Tuesday, March 24, 2009

Throughput from Amazon

I just downloaded an MP3 album and a couple MP3 tracks from another album from Amazon. With the first album, download speeds were about 500kB/s (over 4Mb/s). For the other two tracks, the download speed dropped to under 200kB/s. How come? I noticed it, but didn't give it much thought until receiving the e-mail confirmation from Amazon, and then it was clear. Amazon Digital Services was the seller of the album, and Sony BMG was the seller of the other tracks. They were coming from another server, one which was slower, at least in terms of the bandwidth it was able to give me at the time.

Monday, March 2, 2009

Identity & Authentication Must be Kept Separate

In a recent newsletter, Bruce Schneier referred to an article at Microsoft TechNet by Steve Riley, a Senior Security Strategist. The article is pretty good overall, and certainly worth reading. It's also short, so I won't bother to summarize it here. Instead, I'll just make a few comments:
  • The point that basic computer science principles cannot be glossed over is quite welcome.
  • The statement that the system knows the password is usually, one would hope, incorrect. If passwords are kept anywhere in the system, that file becomes a high-value target. Passwords should have salt shaken on them and then be hashed. The salted hash can be safely stored, and used to verify the user's password.
  • Other examples of authentication with no corresponding identity include boot passwords and disk encryption pass phrases.
  • I'm happy to see anyone make the point, which Riley makes here, that biometrics are best viewed as identity, not as authentication. Biometrics are (typically) public and irrevocable, which makes them bad choices for authentication.
Another place where identity and authentication are muddled is with RFID in passports, border crossing cards, or other IDs. The RFID keys are used for both identity and authentication. Most people aren't going to be able to keep them private, and under certain circumstances, no one will be able to.