Schneier on Security
A blog covering security and security technology.
« The Presidential Limousine |
| New Police Computer System Impeding Arrests »
January 22, 2009
Identity, Authentication, and Authorization
Good essay on why they must remain distinct. I spent a chapter on this in Beyond Fear.
Posted on January 22, 2009 at 6:54 AM
• 30 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
It's a shame that Microsoft doesn't follow its own advise.
Interesting reading. I do take issue with the following statement on authentication:
"Your possession of this secret is what proves that you are who you claim to be."
This isn't necessarily true. Your possession of the secret should, in theory, prove only that you're the same person to whom the secret was issued. This identity may or may not bear any resemblance to your actual identity.
I could happily sign up for a service as Bruce Schneier, and in many cases they wouldn't verify that it wasn't my actual identity.
This article makes a few faulty assumptions about biometrics. First of all, according to his definition, biometrics are not identifiers because they are not unique. If I try to add a duplicate jsmith to a system, I will get an error. However, two biometric representations may indeed be the same on the system. Otherwise, False Acceptance Rate would have no meaning.
Secondly, saying biometrics cannot be secret takes a narrow view of the problem. When people say this, they use examples of common biometric systems that exist today. This is inductive reasoning. If you make a statement that biometrics are not secret, they should prove it using something other than examples from 3 different body parts. The human body is immensely complex, and it is perfectly reasonable to assume parts of the information it contains are secret.
I mostly agree with the author. Systems where user accountability is required need proof of identity, which can be checked before providing the credentials for the system, while others some need only proof of personality (What you know: Passwords, What you have: Tokens, What you are: Eyes, Fingerprints, What you like, What you can do, What you think, Where you live, How old are you, etc). The most common example is: "Are you over 18?. A good test, used during WWII to test if someone is a native (or a spy) is to get him to do some math...it is impossible to do it fluently in any language but your own. They were testing "What you can do". Check this for more:
@Philip: "The human body is immensely complex, and it is perfectly reasonable to assume parts of the information it contains are secret."
It is also reasonable to assume that those secret parts of information are hard to measure and therefore unsuitable for biometrics.
Wow, bags of Obama's blood in case he needs a transfusion! I wonder how often he has to replace it--blood doesn't last that long, does it?--and what happens to the old stuff.
Oops, I meant to post that comment to the blog entry about Obama's car. Sorry!
@Philip: secret biometrics
Given that there is (as far as I know) no secure communications subsystem in the human body, every time you use this secret biometric, it will be measured across a non-encrypted channel.
If it can be measured, then the device doing the measuring must be trusted by the rest of the system to be reading you. Note - I'm not saying here that it must be trustworthy -- I'm saying you have to trust the device whether it is trustworthy or not!
You, in turn, are trusting that device/system not to capture and make your biometric available for replay.
"The map is not the territory" applies to every biometric I've ever seen.
@Philip: One problem with biometrics is that they need to be converted to a digital form, transmitted, and verified.
There a whole lot of things about me that can't be easily measured, a whole lot that vary significantly, and a whole lot that aren't really unique. The commonly used biometrics are likely the only really practical ones.
Then the information has to be transmitted, and once transmitted it isn't completely secure. What I can send once, a bad guy might be able to send again using a replay attack, either by interception or from one end or the other later.
Finally, it has to be verified. If I sent you a complete description of my body, you almost certainly couldn't figure out who I am. Anybody who wants to identify me, or verify my identity, by means of fingerprints has to get my fingerprints in a reliable manner, and store them. There's plenty of opportunity for problems here. Perhaps another party can copy my prints, or substitute his or her own.
There are also what might be called side-channel attacks. You won't get me to tell you my password at a party, but you might get my fingerprints off a glass. Unless I take care to cover my fingertips whenever in public, I can't consider my fingerprints absolutely secret.
Anything I have to transmit, which has to be stored out of my control, and which I can't even leave at home in social situations, cannot possibly be reliably secret.
How do you revoke a finger?
You revoke index finger and invoke ring finger. Of course there's a limit.
