Cryptography Reference
2. Almost all of these approaches require a cryptographic protocol (the subject of
Chapter 9) as part of their implementation.
We now review the main categories of identity information that are used when
providing entity authentication.
SOMETHING THE CLAIMANT HAS
For human users, identity information can be based on something physically
held by the user. This is a familiar technique for providing access control in the
physical world, where the most common identity information of this type is a
physical key. This technique can also be used for providing identity information
in the electronic world. Examples of mechanisms of this type include:
Dumb tokens. By 'dumb' we mean a physical device with limited memory that
can be used to store identity information. Dumb tokens normally require a
reader that extracts the identity information from the token and then indicates
whether the information authenticates the claimant or not.
One example of a dumb token is a plastic card with a magnetic stripe. The
security of the card is based entirely on the difficulty of extracting the identity
information from the magnetic stripe. It is quite easy for anyone determined
enough to either build, or purchase, a reader that can extract or copy this
information. Hence this type of dumb token is quite insecure.
In order to enhance security, it is common to combine the use of a dumb
token with another method of providing identification, such as one based on
something the user knows. For example, in the banking community plastic
cards with magnetic stripes are usually combined with a PIN, which is a piece
of identity information that is required for entity authentication but that is not
stored on the magnetic stripe.
Smart cards. A smart card is a plastic card that contains a chip, which gives the
card a limited amount of memory and processing power. The advantage of this
over a dumb token is that the smart card can store secret data more securely and
can also conduct cryptographic computations. However, like dumb tokens, the
interface with a smart card is normally through an external reader.
Smart cards are widely supported by the banking industry, where most
payment cards now include a chip as well as the conventional magnetic stripe
(see, for example, Section 12.4). Smart cards are also widely used for other
applications, such as electronic ticketing, physical access control, identity cards
(see Section 12.6.3), etc.
Smart tokens. Smart cards are special examples of a wider range of technologies
that we will refer to as smart tokens. Some smart tokens have their own user
interface. This can be used, for example, to enter data such as a challenge
number, for which the smart token can calculate a cryptographic response. We
will discuss an application of this type in Section 8.5.
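The contrast between a dumb token and a smart token that answers a challenge can be shown in a few lines. This is an added example, not code from the book: the class names are hypothetical, and HMAC-SHA256 with a key shared between token and verifier is an assumption standing in for whatever response calculation a real token uses.

```python
import hashlib
import hmac
import secrets

class DumbTokenReader:
    """Reader for a dumb token: it compares the static data read off the token."""
    def __init__(self, enrolled):
        self.enrolled = set(enrolled)

    def authenticate(self, stripe_data: bytes) -> bool:
        return stripe_data in self.enrolled

class SmartToken:
    """Token with processing power: the key stays inside, only responses leave."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Assumption: HMAC-SHA256 stands in for the token's response function.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class SmartTokenVerifier:
    def __init__(self, key: bytes):
        self._key = key
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh and unpredictable
        self._outstanding.add(challenge)
        return challenge

    def authenticate(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already-used challenge
        self._outstanding.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    stripe = b"CONSTRUCTED-CARD-0001"  # constructed sample identity data
    # A byte-for-byte copy of a dumb token is indistinguishable from the original.
    copy_accepted = DumbTokenReader([stripe]).authenticate(bytes(stripe))
    key = secrets.token_bytes(32)
    token, verifier = SmartToken(key), SmartTokenVerifier(key)
    c1 = verifier.new_challenge()
    r1 = token.respond(c1)
    genuine = verifier.authenticate(c1, r1)
    # An observed response is useless against the next, different challenge.
    replayed = verifier.authenticate(verifier.new_challenge(), r1)
    return copy_accepted, genuine, replayed
```

The copied stripe data is accepted because the verifier only ever sees static information, whereas the recorded response fails because each authentication depends on a fresh challenge and a key that never leaves the token.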
All types of smart token (including smart cards) require an interface to
a computer system of some sort. This interface could be a human being or
 