Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 17 Dec 2017 14:21:22 -0500
From: "Denny O'Breham" <obreham@...il.com>
To: passwords@...ts.openwall.com
Subject: Re: Authentication vs identification

«if we roll back a little to:
auth is a mutual activity (all parties are actively involved)
then the principal difference really shines:
i am the only man knowing my password (secret key)
therefore my active participation is REQUIRED for auth.»

Maybe we don't have the same definitions of "mutual activity" and
"active participation", but I can't see how this doesn't apply to
identification.

I will revise my previous definitions of identification and authentication:

Identification:  A user shares a piece of information with a server
that will recognize it.  It MUST be unique to the user.  Others can be
aware of that piece of information, but it is not a requirement (It
can be kept secret by both the user and the server).

Authentication: An identified user shares a piece of information with
a server that will recognize it.  It MUST be known to only the user
and the server.  It SHOULD be very difficult to guess.  It can be
unique, but that is not a requirement.

Note how the server MUST know the secret piece of information too, not
only the user.  The fact that it is usually one-way encrypted has
nothing to do with it.  It just better guarantees the secrecy, but you
can still authenticate with password written in clear in a database.
If someone can guarantee no one will access the database and that
steps have been taken to prevent guessing a password, then it is still
a valid authentication. (Although, I don't think there are any methods
that can do it better than encryption right now.)

If a single piece of information is both unique to the user and kept
secret by both the user and the server, then it can identify and
authenticate in a single action, like in this case you presented:

«some idiots love "password only" auth,
which makes the entire system vulnerable to password guessing,
as the system will match my guessed password against ALL known
passwords, thus doing the bulk of the attack in my stead.»

An authentication process that is vulnerable is still authentication.
It just has a lower level of confidence.  So the fact that passwords
are easy to guess (easy for whom?) is irrelevant for what defines
authentication.

The ID part is easy (linking a unique piece of information to a user).
The problems related to authentication is keeping the information
secret (by both the user and server) and/or making this information
impossible to guess.  Some methods of authentication are just better
than others with that regard and it seems that none are perfect.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.