Cryptography Reference
a processor connected to a reader. As with dumb tokens, smart tokens are
often implemented alongside another identification method, typically based
on something that the user knows.
SOMETHING THE CLAIMANT IS
One of the highest profile, and most controversial, methods of providing identity
information is to base it on physical characteristics of the claimant, which in this
case is normally a human user. The field of biometrics is devoted to developing
techniques for user identification that are based on physical characteristics of the
human body.
A biometric mechanism typically converts a physical characteristic into a
digital code that is stored on a database. When the user is physically presented
for identification, the physical characteristic is measured by a reader, digitally
encoded, and then compared with the template code on the database. Biometric
measurements are often classified as being either:
Static, because they measure unchanging features such as fingerprints, hand
geometry, face structure, retina and iris patterns.
Dynamic, because they measure features that (slightly) change each time that they
are measured, such as voice, writing and keyboard response times.
Identification based on biometrics is a compelling approach for human users
because many biometric characteristics appear to be fairly effective at separating
individuals. However, there are many implementation issues: technical,
practical and sociological. Hence biometric techniques need to be adopted with
care.
We will not discuss biometrics any further here since they are of peripheral
relevance to cryptography. We recognise biometrics primarily as a potentially
useful source of identity information.
SOMETHING THE CLAIMANT KNOWS
Basing identity information, at least partially, on something that is known to the
claimant is a very familiar technique. Common examples of this type of identity
information include PINs, passwords and passphrases. This is the technique most
immediately relevant to cryptography since identity information of this type, as
soon as it is stored anywhere on a device, shares many of the security issues of a
cryptographic key.
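The following added example (not part of the original text) treats a stored passphrase like key material: the device keeps only a salted, deliberately slow verifier, and a guessing-space estimate shows how far memorable secrets fall short of a strong key. The 128-bit target, the PBKDF2 iteration count, the alphabet sizes and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os

KEY_BITS = 128            # assumed strength of a "strong" symmetric key
PBKDF2_ROUNDS = 200_000   # assumed work factor; tune to the device


def secret_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on guessing entropy, assuming uniformly random symbols."""
    return length * math.log2(alphabet_size)


def enroll(secret: str) -> tuple[bytes, bytes]:
    """Return (salt, verifier): what the device stores instead of the secret."""
    salt = os.urandom(16)  # per-user salt stops precomputed guessing tables
    verifier = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, verifier


def verify(secret: str, salt: bytes, verifier: bytes) -> bool:
    """Re-derive from the claimed secret and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, verifier)


def compare_to_key() -> dict[str, float]:
    """Guessing space, in bits, of typical memorised secrets versus a key."""
    return {
        "4-digit PIN": secret_bits(10, 4),
        "8-char password (94 printable)": secret_bits(94, 8),
        "5-word passphrase (7776-word list)": secret_bits(7776, 5),
        f"{KEY_BITS}-bit key": float(KEY_BITS),
    }


if __name__ == "__main__":
    salt, verifier = enroll("constructed sample passphrase")
    print("accepted:", verify("constructed sample passphrase", salt, verifier))
    for name, bits in compare_to_key().items():
        print(f"{name:36s} {bits:6.1f} bits")
```

The figures are upper bounds: secrets chosen by people are rarely uniformly random, so the real guessing space is usually smaller.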
Indeed, in many applications, identity information of this type often is a
cryptographic key. However, strong cryptographic keys are usually far too long
for a human user to remember and hence 'know'. There is some good news and
some potentially bad news concerning the use of cryptographic keys as identity
information:
1. Most information systems consist of networks of devices and computers. These
machines are much better at 'remembering' cryptographic keys than humans!
 