Who Goes There?
Authentication Through the Lens of Privacy
Committee on Authentication Technologies and
Their Privacy Implications
Computer Science and Telecommunications Board
Division on Engineering and Physical Sciences
NATIONAL RESEARCH COUNCIL
OF THE NATIONAL ACADEMIES
Stephen T. Kent and Lynette I. Millett, Editors
THE NATIONAL ACADEMIES PRESS
Washington, D.C.
www.nap.edu
THE NATIONAL ACADEMIES PRESS 500 Fifth Street, N.W. Washington, DC 20001
NOTICE: The project that is the subject of this report was approved by the
Governing Board of the National Research Council, whose members are drawn
from the councils of the National Academy of Sciences, the National Academy of
Engineering, and the Institute of Medicine. The members of the committee re-
sponsible for the report were chosen for their special competences and with re-
gard for appropriate balance.
This study was supported by Office of Naval Research Grant Number N00014-00-1-
0855, National Science Foundation Grant Number ANI-0090219, General Services
Administration Purchase Order Number GSOOCOOAM00228, Social Security Ad-
ministration Purchase Order Number 0440-01-50677, and Federal Chief Informa-
tion Officers Council Award Number GSOOCOOAM00228. The Vadasz Family
Foundation gave supplemental funding. Any opinions, findings, conclusions, or
recommendations expressed in this publication are those of the author(s) and do
not necessarily reflect the views of the organizations or agencies that provided
support for the project.
International Standard Book Number 0-309-08896-8 (Book)
International Standard Book Number 0-309-52654-X (PDF)
Cover designed by Jennifer M. Bishop.
Additional copies of this report are available from the National Academies Press,
500 Fifth Street, N.W., Lockbox 285, Washington, DC 20055; (800) 624-6242 or
(202) 334-3313 (in the Washington metropolitan area); Internet, http://www.nap.edu.
Copyright 2003 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
THE NATIONAL ACADEMIES
Advisers to the Nation on Science, Engineering, and Medicine
The National Academy of Sciences is a private, nonprofit, self-perpetuating soci-
ety of distinguished scholars engaged in scientific and engineering research, dedi-
cated to the furtherance of science and technology and to their use for the general
welfare. Upon the authority of the charter granted to it by the Congress in 1863,
the Academy has a mandate that requires it to advise the federal government on
scientific and technical matters. Dr. Bruce M. Alberts is president of the National
Academy of Sciences.
The National Academy of Engineering was established in 1964, under the charter
of the National Academy of Sciences, as a parallel organization of outstanding
engineers. It is autonomous in its administration and in the selection of its mem-
bers, sharing with the National Academy of Sciences the responsibility for advis-
ing the federal government. The National Academy of Engineering also sponsors
engineering programs aimed at meeting national needs, encourages education
and research, and recognizes the superior achievements of engineers. Dr. Wm. A.
Wulf is president of the National Academy of Engineering.
The Institute of Medicine was established in 1970 by the National Academy of
Sciences to secure the services of eminent members of appropriate professions in
the examination of policy matters pertaining to the health of the public. The
Institute acts under the responsibility given to the National Academy of Sciences
by its congressional charter to be an adviser to the federal government and, upon
its own initiative, to identify issues of medical care, research, and education.
Dr. Harvey V. Fineberg is president of the Institute of Medicine.
The National Research Council was organized by the National Academy of Sci-
ences in 1916 to associate the broad community of science and technology with
the Academy's purposes of furthering knowledge and advising the federal gov-
ernment. Functioning in accordance with general policies determined by the
Academy, the Council has become the principal operating agency of both the
National Academy of Sciences and the National Academy of Engineering in pro-
viding services to the government, the public, and the scientific and engineering
communities. The Council is administered jointly by both Academies and the
Institute of Medicine. Dr. Bruce M. Alberts and Dr. Wm. A. Wulf are chair and
vice chair, respectively, of the National Research Council.
www.national-academies.org
COMMITTEE ON AUTHENTICATION TECHNOLOGIES AND
THEIR PRIVACY IMPLICATIONS
STEPHEN T. KENT, BBN Technologies, Chair
MICHAEL ANGELO, Compaq Computer Corporation
STEVEN BELLOVIN, AT&T Labs Research
BOB BLAKLEY, IBM Tivoli Software
DREW DEAN, SRI International
BARBARA FOX, Microsoft Corporation
STEPHEN H. HOLDEN, University of Maryland, Baltimore
DEIRDRE MULLIGAN, University of California, Berkeley
JUDITH S. OLSON, University of Michigan
JOE PATO, HP Labs Cambridge
RADIA PERLMAN, Sun Microsystems
PRISCILLA M. REGAN, George Mason University
JEFFREY SCHILLER, Massachusetts Institute of Technology
SOUMITRA SENGUPTA, Columbia University
JAMES L. WAYMAN, San Jose State University
DANIEL J. WEITZNER, Massachusetts Institute of Technology
Staff
LYNETTE I. MILLETT, Study Director and Program Officer
JENNIFER M. BISHOP, Senior Project Assistant (beginning October 2001)
