Authentication

Authentication (from Greek αυθεντικός authentikós, "genuine, originator"; stem form connected with Latin facere, "to make") is the proof (verification) of an asserted property of an entity, which may for example be a person, a device, a document or a piece of information; by contributing to that proof, the entity carries out its own part of the process (its authentisation).

In the English-speaking world, no syntactic distinction is made between the actions of the entities involved (both sides "authenticate"). In German-speaking countries this distinction is usually not made either.

Authenticating an entity with respect to its asserted property (authenticity), which may for example be "holds an existing access authorization" or "is genuine", allows the authenticated entity to take further actions. The entity is then considered authentic.

The final confirmation of an authentication is also called authorization when it is restricted to certain permitted modes and/or to a particular context. An authentication remains valid until the context in question is left or changed, or until the relevant mode is left or changed.


The process in context

In an authentication between two entities, one entity authenticates itself (presents proof of its claim), while the other entity authenticates the first (verifies that proof).

Authentication is a verification of the claim of authenticity. Often the authentication of a counterpart serves as its identification, and it is also conceivable in the sense of establishing an identity. Authentication is thus in principle the proof that something is the original; it can relate not only to people but to any tangible or intangible item, for example electronic documents or works of art.

Take the example of a computer program that can grant access to a protected area. The user first asserts an access authorization by entering a user name. In addition, the user authenticates by supplying a password. The program identifies the user from this information and then performs the authentication, i.e. the verification of the claim of authenticity that has been presented. Only if this verification succeeds are the user's defined access rights assigned, as part of the authorization, for the duration of a session. From the program's point of view the identity of the communication partner is thereby established, although that identity may change over time (for example during a MITM attack) or may never have been genuine in the first place (for example after phishing). Whether the authenticated user may actually be granted access is decided by the program as part of the authorization. Only if this too succeeds does the program grant the user access to the protected area.
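
The sequence just described (identification by user name, authentication by password, authorization of the session, and the session ending) as an added example in Python; this code is not from the article. The user records, passwords, salts and the work factor are constructed for the demonstration, and the password store holds only salted PBKDF2 hashes so that a stolen database does not directly yield the knowledge factor.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: fixed work factor chosen for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a salted, deliberately slow hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, roles: set) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt), "roles": roles}


# Constructed user database for the demonstration.
USERS = {
    "alice": make_user("correct horse battery", {"reader", "admin"}),
    "bob": make_user("hunter2", {"reader"}),
}
# Dummy values so that a lookup of an unknown name costs the same as a real one.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = hash_password("", _DUMMY_SALT)
SESSIONS = {}  # session token -> user name, filled by login()


def identify(username: str):
    """Identification: the claim 'I am <username>'. Nothing is verified yet."""
    return USERS.get(username)


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the claim using the knowledge factor (password)."""
    record = identify(username)
    # Same amount of work for unknown names, so response time does not
    # reveal which user names exist.
    salt = record["salt"] if record else _DUMMY_SALT
    expected = record["hash"] if record else _DUMMY_HASH
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return matches and record is not None


def login(username: str, password: str):
    """On successful authentication, bind the identity to a session token."""
    if not authenticate(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def authorize(token: str, required_role: str) -> bool:
    """Authorization: a separate decision, taken only for an authenticated session."""
    username = SESSIONS.get(token)
    if username is None:
        return False  # no session: the caller is not even authenticated
    return required_role in USERS[username]["roles"]


def logout(token: str) -> None:
    """Ending the session ends the validity of the authentication."""
    SESSIONS.pop(token, None)
```

Note that `authenticate()` answers only "is the claim genuine?"; whether the authenticated user may do something is left to `authorize()`, which is the distinction the paragraph above draws.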

Methods

A user can achieve authentication (proving one's identity) in three different ways:

  • Demonstrating knowledge of information: the user knows something, for example a password;
  • Using a possession: the user has something, for example a key;
  • The presence of the user in person: the user is something, for example in the form of a biometric feature.

Depending on the application, the choice of authentication method brings different advantages and disadvantages with regard to everyday practicality for the user and the security requirements of the asset being protected. Careful consideration before implementation and commissioning ensures that the intended level of security is actually achieved.

Knowledge

Characteristics:

  • Can be forgotten
  • Can be copied, distributed, passed on and betrayed
  • May be guessable
  • Can be compromised by disclosure of the knowledge

Examples of knowledge -based authentication:

  • Password
  • PIN
  • Answer to a particular question ( security question)

Possession

Characteristics:

  • Creating the feature (and, where applicable, the checkpoints) involves comparatively high cost (it often requires a special manufacturing process and a physical distribution process)
  • Managing the possession is insecure and involves effort (it must be carried along)
  • Can be lost
  • Can be stolen
  • Can be passed on, handed over or duplicated (in some cases)
  • Can be replaced
  • Can store user-specific data
  • Can protect itself and actively change (smart card, SecurID)

Examples of authentication based on ownership:

  • Chip card, also known as a smart card or signature card
  • Magnetic stripe card
  • RFID card
  • Physical key
  • Key codes stored on a hard drive
  • SIM card in the mTAN procedure
  • Certificate, for example for use with SSL
  • TAN and iTAN lists
  • One-time PIN token (e.g. SecurID)
  • USB flash drive with password vault
  • USB hard drive with integrated PIN entry keypad

Physical Characteristics / Biometrics

Characteristics:

  • Is public information
  • Is always carried by the person
  • Cannot be passed on to another person
  • After the feature has been captured, the captured data must be distributed to the checkpoints that compare against it
  • Requires a special device (technology) for recognition
  • Can generally not be matched against a reference pattern with certainty, but only with some probability (<1); erroneous recognition is possible (False Acceptance)
  • Erroneous rejection is possible (False Rejection)
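
The last two characteristics are best seen with numbers. The following added example (not from the article) takes constructed similarity scores from a hypothetical matcher, one list for genuine attempts and one for impostor attempts, and computes the False Acceptance Rate (FAR) and False Rejection Rate (FRR) for a decision threshold, the threshold at which both are equal, and the usability cost of an operating point chosen for security. The scores are invented for the illustration and do not come from any real biometric system.

```python
# Constructed similarity scores (0 = no match, 1 = identical) from a hypothetical
# fingerprint matcher. Genuine: a person against their own reference template;
# impostor: a different person against that template. Not real measurements.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.60, 0.93, 0.87]
IMPOSTOR_SCORES = [0.20, 0.35, 0.42, 0.55, 0.30, 0.65, 0.48, 0.25, 0.72, 0.38]


def accept(score: float, threshold: float) -> bool:
    """The matcher's decision: a probabilistic comparison reduced to yes/no."""
    return score >= threshold


def far(threshold: float, impostor_scores) -> float:
    """False Acceptance Rate: share of impostor attempts wrongly accepted."""
    return sum(accept(s, threshold) for s in impostor_scores) / len(impostor_scores)


def frr(threshold: float, genuine_scores) -> float:
    """False Rejection Rate: share of genuine attempts wrongly rejected."""
    return sum(not accept(s, threshold) for s in genuine_scores) / len(genuine_scores)


def _candidate_thresholds(genuine, impostor):
    # Every observed score is a possible decision boundary.
    return sorted(set(genuine) | set(impostor))


def equal_error_rate(genuine, impostor):
    """Threshold at which FAR and FRR are closest, and the error rate there.
    Returns (threshold, rate)."""
    best = None
    for t in _candidate_thresholds(genuine, impostor):
        f_acc, f_rej = far(t, impostor), frr(t, genuine)
        gap = abs(f_acc - f_rej)
        if best is None or gap < best[0]:
            best = (gap, t, (f_acc + f_rej) / 2)
    return best[1], best[2]


def threshold_for_max_far(max_far: float, genuine, impostor):
    """Security-first operating point: the lowest threshold whose FAR does not
    exceed max_far, together with the FRR (usability cost) it implies.
    Returns (threshold, frr) or None if no threshold achieves it."""
    for t in _candidate_thresholds(genuine, impostor):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return None
```

Raising the threshold drives FAR towards zero but pushes genuine users into the rejected set; there is no threshold that gives certainty in both directions, which is exactly why the list above speaks of a probability below 1.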

Examples of authentication based on biometric features:

  • Fingerprint
  • Face recognition
  • Typing behaviour
  • Voice recognition
  • Iris recognition
  • Retina characteristics (eye)
  • Handwriting (signature)
  • Hand geometry (palm scanner)
  • Palm line structure
  • Genetic information (DNA)

Securing the transmission

Data is transmitted during authentication. If this data is intercepted, an attacker can use it to assume a false identity. To reduce the risk of disclosure, methods such as challenge-response authentication and zero-knowledge proofs are used, in which the authenticating party no longer transmits the identifying data itself, but only a proof that it possesses that data beyond doubt. An example of challenge-response authentication is a task that is posed whose solution can only come from a counterpart that has a specific piece of knowledge or a specific property. A counterpart can thus be authenticated without having to divulge its knowledge or its property. It should be noted, however, that attack methods exist against such procedures as well.
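
A minimal challenge-response exchange as an added example in Python (not the article's code and not a standardized protocol): the verifier sends a fresh random challenge (a nonce, as discussed further below), the prover answers with an HMAC over it, and the shared secret never crosses the wire. The shared secret is a constructed value. Because each nonce is accepted only once, a recorded (challenge, response) pair cannot be replayed, which is the property that plain password transmission lacks.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in practice it is provisioned out of band.
SHARED_SECRET = b"constructed-shared-secret"


class Verifier:
    """The checking party: issues a fresh random challenge (nonce) and checks
    that the response proves knowledge of the shared secret. A nonce is
    accepted at most once, so a captured exchange is worthless afterwards."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # never issued, or already consumed
        self._outstanding.discard(nonce)  # consume before checking
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def prover_respond(secret: bytes, nonce: bytes) -> bytes:
    """The proving party: answers with an HMAC over the challenge. The secret
    itself never leaves the prover."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_exchange(verifier: Verifier, prover_secret: bytes):
    """One full round trip. Returns the two messages an eavesdropper would see
    (nonce, response) together with the verifier's decision."""
    nonce = verifier.challenge()
    response = prover_respond(prover_secret, nonce)
    return nonce, response, verifier.verify(nonce, response)
```

The verifier removes the nonce from its outstanding set before comparing, so a second presentation of the same pair fails regardless of whether the first one succeeded.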

Other systems solve the problem by using each piece of identification data only once. An example is the TAN system. However, identification data that has been overheard or spied out can still be used later if the first use, and with it the invalidation of the data, is prevented during the interception. One-time password systems alleviate this problem by coupling the identification data to the current time.
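
A time-coupled one-time password, as used by the "one-time PIN token" listed under possession above, as an added example in Python; this is not the article's code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, 30-second steps and 6 digits, and a verifier that tolerates one step of clock drift but never accepts a step twice. The secret `RFC_TEST_SECRET` is the published test secret from those RFCs, used here only so that the expected codes are known; any real token would use its own random secret.

```python
import hashlib
import hmac
import struct

# Published test secret from RFC 4226 / RFC 6238; real deployments use a
# random per-token secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time.
    totp(RFC_TEST_SECRET, 59) -> "287082" (RFC 6238 test vector, 6 digits)."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side: accepts the code for the current step and `drift` steps on
    either side (clock skew), but never the same or an earlier step again, so
    an intercepted code is useless once used or once its window has passed."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self._secret = secret
        self._step = step
        self._digits = digits
        self._drift = drift
        self._last_counter = -1  # highest step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = int(unix_time) // self._step
        for counter in range(now - self._drift, now + self._drift + 1):
            if counter <= self._last_counter:
                continue  # already consumed, or older than a consumed step
            if hmac.compare_digest(hotp(self._secret, counter, self._digits), code):
                self._last_counter = counter
                return True
        return False
```

The identification data (the code) is still sent in the clear, but it is bound to a 30-second step and consumed on first use, which is the mitigation the paragraph above describes.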

Another way of securing the transmission is so-called "second-channel" communication, in which part of the identification data is transferred over a second channel. An example is sending an SMS in the mobile TAN (mTAN) system.

In cryptographic protocols, additional random numbers, so-called "nonce" or "salt" values, are often used to prevent an identification from being repeated.

Combination of methods

By suitably combining the methods, the shortcomings of the individual authentication methods can be reduced. On the other hand, combinations of several methods entail higher costs and/or greater effort. Dynamic systems, which automatically select stronger or weaker authentication methods depending on the value and hence the risk of a transaction, or on the security of the online connection in use, increase user acceptance and spare low-risk transactions the steps that reduce productivity.

A combination of two methods is called two-factor authentication. A typical example of combining knowledge and possession is a cash machine: one has the bank card and knows the personal identification number (PIN). A similar principle already exists for mobile security hard drives: on special high-security drives, access is secured by a smart card and an 8-digit PIN. On the Internet, access is often granted in a first step by a password. To gain full access, however, a unique code is sent to the mobile phone by SMS and must then be entered on the website as confirmation. This is often used in online banking, for example, to authenticate a transaction.

The four-eyes principle refers to separate authentication by two persons. Such authentication is usually used for systems with high protection requirements: for example, opening a safe in a bank sometimes requires two persons who authenticate themselves by possession (two separate keys).
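
The rules of this section, strength of authentication chosen by transaction value, two factors counted only if they come from different categories, and the four-eyes principle requiring two distinct persons, as an added policy example in Python. It is not from the article; the amount limits and the `Factor` categories are constructed for the illustration.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows: password, PIN
    POSSESSION = "possession"  # something the user has: card, token, phone
    INHERENCE = "inherence"    # something the user is: biometric feature


# Constructed policy limits (arbitrary currency unit), assumptions for the example.
LOW_RISK_LIMIT = 50       # below this, a single factor is enough
FOUR_EYES_LIMIT = 10_000  # at or above this, two separate persons must approve


def distinct_categories(evidence) -> set:
    """evidence: list of (Factor, verified: bool). Only verified factors count,
    and two factors of the same category (password + PIN) count as one."""
    return {factor for factor, verified in evidence if verified}


def required_factors(amount) -> int:
    """Dynamic selection: the higher the value (risk) of the transaction,
    the stronger the authentication demanded."""
    return 1 if amount < LOW_RISK_LIMIT else 2


def is_sufficiently_authenticated(evidence, amount) -> bool:
    return len(distinct_categories(evidence)) >= required_factors(amount)


def may_execute(amount, approvals):
    """approvals: list of (user_id, evidence) for each person approving.
    Returns (decision, reason)."""
    qualified = {user for user, evidence in approvals
                 if is_sufficiently_authenticated(evidence, amount)}
    if not qualified:
        return False, "no approver is authenticated strongly enough for this amount"
    if amount >= FOUR_EYES_LIMIT and len(qualified) < 2:
        return False, "four-eyes principle: two distinct persons must approve"
    return True, "ok"
```

The set of qualified approvers is keyed by user, so listing the same person twice does not satisfy the four-eyes rule, and a password plus a PIN does not satisfy the two-factor rule.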

A master key is a possession that is secured by knowledge and kept (hidden) in safe custody, and that still offers a way to authenticate if all other authentication features are lost.
