6.1 Physical Identification



Fly to San Francisco International Airport, flash two pieces of plastic, and you can drive away with a brand new car worth more than $20,000. The only assurance the car rental agency has that you will return its automobile is your word and the knowledge that if you break your word, they can destroy your credit rating and possibly have you thrown in jail.

Your word wouldn't mean much to the rental agency if they didn't know who you are. It's your driver's license and credit card, combined with a worldwide computer network, that allows the rental agency to determine in seconds if your credit card has been reported stolen, and that gives the firm and its insurance company the willingness to trust you.

As the rental car agency knows, the ability to identify people creates accountability, which helps to promote trust. Indeed, identification is an indispensable part of modern life. Large organizations use employee identification badges to help guards determine who should be let into buildings and who should be kept out. Governments use identification papers to help control their borders and provide taxpayer-funded benefits. And, increasingly, computers use various kinds of systems to determine the identity of their users and control access to information and services.

No identification techniques are foolproof. Fortunately, most of them don't have to be. The goal of most identification systems isn't to eliminate the possibility of impersonation, but to reduce to acceptable levels the risk of impersonation and the resulting losses. Another important goal of identification systems is to quantify the amount of risk that remains once the system has been deployed: quantifying the amount of residual risk allows an organization to make decisions about policies, the need or desirability of alternative identification systems, and even the amount of insurance coverage necessary to protect against the remaining amount of fraud.

Subtle Distinctions

Three related concepts are often lumped together under the title "identification":

  • Identification: associating an identity with a subject

  • Authentication: establishing the validity of something, such as an identity

  • Authorization: associating rights or capabilities with a subject

All three of these concepts are important, but they are separable: you don't need to have all three in every situation. For instance, if someone presents a $20 bill to buy a loaf of bread at a grocery store, there is no need for the customer to identify or authenticate himself. If the purchase includes a six-pack of beer, then the customer's grey hair and facial wrinkles could be used to authenticate that he is over 21 years of age, without the need for identification.

As another example, if you are driving down the highway at 80 miles an hour, and a police car pulls you over, there is no immediate need to know the identity of the officer writing you a ticket. He has the authority as a uniformed patrol officer to issue a citation and his authentication is the uniform, badge, and ticket.

In both examples, the authentication can be false (e.g., a fake beard and latex face mask with wrinkles, or a costume shop police uniform). In fact, in any instance the authentication can be either falsified or incorrect. We simply set limits as to how much we will risk by accepting a particular form of authentication.

In the rest of this chapter, we may use the word "identification" as meaning both identification and authentication. But we know (and now you know) the distinction.

6.1.1 The Need for Identification Today

For much of human history, the way people proved their identity was by showing up.[1] People were born into their communities. They were educated, employed, married, and eventually buried. People had history and were known in their community by their faces, their word, and their actions. Identification was based on biometrics.

[1] Thanks to Carl Ellison for this lovely turn of phrase.

For much of the 20th century, driver's licenses, passports, and other kinds of identity cards have been the primary tools that people have used to prove their identities outside of their direct community when personal identification based on knowledge and friendship fails. We use them when cashing checks, opening accounts with new businesses, applying for jobs, and buying property. We use them when we are cited by police for speeding or jaywalking, as an alternative to being arrested, taken to a police station, and held for a hearing. By reliably identifying who we are, these physical tokens make it possible for businesses to extend credit and trust to individuals with whom they are unfamiliar.

You might think that the alternative to identification systems is to do business solely with cash. But even when cash or other articles of value are used, strong identification is often required because of the possibility of fraud. Think about it: would you take three pounds of gold as payment for a new car without knowing the name of the person handing you the bullion? Given the opportunities for counterfeiting and fraud, most people wouldn't even take a stack of crisp new $100 bills.

Identification cards don't create a stable business environment by themselves: they work hand-in-hand with the legal system. If a person bounces a check or fails to carry through on the terms of a contract, the business knows that it ultimately has the option of going to court with its grievance. But a successful outcome in court is only possible if the business knows the true identity of the customer. This is one reason why it is a crime to create false identification papers.

Customers also need to be able to determine the identity of businesses when they are engaging in financial transactions. In the physical world, the assurance is usually provided by physical location: if Sara buys a book in Harvard Square and then for some reason decides that she has been cheated (she may take the book home only to discover that the book was water damaged and has become a moldering growth medium), she knows that she can walk back to Harvard Square and demand a replacement or a refund. And she knows that she can trust the bookstore, at least within reason, because the store has obviously spent a considerable amount of money on the accoutrements of business: books, shelves, carpets, cash registers, and so on. It's unrealistic to think that the bookstore would spend so much money and then cheat a few dollars on paperback purchases that would damage the store's reputation. And if the bookstore were a scam, at least Sara knows where the bookstore is based. In the worst case, Sara can always go to City Hall, look up the store's owner, and take him to court.

Things are not so neat and tidy on the Internet. Sara might go to an online auction and purchase a slightly used cell phone for $200. After she sends the check and receives the phone, Sara discovers that she can't get it activated because it has a "revenue lock" and can only be used in Seattle. When she sends email back to the person who sold her the phone, her mail bounces. When she contacts the email provider, she learns that the email address was for a web-based email system and that the company has no idea of the name or the address of the person who signed up. When Sara gets back her check, she finds that it was cashed at a large out-of-state bank that refuses to help her identify the perpetrator because $200 is below their "fraud limit."

Things can be just as difficult for online businesses attempting to determine the names of their customers or trying to verify that the person at the other end of the web browser is actually the person that he or she claims to be. Consider an online stock trading company that gets an order from one of its customers to sell 500 shares of a stock. How does the trading house know that the "sell" order came from a bona fide customer and not from the customer's 10-year-old son or from the son's best friend who happens to be visiting for the afternoon? What sort of proof is possible, when your only connection with your customer is over a 28.8-kbps modem?

6.1.2 Paper-Based Identification Techniques

The most common way of determining the identity of a person in the physical world is to examine documents that are issued from a trusted authority. Consider passports and driver's licenses. Governments issue these documents to show affiliation (e.g., citizenship) or privileges (e.g., the right to drive), but these documents are also commonly used to authenticate identity, because the issuing of these documents is carefully controlled, they show a person's name, and they are difficult to forge.

6.1.2.1 Verifying identity with physical documents

Paper-based identification systems are so commonplace that we rarely think about how they work. Consider a U.S. passport: this document has a photograph of the holder, the person's hair and eye color, date and place of birth, the person's signature, and the seal of the United States government. (Figure 6-1 shows Simson's own passport.)

Figure 6-1. A driver's license, passport, or gym membership card is a credential that can be used to prove identification

To verify the identity of a U.S. citizen, you start by examining the passport itself to see if it looks authentic. U.S. passports now have laminations with special seals, so you would check that the lamination hasn't been disturbed and that the expected markings are present. If the passport looks good, the next step is to compare the person described by the passport with the person who is standing before you. Does the photograph in the passport look like the person? Because looks can be deceiving, this is actually a more difficult task than it seems.

If you have reason to be suspicious of the person standing before you, you can ask him to sign his name on a piece of paper and compare that signature with the one on the document. Or you can ask the person questions based on the information that the document contains; for example, you might ask him to describe the town where his passport says he was born.

However, it is possible that the picture on the passport is eight years old, the passport holder now has a tan and has lost a lot of weight (and hair), his hand is in a cast, and his family moved away from his town of birth when he was six months old. At some point, you need to make a decision based on what you have available to you.

6.1.2.2 Reputation of the issuing organization

One of the key items contributing to the success of paper-based identification systems is the reputation of the organization that issues the documents. How much care does the organization exercise before it issues an identification document? How carefully does the organization safeguard the stock of blank identification materials? Does the organization have internal controls to account for blank documents? How easy is it to bribe a member of the organization to produce a fraudulent document? If such documents are produced, what is the likelihood that they will be discovered? Is there a legal or extra-legal penalty for using fraudulent documents from the organization?

Consider a membership card for a local gymnasium. This card might have a photograph and name on it. But despite the fact that the card identifies the holder, few merchants would allow a person to cash a check using the gym membership card as the sole source of identification. That's because gymnasiums use lower standards of scrutiny when they issue membership cards than do governments when they issue passports and driver's licenses; it's easier to get a gym card with a bogus name than to get a fake passport.[2]

[2] Although, realistically, many U.S. health clubs may actually exercise more due care issuing ID cards than many third-world government passport offices do in issuing passports. Furthermore, many U.S. businesses do not accept passports as identification because their clerks and cashiers are unfamiliar with the documents.

An identification document without an issuing organization is worthless: anybody can make an "identification card" that has a name, photograph, and signature.

6.1.2.3 Tamper-proofing the document

As is the case with U.S. passports, good identification credentials are tamper-proof (or at least tamper-resistant) so that the person who holds them can't change them. They should also be forgery-proof to prevent anyone other than the appropriate government or organization from issuing them. And in the case of important documents, they should also be tamper-evident to signal that attempts have been made to change them.

In the physical world, tampering and forgery are usually prevented by using exotic materials. Consider U.S. passports: the binding, paper, printing, and lamination used in their manufacture are quite expensive, which has the effect of making them more difficult to forge or alter.

Exotic materials are not only the province of governments. The Polaroid Corporation, for example, makes a wide variety of materials for corporations and states that need to issue physical identification cards. Polaroid's Polacolor ID Ultraviolet Film is imprinted with a pattern in ultraviolet ink. This pattern can be seen and verified by waving an identification card printed with the Polacolor UV film underneath an ultraviolet light. If the identification photo or card is tampered with, the pattern is destroyed. To further improve security, the card can be sealed with PolaSeal laminate, which is designed to form a molecular bond with the top surface of the Polacolor UV film.

Tamper-proof systems are never perfect; they simply raise the cost of making a passable forgery. The Polaroid products make it very difficult to replace the photograph on an existing ID card, but it's still possible to issue fraudulent cards if the forger can get hold of his own UV film, laminate, and appropriate production equipment.

Another exotic material that has become commonplace is the security hologram. Originally used exclusively on credit cards, today you can find these metallic patches on software boxes, compact disks, and even some books and cereal boxes. Although it's fairly easy to make a hologram with film (you can make one in your basement for less than $1000), the equipment required to press a hologram onto a thin strip of aluminum is comparatively expensive. As the businesses that operate these machines tend to have close relationships with the banking industry, they don't look kindly on counterfeiters.

6.1.3 Computer-Based Identification Techniques

For more than fifty years, computers have been programmed with various means to identify their users. Users of the earliest punch-card systems were given account numbers so that each user's time spent on the computer could be automatically recorded and billed. Passwords were employed so that one user couldn't inadvertently (or intentionally) run up another's account. Usernames and passwords have been a part of large-scale computer systems ever since. Even personal computers, which lacked passwords for the first two decades of their existence, now come equipped with software that can control access using usernames and passwords.

There is a key difference that separates username/password systems from the document-based systems discussed earlier in this chapter. Whereas most identification documents are printed with the true name of the individual being identified, username/password-based systems are only interested in establishing that the person who is sitting at the keyboard is the authorized user of a particular account. Traditional paper-based systems concern themselves with absolute identification, whereas username/password systems are concerned with relative identification, or the continuity of identification. Rather than proving that the person sitting at the keyboard is in fact John Smith, Jr. of Boston, MA, and then consulting a database that says John Smith, Jr. of Boston is an authorized user, these systems skip the absolute identification step entirely: they check only that whoever is at the keyboard knows the secret associated with the account.

Absolute identification is an extraordinarily difficult task for the typical computer system to perform. Instead, a plethora of relative identification systems have been fielded. Computer security professionals usually describe these systems as relying on "something that you know," "something that you have," or "something that you are." The following sections describe these three traditional approaches, as well as a newer one: "someplace where you are."

6.1.3.1 Password-based systems: something that you know

The earliest digital identification systems were based on passwords. Every user of the system is assigned a username and a password; to "prove" your identity to the computer, you simply type your password. If the password that you type matches the password that is stored on the computer, then the assumption is that you must be who you claim to be (see Figure 6-2).

Figure 6-2. Using a username and a password to prove who you are

Because they are simple to use and require no special hardware, passwords continue to be the most popular authentication system used in the world today. As a result of this popularity, most of us now have dozens of passwords that we need to remember on an almost daily basis, including PINs (personal identification numbers) or passwords for accessing ATM cards, long-distance calling cards, voicemail systems, and answering machines, and for disabling "V-Chips" installed in modern televisions, unlocking cell phones, unlocking desktop computers, accessing dialup Internet service providers, downloading electronic mail, and accessing web sites.

As Table 6-1 shows, there are a number of problems with passwords, and many of these problems have no good solutions. However, despite these problems, passwords continue to be used because they do not require any special hardware or exotic programming.

Table 6-1. Problems with passwords and the commonly-used solutions

Problem: Before you can use a device, a computer, or an online service, you need a password.
    Typical solution: Many systems are delivered with a default password or PIN (e.g., "0000" or "1234").
    Risk of the solution: Default PINs are frequently not changed.
    Typical solution: Some systems are configured so that the first person who turns on the device can set a password.
    Risk of the solution: There is no way to assure that the person who first turns on the device is in fact an authorized user. For example, a teenager might be the first person to turn on a family's television and program the V-Chip.

Problem: Your password can be intercepted when you send it to the computer. Somebody else who learns your password can impersonate you.
    Typical solution: Encryption can be used to scramble a password as it is transmitted from one computer to another.
    Risk of the solution: In practice, encryption is rarely used.
    Typical solution: None; in many cases it is impossible to use encryption.
    Risk of the solution: There is no way to "encrypt" the PIN that a person types on the keypad of an automatic teller machine so that it cannot be deciphered by a second person looking over the first person's shoulder.

Problem: People forget passwords.
    Typical solution: Give the user the option of creating a second password that is harder for him to forget. For example, many web sites will ask for both a password and a "security question," such as "What is your mother's maiden name?" If the password is forgotten, the answer to the question may be provided.
    Risk of the solution: These systems reduce the problems of lost passwords, but they also invariably reduce the security of the service, because an attacker who cannot guess the password may be able to discern the answer to the "security question."
    Typical solution: Offer to send the person's password by paper mail or email.
    Risk of the solution: The mail may be intercepted. If the same password is used at multiple services, other services may be compromised. (This risk can be avoided by changing the person's password to a new, randomly-generated password and then sending the new password.)

Problem: People choose easily guessed passwords.
    Typical solution: Require that passwords contain letters, numbers, and symbols. Do not allow passwords that contain a person's username or a word that is in the dictionary.
    Risk of the solution: People are frequently angered or frustrated when they cannot choose a password that they wish to use. Many people use the same password for multiple purposes; if they cannot use their standard password, it is more likely that they will forget it.

Problem: People tell their passwords to other people so that others can access a restricted service.
    Typical solution: Monitor the service for signs of use by more than one individual (e.g., simultaneous use from more than one location). If such use is detected, shut down the password or otherwise punish the user.
    Risk of the solution: There may be a legitimate need for multiple people to access the same service at the same time, but there may be technical, political, or institutional reasons that prevent all of these people from obtaining their own usernames and passwords.
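As an added example (not code from the book), here is what the server side of the checks in Table 6-1 looks like in Python: a password policy that enforces the character-class, username and dictionary rules; a verifier that stores only a salted PBKDF2 derivation rather than the password itself, so that a stolen copy of the user table does not hand out every account; and the random-reset variant of "mail the user a new password". The user store, the word list, the iteration count, and all usernames and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a real word list (assumption: a deployment would
# load a large dictionary file instead).
DICTIONARY = {"password", "secret", "letmein", "welcome", "dragon"}

# Hypothetical user store: username -> (salt, derived key). The naive scheme
# the text describes would keep the password itself here, so a copy of this
# table would hand every account to the thief.
USERS = {}

ITERATIONS = 100_000  # PBKDF2 work factor; chosen for the example, not from the book


def check_policy(username, password, min_length=8):
    """Table 6-1 rules: letters, digits and symbols required; no username;
    no dictionary word. Returns the list of violations (empty = acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbols")
    if username.lower() in password.lower():
        problems.append("contains username")
    # Strip digits and symbols before the dictionary check so that
    # "Password1!" is still recognised as the word "password".
    core = "".join(c for c in password.lower() if c.isalpha())
    if core in DICTIONARY:
        problems.append("dictionary word")
    return problems


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(username, password):
    """Store a salted derivation of the password, never the password."""
    problems = check_policy(username, password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))


def verify(username, password):
    """The "something that you know" check. An unknown username still pays
    for a derivation against a dummy record, and the comparison is
    constant-time, so neither case leaks through timing."""
    salt, stored = USERS.get(username, (b"\x00" * 16, b"\x00" * 32))
    candidate = _derive(password, salt)
    return hmac.compare_digest(candidate, stored) and username in USERS


def reset_password(username):
    """The safer variant of "mail the user the password" from Table 6-1:
    the old password cannot be recovered from the store, so a fresh random
    one is set and returned for delivery, and the old one stops working."""
    if username not in USERS:
        raise KeyError(username)
    new_password = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(new_password, salt))
    return new_password


if __name__ == "__main__":
    enroll("alice", "Tr0ub4dor&3")
    print(verify("alice", "Tr0ub4dor&3"), verify("alice", "password"))
    print(check_policy("alice", "Password1!"))
```

The dictionary check deliberately ignores digits and symbols, because the obvious response to a "must contain a number and a symbol" rule is to append "1!" to a dictionary word. The verifier never returns early on an unknown username, so an attacker cannot enumerate accounts by timing the response.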

6.1.3.2 Physical tokens: something that you have

Another way that people can authenticate their identities is through the use of tokens: physical objects whose possession somehow proves identity. Figure 6-3 shows the Robocard sold by CryptoCard, Inc.

Figure 6-3. Using a token-based system to prove who you are (reprinted with permission)

Door keys have been used for centuries as physical access tokens; in many modern buildings, metal keys are supplemented with either magnetic or radio-frequency-based access card systems. To open a door, you simply hold the card up to a reader. Systems that use radio frequencies to sense the card are generally more secure than magnetic-stripe-based systems because the cards are more difficult to forge or copy, although a card that merely broadcasts a fixed identifier can still be read and replayed by anyone who gets close to it with a reader.

Access card systems are superior to metal-key-based systems because every card can have a unique number that is tied to an identity. The system, in turn, has a list of the cards authorized to open various doors. Time-based restrictions can be added as well, so that a low-level clerk's card can't be used to gain access to an office after-hours. One of the nice features of token-based systems is that they tend to be self-policing: users quickly report cards that are lost or stolen because they need their cards to gain access; when a card is reported missing, that card can be deactivated and a new card issued to the holder. This is an improvement over a keypad-based system, where individuals can share their PIN codes without losing their own access.

As with passwords, tokens have problems as well:

  • The token doesn't really "prove" who you are. Anybody who has physical possession of the token can gain access to the restricted area.

  • If a person loses a token, that person cannot enter the restricted area, even though that person's identity hasn't changed.

  • Some tokens are easily copied or forged.

Token-based systems don't really authorize or identify individuals: they authorize the tokens. This is especially a problem when a token is stolen. For this reason, in high-security applications token systems are frequently combined with some other means of identification: this is often referred to as two-factor authentication. For instance, to gain access to a room or a computer, you might need to both present a token and type an authorization code. This is the technique used by automatic teller machines (ATMs) to identify bank account holders.
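The "present a token and type an authorization code" combination, as an added illustration that is not from the book and does not describe how the Robocard or any real product works: a hypothetical challenge-response token holds a secret key and answers the server's random challenge with an HMAC, and the server accepts a login only when the response and a PIN both check out. Serial numbers, PINs and the key are constructed; the demo() function runs through the cases the text raises (anyone holding the token passes the single-factor check, a wrong PIN fails, a captured response cannot be replayed, and a token reported lost stops working).

```python
import hashlib
import hmac
import secrets


class Token:
    """Hypothetical challenge-response token (an illustration, not the
    Robocard in Figure 6-3). It holds a secret key and answers a challenge
    from the server with HMAC(key, challenge). Note what is missing: the
    token never asks who is pressing its button, so anyone holding it can
    produce a valid response."""

    def __init__(self, serial, key):
        self.serial = serial
        self._key = key

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).hexdigest()


class Server:
    def __init__(self):
        self.keys = {}       # serial -> token key
        self.pins = {}       # serial -> (salt, sha256(salt + pin))
        self.pending = {}    # serial -> outstanding challenge (single use)
        self.revoked = set()

    def enroll(self, serial, key, pin):
        salt = secrets.token_bytes(8)
        self.keys[serial] = key
        self.pins[serial] = (salt, hashlib.sha256(salt + pin.encode()).digest())

    def challenge(self, serial):
        """Fresh random challenge; a captured response is useless later."""
        c = secrets.token_bytes(16)
        self.pending[serial] = c
        return c

    def _token_ok(self, serial, response):
        c = self.pending.pop(serial, None)           # consume even on failure
        if c is None or serial in self.revoked or serial not in self.keys:
            return False
        expected = hmac.new(self.keys[serial], c, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

    def _pin_ok(self, serial, pin):
        salt, stored = self.pins.get(serial, (b"", b"\x00" * 32))
        return hmac.compare_digest(hashlib.sha256(salt + pin.encode()).digest(), stored)

    def verify_token_only(self, serial, response):
        """Single factor: possession of the token is all that is checked."""
        return self._token_ok(serial, response)

    def verify_two_factor(self, serial, response, pin):
        """Something you have AND something you know. Both are always
        evaluated, so a failure does not reveal which factor was wrong."""
        have = self._token_ok(serial, response)
        know = self._pin_ok(serial, pin)
        return have and know

    def report_lost(self, serial):
        """Self-policing in practice: the lost token stops working at once."""
        self.revoked.add(serial)


def demo():
    server = Server()
    key = secrets.token_bytes(32)
    token = Token("T-0001", key)            # constructed serial number
    server.enroll("T-0001", key, "4719")    # constructed PIN

    c = server.challenge("T-0001")
    thief_success = server.verify_token_only("T-0001", token.respond(c))

    c = server.challenge("T-0001")
    wrong_pin = server.verify_two_factor("T-0001", token.respond(c), "0000")

    c = server.challenge("T-0001")
    r = token.respond(c)
    right_pin = server.verify_two_factor("T-0001", r, "4719")
    replayed = server.verify_two_factor("T-0001", r, "4719")

    server.report_lost("T-0001")
    c = server.challenge("T-0001")
    after_loss = server.verify_two_factor("T-0001", token.respond(c), "4719")
    return thief_success, wrong_pin, right_pin, replayed, after_loss


if __name__ == "__main__":
    print(demo())
```

The first result is the point of the paragraph: with the token alone, a thief logs in. The PIN is what ties the object back to a person, and the single-use challenge is what stops a response captured on the wire from being reused.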

6.1.3.3 Biometrics: something that you are

A third technique becoming more commonly used by computers to determine a person's identity is to make a physical measurement of the person and compare the measurement with a profile that has been previously recorded. This technique is called a biometric, because it is based on measuring something about a living person. (Figure 6-4 shows an iris identification system.)

Figure 6-4. Using a biometric-based system to prove identity (reprinted with permission of Iridian)

Many kinds of biometrics are possible:

  • Images of a person's face, retina, or iris

  • Fingerprints

  • Hand geometry

  • Footprints and walking style

  • Patterns of blood vessels in the retina

  • DNA patterns

  • Voice prints

  • Handwriting characteristics

  • Typing characteristics

Biometric techniques can be used for both ongoing identification and absolute identification. Using these techniques for ongoing identification is the simplest approach: the first time the user accesses the system, his biometric information is recorded. On subsequent accesses, the new biometric is compared with the stored record.

To use biometrics for absolute identification, it is necessary to construct a large database matching names with biometrics. The Federal Bureau of Investigation has such a database matching fingerprints to names, and another that matches DNA material.

Compared with passwords and access tokens, biometrics have two clear advantages:

  • Under normal circumstances, you can't lose or forget your biometric.

  • Biometrics can't readily be shared, copied, or stolen.

But biometric technology has been difficult to bring from the laboratory to the market. All biometric systems exhibit a certain level of false positives, in which the system erroneously declares a match when it shouldn't, and false negatives, in which the system erroneously declares that two biometrics are from different people, when in fact they are from the same person. To reduce the possibility of false matches, some biometric systems combine the biometric with a password or token. In the case of passwords, a user is typically asked to type a secret identification code, such as a PIN, and then give a biometric sample, such as a voice print. The system uses the PIN to retrieve one specific stored profile and compares the live sample with that profile alone. In this manner, the system only needs to compare the provided biometric with a single stored measurement, rather than with the entire database.
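A toy matcher, added here and not from the book, showing the trade-off the paragraph describes. Templates are constructed 64-bit strings compared by Hamming distance, in the style of iris codes (the real templates, feature extraction and thresholds of any product are not modelled). identify() performs the 1:N search over the whole database, verify() performs the PIN-indexed 1:1 comparison, and error_rates() shows how moving the decision threshold trades false matches against false non-matches. All templates, PINs and noise patterns are constructed; "dave" is deliberately built close to "alice" so that a near-collision appears.

```python
BITS = 64

# Constructed 64-bit templates standing in for iris codes. Three are
# mutually far apart (32 of 64 bits differ); "dave" is deliberately built
# close to "alice" so that a near-collision can be shown.
ALICE = 0xA5A5A5A5A5A5A5A5
BOB = 0x0F0F0F0F0F0F0F0F
CAROL = 0x3C3C3C3C3C3C3C3C


def flip_bits(template, positions):
    """Simulate measurement noise (or a different eye) by flipping bits."""
    for p in positions:
        template ^= 1 << p
    return template


DAVE = flip_bits(ALICE, range(50, 64))  # 14 bits from alice: the near twin

ENROLLED = {"alice": ALICE, "bob": BOB, "carol": CAROL, "dave": DAVE}
PIN_INDEX = {"1234": "alice", "5678": "bob", "2468": "carol", "1357": "dave"}


def distance(a, b):
    """Fractional Hamming distance: 0.0 = identical, about 0.5 = unrelated."""
    return bin(a ^ b).count("1") / BITS


def identify(probe, threshold):
    """1:N search over the whole database: the closest enrolled template
    is returned only if it lies within the threshold."""
    name = min(ENROLLED, key=lambda n: distance(probe, ENROLLED[n]))
    return name if distance(probe, ENROLLED[name]) <= threshold else None


def verify(pin, probe, threshold):
    """1:1 check: the PIN selects one stored profile, and only that one
    is compared with the live sample."""
    name = PIN_INDEX.get(pin)
    if name is None:
        return False
    return distance(probe, ENROLLED[name]) <= threshold


def error_rates(threshold, genuine, impostor):
    """Given distances for known-genuine and known-impostor comparisons,
    return (false match rate, false non-match rate) at this threshold."""
    fmr = sum(d <= threshold for d in impostor) / len(impostor)
    fnmr = sum(d > threshold for d in genuine) / len(genuine)
    return fmr, fnmr


# Constructed comparison sets: genuine = alice measured with 3..20 noisy
# bits; impostor = pairs of different people, including the near twin.
GENUINE = [distance(flip_bits(ALICE, range(k)), ALICE) for k in (3, 6, 10, 14, 20)]
IMPOSTOR = [distance(ALICE, BOB), distance(ALICE, CAROL),
            distance(BOB, CAROL), distance(ALICE, DAVE)]


if __name__ == "__main__":
    probe = flip_bits(ALICE, range(5))          # alice, with 5 noisy bits
    print(identify(probe, 0.25), verify("1234", probe, 0.25), verify("5678", probe, 0.25))
    for t in (0.15, 0.20, 0.25, 0.30):
        print(t, error_rates(t, GENUINE, IMPOSTOR))
```

On these constructed sets a threshold of 0.25 accepts the near twin (false match rate 0.25) while rejecting one noisy genuine sample (false non-match rate 0.2); tightening to 0.20 removes the false match but doubles the false non-matches to 0.4. No single threshold makes both zero, which is why deployments pair the biometric with a PIN: verify() compares against one template chosen by the PIN, so the near twin is never even consulted. Note also that ENROLLED holds the templates in the clear, which is exactly the database whose compromise the text warns about.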

Biometrics involve complicated technologies, but after nearly three decades of research, they are finally making their way into mainstream computing and access control systems. Voice prints, iris prints, and hand geometry systems for access control are increasingly being installed to safeguard high-security areas such as computer rooms. Low-cost fingerprint readers can now be purchased on PCMCIA cards for use with laptops; some laptops even have fingerprint readers built into them.

It's important to remember, however, that biometrics are not perfect:

  • A person's biometric "print" must be on file in the computer's database before that person can be identified.

  • If the database of biometric records is compromised, then the biometric identification is worthless, and unlike a password, a disclosed biometric cannot be changed or reissued.

  • Unless the measuring equipment is specially protected, the equipment is vulnerable to sabotage and fraud. For example, a clever thief could defeat a voice-recognition system by recording a person speaking his passphrase and then playing it back.

6.1.3.4 Location: someplace where you are

With the development of computer systems that can readily determine the location of their users, it is now possible to deploy position-based authentication systems. For example, such a system might allow people in New Jersey to access a New Jersey bank but might deny access to others unless special arrangements have been previously made.

Although the Global Positioning System (GPS) can be readily used for obtaining location information, there are two serious hindrances for GPS in this application: the fact that GPS doesn't usually work indoors, and the fact that there is no way to securely get the positional information from the GPS receiver to the remote service that needs to do the verification, since the position is reported by the very device the user controls. A better choice for position-based authentication is the positional services offered by some mobile telephone networks. With these systems, the network itself determines the user's location and reports it directly to the service, so the user never has the opportunity to tamper with the information on its way to the verifier.

A simple form of location-based authentication is to have a particular terminal or computer that is authorized to perform a special function. People who are in other locations are prohibited from exercising privilege. To date, location has not been used as a general system for authentication.


Web Security, Privacy and Commerce, 2nd Edition
ISBN: 0596000456
Year: 2000
Pages: 194