I don't buy the bypass-authentication-in-a-hospital idea. Nurses and doctors have to wash/sanitize their hands and change their gloves over and over every day. It's a pain, but it's required to avoid cross-contamination everywhere - between patients, handshakes, doorknobs, pens, everything.
The notion of avoiding the keyboard at login time doesn't even make sense - what are they doing in front of the computer? Entering data. They have to touch a mouse or keyboard anyway.
This essay is bad (only the second time I have seriously disagreed with Bruce Schneier).
1) There is no reason getting "access to a system" should always involve identity, it's just convenient and traditional. Think of numbered bank accounts, vending machines and movie theatres. Heck, think of cash. Think of shibboleth. Think of "you must be at least this tall". The author describes an identity-authentication-authorization cycle but leaves out the step where the system assigns authority to an identity. As Vicente Aceituno points out, accountability usually requires identity, but otherwise there's no reason but convenience to have it in there at all. (And in some cases identity greatly weakens security, but that's another essay.)
2) If we drop identity we must rethink authentication (see examples above). But even if we keep identity, authentication does not have to involve a secret, that's just a traditional method, and a good one if done right. If done wrong (e.g. transmitting passwords in the clear) it's worthless. Likewise, biometrics (which are not secret) are just fine if done right; if done wrong (e.g. trusting a fingerprint scanner without human oversight) they're worthless.
3) Password collisions. *SIGH* If you use a password (or any secret) it behooves you to be a little smart about it. If you use a system that uses a password but no public ID, choose a good password, or accept some salt from the server. The lesson isn't "YOU MUST HAVE A PUBLIC ID", it's "YOU CAN BE ANONYMOUS OR LAZY, BUT NOT BOTH".
Just to play devil's advocate:
1. Biometrics are unique for all practical purposes, therefore they do not face the problem as in the case of using password for identification and authentication purposes.
2. As for revocation of biometrics, multi-factor biometric authentication can be used to solve the problem. The idea is to have at least on biometric that is difficult to obtain. If one is compromised, it will not open up the system
3. And if someone if willing to resort to extreme violence to get your biometric, then all bets are off. Someone who can cut your finger can as well obtain the password associated with the biometric by threatening to cut of the whole arm!
@Beta: "1) There is no reason getting "access to a system" should always involve identity"
You're right - but that's not a fair criticism of this essay. The concern expressed is for overmixing of identity and authentication. The article doesn't really address systems that can authorize without identity at all.
The simplest example I can think of is a vending machine - it regularly authorizes dispensing of a product without any identity (or authentication) check at all.
> 1. Biometrics are unique
You didn't understand the article. An email address is also unique. Both work great for claimed Identity, both are lousy for Authentication.
>3. And if someone if willing to resort to extreme violence
That was an extreme and impractical example. The same attack could be done more practically by lifting the person's fingerprint from a wineglass or doorknob.
So just because a camera reads a pattern of pixels similar to what it saw when it first scanned your retina doesn't prove it's the actual you trying to enter the lab. It just means something that could be you is trying to enter the lab.
> Someone who can cut your finger can as well obtain the password
That doesn't prove biometrics should serve as Authentication.
@Chris S: You're right [about identity] but that's not a fair criticism of this essay. The concern expressed is for overmixing of identity and authentication. The article doesn't really address systems that can authorize without identity at all.
My criticism is fair because the author doesn't start with "in systems that need identity", he starts with: "[You want] to access a system... you need to make a declaration of who you are.... A notable characteristic of identity is that it is public, and it has to be this way: identity is your claim about yourself, and you make that claim using something that's publicly available."
In other words, it's not just that he doesn't address systems that don't use identity, he assumes and implies from the start that no such systems can exist (and justifies that later with a weak argument about password collision). I agree with his argument that people confuse identity with authentication, but in fighting this misconception he introduces others.
"3) Password collisions. *SIGH* If you use a password (or any secret) it behooves you to be a little smart about it. If you use a system that uses a password but no public ID, choose a good password, or accept some salt from the server. The lesson isn't "YOU MUST HAVE A PUBLIC ID", it's "YOU CAN BE ANONYMOUS OR LAZY, BUT NOT BOTH"."
