Chapter 2 - Identification and Authentication Flashcards
What is identification?
The claim of what someone or something is.
What is authentication?
Establishes whether this claim is true. We can see such processes taking place on a daily basis in a wide variety of ways.
What is identity verification?
A step between identification and authentication, in which the identity is verified in some way. This is a step better than just a claim, but not an authentication. For example, a driver’s license is an identity verification, to help in showing that the name given is true.
What else is identity verification used in, besides in personal interactions?
Computer systems. In many cases, such as when we send an email, the identity we provide is taken to be true, without any additional steps taken to authenticate us.
What are authentication factors?
There are several methods we can use, with each category referred to as a factor. Within each factor, there are a number of possible methods we can use.
What is the benefit of using more factors?
When attempting to authenticate a claim, the more we use, the more positive our results will be.
What are the five factors?
Something you know
Something you are
Something you have
Something you do
Where you are
This factor is very common.
It can include passwords, PINs, passphrases, etc.
Which one is it?
Something you know
This factor includes an item or device, although this factor can extend into some logical concepts as well. We can see such factors in general use in the form of ATM cards, state or federally issued identity cards, or software-based security tokens.
Which is it?
Something you have: A factor generally based on the physical possession of an item or device.
This factor can be based on simple attributes, such as height, weight, hair color, or eye color.
More reliable methods include fingerprints, iris or retina patterns, or facial characteristics.
Something you are: A factor based on the relatively unique physical attributes of an individual.
What are biometrics?
Another name for “something you are”.
What factor is based on physical presence at a location or locations?
Where you are: A geographically based authentication factor. This factor operates differently than the other factors, as its method of authentication depends on the person being authenticated being present at a particular location.
What method is based on actions or behaviours of an individual?
Something you do, sometimes considered a variation of something you are, is a factor based on actions or behaviours.
This includes a person’s gait, measurement of multiple factors in his or her handwriting, the time delay between keystrokes as he or she types a pass phrase, or similar factors.
What is multifactor authentication?
Uses one or more of the factors we discussed in the preceding section. This practice is also referred to in some cases as two-factor authentication.
What is mutual authentication?
Refers to an authentication mechanism in which both parties authenticate each other.
In the standard process, which is a one-way authentication, the client authenticates to the server to prove that it is the party that should be accessing the resources the server provides.
In mutual authentication, not only does the client authenticate to the server, but the server authenticates to the client as well.
Digital certificates are often used to accomplish mutual authentication.
Without mutual authentication, what do we leave ourselves open to?
Impersonation attacks, often referred to as “man-in-the-middle” attacks. In these, the attacker inserts himself between the client and the server and impersonates the server to the client, and the client to the server.
This becomes considerably more difficult when mutual authentication is in place.
Reversing the process of verifying an identity with biometrics, we can do what?
We can use biometrics as a method of identification.
When using biometrics as a method of identification or verification, we need to do what beforehand?
We must put the user through the enrollment process. This involves recording the chosen biometric characteristic from the user, so that it can be later matched in the system.
What are the seven characteristics of biometric factors?
Universality
Uniqueness
Permanence
Collectability
Performance
Acceptability
Circumvention
The biometric factor characteristic “universality” is defined by what?
Universality stipulates that we should be able to find our chosen biometric characteristic in the majority of people we expect to enroll in the system.
For example, use of a fingerprint may be hindered if someone does not have a particular finger anymore.
The biometric factor characteristic “uniqueness” is defined by what?
Uniqueness is a measure of how unique a particular characteristic is among individuals. For example, if we choose to use height or weight as a biometric identifier, we would stand a very good chance of finding several people in any given group who are of the same height or weight.
What is permanence?
Permanence is a characteristic of a biometric factor:
Permanence tests show how well a particular characteristic resists change over time and with advancing age. If we choose a factor that can easily vary, such as height, weight, or hand geometry, we will eventually find ourselves in the position of not being able to authenticate a legitimate user.
What is collectability?
