On the Philosophy of Authentication
By Roy D. Follendore III
Copyright © 2001 RDFollendoreIII
As a Professor I must start by telling you the obvious fact that you might choose to listen to what I have to say or simply choose to avoid what I have to say. If you are my student I might have some degree of control over your learning experience, though what I have to say may be considered useful and/or a barrier to your goals and aspirations of the moment.
I say these things because I want the reader to understand that the rational concept of authentication is inherent to situations other than security. Authentication is not a solution; it is a means to an end that may or may not solve any problem whatsoever. The idea of authentication begins with the concept of identity. Identity is not authentication, but it is the single thread that security has always attempted to unravel in order to acquire authentication. Security typically equates identity with possession and knowledge of an associated ID.
An ID is a physical device that tries to prove what you are, not just who you are, through a testing procedure. It is the essential tenet of good security practice that what you are should determine where you are allowed to go. Who you are is connected to what you are, and therein is the rational means by which security ID devices operate.
Any form of ID requires authentication of the user. Fail to do that and you open up all kinds of problems that can be more difficult to respond to than the fact that the person you are considering is an unknown. The card itself is not authentication. It is the process itself that is authentication. You might be surprised to know that most people who are working in positions of security don't get that basic idea.
The problem with ID is that it short circuits the question, "Who are you?" ID is taken at face value. Years ago, as a security test, a security associate and I once entered a building wearing each other's ID. I am not all that tall or thin. My friend was very tall and thin. He was a very black skinned man and I am a very white skinned man. Our ID was our picture badges. We were both asked to show our IDs as we entered the building and once again as we boarded the elevator in the lobby. The security officer on duty did not notice anything out of order. Our fellow passengers on the elevator did not notice anything out of order. I can only assume that I could have just as well had a picture of anyone on my ID badge and it would not have made a bit of difference. It was the color and shape of the badge, not my picture, that the Security Officers on duty saw. The badge itself became what they thought I was.
You might think that the newer ID cards with the requirement to punch in a password or PIN might help, and they might to some extent. The problem is that such a secret associated with an ID is only useful as long as it is actually kept secret. If the associated password or PIN is not a secret, then the act of authentication is essentially meaningless. In other words, the authentication depends both on the user's integrity and on the situations by which the password or PIN could have been compromised.
Biometric solutions to acquire authentication might work better, except for the fact that they are not completely reliable and they too can be compromised. A facial recognition, fingerprint, or retina scan can be associated with an ID. But in doing so, the authentication certification shifts to the system. Once system security is compromised, there may as well not be any authentication for that individual or anyone that individual might want to let in. Authentication then becomes the essence of the firewall problem. It isn't just that someone is in; it is the problem of who else is in. It is impossible to prove a negative. Once a breach in security occurs, the near impossible situation arises: it becomes impossible to prove that the breach does not still exist. Absolute authentication failure is then identified as not just possible, but probable.
The problem is the philosophy of security authentication itself. Authentication is not a true barrier; it is an inconvenience that forces perpetrators to change their actions and become noticed. Authentication is kind of like using a chain link fence to protect your junkyard. If you jump the fence or cut the wire and get through, you have made some noise but have gotten through. After that, without a junkyard dog, there is no more protection. From the perpetrator's perspective, the fence is only a barrier to easily walking in the front door, not a form of recognition.
That is the way that we all need to think about smart cards. The idea that smart cards are in fact 'smart' starts out with an incorrect assumption. The barrier 'process' of authentication can be made more 'intelligent' as an inconvenience, but not 'smart'. It will never figure out an ever changing and unpredictable system in a Universe of unpredictability.
Copyright (c) 2001-2007 RDFollendoreIII All Rights Reserved