2.5 Authentication

Authentication is the ability to identify the source of the communication, both for the communicating parties and for the information itself. In other words, authentication refers to a cryptographic mechanism ensuring that the identity of communicating entities can be verified and that the source of a received message can be verified. Any two parties entering into a secure communication should authenticate each other and the data received with respect to their origin. This hints at the fact that there are actually two kinds of authentication: one to verify identities (entity authentication) and another to verify data origin (message authentication).

Authentication is one of the most important security goals in cryptography. After hash functions and digital signatures were discovered, authentication and confidentiality were classified as independent information security objectives [117]. Without authentication, however, there can be no genuine confidentiality because you can never be sure who you are talking to, even if the communication is in encrypted form. Today, confidentiality and authentication are often combined in authenticated encryption schemes (see Chapter 15, Authenticated Encryption).

It might even seem superfluous to differentiate between authentication and confidentiality. In practice, however, implementing one or the other can have fundamental implications on legal matters.

As an example, export control (legislation regulating the export of goods, software, and technology) restricts the export of items considered potentially harmful to the interest of the exporting country. Such items include arms, so-called dual-use goods with military potential, radioactive materials such as uranium, and cryptography.

In the case of cryptography, it is prohibited to export hardware or software that can be used for strong encryption to export controlled or sanctioned countries, entities, and persons. Strong encryption refers to encryption algorithms (see Chapter 4, Encryption and Decryption) deemed to be secure by national agencies and standardization bodies such as GCHQ or NIST. If the actual goal of a security system is to authenticate individual entities, such as a sensor in a car and an electronic control unit that uses the measurement data from that sensor, it might be more practical to use a cryptographic mechanism for authentication rather than encryption.

Another example where the separation of confidentiality and authentication makes sense is provided by two communicating parties located in different countries where one or both of the countries do not permit confidentiality in order to monitor all communications. While the legitimate parties are not allowed to use encryption, a mechanism for achieving confidentiality, they can still use a cryptographic algorithm to ensure the identity of each party as well as the origin of the information both parties receive.