Authentication Technologies
By: Timothy L. Stull, CPA.CITP

Halt! Who Goes There?

Public Key Infrastructure (PKI)

The Real Deal

 

Authentication, a cornerstone of information security (and this year's top technology), is the process of verifying the identity of a person or object so that the individual or entity can be granted access to a system at a certain level. The act of verification implies that you are making certain, to as high a degree as possible, that you are not dealing with an imposter.

 

Halt! Who Goes There?

 

The attributes used to verify identity fall into four categories:

 

1. Knowledge: Passwords and phrases.
2. Materials: Passkeys, dongles, physical keys, smartcards.
3. Static Biometrics: Fingerprints and face recognition.
4. Dynamic Biometrics: Voice recognition or signatures.

 

Once the user produces one of these attributes and the system verifies it and maps it to the person's known identity, the person is cleared into the system and becomes the verified user. Simple, right?

 

For a very long time, and through many iterations of input technology, the idea has remained the same. In order to verify an identity, you have to know, have, be or do something that the system can recognize and map to your identity. It is a strong methodology that is growing increasingly robust thanks to technological leaps in biometrics. However, as long as any of the four categories above exist, an identity can be lost, stolen or duplicated.

 


 

Public Key Infrastructure (PKI)

 

Much has been written or said about creating systems' infrastructure with a secure architecture. In general, the methods, techniques and technologies that support this notion have been dubbed PKI, or Public Key Infrastructure. PKI has had a difficult time growing for several reasons; primarily, it is confusing because the term is used to mean several things.

 

PKI infrastructures were developed principally to support secure information exchange over non-secure networks (like the Internet). The same technology can, of course, be used over secure networks, including Virtual Private Networks (VPNs). PKI uses cryptographic keys to verify the identity of the sender, and encryption to ensure privacy. PKI infrastructures should:

 

· provide certainty that what is received is exactly what was sent (integrity of the information);
· verify the source and destination of what is sent;
· ensure the data remained private; and
· if the time source of the data is known, then verify the time the data was sent and received.

 

Public and private key pairs authenticate and prove content. A pair of mathematically related cryptographic keys is used; one to encrypt your information and the other as the only key that can decrypt it. The nature of the keys is such that if you have one of them, you cannot use it to easily generate the other. This scenario is better known as the "public key system." One of the keys, the public key, can be seen by everyone, and the other, the private key, cannot. It is the private key that authenticates its bearer.
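The key-pair behaviour described above, as an added example that is not part of the original article: a message is encrypted to the recipient's public key (only the matching private key can decrypt it) and the ciphertext is signed with the sender's private key (anyone holding the sender's public key can verify the source). Names such as Party, Seal and Open, the sample message, and the choice of Ed25519 for signing and RSA-OAEP for encryption are assumptions made here, using only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party: an Ed25519 pair (private half authenticates its bearer) and an RSA pair for encryption.
type Party struct {
	SignPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	EncPub   *rsa.PublicKey
	encPriv  *rsa.PrivateKey
}

// NewParty generates both key pairs from the system CSPRNG; public halves may be shared freely.
func NewParty() (*Party, error) {
	sPub, sPriv, err1 := ed25519.GenerateKey(rand.Reader)
	ePriv, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	return &Party{sPub, sPriv, &ePriv.PublicKey, ePriv}, nil
}

// Seal encrypts to the recipient's public key, then signs the ciphertext with the sender's private key.
func (p *Party) Seal(msg []byte, to *rsa.PublicKey) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil); err != nil {
		return nil, nil, err
	}
	return ct, ed25519.Sign(p.signPriv, ct), nil
}

// Open verifies the signature under the claimed sender's public key before decrypting.
func (p *Party) Open(ct, sig []byte, from ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(from, ct, sig) {
		return nil, fmt.Errorf("signature invalid: sender unverified or data altered")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.encPriv, ct, nil)
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	ct, sig, _ := alice.Seal([]byte("constructed sample message"), bob.EncPub) // constructed input
	fmt.Println(bob.Open(ct, sig, alice.SignPub)) // message bytes, <nil>
}
```

A tampered ciphertext or a wrong claimed sender fails at the signature check, and a ciphertext addressed to Bob cannot be decrypted with Alice's private key.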

 


 

The Real Deal

 

Even a small amount of research on the current state of authentication technologies will yield a broad range of vendors, as well as many authoritative sources with broadly divergent opinions. This is a simple problem with no 100 percent absolutely airtight solution. As such, those of us who are trying to protect ourselves have to first ask the question, "What level of authentication security do I really need?" Is it enough to merely password protect my system? Should I let the users come up with their own passwords or should I generate them? If passwords are not enough, should I consider PKI? Biometrics?

 

Cost and maturity of the technology chosen are also major considerations. Passwords, passkeys, smart cards and physical keys are mature technologies that cost less. Biometrics and dynamic biometrics, on the other hand, are expanding areas that promise to be very effective, but tend to be more expensive, complex solutions. PKI can get so complex that even the technologists can get confused.

 

Authentication in one form or another has been around since the early days of computing and will be around for the foreseeable future. Users are seeking increasingly sophisticated means of authentication, and the technological community is providing those solutions. "Who are you" is a simple question to ask and a simple question to answer . . . if you are who you say you are.

 


AICPA's Top Technologies 2005 is a project of the AICPA's Information Technology (IT) Membership Section and led by the Top Technologies Task Force. For more information on the AICPA's technology initiatives, including the Top Technologies, the CITP credential and the IT Membership Section, visit the Membership section.

 

Tim Stull, CPA/CITP, is an Air Traffic Manager for United Parcel Services in Louisville, Kentucky. He was a systems planning manager for the Operations Planning group in Continental Airline's Systems Operation Coordination Center (SOCC), Houston, Texas, from 1996 to 2005. Prior to joining Continental in 1996 he was the chief financial officer for DBA Systems, Inc. and a group controller for Science Applications International Corporation's (SAIC) Applied Software/Systems Engineering Technology Group. Tim is a member of the Top Technologies Task Force.  

Copyright © 2005 by American Institute of Certified Public Accountants, Inc., New York, New York.