Sunday, September 03, 2006, 11:35 PM

At the Core of Authentication

Authentication is the process of an entity proving it's identity to a system, typically to get access to certain resources managed by the system.

The industry typically talks about authentication in terms of:
     o  what you know
     o  what you have, and,
     o  who you are
and, occasionally,
     o  how you do something
is also included.

In this article, I want to get to the real core operation of authentication, and make the case, again, for focusing on asymmetric key exchanges for strong authentication. If you look at what constitutes authentication, it is as simple as proof of identity based on information exchange.

.  "What you know" is, of course, information. However, "what you have", "who you are", and "how you do something" is also information in the following senses:

.  "What you have" is information stored in an object (eg. a smart card), as opposed to your brain.

.  "Who you are" is information stored somewhere in/on your body (eg. your thumb, your retina), as opposed to the neurons in your head.

.  "How you do something" is a reflection of learned or innate pattern in your muscular system (e.g. your typing cadence). It is less direct, but authentication in this form is just the computer extrating your body's parameters on the action you are taking.

Conclusion #1: Authentication can be reduced to using "the information you have" to identity yourself to a system.

(BTW, "you" could be an entity other than a human.)

There are two fundamental ways you can use information to uniquely prove an entity's identity to a system:
     o  Shared secrets
     o  Asymmetric key exchange

The bulk of authentication system use shared secrets. From passwords (shared between the system and your brain), to thumbprint readers (the system and your thumb), to most card key systems (the system and the access card). The biggest problem with shared secrets is that the identifying secret needs to be exchanged during the authentication process. This means that it is vulnerable to attacks that can sniff out the shared secrets during the exchange.

The advantage asymmetric key exchange (i.e. PKI) is the only way we know to establish identity of an entity (i.e. that the entity has a certain unique secret, a private key in this case) without the exchange of the secret. The identifying secret never has to be exposed by the entity (see Physicalization).


Conclusion #2: The most secure form of authentication has to utilize asymmetric key exchange.