Authentication

Biometrics
Utilizing biometrics for personal authentication is becoming convenient and considerably more accurate than current methods (such as the utilization of passwords or personal identification numbers (PINs)). The goal is to determine whether the person or object is who or what they claim to be.

Computer security
In the field of computer security, the term authentication refers to a

"[s]ecurity measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information."

Authentication mechanisms can help ensure that online transactions only involve trustworthy data, hardware, and software for networks and devices.

The principal forms of authentication include static, dynamic, and multiple factor.

Authorization mechanisms fall into four major categories: local, network, single sign-on, and single log-on.

Authentication technologies associate a user with a particular identity. People are authenticated by three basic means:


 * by something they know (e.g., PIN or password)
 * by something they have (e.g., key, dongle, smart card), or
 * by something they are such as a biological characteristic (e.g., fingerprint, retinal signature), a location (e.g., Global Positioning System (GPS) location access), the time a request is made, or a combination of these attributes.

In general, the more factors that are used in the authentication process, the more robust the process will be.

People and systems regularly use these means to identify people in everyday life. For example, members of a community routinely recognize one another by how they look or how their voices sound — by something they are.

Authentication for individuals involves independent confirmation of identity using one or more methods. Typically, multi-factor approaches provide greater security than single-factor methods. The methods used might be retinal scans, DNA, fingerprints, voiceprints, etc.

Automated teller machines recognize customers because they present a bank card — something they have — and they enter a personal identification number (PIN) — something they know. Using a key to enter a locked building is another example of using something you have. More secure systems may combine two or more of these approaches.

While the use of passwords is an example of authentication based on something users know, there are several technologies based on something users have. Security tokens can be used to authenticate a user. User information can be coded onto a token using magnetic media (for example, bank cards) or optical media (for example, compact disk–like media). Several smart token technologies containing an integrated circuit chip that can store and process data are also available.

Biometric technologies automate the identification of people using one or more of their distinct physical or behavioral characteristics — authentication based on something that users are. The use of security tokens or biometrics requires the installation of the appropriate readers at network and computer access points.

Once a user is authenticated, authorization technologies are used to allow or prevent actions by that user according to predefined rules. Users could be granted access to data on the system or to perform certain actions on the system. Authorization technologies support the principles of legitimate use, least privilege, and separation of duties. Access control could be based on user identity, role, group membership, or other information known to the system.

Most operating systems and some applications provide some authentication and authorization functionality. For example, user identification codes and passwords are the most commonly used authentication technology. System administrators can assign users rights and privileges to applications and data files based on user IDs. Some operating systems allow for the grouping of users to simplify the administration of groups of users who require the same levels of access to files and applications.
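The flow described in this section (a static factor plus a dynamic factor, followed by role-based authorization) can be sketched as follows. This is an added example, not code from the original page; the user record, role table and function names are hypothetical, and the choice of PBKDF2 for the password and RFC 6238 TOTP for the token is an assumption.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Dynamic factor: the RFC 6238 TOTP (HMAC-SHA1) a token shows at Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset (RFC 4226)
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def pw_hash(password: str, salt: bytes) -> bytes:
    """Static factor: store a salted, slow hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (hypothetical): one user, one token secret, two roles.
SALT = b"constructed-salt"
USERS = {"alice": {"salt": SALT, "pw": pw_hash("correct horse", SALT),
                   "token_secret": b"12345678901234567890", "role": "auditor"}}
ROLE_RIGHTS = {"auditor": {"read_logs"}, "admin": {"read_logs", "edit_users"}}

def authenticate(user: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass: something the user knows AND something the user has."""
    rec = USERS.get(user)
    if rec is None:
        return False
    knows = hmac.compare_digest(pw_hash(password, rec["salt"]), rec["pw"])
    # Accept the current and the previous 30 s step to tolerate clock drift.
    valid = [totp(rec["token_secret"], max(now - d, 0)).encode() for d in (0, 30)]
    has = any(hmac.compare_digest(v, code.encode()) for v in valid)
    return knows and has

def authorize(user: str, action: str) -> bool:
    """Least privilege: allow only actions the user's role explicitly lists."""
    return action in ROLE_RIGHTS.get(USERS[user]["role"], set())

if __name__ == "__main__":
    ok = authenticate("alice", "correct horse", totp(b"12345678901234567890", 59), 59)
    print("authenticated:", ok, "| may edit users:", authorize("alice", "edit_users"))
```

Authentication and authorization stay separate decisions here: a fully authenticated auditor is still refused `edit_users`.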

CSS (Content Scramble System)
In connection with the Content Scramble System (CSS), authentication is a process for a DVD drive and CSS decryption module to recognize (or authenticate) each other. It is necessary before reading data from DVDs. An authentication key is used for this process.

Evidence
To be admissible at trial, the evidence offered must be authenticated, that is, shown to be what its proponent claims it is. The proponent is not required to rule out all possibilities that are inconsistent with authenticity. The standard for admission is a reasonable likelihood that the evidence is what it purports to be. As stated by one court:

"Authentication is a condition precedent to admissibility. . . . 'If, upon consideration of the evidence as a whole, the court determines that [it] is sufficient to support a finding by a reasonable juror that the matter in question is what its proponent claims, the evidence will be admitted.' State v. Hager, 325 N.W.2d 43, 44 (Minn.1982). When evidence is not unique or readily identifiable, the integrity . . . of the evidence must be authenticated by establishing the chain of custody."

Images
Images used to illustrate a witness’s testimony are easy to authenticate, usually requiring only the witness’s testimony that, based on personal knowledge, the image is a fair and accurate portrayal of what it represents. Digital photographs offered as pictures of a crime scene should normally be authenticated as conventional photographs would be, unless some real concern arises regarding alteration.

For example, enhancing digital images may raise authentication issues. Re-creations and simulations that accompany expert testimony may require the same foundation as the expert testimony itself to support the assumptions on which such evidence rests. Testimony that the input and output parameters were correct may also be needed. For example, simulations are commonly used in civil cases to portray airline disasters and automobile crashes.

Authentication issues in such cases focus on the extent to which input data correspond to actual events (in terms of accuracy and completeness) and the scientific validity of the mathematical model underlying the simulation.

Authentication of computer-stored substantive evidence
Key authentication issues for computer-stored evidence usually center on identifying the author or authors of the computer-stored record and showing that it has not undergone significant change in any respect that matters in the case. Both of these points can often be shown through the chain of custody and other circumstantial evidence.

Illustration (b)(1) of Fed.R.Evid. 901 provides for authentication through “testimony of [a] witness with knowledge” that “a matter is what it is claimed to be.” Many courts have recognized that, while the witness called to establish authenticity must have personal knowledge of the facts about which he or she testifies, the witness need not have been the programmer of the computer in question, have knowledge of its maintenance and technical operation, or have seen the data entered. For example, computer-stored records of illegal drug transactions, found on a computer seized from a defendant’s possession, could be authenticated by testimony from both the investigating officer who seized the computer (showing that the computer was indeed found in the defendant’s possession and that names used in the files matched those associated through other evidence with the drug transactions) and the examiner who recovered the files (showing that the records are actually those found on the computer).

In some cases, because of the relative anonymity of some computer-stored records (such as those involving Internet-related crimes), establishing authorship may depend largely on circumstantial evidence. For example, in a child pornography case involving Internet chat rooms, evidence obtained from the defendant’s residence that linked him to his postings to the chat room, information he gave to an undercover officer, and information obtained from the ISP were sufficient to show authorship.

Authentication of digital evidence under the Federal Rules of Evidence is often a simple and straightforward matter. Defendants will sometimes challenge authenticity by alleging that the computer records could have been altered after they were created. Such arguments emphasize the ease with which computer records may be modified. Under the “reasonable likelihood” threshold for authentication, however, courts have generally not been receptive to such claims in the absence of specific evidence of alteration. Moreover, authentication of data may not necessarily be precluded by the use of examination software that alters nonessential data but does not effect significant changes to substantive data. For example, alteration of time and date stamps may not preclude admission in a given case.

Other issues that may be raised, apart from the possibility of tampering, include the completeness of the record, the input procedures, and the input method (accurate data conversion). If these matters are genuinely at issue, the proponent of the evidence should be prepared to present witnesses to address them.

In the majority of cases, a combination of circumstantial evidence provides the key to establishing the authorship and authenticity of a computer record.
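The distinction drawn above between substantive data and nonessential data such as time and date stamps can be made checkable by recording a content digest at each custody step. The following is an added example, not part of the original page; the use of SHA-256, the hash-chained log format and all names are assumptions, and the file is constructed sample data.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # "previous hash" of the first custody entry

def content_digest(path: str) -> str:
    """SHA-256 over file content only; timestamps and other metadata are not hashed."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def seal(body: dict) -> str:
    """Hash of one log entry, so later edits to the entry are detectable."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def custody_entry(prev: str, actor: str, action: str, path: str) -> dict:
    """Record who handled the file, its content digest and its mtime, chained to `prev`."""
    body = {"prev": prev, "actor": actor, "action": action,
            "sha256": content_digest(path), "mtime": int(os.stat(path).st_mtime)}
    return {**body, "entry_hash": seal(body)}

def verify_log(log: list) -> tuple:
    """Return (chain_intact, content_unchanged, metadata_changed)."""
    prev, chain_ok = GENESIS, True
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        chain_ok = chain_ok and e["prev"] == prev and e["entry_hash"] == seal(body)
        prev = e["entry_hash"]
    content_same = len({e["sha256"] for e in log}) == 1
    meta_changed = len({e["mtime"] for e in log}) > 1
    return chain_ok, content_same, meta_changed

def demo(alter_content: bool = False) -> tuple:
    """Seize a constructed file, let an 'examination' touch it, then verify the log."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ledger.txt")
        with open(path, "wb") as f:
            f.write(b"constructed sample record\n")
        os.utime(path, (1_000_000_000, 1_000_000_000))
        log = [custody_entry(GENESIS, "seizing officer", "seized", path)]
        if alter_content:
            with open(path, "ab") as f:
                f.write(b"inserted line\n")
        os.utime(path, (1_100_000_000, 1_100_000_000))  # timestamps change either way
        log.append(custody_entry(log[-1]["entry_hash"], "examiner", "examined", path))
        return verify_log(log)
```

`demo()` reports an intact chain with unchanged content despite the changed timestamp, while `demo(alter_content=True)` reports a content mismatch, which is the kind of specific evidence of alteration the passage refers to.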

Authenticating E-mail
Common ways to authenticate e-mail include:


 * The chain of custody following the route of the message, coupled with testimony that the alleged sender had primary access to the computer on which the message originated.
 * The content of the e-mail refers to matters of which the writer would have been aware.
 * The recipient used the reply function to respond to the e-mail; the reply may include the sender’s original message.
 * After receiving the e-mail, the sender takes action consistent with its content.

Authentication of preexisting substantive evidence generated by a computer
Because computer-generated records are created directly by computer programs rather than by human input, authentication issues do not include identity of the records’ author. Rather, the central authentication concerns are the reliability of the processing and output functions. Particularly pertinent to these concerns is Fed.R.Evid. 901(b)(9), which provides for authentication by “[e]vidence describing a process or system used to produce a result and showing that the process or system produces an accurate result.”