
Three categories are known:
The simplest method is widely known, and everyone working with computers uses it every day. With passwords or PINs one identifies oneself to services such as teller machine cards, cellular phone cards, credit cards or computer terminals.
But everyone also knows the weakness of passwords: If you can remember it, others could remember it too or compromise it easily. If you write it down, others could read it. A secure password, on the other hand, is difficult to remember.
Many computer users tend to work with "easy" and, thus, weak passwords,
e.g. names of friends, lovers, dogs, parrots, literary heroes, TV or
movie stars. Even erotic terms are widely used, but take a guess: what would
a hacker test first? A good password is a random string of digits and letters,
and even special characters like "!", ",", or others.
A password can be eavesdropped while it is typed in or told
to someone else.
Credit card users are the main victims, when paying a bill in a crowded
mall or at a gas station on the weekend. Paying at the head of a queue, one can
hardly avoid being observed. And, zap, your PIN has a new owner. The
same applies to passwords of computer terminals in offices. Visitors or
colleagues can observe you typing in the password, and the line can be scanned.
In today's LANs there are several POEs (points of eavesdropping) where
transferred passwords or other data can be listened to. A huge amount of security
testing software helps to crack weak security. Modern systems therefore encrypt
such data before transferring it over a line.
To test a password, it has to be stored somewhere. Such password files
are POEs (points of eavesdropping).
Stored passwords generally have to be encrypted and locked away from normal
user access. After input, a password is encrypted and tested against the
stored pattern. But weak passwords can be found with crack programs through
a brute force attack.
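The store-and-test scheme described above, together with a defensive audit of the password file, as an added example that is not part of the original text. It assumes a salted one-way hash (PBKDF2-HMAC-SHA256) as the stored pattern; the iteration count, function names, accounts and wordlist are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; raises the cost of every guess


def store(password: str) -> tuple:
    """Return (salt, digest). Only these two values go into the password file."""
    salt = os.urandom(16)  # per-user salt: equal passwords give different patterns
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Transform the input the same way and test it against the stored pattern."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def audit(records: dict, wordlist: list) -> list:
    """Return the accounts whose stored pattern matches a wordlist entry."""
    weak = []
    for user, (salt, digest) in records.items():
        if any(verify(word, salt, digest) for word in wordlist):
            weak.append(user)
    return weak


# Constructed sample data: one "easy" password (a parrot's name) and one random string.
WORDLIST = ["rex", "polly", "jamesbond", "secret"]
RECORDS = {"alice": store("polly"), "bob": store("k7!Qz,4tWm")}

if __name__ == "__main__":
    print("accounts with guessable passwords:", audit(RECORDS, WORDLIST))
```

The audit finds the name-based password after a handful of guesses even though the file never contains the password itself, while the random string is not in any wordlist and can only be reached by exhaustive search.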
1.2 ID cards (possession)
The next step is the ID card. The basic idea is that it is very difficult to reproduce a similar card. Presently magnetic cards and different smart cards (chip) are in use. To identify oneself to an instance, the data on the card are read out. Because such devices could easily be lost or stolen, the owner has to identify himself or herself to the card using a password or PIN. And at that point all the difficulties with passwords apply once again. The problem is not solved, but shifted one level above. The success of ID card security can be verified in the headlines of newspapers or magazines.
Therefore we are looking for a method that is able to identify the person
herself, not to test her knowledge or possession. The solution is biological
or physiological properties of the owner, that is, biometric properties.
1.3 Fingerprint systems, retina scan systems (biometric properties)
There are fingerprint systems in use, securing computer terminals or buildings/rooms. Those systems not only scan the lines on your thumb but also analyze the haemoglobin concentration (color intensity). Otherwise one could use a dead finger or a wax specimen. This method is used in high security areas, and nowadays for restricted access to computer terminals.
Even if this sounds like James Bond (TM), retina scans or iris
scans could also provide personal identification. An eye is harder to manipulate,
so it is less probable that security will be broken.
1.4 Voice analysis (biometric properties)
Another element of a person's identity is her voice. Identification systems therefore analyze characteristic patterns of spoken phrases. POEs are taped specimens. For this reason the method has recently been combined with video analysis of mouth movement. The success is granted: that combination is more reliable than voice analysis alone.
Thus: It is less important how secure the methods are in theory; the user is the problem. If one cannot use her password in a correct way, or if one's ID device is stolen or stored insecurely, then every security system is weakened in a significant way.


One example of such a device is HESY (Baltus, Bonn, Germany). It is reliable, cheap and can be combined with other securing methods. Diagram 2 shows different patterns during the writing process in a 3-dimensional vector space. Even a perfectly faked signature with a similar shape would be recognized, because the other properties cannot be copied by a human.
(A report with more details will follow in early 1998.)