Authentication Basics
An authentic object is genuine and not a counterfeit or an alteration. Authentication is the process of establishing or proving that something is genuine and not a counterfeit or an alteration.
An examination of currency, a bank check or other financial instrument may lead to the conclusion that a financial instrument appears to be authentic and is not a counterfeit. An examination of a ticket may lead to a conclusion of authenticity and an examination of a package or container that carries a product may also lead to a conclusion of authenticity. And based on a picture or physical description an examination of a person may lead to a conclusion of authenticity.
But what is an examination? And what should be examined?
The basis for all authentication is information and it is information about an object which must be examined during authentication. What should a financial instrument, product package or an individual look like? Should there be something unique about a particular financial instrument, ticket, product package or individual? And how thoroughly should or can an object be examined?
Here are the major authentication options:
| |
1) An imprecise Authentication
2) Authentication using a Standard
3) Authentication using Duplicate Information
4) Authentication using a Database of Information
5) Authentication using Authentication Codes
6) Authentication using Digital Signatures
|
1) An Imprecise Authentication
Currency is routinely accepted as
payment based on its look and feel without an extensive analysis of
all of the currency’s security features. Bank checks have many
different formats, styles and appearances but bank checks are also
routinely cashed or accepted for payment if they look like bank
checks.
Packages and containers that carry products are routinely accepted if they look like product packages
and people with an ID card without a picture or physical description are assumed to be legitimate.
This type of authentication may be
acceptable for low value transactions but sometimes a more precise
authentication is required.
2) Authentication using a Standard
Currency's security features are public information and readily available to everyone. So this is the standard for currency authentication.
Before accepting currency one might look for the
expected watermarks, intaglio printing, fluorescent ink and other
known security features.
A person cashing a payroll check might know what that company’s payroll checks
look like and so a comparison between the presented check
and the company’s standard payroll check can be made. Perhaps
the check should contain a “copy protection” feature as well as a
digital watermark or invisible fluorescent ink.
Ticket collectors know what tickets should look like and can accept or reject presented tickets based on that knowledge. One may be aware of an organization's identification cards and product packages and
compare any presented ID card or product package to that standard before completing a
particular transaction.
In some cases however additional
security that can be authenticated may be desirable.
3) Authentication using Duplicate Information
Specific or unique information about
individual payment instruments, packages and containers as well as identification cards can be printed two or more times and this
information can be used for authentication. For example, the payment
instructions printed on a bank check can also be printed on the
check in a two-dimensional barcode. When the check is presented for
payment a comparison of the payment instructions printed on the
check with those contained in the two-dimensional barcode can be
made. If equal the check has passed this authentication test; if not
equal the check has not passed this authentication
test.
This same method can also be used with
other payment instruments, tickets, packages and containers as well as identification cards. The duplicate information can also be
printed with other types of barcodes and other machine readable
languages. The duplicate information can also be hidden in graphics,
pictures and other printing. It can also be printed with invisible
or other specialty inks.
A duplicate information system might
prevent most counterfeits but a professional counterfeiter will probably
be able to create counterfeit duplicate information that will
pass authentication. So additional security that can be
authenticated may be desired.
4) Authentication using a Database of Information
The serial numbers printed on currency might be compared to a list of serial numbers that have already been used on counterfeit currency. If the serial number printed on the currency matches a serial number in the database then the currency might be given a very thorough examination or it might not be accepted.
The information on a bank check might be compared to the check isssuer's record of issued bank checks and if there is no match in the database the check might not be accepted.
Information about tickets and people as well as packages and
containers can also be compared to information contained in
a database.
But sometimes it is not desirable to develop and maintain databases and so authentication systems that don't require databases might be desired.
5) Authentication using Authentication Codes
Instead of comparing an object's actual information to the object's actual information stored in a database it is possible to use authentication codes that are calculated using an object's actual information.
For example a bank check contains
printed payment instructions like the check number, account/bank
number, dollar amount and payee. An authentication code, calculated
using a mathematical algorithm (and key) and the check number,
account/bank number, dollar amount and payee, can also be
printed on that check.
Then when the check is presented
for payment the check number, account/bank number, dollar amount and
payee can be entered into the same algorithm (and key) used to
calculate the authentication code and a ‘new authentication code’ can be
calculated. This ‘new authentication code’ can then be compared to
the authentication code printed on the check. If equal the
check has passed this authentication test; if not equal the check
has not passed this authentication test and is probably a counterfeit or alteration.
Thus when authentication codes are calculated and printed on bank checks it is not necessary to develop and maintain a database of
actual check transaction information; only the algorithm (and
key) is necessary for authentication. See Ethent Views: "Shared Secret Key Authentication" for a more detailed discussion.
Authentication codes can also be
calculated and printed on tickets, packages and containers as well as
identification cards and the information used to calculate the
authentication codes can be authenticated at the appropriate time -
without need of information databases.
For security reasons the algorithm (and
key), used for authentication, should reside on a single secure server or
computer, which can be accessed at the time of authentication. If multiple copies of the algorithm (and key) resided on multiple computers or servers there would be an increased possibility that someone might use one of the copies to create counterfeit authentication codes which would pass the authentication tests.
If it is necessary or desirable to have multiple authentication sites then a different authentication
system where the algorithm (and key) can reside on an unlimited
number of computers or servers without fear that someone will create counterfeit authentication codes which will pass the authentication tests.
6) Authentication using Digital Signatures
Digital signatures, in place of authentication codes, can be calculated
and then printed on financial instruments, tickets, packages and containers as well as
identification cards. Digital signatures, rather than authenication codes, can then be used to authenticate information.
In a Digital Signature system the key used to calculate a digital
signature is different from the key used to authenticate a digital signature and the authentication key cannot be used to calculate a digital signature which will pass the authentication tests. Therefore the authentication key can be available to everyone because no one with the authentication key can create a digital signature which will pass authentication.
See Ethent Views: "Public Key
Authentication" for a more complete
discussion of the use of multiple keys in authentication systems.
Ethent Views
1) The probability of attempted fraud, the cost of adding
security and the cost of authentication must be considered before an
authentication system is selected.
2) Security systems that include multiple layers of authentication can be used to secure
financial instruments, tickets, packages and containers as well as identification systems.