16 The Basics of Information Security

Bibliography

[1] U.S. Government, Legal Information Institute, Title 44, Chapter 35, Subchapter III, §3542, Cornell University Law School. www.law.cornell.edu/uscode/44/3542.html (accessed: November 22, 2010).
[2] E. Spafford, Quotable spaf, Gene Spafford's personal pages. http://spaf.cerias.purdue.edu/quotes.html, 2009 (accessed: November 26, 2010).
[3] D. Parker, Fighting Computer Crime, Wiley, 1998. ISBN: 0471163783.
[4] D. Chmielewski, Secrecy cloaked "Dark Knight," Los Angeles Times. http://articles.latimes.com/2008/jul/28/business/fi-darkknight28, July 28, 2008 (accessed: November 28, 2010).
CHAPTER 2
Identification and Authentication

Information in This Chapter:
• Identification
• Authentication

Introduction

When we are developing security measures, whether on the scale of a specific mechanism or an entire infrastructure, identification and authentication are likely to be key concepts. In short, identification is the claim of what someone or something is, and authentication establishes whether this claim is true. We can see such processes taking place on a daily basis in a wide variety of ways.

One very common example of an identification and authentication transaction can be found in the use of payment cards that require a personal identification number (PIN). When we swipe the magnetic strip on the card, we are asserting that we are the person indicated on the card. At this point, we have given our identification but nothing more. When we are prompted to enter the PIN associated with the card, we are completing the authentication portion of the transaction, hopefully meeting with success.

Some of the identification and authentication methods that we use in daily life are particularly fragile and depend largely on the honesty and diligence of those involved in the transaction. Many such exchanges that involve the showing of identification cards, such as the purchase of items restricted to those above a certain age, are based on the theory that the identification card being displayed is genuine and accurate. We also depend on the person or system performing the authentication being competent and capable of not only performing the act of authentication but also being able to detect false or fraudulent activity.
We can use a number of methods for identification and authentication, from the simple use of usernames and passwords, to purpose-built hardware tokens that serve to establish our identity in multiple ways. We will discuss several of these methods and how they are used throughout the chapter.

Identification

Identification, as we mentioned in the preceding section, is simply an assertion of who we are. This may include who we claim to be as a person, who a system claims to be over the network, who the originating party of an e-mail claims to be, or similar transactions. It is important to note that the process of identification does not extend beyond this claim and does not involve any sort of verification or validation of the identity that we claim. That part of the process is referred to as authentication and is a separate transaction.

Who We Claim to Be

Who we claim to be is a tenuous concept, at best. We can identify ourselves by our full names, shortened versions of our names, nicknames, account numbers, usernames, ID cards, fingerprints, DNA samples, and an enormous variety of other methods. Unfortunately, with a few exceptions, such methods of identification are not unique, and even some of the supposedly unique methods of identification, such as the fingerprint, can be duplicated in many cases.

Who we claim to be can, in many cases, be an item of information that is subject to change. For instance, our names can change, as in the case of women who change their last name upon getting married, people who legally change their name to an entirely different name, or even people who simply elect to use a different name. In addition, we can generally change logical forms of identification very easily, as in the case of account numbers, usernames, and the like. Even physical identifiers, such as height, weight, skin color, and eye color, can be changed.

One of the most crucial factors to realize when we are working with identification is that an unsubstantiated claim of identity is not reliable information on its own.

Identity Verification

Identity verification is a step beyond identification, but it is still a step short of authentication, which we will discuss in the next section. When we are asked to show a driver's license, Social Security card, birth certificate, or other similar form of identification, this is generally for the purpose of identity verification, not authentication. This is the rough equivalent of someone claiming the identity "John Smith," us asking if the person is indeed John Smith, and being satisfied with an answer of "Sure I am" from the person (plus a little paperwork). As an identity verification, this is very shaky, at best.

We can take the example a bit further and validate the form of identification—say, a passport—against a database holding an additional copy of the information that it contains, and matching the photograph and physical specifications
with the person standing in front of us. This may get us a bit closer, but we are still not at the level of surety we gain from authentication.

Identity verification is used not only in our personal interactions but also in computer systems. In many cases, such as when we send an e-mail, the identity we provide is taken to be true, without any additional steps taken to authenticate us. Such gaps in security contribute to the enormous amount of spam traffic that we see, which is estimated to have accounted for 89.3 percent of all e-mails sent from June to November 2010 [1].

Falsifying Identification

As we have discussed, methods of identification are subject to change. As such, they are also subject to falsification. We have all heard of the commonly used fraudulent driver's license, often used by minors to buy items for which they are too young to purchase, or to get into bars or nightclubs when they are not of age to do so. On a slightly more sinister note, such falsified means of identification are also used by criminals and terrorists for a variety of tasks of a nefarious nature. Certain primary means of identification, such as birth certificates, also provide a way to gain additional forms of identification, such as Social Security cards or driver's licenses, thus strengthening the false identity.

Identity theft, based on falsified information, is a major concern today, costing consumers and businesses an estimated $54 billion in 2009 [2]. This type of attack is unfortunately common and easy to execute. Given a minimal amount of information—usually a name, address, and Social Security number are sufficient—it is possible to impersonate someone to a sufficient degree to be able to act as that person in many cases. Victims of identity theft may find that lines of credit, credit cards, vehicle loans, home mortgages, and other transactions have taken place using their stolen identity.

Such crimes occur due to the lack of authentication requirements for many of the activities in which we engage. In most cases, the only check that takes place is identity verification, as we discussed in the preceding section. This process is a small obstacle, at best, and can easily be circumvented using falsified forms of identification. To rectify this situation, we need to complete the process of identifying and authenticating the people involved in these transactions, in order to at least more conclusively prove that we are actually interacting with the people we believe we are. In the case of individuals, this is not an unsolvable technical problem by any extent, but it is more of a people problem.

When we look at similar issues for computer systems and environments, we can see many of the same difficulties. It is entirely possible to send an e-mail from an address that is different from the actual sending address, and this tactic is used by spammers on a regular basis. We can see the same problems in many other systems and protocols that are in daily use and are part of the functionality of the Internet. We will discuss such issues at greater length in Chapter 8.
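The e-mail case above is easy to see in practice: the From: header is nothing more than an identification claim typed in by whoever sent the message, and the SMTP envelope sender (preserved as Return-Path by the receiving server) can say something entirely different. The following Python is an added example, not code from the book; the two messages are constructed, and the "organisational domain" rule (last two labels of the host name) is a deliberate simplification of the public-suffix logic that DMARC alignment really uses.

```python
"""Added example: the From: header of an e-mail is an identification claim,
not an authenticated identity.  The sample messages below are constructed
for illustration and the org_domain() rule is an assumed simplification."""
import email
from email.utils import parseaddr

# Constructed sample: the header From: claims a bank, the envelope says a bulk mailer.
SPOOFED = """Return-Path: <bulk-7731@mailer.example.net>
From: "Accounts Payable" <ap@bank.example.com>
To: victim@example.org
Subject: Invoice overdue

Please wire payment today.
"""

# Constructed sample where the claimed and envelope identities agree.
ALIGNED = """Return-Path: <ap@bank.example.com>
From: "Accounts Payable" <ap@bank.example.com>
To: victim@example.org
Subject: Invoice

Attached.
"""


def org_domain(addr: str) -> str:
    """Assumed simplification: treat the last two labels as the registrable
    domain.  Real DMARC checks consult the public suffix list instead."""
    domain = addr.rpartition("@")[2].lower().strip("<>")
    return ".".join(domain.split(".")[-2:])


def claimed_vs_envelope(raw: str) -> dict:
    """Compare the identity the message *claims* (From:) with the envelope
    sender the receiving MTA recorded (Return-Path:).  A mismatch means the
    From: claim is not even consistent with how the mail was delivered; a
    match is necessary but still not proof of who sent it."""
    msg = email.message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    return {
        "claimed": header_from,
        "envelope": envelope,
        "aligned": bool(header_from) and org_domain(header_from) == org_domain(envelope),
    }


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("aligned", ALIGNED)):
        print(label, claimed_vs_envelope(sample))
```

The check only exposes a claim that contradicts the delivery path; a spammer who controls both the envelope and the header domain will pass it. Turning the From: claim into something authenticated is the job of SPF, DKIM and DMARC evaluated by the receiving server, which this example does not perform.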
Authentication

Authentication is, in an information security sense, the set of methods we use to establish a claim of identity as being true. It is important to note that authentication only establishes whether the claim of identity that has been made is correct. Authentication does not infer or imply anything about what the party being authenticated is allowed to do; this is a separate task known as authorization. We will discuss authorization at greater length in Chapter 3, but the important thing to understand for now is that authentication needs to take place first.

Factors

In terms of authentication, there are several methods we can use, with each category referred to as a factor. Within each factor, there are a number of possible methods we can use. When we are attempting to authenticate a claim of identity, the more factors we use, the more positive our results will be. The factors are something you know, something you are, something you have, something you do, and where you are.

Something you know is a very common authentication factor. This can include passwords, PINs, passphrases, or most any item of information that a person can remember. We can see a very common implementation of this in the passwords we use to log in to our accounts on computers. This is somewhat of a weak factor because if the information the factor depends on is exposed, this can nullify the uniqueness of our authentication method.

Something you are is a factor based on the relatively unique physical attributes of an individual, often referred to as biometrics. This factor can be based on simple attributes, such as height, weight, hair color, or eye color, but these do not tend to be unique enough to make very secure identifiers. More commonly used are more complex identifiers such as fingerprints, iris or retina patterns, or facial characteristics. This factor is a bit stronger, as forging or stealing a copy of a physical identifier is a somewhat more difficult, although not impossible, task. There is some question as to whether biometrics truly is an authentication factor, or whether it really only constitutes verification. We will discuss this again later in the chapter when we cover biometrics in greater depth.

Something you have is a factor generally based on the physical possession of an item or a device, although this factor can extend into some logical concepts as well. We can see such factors in general use in the form of ATM cards, state or federally issued identity cards, or software-based security tokens, as shown in Figure 2.1. Some institutions, such as banks, have begun to use access to logical devices such as cell phones or e-mail accounts as methods of authentication as well. This factor can vary in strength depending on the implementation. In the case of a security token, we would actually need to steal a specific device in order to falsify the authentication method. In the case of access to an e-mail address being used as this type of factor, we have a measure of considerably less strength.