To know, to have, or to be
There is a slogan that security is based on three kinds of things:
- what you know: passwords, digital keys…
- what you have: smartcards, physical keys…
- what you are: fingerprints, handwriting…
How do we know that there are no other kinds things? We know because there are just three ways of sharing things:
- What I know I can copy and give it to you, so that we both know it. (We call such things data.)
- What I have I cannot copy, but I can give it to you, so that you have it and I don’t. (We call such things objects or resources.)
- What I am I cannot either copy or give to you, and only I am me. (We call what such things identity or self.)
Please don’t get confused by the fact that smartcards can be cloned and that biometric properties can be faked. The point is here that copying data is essentially costless, whereas copying smartcards or cloning people is not. CDs and DVDs can also be copied, but the music and the film industries were thriving with that problem, and they have badly suffered from the costless data streams.
Basic security properties and goals
At the highest level, security research is subdivided into studying the resource security of what-you-have, and the data security of what-you-know. A crude taxonomy of the security properties studied in these two areas is on the picture below.
- Within resource security, the requirement that the good resource uses do happen is called availability; the prevention of the bad resource uses is called authorization.
- Within data security, the requirement that the good data flows do happen is called authenticity, or integrity; the prevention of the bad data flows is called secrecy, or confidentiality.
There are, of course, many different ways to use the same words, and many people use the words “confidentiality”, “integrity” etc, in ways not covered by the above taxonomy. But we need some definitions, and these seem useful. See this post for more.
What about the third branch: self security of what-you-are?
For better or for worse, that’s what they study in medicine and health sciences. Security research still didn’t really connect up with that area, although some biometric researchers of course study what-you-are. There have been various efforts towards biologically inspired security and towards viewing security as immunity. But the real relations between what-you-know and what-you-have and what-you-are are still waiting to be clarified ;)