1 An icsa white Paper

IA&A on the WWW 
_____________________________________________________________________________________________ 
_____________________________________________________________________________________________ 
Copyright © 1997 M. E. Kabay & ICSA. All rights reserved. Page 8 of 33
The classic methods for correlating virtual and physical identities in cyberspace are parallel to 
methods used for authenticating human beings in the physical world. The four categories of 
authenticating information are: 
What you know -- the password or passphrase, for example; 
What you do -- e.g., how one signs one's name or speaks; 
What you are -- e.g., one's face or other biometric attributes such as fingerprints; 
What you have -- e.g., a token such as a key or a certificate such as a driver's license. 
All of these categories of authentication are used in cyberspace. The last example is particularly 
interesting: certificates play a crucial role in authenticating people (or programs or machines) in 
the world of e-commerce. The driver's license, for example, if assumed to be real, tells a 
merchant that at some time in the past, a certification authority -- the issuing department of 
motor vehicles -- has undertaken some measures to ensure that the information on the license is 
(or was) correct. In cyberspace, verifying the legitimacy of a certificate can be easier than in real 
space. 
Authentication leads to an related concept, that of 
non-repudiation.
A formal definition of non-
repudiation is "Method by which the sender of data is provided with proof of delivery and the 
recipient is assured of the sender's identity, so that neither can later deny having processed the 
data." Non-repudiation, as we shall see in the section below on encryption, depends on asserting 
that authenticity has not been violated when identifying the source of that transaction or 
message.

Download 250,94 Kb.

Do'stlaringiz bilan baham: