Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 10 Jun 2016 13:17:14 +0200
From: "e@...tmx.net" <e@...tmx.net>
To: passwords@...ts.openwall.com
Subject: Authentication vs Identification

Once again I have to return to the topic of strict antagonism between 
the authentication and the identification, meaning these very processes 
and the tokens involved as well. Before I indulge into boring you with 
tedious decomposition of entities you used to perceive as atomic, I 
present you a synthetic illustration of the difference in question. A 
bad guy tries to get a false-negative outcome of identification, and a 
false-positive outcome of authentication. This is not explanatory, yet 
very indicative, I hope it gives you an idea of the magnitude of the 
difference, and we are going to dig into this now.

(a html formatted version is available ithipster.com/30.html, if you like)

Would you use your passport number as a password?
Too obvious? Why?!
Do you think too many people know your passport number?
Then why do you allow them to use your fingerprints as your password? 
...Or any other piece of biometric data, or DNA…

Your fingerprints are everywhere! in every restaurant you ever visited,
in every embassy (which effectively means: in every legal institution on 
Earth, ALREADY!!!) Your DNA is everywhere… physically. Go pee and enjoy 
your DNA floating Gulf Stream. Is this a kind of destiny you wish for a 
password of yours?

On the other hand, would you like to be identified with your 
password?Uncertain?
Let's ask it other way around: Can you identify someone with his password?

  — Look! It's him! He knows his password.
— Perhaps, but I can not verify your claim.

How can you know that someone knows his password without knowing this 
password? You can not. In order to verify a password knowledge claim you 
need to know the password, but in the very moment you learn it you 
compromise it, so this password can not be used for authentication 
purposes any longer.

A token (such as a password) can not serve both the authentication 
purpose and the identification purpose simultaneously, either it serves 
the authentication purpose or the identification purpose.

FOOTNOTE: this thought experiment (if taken a little further) reveals 
that a knowledge claim of any kind can not be used for identification 
purposes either, but it is an entirely separate and fully independent topic.

FOOTNOTE: The authentication can be construed as a special case of 
identification: a user wants to establish (prove) the association 
between him and his account within a previously established relationship 
between him and a service provider — this association itself constitutes 
an identity relation — if you want to define the «identification» as a 
procedure of establishing ANY identity relation, then my definition of 
the «identification» is this one minus the subset of the authentication. 
With this exclusive definition of identification we proceed, as we are 
interested in drawing a strict line between the authentication and all 
the rest identification cases (in other words what makes the 
authentication special).

An identification procedure is founded on the assumption that nobody 
(besides a legal user) knows/owns the authentication token. An 
identification procedure is based on the opposite assumption: everybody 
knows the identification token, so that we can establish a consensus 
associating a token owner with the token.

  — Look! It's him! I know his face.
— Indeed! I know this face too.

The core property of this process is that these people share the 
information about a 3rd person identification token — precisely this 
property allows them to identify this 3rd person, and essentially it 
defines the process itself. The identification (as opposed to the 
authentication) is all about a consensus, it is not your private matter 
by any stretch of imagination, whereas the authentication is strictly 
private.

Thus we can ask: if a given token can be used for identification 
purposes? If yes, then it can not be used for authentication purposes.

The opposition between the authentication and the identification can 
also be formulated from a pragmatic perspective thusly: I am the passive 
participant of my identification and the active participant of my 
authentication. In an authentication procedure I act in my own interest, 
whereas in an identification procedure the interested party is not 
myself. Well, this statement is not trivial, nevertheless is 
surprisingly easy to prove: you are NEVER interested in identifying 
yourself because you are constantly aware of your identity.

This «private/public» opposition between the identification and the 
authentication leads to a practical question: who controls the token 
used for auth or ID?

Why do you think the police loves your fingerprints?
Exactly because you do not control their dissemination — your 
fingerprints betray you in every cafeteria, this is why they are used by 
investigators ever since the typographic ink is discovered.

What do we require from an authentication system?
Full and complete control over the authentication token, its 
dissemination, and its revocation.

These are the characteristic properties of the authentication and the 
identification:
full and complete control over the authentication token, controlled and 
monitored dissemination, easy and unconditional revocation;
NO control over the identification token, it should be unalterable, 
undeniable, unalienable, and visible to EVERYONE, and also reasonably 
unique.

These characteristic properties are completely mutually exclusive (can 
you imagine something more mutually exclusive than that?!), this is why 
you must send to hell everyone who dares to propose you any piece of 
biometric data as your auth token.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.