SUZANNE OSSA, Senior Project Assistant (through September 2001)
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
DAVID D. CLARK, Massachusetts Institute of Technology, Chair
ERIC BENHAMOU, 3Com Corporation
DAVID BORTH, Motorola Labs
JOHN M. CIOFFI, Stanford University
ELAINE COHEN, University of Utah
W. BRUCE CROFT, University of Massachusetts, Amherst
THOMAS E. DARCIE, AT&T Labs Research
JOSEPH FARRELL, University of California, Berkeley
JOAN FEIGENBAUM, Yale University
WENDY KELLOGG, IBM T.J. Watson Research Center
HECTOR GARCIA-MOLINA, Stanford University
BUTLER LAMPSON (emeritus), Microsoft Corporation
DAVID LIDDLE, U.S. Venture Partners
TOM M. MITCHELL, Carnegie Mellon University
DAVID A. PATTERSON, University of California, Berkeley
HENRY (HANK) PERRITT, Illinois Institute of Technology
DANIEL PIKE, Classic Communications
FRED B. SCHNEIDER, Cornell University
ERIC SCHMIDT, Google, Inc.
BURTON SMITH, Cray Inc.
LEE S. SPROULL, New York University
WILLIAM STEAD, Vanderbilt University
JEANNETTE M. WING, Carnegie Mellon University
MARJORY S. BLUMENTHAL, Director
HERBERT S. LIN, Senior Scientist
ALAN S. INOUYE, Senior Program Officer
JON EISENBERG, Senior Program Officer
LYNETTE I. MILLETT, Program Officer
CYNTHIA A. PATTERSON, Program Officer
STEVEN WOO, Dissemination Officer
JANET BRISCOE, Administrative Officer
RENEE HAWKINS, Financial Associate
DAVID PADGHAM, Research Associate
KRISTEN BATCH, Research Associate
PHIL HILLIARD, Research Associate
MARGARET HUYNH, Senior Project Assistant
DAVID DRAKE, Senior Project Assistant
JANICE SABUDA, Senior Project Assistant
JENNIFER M. BISHOP, Senior Project Assistant
BRANDYE WILLIAMS, Staff Assistant
NOTE: For more information on CSTB, see its Web site at ; write to
CSTB, National Research Council, 500 Fifth Street, N.W., Washington, DC 20418; call at (202)
334-2605; or e-mail the CSTB at cstb@nas.edu.
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
DAVID D. CLARK, Massachusetts Institute of Technology, Chair
ERIC BENHAMOU, 3Com Corporation
ELAINE COHEN, University of Utah
THOMAS E. DARCIE, University of Victoria
MARK E. DEAN, IBM Thomas J. Watson Research Center
JOSEPH FARRELL, University of California, Berkeley
JOAN FEIGENBAUM, Yale University
HECTOR GARCIA-MOLINA, Stanford University
RANDY H. KATZ, University of California, Berkeley
WENDY A. KELLOGG, IBM Thomas J. Watson Research Center
SARA KIESLER, Carnegie Mellon University
BUTLER W. LAMPSON, Microsoft Corporation, CSTB member emeritus
DAVID LIDDLE, U.S. Venture Partners
TERESA H. MENG, Stanford University
TOM M. MITCHELL, Carnegie Mellon University
DANIEL PIKE, GCI Cable and Entertainment
ERIC SCHMIDT, Google Inc.
FRED B. SCHNEIDER, Cornell University
BURTON SMITH, Cray Inc.
WILLIAM STEAD, Vanderbilt University
ANDREW J. VITERBI, Viterbi Group, LLC
JEANNETTE M. WING, Carnegie Mellon University
ALAN S. INOUYE, Interim Executive Director
JON EISENBERG, Interim Assistant Director
KRISTEN BATCH, Research Associate
JENNIFER M. BISHOP, Senior Project Assistant
JANET BRISCOE, Administrative Officer
DAVID DRAKE, Senior Project Assistant
RENEE HAWKINS, Financial Associate
PHIL HILLIARD, Research Associate
MARGARET MARSH HUYNH, Senior Project Assistant
HERBERT S. LIN, Senior Scientist
LYNETTE I. MILLETT, Program Officer
DAVID PADGHAM, Research Associate
CYNTHIA A. PATTERSON, Program Officer
JANICE SABUDA, Senior Project Assistant
BRANDYE WILLIAMS, Staff Assistant
STEVEN WOO, Dissemination Officer
For more information on CSTB, see its Web site at
Preface
The broadening use of the Internet implies that, more and more,
people are communicating and sharing information with strang-
ers. The result is growth in different kinds of demand to authenti-
cate system users, and the different motivations for requiring authentica-
tion imply different trade-offs in evaluating technical and nontechnical
options. Motivations range from those related to system security (for
example, the ability to access critical systems or medical records) to those
related to business development (for example, the ability to use "free"
Web-based resources or to have access to elements of electronic com-
merce). The key questions surrounding these issues relate to what data
about a person are shared, how they are shared (including whether overtly
and cooperatively as well as by what technique), why they are shared
(fitting the purpose to the nature and amount of data), and how the data
are protected.
Concerns that arise about adverse impacts on personal privacy from
particular approaches to authentication may reflect judgments about the
rationale (e.g., how much information about a person is really needed to
authorize access to a particular system) as well as concern about the
soundness of the technical and procedural steps taken to protect the per-
sonal information gathered in the process of authentication. Those con-
cerns are heightened by the growing ease of aggregation of information
collected from multiple sources (so-called data matching), the observed
tendency to collect information without an individual's knowledge, and
the ease of publicizing or distributing personal information, like any other
information, via the Internet.
THE COMMITTEE AND ITS CHARGE
In September 1999, the U.S. government's chief counselor for privacy,
