Intro to Authentication

• Chapter 2 is huge. I will treat it as three chapters.
• The first will be 2.1 Authentication.
• They start off by defining authentication and identification
  • Identification is the act of asserting who a person (or item) is.
  • Authentication is the act of proving that asserted identity: the person (or item) is who they say they are.
• Identification is often a publicly known quantity
  • Your name.
  • Your phone number.
  • Your address.
  • Your user name.
  • Your bank account number.
• In many cases, the public knowledge of this identification is required.
  • Sending mail, physical or electronic
  • providing services
  • Other communications.
• Sometimes these identifications are hard to guess, but sometimes not.
  • What is your pennwest user id?
  • Why is it constructed this way? Why is it not some pattern off of your name and year you entered?
  • What is the problem with a more obscure id?
• Authentication needs to confirm identification
  • Therefore authentication tokens are secret.
  • What authentication tokens do you use?
  • Answer
    • Password
    • PIN
    • Physical card with a chip in it
    • Secure phone with software.
    • Fingerprint
  • Generally
    • Something you know
    • Something you have
    • Something you are
• This chapter is filled with great examples.
  • Sidebar 2-1
    • Sarah Palin used a yahoo email account when she was running for vice president.
    • Identification: gov.palin@yahooo.com
    • Authentication: a password
    • But
      • Yahoo used a series of "personal" questions to reset passwords.
      • Palin had selected
        • What is your birthday?
        • What is your zipcode?
        • Where did you meet your spouse?
      • Unfortunately these were all based easily accessible information.
    • Apparently he then
      • Changed her password
      • Sent email as her
      • posted email she had sent and received.
  • In this case, the something you know was not private enough.
    • You could blame yahoo for not having secure enough questions.
    • Or Palin for selecting easy questions.
    • Or the hacker
    • Or all three.
  • The hacker was sent to prison for a year followed by three years of supervised release.
  • Wikipedia Article
• We will look at each of the three categories in more details.