BYOI is a series I’ve decided to create to “talk” about #identitymanagement, so it is about #security, #governance, #management and many other aspects of the #IAM realm.
Peter Steiner – The New Yorker, July 5, 1993.
This adage, coined by The New Yorker cartoonist and contributor Peter Steiner, raises a question that is still relevant today: do you know who is actually using your systems?
The ability to authenticate a party does not mean that you have identified it correctly.
Authentication and identification are often confused because of the similarities in the process of “allowing an actor Y (aY) into a given system X (sX)”, where:
with pID as the physical identity associated with one or more digital identities (dID) that request access to a given application/service (aPP).
Let us analyze a simple process that leads aY to obtain the use of sX:
First of all, who is aY for sX?
Filial imprinting
In the mid 1930s German ethologist Konrad Lorenz popularized filial imprinting, the process by which a newborn animal learns to recognize the unique characteristics of its parent, typically its mother. This phenomenon was termed imprinting (translated from the German word prägung) by Lorenz’s mentor, Oskar Heinroth, who believed that the sensory stimulus encountered by the hatchling was immediately, and irreversibly, "stamped" onto the animal’s brain. Lorenz demonstrated this with his famous goslings, which had spent their first hours of life with him and subsequently followed him everywhere; as adults they preferred the company of humans over fellow avians.
A mother and a newborn are always able to recognize each other by unique characteristics. Neither party asks for a verification of identity; they rely on unique information that assures them of who is approaching and which role each has in the relationship.
This is an example of physical identification.
The door key
My door has two separate keys: a short one for a “quick” lock/unlock and a longer one that locks the door more securely. If I am leaving the house I secure the access using both keys; this guarantees (well, let’s pretend at least) that only people who have both keys may enter the house. The keys are cut in a unique way that makes them almost impossible to reproduce.
When I “log in” to the house I use both keys in order to “unblock” the “system” and be allowed to open the door.
The keys do not guarantee that I am who I “said” I am; they only provide a way to access the “system” through a recognizable process.
This is an example of physical authentication.
But what if I am in the digital world? Things become a little more “confused” here:
The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something the user knows, something the user has, and something the user is. Each authentication factor covers a range of elements used to authenticate or verify a person’s identity prior to being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.
Security research has determined that for a positive identification, elements from at least two, and preferably all three, factors should be verified. The three factors (classes) and some of elements of each factor are:
the ownership factors: Something the user has (e.g., wrist band, ID card, security token, software token, phone, or cell phone).
the knowledge factors: Something the user knows (e.g., a password, pass phrase, or personal identification number (PIN), challenge response (the user must answer a question)).
the inherence factors: Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifier).
Wikipedia on authentication – http://en.wikipedia.org/wiki/Authentication
That said, we may define authentication as the process of identifying an entity in order to grant it access to a given system, where by “identify” we mean the process of recognizing the distinctive factors that make the entity “unique”.
The ownership factor: something that only the entity may have: a username related to a specific subscription (uSr)
The knowledge factor: something that only the user knows: the password related to the above username (pWd)
The inherence factor: something the user is or does: the role that the user has in the subscribed service (sR)
We may then define the user identification process as:
aY(sX) = uSr + pWd + sR
where the value aY(sX) is the sum of the multiple dID of the pID:
where pID could be defined as aY and sX is the subscribed system.
Once the identification process is clear, the authentication process becomes even clearer; we may define it as:
aUH = aY(sX) * aUH(YsH)
where aUH is the authentication system, made up of:
- the identification process (aY(sX))
- the protocol/service used (aUH(YsH)), where YsH is the method the authentication system uses to check the identification parameters (e.g. SAML, Kerberos/LDAP, X.509, etc.).
e.g.: Security Assertion Markup Language (SAML, pronounced "sam-el") is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. SAML dates from 2001; the most recent update of SAML is from 2005.
Wikipedia on SAML
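To make the two definitions concrete, here is a small added Python model (my construction, not code from the post): identify() is aY(sX), resolving a claimed uSr to a dID of system sX; authenticate() is aUH, the product of that identification and a protocol check YsH (only a constructed "password" method exists); session_is_live() models the unlocked computer the post ends with. The names follow the post's notation; the salted password hashing and the idle timeout are my assumptions.

```python
# Constructed toy model of the post's notation (not the author's code): a physical
# identity (pID) owns several digital identities (dID), each subscribed to one
# system (sX) with a username uSr, a password pWd and a role sR.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import List, Optional

def _hash(pWd: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pWd.encode(), salt, 50_000)

@dataclass
class DigitalIdentity:
    sX: str                # subscribed system
    uSr: str               # username (the post's ownership factor)
    sR: str                # role in that system (the post's inherence factor)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pwd_hash: bytes = b""  # never store pWd itself, only a salted hash
    def set_password(self, pWd: str) -> None:
        self.pwd_hash = _hash(pWd, self.salt)

@dataclass
class PhysicalIdentity:
    name: str
    dIDs: List[DigitalIdentity] = field(default_factory=list)

def build_directory(pIDs: List[PhysicalIdentity]) -> dict:
    return {(d.sX, d.uSr): d for p in pIDs for d in p.dIDs}  # index every dID by (sX, uSr)

def identify(directory: dict, sX: str, uSr: str) -> Optional[DigitalIdentity]:
    # aY(sX): resolve a claimed username to a dID of sX. This only finds a
    # record; it proves nothing about who is actually typing.
    return directory.get((sX, uSr))

def authenticate(directory: dict, sX: str, uSr: str, pWd: str, YsH: str) -> Optional[dict]:
    # aUH = aY(sX) * aUH(YsH): identification times a protocol check. Only a
    # constructed "password" method exists here; any other YsH makes the product 0.
    dID = identify(directory, sX, uSr)
    if dID is None or YsH != "password":
        return None
    if not hmac.compare_digest(_hash(pWd, dID.salt), dID.pwd_hash):
        return None  # wrong pWd: the knowledge factor does not match
    return {"dID": dID, "sR": dID.sR, "last_seen": time.monotonic()}

def session_is_live(session: dict, idle_limit: float, now: float) -> bool:
    # The "unlocked computer" case: a session that outlives its user is still
    # attributed to the dID, so treat it as dead after idle_limit idle seconds.
    return now - session["last_seen"] <= idle_limit
```

A successful authenticate() proves that the dID's factors were presented, not that the pID behind them is the one holding the keyboard, which is exactly why the idle check matters.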
Now let’s go back to the beginning: what do you know about who is writing this article?
- pID: he typed or dictated this post to a computer
real example: (http://talkingpets.ca/en/speakdog.aspx)
- dID: somehow has access to this blog
real example: (http://www.livescience.com/7423-dogs-computers.html)
- sX: someone (the human me) left the computer unlocked… if you need examples of this, just wait until you are in the office again.
Now the question is for you… am I my dog, or am I who I said I am?