Authentication: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
{{For|other uses of the terms "authentication", "authentic" and "authenticity"|Authenticity (disambiguation)}} |
{{For|other uses of the terms "authentication", "authentic" and "authenticity"|Authenticity (disambiguation)}} |
||
{{clean up}} |
|||
{{how to}} |
|||
{{refimprove}} |
|||
'''Authentication''' (from {{Lang-el|''αυθεντικός'' }}; real or genuine, from ''authentes''; author) is the act of establishing or confirming something (or someone) as ''authentic'', that is, that claims made by or about the subject are true ("authentification" is a French language variant of this word). This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its [[packaging and labeling]] claims to be, or assuring that a computer program is a trusted one. |
'''Authentication''' (from {{Lang-el|''αυθεντικός'' }}; real or genuine, from ''authentes''; author) is the act of establishing or confirming something (or someone) as ''authentic'', that is, that claims made by or about the subject are true ("authentification" is a French language variant of this word). This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its [[packaging and labeling]] claims to be, or assuring that a computer program is a trusted one. |
||
Revision as of 16:54, 18 September 2010
You must add a |reason= parameter to this Cleanup template – replace it with {{Cleanup|reason=<Fill reason here>}}, or remove the Cleanup template.
 | This article contains instructions, advice, or how-to content. |
 | This article needs additional citations for verification. |
Authentication (from [αυθεντικός ] Error: {{Lang-xx}}: text has italic markup (help); real or genuine, from authentes; author) is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true ("authentification" is a French language variant of this word). This might involve confirming the identity of a person, tracing the origins of an artifact, ensuring that a product is what its packaging and labeling claims to be, or assuring that a computer program is a trusted one.
Authentication methods
In art, antiques, and anthropology, a common problem is verifying that a given artifact was produced by a certain famous person, or was produced in a certain place or period of history.
There are two types of techniques for doing this.
The first is comparing the attributes of the object itself to what is known about objects of that origin. For example, an art expert might look for similarities in the style of painting, check the location and form of a signature, or compare the object to an old photograph. An archaeologist might use carbon dating to verify the age of an artifact, do a chemical analysis of the materials used, or compare the style of construction or decoration to other artifacts of similar origin. The physics of sound and light, and comparison with a known physical environment, can be used to examine the authenticity of audio recordings, photographs, or videos.
Attribute comparison may be vulnerable to forgery. In general, it relies on the fact that creating a forgery indistinguishable from a genuine artifact requires expert knowledge, that mistakes are easily made, or that the amount of effort required to do so is considerably greater than the amount of money that can be gained by selling the forgery.
In art and antiques certificates are of great importance, authenticating an object of interest and value. Certificates can, however, also be forged and the authentication of these pose a problem. For instance, the son of Han van Meegeren, the well-known art-forger, forged the work of his father and provided a certificate for its provenance as well; see the article Jacques van Meegeren.
Criminal and civil penalties for fraud, forgery, and counterfeiting can reduce the incentive for falsification, depending on the risk of getting caught.
The second type relies on documentation or other external affirmations. For example, the rules of evidence in criminal courts often require establishing the chain of custody of evidence presented. This can be accomplished through a written evidence log, or by testimony from the police detectives and forensics staff that handled it. Some antiques are accompanied by certificates attesting to their authenticity. External records have their own problems of forgery and perjury, and are also vulnerable to being separated from the artifact and lost.
Currency and other financial instruments commonly use the first type of authentication method. Bills, coins, and cheques incorporate hard-to-duplicate physical features, such as fine printing or engraving, distinctive feel, watermarks, and holographic imagery, which are easy for receivers to verify.
Consumer goods such as pharmaceuticals, perfume, fashion clothing can use either type of authentication method to prevent counterfeit goods from taking advantage of a popular brand's reputation (damaging the brand owner's sales and reputation). A trademark is a legally protected marking or other identifying feature which aids consumers in the identification of genuine brand-name goods.
Product authentication
Counterfeit products are often offered to consumers as being authentic. Counterfeit consumer goods such as electronics, music, apparel, and Counterfeit medications have been sold as being legitimate. Efforts to control the supply chain and educate consumers to evaluate the packaging and labeling help ensure that authentic products are sold and used.