Collectability is a characteristic of a biometric factor:
Collectability measures how easy it is to acquire a characteristic with which we can later authenticate a user. Most commonly used biometrics, such as fingerprints, are relatively easy to acquire, and this is one reason they are in common use. If we choose a characteristic that is more difficult to acquire, such as a footprint, the user will need to remove his shoe and sock in order to enroll.
What is performance?
Performance is a characteristic of a biometric factor:
Performance is a set of metrics that judge how well a given system functions. Such factors include speed, accuracy, and error rate. We will discuss the performance of biometric systems at greater length later in this section.
What is acceptability?
Acceptability is a characteristic of a biometric factor:
A measure of how acceptable the particular characteristic is to the users of the system. In general, systems that are slow, difficult to use, or awkward to use are less likely to be acceptable to the user. Systems that require users to remove their clothes, touch devices that have been repeatedly used by others, or provide tissue or bodily fluids will likely not enjoy a high degree of acceptability.
What is circumvention?
Circumvention is a characteristic of a biometric factor:
Circumvention describes the ease with which a system can be tricked by a falsified biometric identifier. The classic example of a circumvention attack against the fingerprint as a biometric identifier is found in the “gummy finger”. In this type of attack, a fingerprint is lifted from the surface, potentially in a covert fashion, and is used to create a mold with which the attacker can cast a positive image of the fingerprint in gelatin.
What do we use to measure performance of a biometric system?
False acceptance rate FAR
False Rejection Rate FRR
Equal Error Rate EER
What is a False Acceptance Rate?
Occurs when we accept a user whom we should actually have rejected. This type of issue is also referred to as a false positive.
What is a False Rejection Rate?
Is a problem of rejecting a legitimate user when we should have accepted her. This type of issue is commonly known outside the biometrics world as a false negative.
What is an Equal Error Rate?
What we try to achieve with biometric systems is a balance between false positives and false negatives; this is found in the EER, which is the intersection of the FRR and FAR.
What are the issues found in biometric systems?
Biometrics can be easily forged.
Privacy issues
False biometrics left in systems.
What is a hardware token?
A standard hardware token is a small device, typically in the general form factor of a credit card or keychain fob. The simplest hardware tokens look identical to a USB flash drive and contain a small amount of storage holding a certificate or unique identifier, and are often called dongles. More complex hardware tokens incorporate LCD displays, as shown in Figure 2.4, keypads for entering passwords, biometric readers, wireless devices, and additional features to enhance security.
Hardware tokens represent the something you have authentication factor.
If we are using an identity card as the basis for our authentication scheme, what steps might we add to the process in order to allow us to move to multifactor authentication?
Different factors are: (1) something you know, (2) something you are,
(3) something you have, (4) something you do, and (5) the place you are.
So the answers might be:
– identity card (factor-3) and PIN numbers (factor-1)
– identity card (factor-3) and different types of biometrics (factor-2 or factor-4)
– identity card (factor-3) and location information (factor-5)
– or any combination of the above.
If we are using an 8-character password that contains only lowercase characters, would increasing the length to 10 characters represent any significant increase in strength?
For this question, it should be discussed that the strength of the password increases as one increases the number of characters. However, this is not a significant increase because it is just one dimension, i.e. we only play with the number of characters. To make it significantly stronger, we need to bring in other dimensions such as the case used (lower case vs. upper case), the use of not only letters but numbers and/or symbols, etc.
What factors might we use when implementing a multifactor authentication scheme for users who are logging on to workstations that are in a secure environment and are used by more than one person?
For this question, look for some creativity in terms of the 5 factors used. Again, the factors are: (1) something you know, (2) something you are, (3) something you have, (4) something you do, and (5) the place you are.
If we are developing a multifactor authentication system for an environment where we might find larger-than-average numbers of disabled or injured users, such as a hospital, which authentication factors might we want to use or avoid? Why?
For this question, again look for some creativity in terms of the 5 factors used. There should be a good discussion of what to avoid in terms of factors. Of course, this should depend on the unique solution presented.