
G. DRM: operations and administration

2. Authentication

In computer security, authentication is the process by which a computer, computer program, or another user [47] attempts to confirm that the computer, computer program, or user from whom the second party has received some communication is, or is not, the claimed first party.

Again, a detailed examination of authentication processes and technologies is not required here; the objective is to introduce the concept to non-technical readers.

In a leading recent reference work on the subject, Richard E. Smith [48] describes the five basic elements of an authentication process:

“Regardless of whether an authentication system is computer based or not, there are several elements usually present and certain things usually take place. First of all, we have a particular person or group of people to be authenticated. Next, we need a distinguishing characteristic that differentiates that particular person or group from others. Third, there is a proprietor who is responsible for the system being used and relies on mechanised authentication to distinguish authorised users from other people.

Fourth, we need an authentication mechanism to verify the presence of the distinguishing characteristic. Fifth, we grant some privilege when the authentication succeeds by using an access control mechanism, and the same mechanism denies the privilege if the authentication fails.”

Smith then illustrates these elements in a variety of contexts, including entering the cave in the story of Ali Baba with the “Open, Sesame” password, using an automated bank teller machine (ATM), and logging onto a computer system with a password.

[47] An important point for the non-technologist to understand is that when references are made to “users” in describing computing processes, the reference can be to either a human actor or another device.

[48] Smith, Richard E.: Authentication, Addison-Wesley, 2002.

[Table residue: Smith's illustration of the five elements across the Ali Baba, ATM and computer-login examples. Surviving cells: “Authentication mechanism”; “The forty thieves”; “Bank”; “Enterprise owning the system”; “Mechanism to move stone”; “Allows banking”.]

The term commonly used for the distinguishing characteristic of an individual or group is “attribute”. It is important to underline that the particular attribute which a user relies on to secure authentication within a system is not necessarily created for the user by the proprietor of the system. Most commonly, users select their own attributes by choosing a password which they alone know. Sometimes official attributes are required: a social security or passport number, or a student identity card number.

One area where authentication mechanisms have been in general use for some time – and which is of particular relevance to this study – is the field of higher education. A leading example is the Athens system created and run in the United Kingdom by Eduserv [49]. This provides the authentication and access control mechanisms for the majority of higher education institutions in the United Kingdom. Once they hold the necessary authentication password, teachers and students alike are able to log onto the institution’s systems, which provide access to its digital resources.

A more recent development in this field is the Shibboleth standard [50].

Shibboleth is an initiative to develop an open, standards-based solution to the needs of organizations to exchange information about their users in a secure and privacy-preserving manner. The initiative is facilitated by Internet2 and a group of leading campus middleware architects from member schools and corporate partners.

The organizations that may want to exchange information include higher education institutions, their partners, digital content providers, government agencies, etc. The purpose of the exchange is typically to determine whether a person using a web browser (e.g., Internet Explorer, Netscape Navigator, and Mozilla) has permission to access a resource at a target site, based on information such as being a member of an institution or of a particular class. The system is privacy-preserving in that it leads with this information, not with an identity, and allows users to determine whether to release additional information about themselves.

An open solution means both an open architecture and a functioning, open-source implementation. Standards-based means that the information exchanged between organizations can interoperate with that from other solutions.

Key concepts within Shibboleth include:

– Federated Administration. The origin campus (home to the browser user) provides attribute assertions about that user to the target site. A trust fabric exists between campuses, allowing each site to identify the other speaker and assign a trust level. Origin sites are responsible for authenticating their users, but can use any reliable means to do this.

[49] Information available at <http://www.eduserv.org.uk>.

[50] Information available at <http://shibboleth.internet2.edu/seas.html>.

– Access Control Based On Attributes. Access control decisions are made using those assertions. The collection of assertions might include identity, but many situations will not require this (e.g. accessing a resource licensed for use by all active members of the campus community, or accessing a resource available to students in a particular course).

– Active Management of Privacy. The origin site and the browser user control what information is released to the target. A typical default is merely “member of community”. Individuals can manage attribute release via a web-based user interface. Users are no longer at the mercy of the target’s privacy policy.

– Standards Based. Shibboleth will use OpenSAML [51] for the message and assertion formats, and protocol bindings, which are based on the Security Assertion Markup Language (SAML) developed by the OASIS Security Services Technical Committee.
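An added example, not part of this report or of the Shibboleth project, that models the four key concepts above in Python: an origin site releases only the attributes its user permits (default: member of community), and a target identifies the speaker through a trust fabric and decides access from attributes alone, never from identity. HMAC with a shared key stands in for Shibboleth's certificate-based SAML signing, and every site name, user and resource is constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed trust fabric: the target knows one shared key per origin site.
# (Assumption: HMAC stands in for the certificate-based signing Shibboleth uses.)
TRUST_FABRIC = {"origin.example.edu": b"constructed-shared-key"}

# Constructed origin-site directory: everything the campus knows about a user.
DIRECTORY = {"alice": {"affiliation": "member", "course": "CS101", "name": "Alice Liddell"}}

# Default release policy: only "member of community" leaves the origin site;
# the user may opt in to releasing more (Active Management of Privacy).
DEFAULT_RELEASE = frozenset({"affiliation"})


def issue_assertion(origin, user, release=DEFAULT_RELEASE):
    """Origin site (which has already authenticated the user by its own means)
    asserts only the attributes the release policy allows, signed for the target."""
    attrs = {k: v for k, v in DIRECTORY[user].items() if k in release}
    body = json.dumps({"issuer": origin, "attributes": attrs}, sort_keys=True)
    sig = hmac.new(TRUST_FABRIC[origin], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_assertion(assertion):
    """Target identifies the speaker through the trust fabric; assertions from
    unknown origins or with a bad signature yield no attributes at all."""
    key = TRUST_FABRIC.get(json.loads(assertion["body"])["issuer"])
    if key is None:
        return None
    expected = hmac.new(key, assertion["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    return json.loads(assertion["body"])["attributes"]


# Constructed target resources with attribute-based rules: no identity needed.
RESOURCES = {
    "campus-journal": lambda a: a.get("affiliation") == "member",
    "cs101-readings": lambda a: a.get("course") == "CS101",
}


def access(resource, assertion):
    """Access control decision made purely on verified attribute assertions."""
    attrs = verify_assertion(assertion)
    return attrs is not None and RESOURCES[resource](attrs)
```

With the default release policy the user reaches the campus-wide journal but not the course readings; opting in to release the course attribute opens the readings without ever disclosing a name, and a forged or unknown-origin assertion is refused outright.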

3. Revocation