Peter Swire, met with the Computer Science and Telecommunications
Board (CSTB) in Washington, D.C., and described his need for studies of
biometrics and authentication. Enthusiastic support by CSTB members,
given the importance of the topic and the ability to build on past CSTB
work, led to further discussion about initiating a project. Richard Guida,
former chair of the Federal Public Key Infrastructure (FPKI) Steering
Committee and now with Johnson and Johnson, provided insight into
federal agency thinking about authentication and encouraged FPKI mem-
bers to be interested in and involved with the project. The scope of the
project was broadened to encompass a range of authentication technolo-
gies and their privacy implications. Funding for the project was obtained
from the National Science Foundation, the Office of Naval Research, the
General Services Administration, the Federal Chief Information Officers
Council, and the Social Security Administration.
The task of the committee assembled by CSTB, the Committee on
Authentication Technologies and Their Privacy Implications, was to ex-
amine the interaction of authentication and privacy. The committee
sought to identify the range of circumstances and the variety of environ-
ments in which greater or lesser degrees of identification are needed in
order to carry out governmental or commercial functions. It also ad-
dressed ways in which law and policy can come to grips with the flaws
that are likely in the technology or its implementation. It considered how
the federal government can deploy improved authentication technologies
consistent with the desire to protect privacy. It also examined the broad
implications of alternative approaches to selecting and implementing au-
thentication technologies by the federal government and others inter-
ested in their use.
Consisting of 16 members from industry and academia (see Appen-
dix A), the committee was designed to have a range of technical expertise
relating to different kinds of authentication technologies and information-
system security technologies generally, to applications, and to the privacy
impacts of information technology and related policy. The members
possess a range of computer science expertise (e.g., information system
security, cryptography, networking and distributed systems, human-
computer interaction) and associated nontechnical expertise (e.g., privacy
policy and law) as well as user perspectives (including organizations seek-
ing to employ authentication and end users with various concerns in such
sectors as banking/finance and health). One original committee member,
David Solo of Citigroup, was unable to continue his participation in the
project because of unforeseen time constraints.
PROCESS
Empanelled during the winter of 2000, the committee met seven times
between March 2001 and August 2002 to plan its course of action, receive
testimony from relevant experts, deliberate on its findings, and draft its
final report. It continued its work between meetings and into the fall and
end of 2002 by electronic communications. During the course of its study,
the committee took briefings from information and authentication tech-
nology researchers and developers in industry and universities and from
leaders in government agencies involved in the development and deploy-
ment of authentication technologies. It also heard from privacy and con-
sumer protection experts and representatives from various sectors of in-
dustry that use authentication technologies for business processes and
e-commerce. The committee also went to VeriSign in California for a site
visit. (See Appendix B for a complete list of briefers to the committee.)
More than half of the committee's meetings were held and most of
this report was written after the events of September 11, 2001. At its
October 2001 meeting, the committee decided, with CSTB's encourage-
ment, to develop a short report addressing the concept of nationwide
identity systems, a topic that has received much media and policy atten-
tion since the terrorist attacks. Given that many of the committee's dis-
cussions and briefings were closely related to issues of identity and iden-
tification, the committee was well positioned to comment in a timely
fashion on the topic. Supplemental funding for that activity was pro-
vided by the Vadasz Family Foundation. That report was released in
April 2002 and is available from the National Academies Press.
ACKNOWLEDGMENTS
As with any project of this magnitude, thanks are due to the many
individuals who contributed to the work of the committee. The commit-
tee thanks those who came to various meetings to provide briefings and
Warwick Ford for arranging the site visit at VeriSign in January. Thanks
are also due to those who sponsored the study: the National Science Foundation
(George Strawn and Aubrey Bush), the Office of Naval Research
(Andre van Tilborg), the General Services Administration (Mary Mitchell),
the Federal Chief Information Officers Council (Keith Thurston and Roger
Baker), and the Social Security Administration (Sara Hamer and Tony
Trenkle). We are grateful to Peter Swire for commissioning the project, to
Richard Guida and Denise Silverberg for helping to muster support
through the FPKI Steering Committee, and to Kathi Webb of Rand for
providing early access to its biometrics study project.

