that we do know the source of the voice data. This, though, is not an example
of data origin authentication without data integrity. Even if the speaker's voice is
recognisable, since an attacker could be inserting noise into the broken message
signal we cannot be certain that all the data we receive has come from the speaker
whose voice we recognise. Data origin authentication must apply to the entire
received message, not just parts of it.
Note that in almost all environments where we wish to detect deliberate
modification of data, we will require data origin authentication. The weaker notion
of data integrity without data origin authentication is normally only required in
situations where the sole integrity concern is accidental modification of data.
NON-REPUDIATION OF A SOURCE IS A STRONGER NOTION THAN DATA ORIGIN AUTHENTICATION
We have to be slightly careful when making statements about non-repudiation,
since this security service can be applied in different situations. However, when
applied to the source of some data (which is the context that we will focus on
in this topic) then it is clear that non-repudiation cannot be provided without
data origin authentication (and hence data integrity) also being provided. We
can only bind the source to the data, in a manner that cannot be later denied, if
we have assurance that the data itself is from that source. As noted earlier,
non-repudiation also typically requires this binding to be verifiable by a third party,
which is a stronger requirement than that for data origin authentication.
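The three distinctions above (integrity without origin authentication, origin authentication covering the whole message, and non-repudiation needing third-party verifiability) can be seen concretely in code. The following is an added example, not code from the book; it assumes HMAC-SHA256 as the MAC, a constructed key `SHARED_KEY` held by Alice and Bob but not by the attacker, and constructed messages.

```python
import hashlib
import hmac

# Constructed example values (not from the book).  The key is shared by the
# sender (Alice) and the receiver (Bob); the attacker on the channel does not hold it.
SHARED_KEY = b"example-shared-key-not-from-the-book"


def checksum(message: bytes) -> bytes:
    """Unkeyed hash: detects accidental modification, but anyone can recompute it."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed MAC (HMAC-SHA256): only a holder of the key can compute a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def checksum_ok(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(checksum(message), digest)


def mac_ok(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)


def accepted_after_tampering(keyed: bool) -> bool:
    """Alice sends a message protected by a checksum (keyed=False) or a MAC
    (keyed=True).  An attacker without SHARED_KEY rewrites it in transit.
    Returns True if Bob's check still passes, i.e. the change goes undetected."""
    original = b"PAY 10 TO BOB"
    tampered = b"PAY 1000 TO EVE"
    if keyed:
        tag = mac(SHARED_KEY, original)
        # The attacker cannot recompute the tag; the best it can do is forward Alice's.
        return mac_ok(SHARED_KEY, tampered, tag)
    # The attacker discards Alice's digest and recomputes the unkeyed hash itself:
    # integrity checking alone says nothing about who produced the data.
    forged_digest = checksum(tampered)
    return checksum_ok(tampered, forged_digest)


def accepted_with_partial_coverage(cover_whole_message: bool) -> bool:
    """Data origin authentication must apply to the entire message.  If Alice
    MACs only the header, the attacker can alter the body unnoticed."""
    header = b"From: alice@example.com\r\n"
    body = b"Please pay 10 to Bob"
    covered = header + body if cover_whole_message else header
    tag = mac(SHARED_KEY, covered)
    # Attacker leaves header and tag untouched and alters only the body.
    body = b"Please pay 1000 to Eve"
    covered_at_receiver = header + body if cover_whole_message else header
    return mac_ok(SHARED_KEY, covered_at_receiver, tag)


def third_party_can_attribute_mac() -> bool:
    """Non-repudiation needs a binding a third party can verify.  Bob holds the
    same key as Alice, so a tag Bob presents as Alice's is bit-for-bit identical
    to one Bob could have produced himself; a judge cannot tell them apart."""
    message = b"I, Alice, owe Bob 1000"
    tag_claimed_from_alice = mac(SHARED_KEY, message)
    tag_bob_could_forge = mac(SHARED_KEY, message)
    return not hmac.compare_digest(tag_claimed_from_alice, tag_bob_could_forge)


if __name__ == "__main__":
    print("checksum, tampered, accepted:", accepted_after_tampering(keyed=False))
    print("MAC, tampered, accepted:     ", accepted_after_tampering(keyed=True))
    print("header-only MAC accepted:    ", accepted_with_partial_coverage(False))
    print("whole-message MAC accepted:  ", accepted_with_partial_coverage(True))
    print("judge can attribute MAC:     ", third_party_can_attribute_mac())
```

The last function is the point of the section: a MAC gives Bob data origin authentication (and hence integrity), but because the key is shared it cannot give non-repudiation; that needs a binding only Alice could have made, which is what a digital signature provides.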
DATA ORIGIN AUTHENTICATION AND ENTITY AUTHENTICATION ARE DIFFERENT
Data origin authentication and entity authentication are different security
services. The best way to see this is to look at applications that require one,
but not the other.
Data origin authentication is useful in situations where one entity is forwarding
information on behalf of another, for example, in the transmission of an
email message over a public network. Entity authentication is unlikely to be
meaningful in this case since there may be significant delays between the time
that the message is sent, the time that the message is received and the time that
the message is actually read. However, whenever the message is read we would
like assurance of the identity of the creator of the email. This is provided by data
origin authentication.
On the other hand, entity authentication is the main security service required
when accessing resources. A user logging on to a computer is required to
provide real-time evidence of their identity. Normally, entity authentication is
provided either by presenting a credential (such as a password) or performing
a cryptographic computation. In both cases, entity authentication is provided by
demonstrating an ability to conduct this process correctly and does not necessarily
require the origin of any data to be checked.
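To make the two services concrete, here is an added example (not from the book) with both of the applications just described: a challenge-response logon that provides real-time entity authentication without authenticating any data, and a MAC-protected email that is relayed and only verified when read. It assumes HMAC-SHA256 for both the challenge response and the message tag, and two constructed keys, `LOGIN_KEY` and `EMAIL_KEY`.

```python
import hashlib
import hmac
import secrets

# Constructed keys (not from the book): one shared between a user and the
# server it logs on to, one shared between an email's author and its reader.
LOGIN_KEY = b"example-login-key-not-from-the-book"
EMAIL_KEY = b"example-email-key-not-from-the-book"


class LoginServer:
    """Challenge-response entity authentication.  The user proves, right now,
    that it can compute the keyed response to a fresh random challenge; no
    message content is authenticated, only the ability to perform the process."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.outstanding = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)  # fresh per attempt: this is what makes the evidence real-time
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:
            return False  # unknown or already-used challenge, e.g. a replayed exchange
        self.outstanding.discard(nonce)  # each challenge is answerable once
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def user_response(key: bytes, nonce: bytes) -> bytes:
    """The user's side of the logon: a cryptographic computation on the challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def live_login_accepted() -> bool:
    server = LoginServer(LOGIN_KEY)
    nonce = server.challenge()
    return server.verify(nonce, user_response(LOGIN_KEY, nonce))


def replayed_login_accepted() -> bool:
    """An eavesdropper who recorded one genuine exchange presents it again later.
    Entity authentication demands evidence of identity now, so this must fail."""
    server = LoginServer(LOGIN_KEY)
    nonce = server.challenge()
    recorded = user_response(LOGIN_KEY, nonce)
    server.verify(nonce, recorded)         # the genuine user logs in
    return server.verify(nonce, recorded)  # the recording is replayed


def authored_email(body: bytes):
    """Data origin authentication: the author MACs the message once; the tag
    travels with the message through any number of relays and delays."""
    return body, hmac.new(EMAIL_KEY, body, hashlib.sha256).digest()


def relay(message: bytes, tag: bytes):
    """A mail server forwarding on the author's behalf.  It holds no key and is
    not authenticated as an entity; it simply passes the pair along."""
    return message, tag


def reader_verifies(message: bytes, tag: bytes) -> bool:
    """Run whenever the message is eventually read; no liveness is involved."""
    expected = hmac.new(EMAIL_KEY, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    print("live logon accepted:    ", live_login_accepted())
    print("replayed logon accepted:", replayed_login_accepted())
    msg, tag = relay(*authored_email(b"Meeting moved to 3pm"))
    print("email verified when read:", reader_verifies(msg, tag))
    print("altered email verified:  ", reader_verifies(msg + b"!", tag))
```

Note what each check tells the verifier: the logon server learns only that the party on the other end, at this moment, holds `LOGIN_KEY`; the reader learns that the message body, whenever it arrives and whoever delivered it, was created by a holder of `EMAIL_KEY`, but nothing about who is currently online.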