General Categories of Identification Information

One of the prerequisites for achieving entity authentication is that there are some means of providing information about the identity of a claimant (the entity we are attempting to identify). There are several different general techniques for doing this:

• Providing identity information isn’t normally enough to achieve entity authentication. Entity authentication also requires a notion of freshness.

• Different techniques that provide identity information can be, and often are, combined in simple security systems.

• Cryptography has a dual role in helping provide entity authentication:

  1. Some of these approaches involve identity information that may have little to do with cryptography (such as possession of a token or a password). Cryptography can still be used to support these approaches. For example, as we discussed earlier, cryptography can play a role in the secure storage of passwords.

  2. Almost all of these approaches require a cryptographic protocol as part of their implementation.

We now review the main categories of identity information used when providing entity authentication.

Something the claimant has

For human users, identity information can be based on something physically held by the user. This is a familiar technique for providing access control in the physical world, where the most common identity information of this type is a physical key. This technique can also provide identifying information in the electronic world. Examples of mechanisms of this type include:

• Dumb tokens: By ‘dumb’ we mean a physical device with limited memory that can be used to store identity information. Dumb tokens normally require a reader which extracts the identity information from the token and then indicates whether the information authenticates the claimant or not.

  One example of a dumb token is a plastic card with a magnetic stripe. The card’s security is based entirely on the difficulty of extracting identity information from the magnetic stripe. It’s quite easy for anyone determined enough to build or purchase a reader that can extract or copy this information, which is why this type of dumb token is quite insecure.

  In order to enhance security, it is common to combine the use of a dumb token with another method of providing identification, such as one based on something the user knows. For example, in the banking community, plastic cards with magnetic stripes are usually combined with a PIN, a piece of identity information required for entity authentication but not stored on the magnetic stripe.

• Smart cards: A smart card is a plastic card containing a chip, which gives the card a limited amount of memory and processing power. The advantage of this over a dumb token is that the smart card can store secret data more securely and conduct cryptographic computations. However, like dumb tokens, the interface with a smart card is normally through an external reader.

  Smart cards are widely supported by the banking industry, and most payment cards now include a chip as well as the conventional magnetic stripe. Smart cards are also widely used for other applications such as electronic ticketing, access control, identity cards, etc.

• Smart tokens: Smart cards are special examples of a wider range of technologies we’ll refer to as smart tokens. Some smart tokens have a user interface. This can be used, for example, to enter data such as a challenge number for which the smart token can calculate a cryptographic response.

  All types of smart tokens (including smart cards) require an interface to a computer system of some sort. This interface could be a human being or a processor connected to a reader. As with dumb tokens, smart tokens are often implemented alongside another identification method, typically based on something the user knows.

Something the claimant is

One of the highest-profile and most controversial methods of providing identity information is to base it on the physical characteristics of the claimant, which in this case is normally a human user. The field of biometrics is devoted to developing techniques for user identification based on the physical characteristics of the human body.

A biometric mechanism typically converts a physical characteristic into a digital code stored in a database. When the user is physically presented for identification, the physical characteristic is measured by a reader, digitally encoded, and then compared with the template code on the database. Biometric measurements are often classified as either of the following:

• Static because they measure stable features such as fingerprints, hand geometry, face structure, and retina and iris patterns.

• Dynamic because they measure features that (slightly) change each time they are measured, such as the voice, handwriting, and keyboard response times.

Identification-based biometrics is a compelling approach for human users because biometric characteristics appear to be fairly effective at separating individuals. However, there are many technical, practical, and sociological implementation issues, which is why biometric techniques need to be adopted with care.

We won’t discuss biometrics further here since they are of peripheral relevance to cryptography. We recognize biometrics primarily as a potentially useful source of identity information.

Something the claimant knows

Basing identity information, at least partially, on something known by the claimant is a very familiar technique. Common examples of this type of identity information include PINs, passwords, and passphrases. This is the technique most immediately relevant to cryptography since identity information of this type, as soon as it is stored anywhere on a device, shares many of the security issues of a cryptographic key.

Indeed, in many applications, identity information of this type often is a cryptographic key. However, strong cryptographic keys are usually far too long for a human user to remember and hence ‘know.’ There’s some good news and some potentially bad news concerning the use of cryptographic keys as identity information:

1. Most information systems consist of networks of devices and computers. These machines are much better at ‘remembering’ cryptographic keys than humans! So if the claimant is a machine, then it’s possible a cryptographic key can be something ‘known.’

2. When humans are required to ‘know’ a cryptographic key, they normally activate the key by presenting information that’s easier to remember such as a PIN, password, or passphrase. Of course, this reduces the effective security of this cryptographic key from that of the key itself to that of the shorter information used to activate it.