1. Computer Science and Telecommunications Board, National Research Council. IDs-Not That Easy: Questions About Nationwide Identity Systems. Washington, D.C.: National Academy Press, 2002.
Finally, the committee thanks David D. Clark, chair of the CSTB, and
Marjory S. Blumenthal, CSTB's director when this study was being car-
ried out, for valuable insights. The committee also thanks the following
members of the CSTB staff for their contributions. Janet Briscoe provided
crucial administrative support, especially with the October 2001 work-
shop. Suzanne Ossa was the initial senior project assistant for this project.
Jennifer Bishop took over as senior project assistant and provided signifi-
cant help with report preparation and editing; she also designed the cov-
ers of both this report and the earlier committee report and developed
many of the diagrams. David Padgham provided background research
and descriptions of various pieces of legislation. Wendy Edwards, an
intern with CSTB in the summer of 2002, also provided some background
research. Steven I. Marcus made an editorial pass through an earlier draft
of the report, and Dorothy Sawicki and Liz Fikre made significant edito-
rial contributions in preparation for publishing. Special thanks are due to
Lynette I. Millett, the study director for this project. She worked very
closely with the chair and other committee members, transforming their
inputs into a coherent report that attempts to explain a complex topic in
an understandable fashion.
Stephen T. Kent, Chair
Committee on Authentication
Technologies and Their Privacy
Implications
Acknowledgment of Reviewers
This report has been reviewed in draft form by individuals chosen
for their diverse perspectives and technical expertise, in accordance
with procedures approved by the National Research Council's Re-
port Review Committee. The purpose of this independent review is to
provide candid and critical comments that will assist the institution in
making its published report as sound as possible and to ensure that the
report meets institutional standards for objectivity, evidence, and respon-
siveness to the study charge. The review comments and draft manuscript
remain confidential to protect the integrity of the deliberative process.
We wish to thank the following individuals for their review of this report:
Ross Anderson, University of Cambridge,
Scott Charney, Microsoft,
Carl Ellison, Intel Corporation,
Joel S. Engel, JSE Consulting,
Michael Froomkin, University of Miami School of Law,
John D. Halamka, Harvard Medical School,
Jerry Kang, University of California, Los Angeles,
Sally Katzen, Independent Consultant,
Deborah T. Mayhew, Deborah T. Mayhew and Associates,
Jeffrey Naughton, University of Wisconsin-Madison,
Marek Rejman-Greene, BTexaCT Technologies, and
Barbara Simons, IBM.
Although the reviewers listed above have provided many construc-
tive comments and suggestions, they were not asked to endorse the con-
clusions or recommendations, nor did they see the final draft of the report
before its release. The review of this report was overseen by Mildred S.
Dresselhaus and Randall Davis, both at the Massachusetts Institute of
Technology. Appointed by the National Research Council, they were
responsible for making certain that an independent examination of this
report was carried out in accordance with institutional procedures and
that all review comments were carefully considered. Responsibility for
the final content of this report rests entirely with the authoring committee
and the institution.
Contents
EXECUTIVE SUMMARY, 1

