?!), this is why you must send to hell everyone who dares to propose you any piece of biometric data as your auth token.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.