Authentication versus Identification
Talking to a friend over a pint this weekend, the subject of authentication versus identification came up. I was surprised that he didn't know the difference so here's a brief explanation of how I see it: authentication tells you something (or someone) is what (or who) you have been told it (or they) are; identification tells you what (or who) something (or someone is).
When you apply this to the farcical National ID Card scheme the gubmint is intent on implementing you can start to see why authentication is more secure than identification. Suppose I have one of these ID cards and someone steals it. Assuming they will be able to read the data on the card (and seeing as the gubmint can, they will) they will know my name, address, age, height and so on. What if that someone steals it off me at the airport? They will then have a fair guess that nobody will be home for a week or so. So they cruise around, break in, and take their pick of all my belongings.
Now imagine the card can only authenticate who I say I am. Someone steals it. What will they know? They'd have to guess triliions of names, addresses, ages etc. combinations and keep testing the card to see which one authenticates. In fact, it'd take them so long to ever come up with the right combination they are more likely to be dead from old age than extracting all my possessions from my house.
Authentication instead of Identification is entirely possible: you take all the vital details that form your identity and you encrypt them (one way encryption, of course) and maybe encrypt that several times more. No feasible way to go backwards from an encrypted key to the original data that the key represents, you now have a magic key that only you can turn.
This is one of the many things that is wrong with the National ID Card scheme. We are going to be made to pay hundreds each to have a piece of card that makes your identity less secure. All the substantial benefits touted in favour of the scheme can be achieved with authentication, and some of the major problems can be avoided with authentication instead of identification.
When you apply this to the farcical National ID Card scheme the gubmint is intent on implementing you can start to see why authentication is more secure than identification. Suppose I have one of these ID cards and someone steals it. Assuming they will be able to read the data on the card (and seeing as the gubmint can, they will) they will know my name, address, age, height and so on. What if that someone steals it off me at the airport? They will then have a fair guess that nobody will be home for a week or so. So they cruise around, break in, and take their pick of all my belongings.
Now imagine the card can only authenticate who I say I am. Someone steals it. What will they know? They'd have to guess triliions of names, addresses, ages etc. combinations and keep testing the card to see which one authenticates. In fact, it'd take them so long to ever come up with the right combination they are more likely to be dead from old age than extracting all my possessions from my house.
Authentication instead of Identification is entirely possible: you take all the vital details that form your identity and you encrypt them (one way encryption, of course) and maybe encrypt that several times more. No feasible way to go backwards from an encrypted key to the original data that the key represents, you now have a magic key that only you can turn.
This is one of the many things that is wrong with the National ID Card scheme. We are going to be made to pay hundreds each to have a piece of card that makes your identity less secure. All the substantial benefits touted in favour of the scheme can be achieved with authentication, and some of the major problems can be avoided with authentication instead of identification.
Leave a comment