Information content
The authentication of information can pose special problems (especially man-in-the-middle attacks), and is often wrapped up with authenticating identity.
Literary forgery can involve imitating the style of a famous author. If an original manuscript, typewritten text, or recording is available, then the medium itself (or its packaging - anything from a box to e-mail headers) can help prove or disprove the authenticity of the document.
However, text, audio, and video can be copied into new media, possibly leaving only the informational content itself to use in authentication.
Various systems have been invented to allow authors to provide a means for readers to reliably authenticate that a given message originated from or was relayed by them. These involve authentication factors like:
- A difficult-to-reproduce physical artifact, such as a seal, signature, watermark, special stationery, or fingerprint.
- A shared secret, such as a passphrase, in the content of the message.
- An electronic signature; public key infrastructure is often used to cryptographically guarantee that a message has been signed by the holder of a particular private key.
The opposite problem is detection of plagiarism, where information from a different author is passed of as a person's own work. A common technique for proving plagiarism is the discovery of another copy of the same or very similar text, which has different attribution. In some cases excessively high quality or a style mismatch may raise suspicion of plagiarism.
Factual verification
Determining the truth or factual accuracy of information in a message is generally considered a separate problem from authentication. A wide range of techniques, from detective work to fact checking in journalism, to scientific experiment might be employed.
Video authentication
With closed circuit television cameras in place in many public places it has become necessary to conduct video authentication to establish credibility when video CCTV recordings are used to identify crime. CCTV is a visual assessment tool. Visual Assessment means having proper identifiable or descriptive information during or after an incident. These systems should not be used independently from other security measures and their video recordings must be authenticated in order to be proven genuine when identifying an accident or crime. [1]
Authentication factors and identity
The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something you know, something you have, or something you are. Each authentication factor covers a range of elements used to authenticate or verify a person's identity prior to being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.
Security research has determined that for a positive identification, elements from at least two, and preferably all three, factors be verified.[1] The three factors (classes) and some of elements of each factor are:
- the ownership factors: Something the user has (e.g., wrist band, ID card, security token, software token, phone, or cell phone)
- the knowledge factors: Something the user knows (e.g., a password, pass phrase, or personal identification number (PIN), challenge response (the user must answer a question))
- the inherence factors: Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifier).
Two-factor authentication
When elements representing two factors are required for identification, the term two-factor authentication is applied. . e.g. a bankcard (something the user has) and a PIN (something the user knows). Business networks may require users to provide a password (knowledge factor) and a random number from a security token (ownership factor). Access to a very high security system might require a mantrap screening of height, weight, facial, and fingerprint checks (several inherence factor elements) plus a PIN and a day code (knowledge factor elements), but this is still a two-factor authentication.
History and state-of-the-art
Historically, fingerprints have been used as the most authoritative method of authentication, but recent court cases in the US and elsewhere have raised fundamental doubts about fingerprint reliability.[citation needed] Outside of the legal system as well, fingerprints have been shown to be easily spoofable, with British Telecom's top computer-security official noting that "few" fingerprint readers have not already been tricked by one spoof or another.[2] Hybrid or two-tiered authentication methods offer a compelling solution, such as private keys encrypted by fingerprint inside of a USB device.
In a computer data context, cryptographic methods have been developed (see digital signature and challenge-response authentication) which are currently not spoofable if and only if the originator's key has not been compromised. That the originator (or anyone other than an attacker) knows (or doesn't know) about a compromise is irrelevant. It is not known whether these cryptographically based authentication methods are provably secure since unanticipated mathematical developments may make them vulnerable to attack in future. If that were to occur, it may call into question much of the authentication in the past. In particular, a digitally signed contract may be questioned when a new attack on the cryptography underlying the signature is discovered.
Strong authentication
The U.S. Government's National Information Assurance Glossary defines strong authentication as
- layered authentication approach relying on two or more authenticators to establish the identity of an originator or receiver of information.
