First published: 28th February 2001
By Allan Dyer (based on an article for the IMIS Journal)
Strong authentication is important for securing our networks, but people often make mistakes resulting in inappropriate application of the methods. The mistakes can be characterized as failing to (correctly) answer the questions, "What should we authenticate?" and "What is doing the authentication, and do we trust it?".
Sometimes I have heard (usually from biometric vendors) that biometrics will be the great enabler for e-Commerce. We imagine customers shopping online, and, at the "checkout", they place their finger (or hand, or eyeball) on the reader attached to their PC, authenticating their authority to transfer the funds and complete the purchase. The first question, "What should we authenticate?" is correctly answered. It is the customer who is making the purchase, and e-Commerce is still between people. The second question, "What is doing the authentication, and do we trust it?" is more complex, but an essential component is the reader on the customer's PC. That is responsible for reading the finger and checking it has a pulse (unless you want to do business with corpses). A thief could copy someone's fingerprint data and use a modified reader (which falsely reported a pulse) to introduce the data to the system. Essentially, the fingerprint data is a unique identifier, but it is not useful for authentication until we also have trusted information that the finger is there now, and alive.
Can e-Commerce get around this problem? A tamper-proof fingerprint reader with a secure communications protocol could be built, but then an e-Commerce site will have to provide these for its customers. Inter-operability between sites and vendors will become an issue and this becomes not an enabler, but a recipe for complexity and confusion.
Machine and Software Identifiers
Another case where authentication requirements have been confused is with the Pentium III serial number. It has been suggested that this will be useful for e-Commerce, for example, from Intel's website, "System identification can enable certain benefits, such as authenticating participants in a secure chat room or enhanced security in e-commerce situations" (see http://support.intel.com/support/processors/pentiumiii/psu.htm ).
This fails both of the questions: The processor is identified, but we chat and do e-Commerce with people. Commerce is about people, not processors, making agreements. This will cease to be a problem when we get chips implanted directly into our brains, but until then, processors are used by different people and people use different processors at different times.
For the second question, Intel's Pentium III serial number is not an authentication method it is an identification method. The example of a passport illustrates the difference: I can authenticate my identity using my passport. I present myself at the border with my passport, and the official can verify that the passport is real, and it has my photo in it. No border would accept me without a passport if I said, "My passport number is...". In computing terms, the serial number verification program could be executed in a virtual machine that can be configured to report any desired serial number. Strong authentication must assume a hostile environment. Is the serial number totally useless? No, if you assume a non-hostile environment, it is a useful identifier, for example for asset tracking and management.
An example of software identification is the Microsoft Office GUID. This is also not an authentication mechanism. The GUID identifies the installation of Office the document was originally created on. Also, it does not fulfil another important function required for verifying a document: integrity. It does not guarantee that the document has not been modified since leaving that Office installation (for example, by the addition of a virus).
The last two examples have been used to illustrate how privacy advocates were obstructing strong authentication. I disagree - these identifiers cannot be used for strong authentication, but they can erode privacy and anonymity. In order to achieve anonymity, the communication must have no identification of its source. Therefore, an identifier like the PIII serial number or Office GUID is sufficient to destroy anonymity but they are insufficient for the non-repudiation required of authentication.
The situation was particularly bad for the Pentium III serial number in its' original form, because it could not be disabled. Users, therefore, could not choose whether their processor was identified.
These are both cases where the inclusion of an identifier without the user's consent makes it more difficult for people to choose anonymity. Anonymity does have an important role in a free society - Watergate is just one example where the whistle-blower required anonymity, and just the same newspaper that would refuse to publish an unsigned letter published a properly investigated story that came from an anonymous tip-off.
We need an infrastructure that allows us to choose between authentication and anonymity. The examples of the Pentium III serial number and the Office GUID are not examples of authentication or of governments seeking to suppress authentication. They are certainly not a worrying trend for those who hope to see smartcards employed as a universal authentication feature because smartcards are fundamentally different from these examples.
Smartcards and similar tokens do not have this flaw of enforced identification or authentication. In the best implementations, the private key never leaves the card. The user therefore has a simple, physical method to prevent unwanted authentication: remove the card from the reader, or better, only insert it when authentication is desired. Of course these implementations involve the use of strong public key cryptography, which is the technology the US Government has been trying to restrict.
This does not imply that smartcards and tokens are a perfect solution for authentication. One vulnerability is that, when the user reads the agreement on screen, enters the card password and clicks "sign", they trust the software to present the same agreement to the card as they saw on screen. Nevertheless, smartcards and tokens do solve several problems and I expect them to become more common.
Total online anonymity is like a city of masked people; the opposite extreme is a city of people with their names tattooed on their foreheads. The reality is somewhere in-between, and much more complex: we have no way of identifying the vast majority of people we pass on the street, but in some situations we identify and authenticate ourselves by much stronger methods. We need the same choice in cyberspace.