Electronic authentication
Electronic authentication (E-authentication) is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over a network, for the purpose of electronic government and commerce.

E-Authentication Model

E-authentication is the process of establishing confidence in user identities electronically presented to an information system. Systems can use the authenticated identity to determine whether that individual is authorized to perform an electronic transaction. In most cases, the authentication and transaction take place across an open network such as the Internet; in some cases, however, access to the network may be limited, and access control decisions may take this into account.
E-authentication begins with registration. An applicant applies to a Registration Authority (RA) to become a subscriber of a Credential Service Provider (CSP) and, as a subscriber, is issued or registers a secret, called a token, and a credential that binds the token to a name and possibly other attributes that the RA has verified. The token and credential may be used in subsequent authentication events.
The subscriber’s name may either be a verified name or a pseudonym. A verified name is associated with the identity of a real person and before an applicant can receive credentials or register a token associated with a verified name, he or she must demonstrate that the identity is a real identity, and that he or she is the person who is entitled to use that identity. This process is called identity proofing, and is performed by an RA that registers subscribers with the CSP.
When a claimant successfully demonstrates possession and control of a token in an on-line authentication to a verifier through an authentication protocol, the verifier can verify that the claimant is the subscriber. The verifier passes on an assertion about the identity of the subscriber to the relying party. That assertion includes identity information about a subscriber, such as the subscriber name, an identifier assigned at registration, or other subscriber attributes that were verified in the registration process (subject to the policies of the CSP and the needs of the application). Where the verifier is also the relying party, the assertion may be implicit. In addition, the subscriber’s identifying information may be incorporated in credentials (e.g., public key certificates) made available by the claimant. The relying party can use the authenticated information provided by the verifier/CSP to make access control or authorization decisions.

Subscribers, RAs and CSPs

In the conceptual e-authentication model, a claimant in an authentication protocol is a subscriber to some CSP. At some point, an applicant registers with an RA, which verifies the identity of the applicant, typically through the presentation of paper credentials and by records in databases. This process is called identity proofing. The RA, in turn, vouches for the identity of the applicant (and possibly other verified attributes) to a CSP. The applicant then becomes a subscriber of the CSP.
The CSP establishes a mechanism to uniquely identify each subscriber and the associated tokens and credentials issued to that subscriber.
There is always a relationship between the RA and CSP. In the simplest and perhaps the most common case, the RA/CSP are separate functions of the same entity. However, an RA might be part of a company or organization that registers subscribers with an independent CSP, or several different CSPs. Therefore a CSP may have an integral RA, or it may have relationships with multiple independent RAs, and an RA may have relationships with different CSPs as well.

Tokens

Tokens generically are something the claimant possesses and controls that may be used to authenticate the claimant’s identity. In e-authentication, the claimant authenticates to a system or application over a network. Therefore, a token used for e-authentication is a secret and the token must be protected. The token may, for example, be a cryptographic key that is protected by encrypting it under a password. An impostor must both steal the encrypted key and learn the password to use the token.
Authentication systems are often categorized by the number of factors that they incorporate. The three factors often considered as the cornerstone of authentication are:
• Something you know (for example, a password)
• Something you have (for example, an ID badge or a cryptographic key)
• Something you are (for example, a voice print or other biometric)

Electronic Credentials

Paper credentials are documents that attest to the identity or other attributes of an individual or entity called the subject of the credentials. Some common paper credentials include passports, birth certificates, driver’s licenses, and employee identity cards. The credentials themselves are authenticated in a variety of ways: traditionally perhaps by a signature or a seal, special papers and inks, high quality engraving, and today by more complex mechanisms, such as holograms, that make the credentials recognizable and difficult to copy or forge. In some cases, simple possession of the credentials is sufficient to establish that the physical holder of the credentials is indeed the subject of the credentials. More commonly, the credentials contain biometric information such as the subject’s description, a picture of the subject or the handwritten signature of the subject that can be used to authenticate that the holder of the credentials is indeed the subject of the credentials. When these paper credentials are presented in person, the biometrics contained in those credentials can be checked to confirm that the physical holder of the credential is the subject.
Electronic identity credentials bind a name and perhaps other attributes to a token. The model does not prescribe particular kinds of electronic credentials. There are a variety of electronic credential types in use today, and new types of credentials are constantly being created. At a minimum, credentials include identifying information that permits recovery of the records of the registration associated with the credentials and a name that is associated with the subscriber.

Verifiers

In any authenticated on-line transaction, the verifier must verify that the claimant has possession and control of the token that verifies his or her identity. A claimant authenticates his or her identity to a verifier by the use of a token and an authentication protocol. This is called Proof of Possession (PoP). Many PoP protocols are designed so that a verifier, with no knowledge of the token before the authentication protocol run, learns nothing about the token from the run. The verifier and CSP may be the same entity, the verifier and relying party may be the same entity or they may all three be separate entities. It is undesirable for verifiers to learn shared secrets unless they are a part of the same entity as the CSP that registered the tokens. Where the verifier and the relying party are separate entities, the verifier must convey the result of the authentication protocol to the relying party. The object created by the verifier to convey this result is called an assertion.
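The model described above (registration with a CSP, a claimant proving possession of a token to a verifier through an authentication protocol, and the verifier conveying the result to a relying party as an assertion) can be shown end to end in a few dozen lines. The following is an added example written for this page, not code from the source article or from any standard: it uses an HMAC challenge-response as the proof-of-possession protocol, so the verifier must hold the shared secret and is therefore modelled as the same entity as the CSP, which is the case the text identifies as acceptable for shared secrets. The class and function names, the relying-party key, the audience string, the lifetimes, and the subscriber "Alice Example" are all assumptions made for the example.

```python
"""E-authentication walk-through: register, prove possession, assert.

Added example for this page; all names, keys, and sample data are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time


def claimant_response(token: bytes, nonce: bytes) -> bytes:
    """Claimant side: answers the verifier's challenge with HMAC(token, nonce).
    The token itself never leaves the claimant; only the keyed digest does."""
    return hmac.new(token, nonce, hashlib.sha256).digest()


class CredentialServiceProvider:
    """CSP that also acts as verifier (it must know the shared-secret token).

    Identity proofing is assumed to have been done by an RA before register()
    is called; this class only issues the token and the credential record."""

    def __init__(self, rp_key: bytes):
        self._tokens = {}        # subscriber_id -> token (the shared secret)
        self._credentials = {}   # subscriber_id -> credential binding name to token
        self._challenges = {}    # nonce -> (subscriber_id, expiry); single use
        self._rp_key = rp_key    # key shared with the relying party (assumed out of band)

    def register(self, verified_name: str, now=None) -> tuple:
        """Issue a fresh token and a credential binding it to the verified name.
        Returns (subscriber_id, token); the token is handed to the subscriber only."""
        now = time.time() if now is None else now
        subscriber_id = secrets.token_hex(8)
        token = secrets.token_bytes(32)
        self._tokens[subscriber_id] = token
        self._credentials[subscriber_id] = {
            "subscriber_id": subscriber_id,
            "name": verified_name,
            "registered_at": now,
        }
        return subscriber_id, token

    def challenge(self, subscriber_id: str, now=None, ttl: float = 60.0) -> bytes:
        """Issue a fresh, single-use nonce so a captured response cannot be replayed."""
        if subscriber_id not in self._tokens:
            raise KeyError("unknown subscriber")
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self._challenges[nonce] = (subscriber_id, now + ttl)
        return nonce

    def verify(self, subscriber_id: str, nonce: bytes, response: bytes, now=None):
        """Proof of possession check. Returns a keyed assertion on success, else None."""
        now = time.time() if now is None else now
        entry = self._challenges.pop(nonce, None)     # consume: each nonce works once
        if entry is None or entry[0] != subscriber_id or now > entry[1]:
            return None                                # unknown, mismatched or expired
        expected = claimant_response(self._tokens[subscriber_id], nonce)
        if not hmac.compare_digest(expected, response):  # constant-time comparison
            return None
        cred = self._credentials[subscriber_id]
        body = {"sub": subscriber_id, "name": cred["name"],
                "iat": now, "exp": now + 300, "aud": "example-rp"}
        payload = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._rp_key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload.decode(), "tag": tag}


def relying_party_accepts(assertion: dict, rp_key: bytes, now=None, audience="example-rp"):
    """Relying party: check integrity, audience and freshness before trusting the
    identity the assertion carries. Returns (subscriber_id, name) or None."""
    now = time.time() if now is None else now
    payload = assertion["payload"].encode()
    expected = hmac.new(rp_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["tag"]):
        return None                                   # forged or tampered assertion
    body = json.loads(payload)
    if body.get("aud") != audience or now > body["exp"]:
        return None                                   # wrong recipient or stale
    return body["sub"], body["name"]


def run_demo() -> bool:
    """Full happy path with a fixed clock; returns True when the RP accepts."""
    rp_key = b"constructed-rp-key"
    csp = CredentialServiceProvider(rp_key)
    sid, token = csp.register("Alice Example", now=1000)
    nonce = csp.challenge(sid, now=1000)
    assertion = csp.verify(sid, nonce, claimant_response(token, nonce), now=1001)
    return assertion is not None and \
        relying_party_accepts(assertion, rp_key, now=1002) == (sid, "Alice Example")


if __name__ == "__main__":
    print("relying party accepted:", run_demo())
```

Two properties of the text are visible in the code: the nonce is popped on first use, so replaying a captured response fails, and the relying party never sees the token, only a keyed assertion carrying the subscriber identifier and verified name. The page's remark that many PoP protocols let a verifier learn nothing about the token does not hold for this HMAC variant, where the verifier must hold the secret; achieving it requires a public-key protocol (the claimant signs the nonce and the verifier holds only the public key), which is why the text ties shared secrets to the verifier being the CSP.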
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.