
G. DRM: operations and administration

2. Authentication

In computer security, authentication is the process by which a computer, computer program, or another user47 attempts to confirm that the computer, computer program, or user from whom it (the second party) has received some communication is, or is not, the claimed first party.

Again, a detailed examination of authentication processes and technologies is not required here; the objective is to introduce the concept to non-technical readers.


47 An important point for the non-technologist to understand is that when references are made to “users” in describing computing processes, the reference can be to either a human actor or another device.

In a leading reference work on the subject, Richard E. Smith48 describes the five basic elements of an authentication process:

“Regardless of whether an authentication system is computer based or not, there are several elements usually present and certain things usually take place. First of all, we have a particular person or group of people to be authenticated. Next, we need a distinguishing characteristic that differentiates that particular person or group from others. Third, there is a proprietor who is responsible for the system being used and relies on mechanised authentication to distinguish authorised users from other people.

Fourth, we need an authentication mechanism to verify the presence of the distinguishing characteristic. Fifth, we grant some privilege when the authentication succeeds by using an access control mechanism and the same mechanism denies the privilege if the authentication fails.”


Smith then illustrates these elements in a variety of contexts, including entering the cave in the story of Ali Baba with the “Open, Sesame” password, using an automated bank teller machine (ATM), and logging onto a computer system with a password.

Authentication element                  | The forty thieves' cave                                        | ATM                                                | Password login
Person, principal                       | Anyone who knows the password                                  | Bank account holder                                | Authorised user
Distinguishing characteristic           | Knowing and being able to express the password “Open, Sesame”  | ATM card and personal identification number (PIN)  | Password
Proprietor, system owner, administrator | The forty thieves                                              | Bank                                               | Enterprise owning the system
Authentication mechanism                | Magical device that responds to the correct password           | Card verification system                           | Password verification system
Access control mechanism                | Mechanism that moves the stone                                 | Permits bank transactions                          | Login, access control

48 Smith, Richard E.: Authentication, Addison-Wesley, 2002.
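To make Smith's five elements concrete in the third column of the table, the following added example (illustration for this page, not code from the study or from Smith's book) instantiates them as a password login: the proprietor's enrolment store holds the distinguishing characteristic only as a salted hash, the authentication mechanism verifies it in constant time, and the access control mechanism grants a privilege only on success. The user name, password and the “read_reports” privilege are constructed sample data.

```python
"""Richard E. Smith's five authentication elements, instantiated as a
password login. Added illustration for this page, not code from the study
or from Smith's book; the user name, password and "read_reports" privilege
are constructed sample data."""
import hashlib
import hmac
import os

# Element 3: the proprietor's enrolment store. The distinguishing
# characteristic (element 2) is kept only as a salted PBKDF2 hash, so a leaked
# store cannot simply be replayed as a password.
_USERS: dict = {}          # principal -> (salt, pbkdf2 hash)
_PRIVILEGES: dict = {}     # principal -> set of granted privileges

# Dummy credential used for unknown principals so that lookup timing does not
# reveal which user names exist.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(principal: str, password: str, privileges: set) -> None:
    """The proprietor registers a principal (element 1) together with the
    self-chosen secret that will serve as its distinguishing characteristic."""
    salt = os.urandom(16)
    _USERS[principal] = (salt, _hash_password(password, salt))
    _PRIVILEGES[principal] = set(privileges)


def authenticate(principal: str, password: str) -> bool:
    """Element 4: the authentication mechanism verifies that the presented
    secret matches the enrolled characteristic, in constant time."""
    salt, stored = _USERS.get(principal, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    return principal in _USERS and hmac.compare_digest(candidate, stored)


def access(principal: str, password: str, privilege: str) -> bool:
    """Element 5: the access control mechanism grants the privilege only when
    authentication succeeds and denies it otherwise."""
    if not authenticate(principal, password):
        return False
    return privilege in _PRIVILEGES.get(principal, set())


if __name__ == "__main__":
    enroll("alice", "correct horse battery staple", {"read_reports"})
    print(access("alice", "correct horse battery staple", "read_reports"))    # True
    print(access("alice", "wrong password", "read_reports"))                  # False
    print(access("mallory", "correct horse battery staple", "read_reports"))  # False
```

The hash is always computed, even for an unknown principal, and compared with `hmac.compare_digest`, so a failed login takes the same time whether the user name exists or the password is merely wrong; the access decision is kept separate from verification, which is exactly the split between Smith's fourth and fifth elements.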

The term commonly used for the distinguishing characteristic of an individual or group is “attribute”. It is important to underline that the particular attribute which a user relies on to secure authentication within a system is not necessarily created for the user by the proprietor of the system. Most commonly users select their own attributes by choosing a password which they alone know. Sometimes official attributes are required: a social security or passport number, a student identity card number.


One area where authentication mechanisms have been in general use for some time – and which is of particular relevance to this study – is the field of higher education. A leading example is the Athens system created and run in the United Kingdom by Eduserv49. This provides the authentication and access control mechanisms for the majority of higher education institutions in the United Kingdom. Once they hold the necessary authentication password, teachers and students alike are able to log onto the institution’s systems, which provide access to its digital resources.

A more recent development in this field is the Shibboleth standard.50

Shibboleth is an initiative to develop an open, standards-based solution to the needs of organizations to exchange information about their users in a secure, and privacy-preserving manner. The initiative is facilitated by Internet2 and a group of leading campus middleware architects from member schools and corporate partners.

49 Information available at <http://www.eduserv.org.uk>.

50 Information available at <http://shibboleth.internet2.edu/seas.html>.


The organizations that may want to exchange information include higher education institutions, their partners, digital content providers, government agencies, etc. The purpose of the exchange is typically to determine whether a person using a web browser (e.g., Internet Explorer, Netscape Navigator, or Mozilla) has permission to access a resource at a target site, based on information such as being a member of an institution or of a particular class. The system is privacy-preserving in that it leads with this information, not with an identity, and allows users to determine whether to release additional information about themselves.

An open solution means both an open architecture and a functioning, open-source implementation. Standards-based means that the information that is exchanged between organizations can interoperate with that from other solutions.


Key concepts within Shibboleth include:


– Federated Administration. The origin campus (home to the browser user) provides attribute assertions about that user to the target site. A trust fabric exists between campuses, allowing each site to identify the other speaker, and assign a trust level. Origin sites are responsible for authenticating their users, but can use any reliable means to do this.


– Access Control Based On Attributes. Access control decisions are made using those assertions. The collection of assertions might include identity, but many situations will not require this (e.g. accessing a resource licensed for use by all active members of the campus community, accessing a resource available to students in a particular course).


– Active Management of Privacy. The origin site and the browser user control what information is released to the target. A typical default is merely “member of community”. Individuals can manage attribute release via a web-based user interface. Users are no longer at the mercy of the target’s privacy policy.

– Standards Based. Shibboleth will use OpenSAML for the message and assertion formats and protocol bindings, which are based on the Security Assertion Markup Language (SAML) developed by the OASIS Security Services Technical Committee.
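The four concepts above fit together in one exchange: the origin authenticates the user, applies the user's release policy, and signs an assertion that the target checks against the trust fabric before deciding on attributes alone. The following added example (illustration for this page, not Shibboleth or OpenSAML code) walks through that exchange. It stands in HMAC-signed JSON for signed SAML XML, a shared key per origin for the federation's certificate metadata, and the campus names, user, attributes and resource policies are constructed.

```python
"""Shibboleth-style attribute exchange between an origin campus and a target
site. Added illustration for this page, not Shibboleth or OpenSAML code:
assertions are HMAC-signed JSON standing in for signed SAML XML, and the
campus names, user, attributes and resource policies are constructed."""
import hashlib
import hmac
import json
import time
from typing import Optional

# Trust fabric: the key a target holds for each origin it federates with
# (in a real federation, the origin's signing certificate from metadata).
TRUST_FABRIC = {"origin.example.edu": b"constructed-federation-key"}

# Origin-side directory: the campus authenticates the user and owns the
# attributes; the target never sees this store directly.
ORIGIN_DIRECTORY = {
    "alice": {"eduPersonAffiliation": "member", "course": "CS101",
              "mail": "alice@example.edu"},
}

# Active management of privacy: what each user has agreed to release to each
# target. Anything not listed falls back to the bare "member of community".
DEFAULT_RELEASE = {"eduPersonAffiliation"}
RELEASE_POLICY = {"alice": {"library.example.org": {"eduPersonAffiliation", "course"}}}


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def origin_issue_assertion(origin: str, user: str, target: str,
                           now: Optional[float] = None) -> dict:
    """Federated administration: the origin, having authenticated `user` by
    whatever means it trusts, asserts only the released attributes to `target`."""
    now = time.time() if now is None else now
    released = RELEASE_POLICY.get(user, {}).get(target, DEFAULT_RELEASE)
    attrs = {k: v for k, v in ORIGIN_DIRECTORY[user].items() if k in released}
    body = {"issuer": origin, "audience": target, "attributes": attrs,
            "issued_at": now, "expires_at": now + 300}
    sig = hmac.new(TRUST_FABRIC[origin], _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}


def target_verify(assertion: dict, target: str,
                  now: Optional[float] = None) -> Optional[dict]:
    """The target trusts attributes only from a federated issuer, with a valid
    signature, addressed to itself and inside the validity window."""
    now = time.time() if now is None else now
    body = assertion["body"]
    key = TRUST_FABRIC.get(body.get("issuer"))
    if key is None:
        return None
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None
    if body.get("audience") != target:
        return None
    if not body["issued_at"] <= now < body["expires_at"]:
        return None
    return body["attributes"]


# Access control based on attributes: no policy here needs an identity.
RESOURCE_POLICY = {
    "ejournals": lambda a: a.get("eduPersonAffiliation") == "member",
    "cs101-readings": lambda a: a.get("course") == "CS101",
    "staff-directory": lambda a: a.get("mail", "").endswith("@example.edu"),
}


def target_decide(assertion: dict, target: str, resource: str,
                  now: Optional[float] = None) -> bool:
    attrs = target_verify(assertion, target, now)
    return attrs is not None and bool(RESOURCE_POLICY[resource](attrs))
```

Two points worth checking against the list above: the assertion for the library target carries `course` but not `mail`, so the staff directory, whose policy needs an address, is refused even though the origin knows it; and an assertion for any other target carries only the default affiliation, because the user released nothing more to it. The audience and validity checks matter because a signed assertion meant for one target must not be replayable at another.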

3. Revocation