CHAPTER 28

IDENTIFICATION AND AUTHENTICATION

Ravi Sandhu, Jennifer Hadley, Steven Lovaas, and Nicholas Takacs

28.1 INTRODUCTION

28.2 FOUR PRINCIPLES OF AUTHENTICATION

28.2.1 What Only You Know

28.2.2 What Only You Have

28.2.3 What Only You Are

28.2.4 What Only You Do

28.3 PASSWORD-BASED AUTHENTICATION

28.3.1 Access to User Passwords by System Administrators

28.3.2 Risk of Undetected Theft

28.3.3 Risk of Undetected Sharing

28.3.4 Risk of Weakest Link

28.3.5 Risk of Online Guessing

28.3.6 Risk of Off-Line Dictionary Attacks

28.3.7 Risk of Password Replay

28.3.8 Risk of Server Spoofing

28.3.9 Risk of Password Reuse

28.3.10 Authentication Using Recognition of Symbols

28.4 TOKEN-BASED AUTHENTICATION

28.4.1 One-Time Password Generators

28.4.2 Smart Cards and Dongles

28.4.3 Soft Tokens

28.5 BIOMETRIC AUTHENTICATION

28.6 CROSS-DOMAIN AUTHENTICATION

28.7 RELATIVE COSTS OF AUTHENTICATION TECHNOLOGIES

28.8 CONCLUDING REMARKS

28.9 SUMMARY

28.10 FURTHER READING

28.11 NOTES

28.1 INTRODUCTION.

Authorization is the allocation of permissions for specific types of access to restricted information. In the real world, authorization is conferred on real human beings; in contrast, information technology normally confers authorization on user identifiers (IDs). Computer systems need to link specific IDs to particular authorized users of those IDs. Even inanimate components, such as network interface cards, firewalls, and printers, need IDs. Identification is the process of ascribing an ID to a human ...