In litigation electronic authentication of computers, digital audio recordings, video recordings analog and digital must be authenticated before being accepted into evidence as tampering has become a problem. All electronic evidence should be proven genuine before used in any legal proceeding.[2]
Authentication vs. authorization
The process of authorization is sometimes mistakenly thought to be the same as authentication; many widely adopted standard security protocols, obligatory regulations, and even statutes make this error. However, authentication is the process of verifying a claim made by a subject that it should be allowed to act on behalf of a given principal (person, computer, process, etc.). Authorization, on the other hand, involves verifying that an authenticated subject has permission to perform certain operations or access specific resources. Authentication, therefore, must precede authorization.
For example, when you show proper identification credentials to a bank teller, you are asking to be authenticated to act on behalf of the account holder. If your authentication request is approved, you become authorized to access the accounts of that account holder, but no others.
Even though authorization cannot occur without authentication, the former term is sometimes used to mean the combination of both.
To distinguish "authentication" from the closely related "authorization", the short-hand notations A1 (authentication), A2 (authorization) as well as AuthN / AuthZ (AuthR) or Au / Az are used in some communities.
Normally delegation was considered to be a part of authorization domain. Recently authentication is also used for various type of delegation tasks. Delegation in IT network is also a new but evolving field[3].
Access control
One familiar use of authentication and authorization is access control. A computer system that is supposed to be used only by those authorized must attempt to detect and exclude the unauthorized. Access to it is therefore usually controlled by insisting on an authentication procedure to establish with some degree of confidence the identity of the user, thence granting those privileges as may be authorized to that identity. Common examples of access control involving authentication include:
- A captcha is a means of asserting that a user is a human being and not a computer program.
- A computer program using a blind credential to authenticate to another program
- Entering a country with a passport
- Logging in to a computer
- Using a confirmation E-mail to verify ownership of an e-mail address
- Using an Internet banking system
- Withdrawing cash from an ATM
In some cases, ease of access is balanced against the strictness of access checks. For example, the credit card network does not require a personal identification number for authentication of the claimed identity; and a small transaction usually does not even require a signature of the authenticated person for proof of authorization of the transaction. The security of the system is maintained by limiting distribution of credit card numbers, and by the threat of punishment for fraud.
Security experts argue that it is impossible to prove the identity of a computer user with absolute certainty. It is only possible to apply one or more tests which, if passed, have been previously declared to be sufficient to proceed. The problem is to determine which tests are sufficient, and many such are inadequate. Any given test can be spoofed one way or another, with varying degrees of difficulty.
See also
{{Top}} may refer to:
- {{Collapse top}}
- {{Archive top}}
- {{Hidden archive top}}
- {{Afd top}}
- {{Discussion top}}
- {{Tfd top}}
- {{Top icon}}
- {{Top text}}
- {{Cfd top}}
- {{Rfd top}}
- {{Skip to top}}
If an internal transclusion led you here, you may wish to change it to point directly to the intended page.
{{Template disambiguation}} should never be transcluded in the main namespace.
- Classification of Authentication
- Athens access and identity management
- Atomic Authorization
- Authentication OSID
- Authorization
- Basic access authentication
- Biometrics
- CAPTCHA
- Chip Authentication Program
- Closed-loop authentication
- Diameter (protocol)
- Digital Identity
- Encrypted key exchange (EKE)
- EAP
- Fingerprint Verification Competition
- Geo-location
- Global Trust Center
- HMAC
- Identification (information)
- Identity Assurance Framework
- Java Authentication and Authorization Service
- Kerberos
- Multi-factor authentication
- Needham-Schroeder protocol
- OpenID – an authentication method for the web
- Point of Access for Providers of Information - the PAPI protocol
- Public key cryptography
- RADIUS
- Recognition of human individuals
- Secret sharing
- Secure remote password protocol (SRP)
- Secure Shell
- Security printing
- Tamper-evident
- TCP Wrapper
- Time-based authentication
- Two-factor authentication
References
- ^ >Federal Financial Institutions Examination Council (2008). "Authentication in an Internet Banking Environment" (PDF). Retrieved 2009-12-31.
- ^ Register, UK; Dan Goodin; 30/3/08; Get your German Interior Minister's fingerprint, here. Compared to other solutions, "It's basically like leaving the password to your computer everywhere you go, without you being able to control it anymore," one of the hackers comments.
- ^ A mechanism for identity delegation at authentication level, N Ahmed, C Jensen - Identity and Privacy in the Internet Age - Springer 2009