Monday, March 2, 2009

Identity & Authentication Must be Kept Separate

In a recent newsletter, Bruce Schneier referred to an article at Microsoft TechNet by Steve Riley, a Senior Security Strategist. The article is pretty good overall, and certainly worth reading. It's also short, so I won't bother to summarize it here. Instead, I'll just make a few comments:
  • The point that basic computer science principles cannot be glossed over is quite welcome.
  • The statement that the system knows the password is usually, one would hope, incorrect. If passwords are kept anywhere in the system, that file becomes a high-value target. Passwords should have salt shaken on them and then be hashed. The salted hash can be safely stored, and used to verify the user's password.
  • Other examples of authentication with no corresponding identity include boot passwords and disk encryption pass phrases.
  • I'm happy to see anyone make the point, which Riley makes here, that biometrics are best viewed as identity, not as authentication. Biometrics are (typically) public and irrevocable, which makes them bad choices for authentication.
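To make the second bullet concrete, here is an added example (mine, not Riley's or the post's) of a password verifier store that holds only a per-user random salt and a salted hash, so the file that would be a high-value target never contains a password. PBKDF2-HMAC-SHA256 and the iteration count are my choices for illustration; the post only says "salt, then hash".

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2; an assumed value for illustration, not from the post.
ITERATIONS = 200_000


def make_record(password: str) -> dict:
    """Derive what gets stored: a fresh 16-byte random salt and the salted hash.

    The plaintext password is used once here and never written anywhere.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iters": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time.

    Nothing in `record` lets the system recover the password; it can only
    check whether a candidate produces the same salted hash.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def salt_defeats_shared_lookup(password: str) -> bool:
    """Show why the salt matters: two users with the same password get
    different stored hashes, so one precomputed table does not cover both."""
    a, b = make_record(password), make_record(password)
    return a["hash"] != b["hash"] and verify(a, password) and verify(b, password)


if __name__ == "__main__":
    # Constructed sample user store; the values below are not real credentials.
    store = {"alice": make_record("correct horse"), "bob": make_record("correct horse")}
    print("alice ok:", verify(store["alice"], "correct horse"))   # True
    print("alice wrong case:", verify(store["alice"], "Correct horse"))  # False
    print("distinct hashes for same password:", salt_defeats_shared_lookup("correct horse"))
```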
Another place where identity and authentication are muddled is RFID in passports, border crossing cards, and other IDs. The RFID keys serve as both identity and authentication, yet most people will not be able to keep them private, and under certain circumstances no one will.