Strength or length of password doesn't matter; there is a probability that two entities could arrive at the same password in any scenario, and any such event is always going to result in weakened security. For some systems, you could declare a suitably large minimum length for passwords and accept the very minor risk, but not for all. Not for most.
Even then, the design helps brute-force attacks by eliminating the need to check each identity individually.
Hm. I suppose it could be used to make a specific account harder to breach via brute-force, though.
"A good test, used during WWII to test if someone is a native (or a spy) is to get him to do some math...it is impossible to do it fluently in any language but your own. "
I'll bet you I can do math in English a lot better than a good number of native English speakers. A lot of people aren't very good at it; regardless of the language it's in.
Bio-metrics have some significant problems that are obvious with a little thought but are not talked about.
First off they usually need direct physical contact with the human. This means they cannot be used in a whole host of environments where the likes of a keypad or token will work quite effectivly. So they are far from universal in use.
Secondly they usually do not use raw but processed information for comparison purposes. The algorthms used are usuall a form of hash that reduces the total information available down to a finite set for storage in a database.
This has implications not just for uniquness of the hash but quite a few other things such as distribution across the set. Often the algorthms are overly sensitive and quite small changes in the assumptions used radicly changes the outputs.
Thirdly there is little or no practical testing with regards the potential data set. That is the number of human test subjects is so small compared to the population it is not currently possible to make statisticaly sound inferences about the reliability of bio-metric systems.
There are other issues on top of these but with the issues above would you seriously look at bio-metrics as a practical universal identifier?
Separating these three functions is the same problem that accountants call "internal control" -- and are supposed to verify when auditing a public company's books.
Perhaps the purview of the accounting profession should be expanded beyond financial matters.
There's a related (somehow) essay/commentary by Scott Wright:
"How should authorities prove they’re legitimate when THEY call YOU?"
FTR: To answer Scott's question: you look up the phone number in a hard-to-produce generally available source: the phone book and call THAT number, rather than whatever number is left on the phone...
@Zith: "Strength or length of password doesn't matter; there is a probability that two entities could arrive at the same password in any scenario, and any such event is always going to result in weakened security."
Have you done the numbers?
"Even [with strong passwords], the [non-identity] design helps brute-force attacks by eliminating the need to check each identity individually."
You haven't done the numbers. Putting a padlock on a door makes it a little more secure, but if the door is a vault door, a meter thick with a dozen steel throw-bolts as thick as your leg, you can dispense with the padlock. Arguing that removing the padlock helps burglars by eliminating their need for a hacksaw isn't very insightful.
This article mistakenly assumes that personal identification and authentication are fundamental to accessing goods and services.
We advanced beyond that stage in pre-history, with the invention of money.
Could this be a case where orangutans are ahead of security researchers?
Re: Doing math in a different language
Back when I was taking German classes in high school, one of the things we did in class a few times was play 'fizz-buzz'. The idea is that the teacher would point to each student in turn, getting them to count upward, reciting the number one higher than the previous student's number. Two exceptions: if the number contained a '5' or was a multiple of 5, you would say 'fizz' instead of the number. Also, if the number contained a '7' or was a multiple of 7, you would say 'buzz'. This got repeated, so 35, 57, 70, and 75 were 'fizz-buzz', 25 and 55 were 'fizz-fizz', etc. (und so weiter.)
The game isn't always easy in your native language once you get up into the 50s and 70s, much less a foreign one. Made for good training in trying to think in a foreign language, though.
@Beta: "There is no reason getting "access to a system" should always involve identity."
Unfortunately, you're confusing the term 'identity.' An identity doesn't have to be something that can be issued with a passport; it can be something as simple as a PIN, non-de-plume etc.
The whole process of Identity:Authentication relies on the user of the identity confirming their ability or permission to assert that identity. Nothing more, nothing less.
The 'strength' and 'value' of the transaction will therefore impose limits on how well-defined the identity should be.
Hi, this post is really interesting which provides good insight about Identity Authentication. Highly recommended for all!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.