I don't think the 3-factor authentication framework is nearly as well-defined as people make it out to be.
Here is what I've always taken to be the core distinctions among the three prongs:
Something you know Can be copied. If copied illicitly, you can't tell (except by noticing illicit uses).
Something you have Cannot be copied. Can be transferred (i.e., you can give it to someone else, but then you no longer have it) Hence, if transferred illicitly, you can quickly detect it.
Something you are Cannot be transferred. Cannot be changed. Inherently tied to your identity, not your role.
This classification, useful as it is, certainly doesn't cover the space of possible authentication techniques. For example, an RFID chip embedded under the skin and designed to destroy itself if removed doesn't exactly match any of these sets of properties: It's not "something you have" because it can't be transferred, but it's not "something you are" because it can be changed. Attempting to force-fit everything into an incomplete model doesn't strike me as a useful exercise.
but business rules for public(/private) key infrastructure can describe that only the associated authenticating entity is the only one in possession of the private key ("something you have") .... as a way of relating the objective of having a specific entity's exclusive ability to access and utilize a private key to three factor authentication.
almost all of the existing "something you have" authentication objects are capable of being counterfeited to a greater or lesser degree. possibly the widest deployed "something you have" authentication objects are magstripe plastic cards ... and it turns out they have been proven to be remarkably easy to counterfeit/copied. the distinction between the ease or difficulty of counterfeiting/copying a magstripe plastic card vis-a-vis a private key ... depends on the level of security used to prevent it from being copied. obviously a private key can be copied with relative ease (possibly much easier than a magstripe plastic card).
in general, you will find that almost all "something you have" authentication objects are subject to being copied ... the issue is the degree to which security processes are in place to prevent them from being copied. just because a private key ... represented by some sequence of bits can be easily copied ... when no protections are in force ... doesn't mean that there can't be security procedures put into place that would make it extremely difficult to achieve copying of a private key.
most models serve a useful purpose until somebody comes up with a better or more applicable model.
many of the 3-factor authentication implementations actually use some representation that allows the actual occurence to be implied by something else.
for instance "something you know" authentication can be done as a "shared-secret" where both the originator and the relying party are both in possession of the shared-secret. an example are keys in symmetric key cryptography.
however, it is possible to have "something you know" authentication where the secret is not shared. For instance if there is a hardware token that is certified to only operate when the correct PIN has been entered .... the PIN represents "something you know" authentication w/o having to share the secret with any other party (the relying party assumes that the correct PIN has been entered by a) being confident of the operation of the particular hardware token and b) the hardware
token having done something known & expected).
similarly, biometrics systems are frequently implemented as a form of shared-secret. an entity's biometric template is registered with some relying party .... and subsequent transactions are authenticated by
checking a new biometric template with the biometric template on file.
the x9.84 biometric standard devotes a great deal to the security for centrally stored biometric templates .... treating them as a greater security risk than traditional "something you know" shared-secrets. the threat is that somebody can obtain files of registered biometric templates and be able to subsequently retransmit them electronicly attempting to impersonate the associated person. The issue in the traditional 'something you know" shared-secret is that a PIN compromise can be reported and a new, replacement PIN/password created.
However, it is somewhat more difficult to replace a thumb or iris when there has been a reported compromise of "something you are" shared secret.
in any case, for all of the deployed existing authentication systems involving any one of the three factor authentication paradigms, all of the methods are vulnerable to copying to one degree or another. as a result, I would assert that criteria of being able to copy or not is not useful .... in all of the different three factors, it isn't whether they are copyable .... it is the difficulty with which they can be copied.
The difficulty that any of them can be copied or counterfeited can be a combination of their native characteristics and the level of security that they are wrapped in.
i would further assert that the meaningful aspects represented by the three=factor authentication model is not the native characteristic of the components but how the individual being authenticated interacts with the components .... i.e.
1) something you know .... implies that the person has to know the value
2) something you have ... implies that the person is in possession of the thing or value ... but doesn't actually know or have it memorized
3) something you are .... implies that it represents some physical characteristic of the person ... w/o the person needing to either know or otherwise possess the object or value.
all three methods can be implemented as static value or shared-secret implementations ... where the characteristic of the particular authentication mode is expressed as some static value and is vulnerable to shared-secret eavesdropping or skimming. "Something you know" shared-secrets can be eavesdropped and fraudulently used. A magstripe plastic card "something you have" is expressed as transmission of the contents of the magstripe, which can be skimmed and used to create counterfeit/copied cards. A "something you are" feature is expressed as biometric template which can be eavesdropped and used in fraudulent transmissions (or counterfeited in things like the gummy bear attack).
rather than interpreter 3-factor authentication as physical characteristics which are classified as being copyable or not-copyable ... 3-factor authentication is frequently interpreted as how the entity being authentication relates to the authentication process.
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
