
Selected Readings in Computer Science, No. 31

Editor: yaruolin 2005-05-14

Biometric authentication

In this computer-driven era, identity theft and the loss or disclosure of data and related intellectual property are growing problems. We each have multiple accounts and use multiple passwords on an ever-increasing number of computers and Web sites. Maintaining and managing access while protecting both the user's identity and the computer's data and systems has become increasingly difficult. Central to all security is the concept of authentication: verifying that the user is who he claims to be.

We can authenticate an identity in three ways: by something the user knows (such as a password or personal identification number), something the user has (a security token or smart card) or something the user is (a physical characteristic, such as a fingerprint, called a biometric).

All three authentication mechanisms have drawbacks, so security experts routinely recommend using two separate mechanisms, a process called two-factor authentication. But implementing two-factor authentication requires expensive hardware and infrastructure changes. Therefore, security has most often been left to just a single authentication method.

Passwords are cheap, but most implementations offer little real security. Managing multiple passwords for different systems is a nightmare, requiring users to maintain lists of passwords and systems that are inevitably written down because they can't remember them. The short answer, talked about for decades but rarely achieved in practice, is the idea of single sign-on.

Using security tokens or smart cards requires more expense, more infrastructure support and specialized hardware. Still, these used to be a lot cheaper than biometric devices and, when used with a PIN or password, offer acceptable levels of security, if not always convenience.

Biometric authentication has been widely regarded as the most foolproof, or at least the hardest to forge or spoof. Since the early 1980s, systems of identification and authentication based on physical characteristics have been available to enterprise IT. These biometric systems were slow, intrusive and expensive, but because they were mainly used for guarding mainframe access or restricting physical entry to relatively few users, they proved workable in some high-security situations. Twenty years later, computers are much faster and cheaper than ever. This, plus new, inexpensive hardware, has renewed interest in biometrics.

Types of Biometrics

A number of biometric methods have been introduced over the years, but few have gained wide acceptance.

Signature dynamics. Based on an individual's signature, but considered unforgeable because what is recorded isn't the final image but how it is produced, i.e., differences in pressure and writing speed at various points in the signature.

Typing patterns. Similar to signature dynamics but extended to the keyboard, recognizing not just a password that is typed in but the intervals between characters and the overall speeds and pattern. This is akin to the way World War II intelligence analysts could recognize a specific covert agent's radio transmissions by his “hand” (the way he used the telegraph key).

Eye scans. This favorite of spy movies and novels presents its own problems. The hardware is expensive and specialized, and using it is slow and inconvenient and may make users uneasy. In fact, two parts of the eye can be scanned, using different technologies: the retina and the iris.

Fingerprint recognition. Everyone knows fingerprints are unique. They are also readily accessible and require little physical space either for the reading hardware or the stored data.

Hand or palm geometry. We're used to fingerprints but seldom think of an entire hand as an individual identifier. This method relies on devices that measure the length and angles of individual fingers. Although more user-friendly than retinal scans, it's still cumbersome.

Voice recognition. This is different from speech recognition. The idea is to verify the individual speaker against a stored voice pattern, not to understand what is being said.

Facial recognition. Uses distinctive facial features, including upper outlines of eye sockets, areas around cheekbones, the sides of the mouth and the location of the nose and eyes. Most technologies avoid areas of the face near the hairline so that hairstyle changes won't affect recognition.

Because of its convenience and ease of use, fingerprint authentication is becoming the most widely chosen biometric technology. A growing number of notebook PCs and computer peripherals are coming to market with built-in fingerprint readers. Scores of products are available, including keyboards, mice, external hard drives, USB flash drives and readers built into PC card and USB plug-in devices. Most of these units are relatively inexpensive.

These devices allow the user to maintain encrypted passwords that don't need to be remembered but instead are invoked after the user puts his finger on the reader. This can also be used with a separate PIN or password to offer true two-factor authentication.
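The typing-pattern method and the two-factor idea described above can be combined in a few lines. The following is an added example, not part of the original article: it checks a password (something the user knows) and the rhythm it was typed with (something the user is), using a scaled Manhattan distance as one common scoring choice. The function names, the 5 ms deviation floor, the threshold of 2.0 and all sample timings are assumptions constructed for illustration.

```python
import hashlib
import hmac
import statistics

def enroll(samples):
    """Build a template from several timing vectors of one typed password:
    per-interval mean and mean absolute deviation, both in milliseconds."""
    columns = list(zip(*samples))
    means = [statistics.fmean(c) for c in columns]
    # Floor the deviation so a very consistent typist does not divide by ~0.
    devs = [max(statistics.fmean([abs(x - m) for x in c]), 5.0)
            for c, m in zip(columns, means)]
    return means, devs

def rhythm_score(template, attempt):
    """Scaled Manhattan distance averaged per interval (lower is closer)."""
    means, devs = template
    if len(attempt) != len(means):
        return float("inf")  # wrong number of keystrokes never matches
    total = sum(abs(a - m) / d for a, m, d in zip(attempt, means, devs))
    return total / len(means)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def authenticate(stored_hash, salt, template, password, attempt, threshold=2.0):
    """Two factors: the password must match AND the rhythm must be close."""
    knows = hmac.compare_digest(stored_hash, hash_password(password, salt))
    rhythm_ok = rhythm_score(template, attempt) <= threshold
    return knows and rhythm_ok

# Constructed sample data: gaps (ms) between the 7 keystrokes of "s3cret!".
SALT = b"constructed-salt"
STORED_HASH = hash_password("s3cret!", SALT)
TEMPLATE = enroll([
    [110, 95, 180, 120, 90, 140],
    [105, 100, 170, 125, 85, 150],
    [115, 90, 175, 118, 95, 145],
    [108, 98, 185, 122, 88, 138],
])
GENUINE = [112, 97, 178, 119, 91, 142]   # same typist, new attempt
IMPOSTOR = [200, 60, 90, 250, 150, 80]   # right password, different rhythm

if __name__ == "__main__":
    print(authenticate(STORED_HASH, SALT, TEMPLATE, "s3cret!", GENUINE))
    print(authenticate(STORED_HASH, SALT, TEMPLATE, "s3cret!", IMPOSTOR))
```

A stolen password alone fails here because the impostor's intervals sit far outside the enrolled typist's spread; in a real deployment the threshold trades false rejections against false acceptances and has to be tuned on measured data.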

Biometric Authentication

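In the computer-driven era, identity theft, the exposure of data and the loss of related intellectual property are increasingly a problem. Each of us has multiple accounts and uses multiple passwords on a steadily growing number of computers and Web sites. Maintaining and managing access while protecting the user's identity and the computer's data and systems has become more and more difficult. At the core of all security is the concept of "authentication": verifying that the user is the person he claims to be.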

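We can authenticate identity in three ways: something the user knows (such as a password or personal identification number), something the user has (a security token or smart card) or something the user is (a physical characteristic, such as a fingerprint, called a biometric).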

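All three of these authentication mechanisms have flaws, so security experts usually recommend using two different mechanisms (at the same time), a process called two-factor authentication. However, implementing two-factor authentication requires expensive hardware and changes to infrastructure. As a result, security has most commonly been left with a single authentication method.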

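Passwords are cheap, but most implementations provide almost no real security. Managing multiple passwords for different systems is also a dreadful task, requiring users to maintain lists of passwords and systems which, because they cannot remember them, inevitably get written down one by one. A simple answer that has been discussed for decades but is hard to achieve in practice is single sign-on.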

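Using security tokens or smart cards requires more expense, more infrastructure support and specialized hardware. Still, using them in large numbers is cheaper than biometric devices. When used together with a PIN or password, they provide an acceptable level of security, even if they are not very convenient.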

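Biometric authentication has been widely regarded as the most secure, or at least the hardest to forge or spoof. Since the early 1980s, identification and authentication systems based on physical characteristics have been available to enterprise IT departments. These biometric systems were slow, intrusive and expensive, but because they were mainly used to protect mainframe access or to restrict physical entry for a small number of users, they proved workable in certain high-security situations. Twenty years later, computers have become faster and cheaper. This, together with new inexpensive hardware, has renewed interest in biometrics.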

Types of Biometrics

Many different biometric methods have been introduced over the years, but almost none has gained wide acceptance.

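Signature dynamics. It is based on a person's signature, but is considered unforgeable because what it records is not the final image but how the image is produced, that is, the pressure and writing speed differ at various points in the signature.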

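Typing patterns. This is similar to signature dynamics but extended to the keyboard: it recognizes not only the password that is typed in but also the intervals between characters and the overall speed and pattern. This is much like intelligence analysis in World War II, which identified a particular covert agent's radio transmissions by his "hand" (that is, the way he used the telegraph key).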

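Eye scans. This favorite of spy movies and novels has its own problems. The hardware is expensive and specialized, it is slow and inconvenient to use, and it may make users uneasy. In fact, using different technologies, two parts of the eye can be scanned: the retina and the iris.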

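Fingerprint recognition. Everyone knows that fingerprints are unique. They are also easy to obtain and require almost no space, whether for the reading hardware or for the stored data.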

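Hand or palm geometry. We are used to fingerprints but seldom think of using the whole hand as an individual identifier. This method relies on measuring the length and angles of the individual fingers. Although it is more user-friendly than retinal scans, it is still cumbersome.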

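Voice recognition. This is different from speech recognition. The idea is to verify the speaker against a stored voice pattern, not to understand what he said.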

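Facial recognition. It uses distinctive features of the face, such as the upper outlines of the eye sockets, the areas around the cheekbones, the edges of the mouth and the positions of the eyes and nose. Most technologies avoid areas of the face near the hairline, so that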