1 INTRODUCTION AND OVERVIEW, 16
  Definitions and Terminology, 18
  Authentication in Daily Life, 21
  Current Tensions, 28
  Four Overarching Privacy Concerns, 30
  What This Report Does and Does Not Do, 31

2 AUTHENTICATION IN THE ABSTRACT, 33
  What Is Authentication and Why Is It Done?, 33
    Three Parties to Authentication, 36
    Authenticating to Authorize, 37
    Authenticating to Hold Accountable, 38
  What Do We Authenticate?, 41
    Identifiers, 42
    Attributes, 43
    Statements, 44
  How Do We Authenticate?, 45
    Authenticating Physical Identity, 47
    Authenticating Psychological Identity, 47
    Authenticating Possession of an Artifact, 49
  Identification, 50
  The Relationship Between Authentication and Identification, 51

3 PRIVACY CHALLENGES IN AUTHENTICATION SYSTEMS
  Privacy Impact of the Decision to Authenticate, 56
  Access Control and Information Systems, 57
  The Legal Foundations of Privacy, 62
    Constitutional Roots of Privacy, 63
    The Common Law Roots of Privacy Law, 68
    Statutory Privacy Protections, 69
    Information Privacy and Fair Information Practices, 71
    Privacy of Communications, 75
  Concluding Remarks, 78

4 SECURITY AND USABILITY, 80
  Threat Models, 81
    Threats, 81
    Dealing with Threats, 84
  Authentication and People: User-Centered Design, 86
    Lessons from User-Centered Design, 87
    Lessons from Cognitive and Social Psychology, 90
  Factors Behind the Technology Choice, 95
  Systems and Secondary Use, 97
  Concluding Remarks, 101

5 AUTHENTICATION TECHNOLOGIES, 104
  Technological Flavors of Authentication, 104
  Basic Types of Authentication Mechanisms, 106
    Something You Know, 107
    Something You Have, 110
    Something You Are, 120
    Multifactor Authentication, 123
  Centralized Versus Decentralized Authentication Systems, 125
  Security Considerations for Individual Authentication Technologies, 132
  Cost Considerations for Individual Authentication Technologies, 135
  Concluding Remarks, 136

6 AUTHENTICATION, PRIVACY, AND THE ROLES OF GOVERNMENT, 138
  Regulator of Private Sector and Public Agency Behaviors and Processes, 140
    Government-wide Law and Policy, 141
    Agency- or Program-Specific Law and Policies, 145
    Regulation of Private Sector Information Management Activity, 149
    Policy Activity in the Early 2000s, 151
    Summary, 155
  Government as Issuer of Identity Documents, 155
    The Tangled Web of Government-Issued Identity Documents, 162
    Threats to Foundational Documents, 165
  Government as Relying Party for Authentication Services, 169
    Access Certificates for Electronic Services, 170
    The Internal Revenue Service Electronic Tax Filing, 172
    The Social Security Administration and PEBES, 175
  Nationwide Identity Systems, 176
  Concluding Remarks, 177

7 A TOOLKIT FOR PRIVACY IN THE CONTEXT OF AUTHENTICATION, 179
  Privacy-Impact Toolkit, 181
    Attribute Choice, 182
    Identifier Selection, 186
    Identity Selection, 189
    The Authentication Phase, 190
  Concluding Remarks, 192

APPENDIXES
  A Biographies of Committee Members and Staff, 197
  B Briefers to the Study Committee, 207
  C Some Key Concepts, 209

What Is CSTB?, 213