KAAPS Group		K. Burda
Internet Draft		KAAPS Group
			P. Drahovzal
			KAAPS Group
			O. Prikrylova
			KAAPS Group
			P. Sekanina
			KAAPS Group
Intended status: Informational		January 4, 2011
Expires: July 2011
	


Authentication Method Comparison Tool
draft-kaapsgroup-authenticationtool-00.txt

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.

This document may not be modified,and derivative works of it 
may not be created, except to publish it as an
Internet Draft or RFC and to translate it into languages other than
English.

This document may contain material from IETF Documents or IETF

Contributions published or made publicly available before November
10,2008.The person(s) controlling the copyright in some of this material
may not have granted the IETF Trust the right to allow modifications of
such material outside the IETF Standards Process.  Without obtaining an
adequate license from the person(s) controlling the copyright in such
materials,this document may not be modified outside the IETF Standards
Process,and derivative works of it may not be created outside the IETF
Standards Process, except to format it for publication as an RFC or to
translate it into languages other than English.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html

This Internet-Draft will expire on July 4, 2011.

Copyright Notice

Copyright (c) 2011 IETF Trust and the persons identified as the document
authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions
Relating to IETF Documents (http://trustee.ietf.org/license-info)
in effect on the date of publication of this document. Please
review these documents carefully, as they describe your rights and
restrictions with respect to this document.  Code Components
extracted from this document must include Simplified BSD License
text as described in Section 4.e of the Trust Legal Provisions and
are provided without warranty as described in the Simplified BSD
License.

KAAPS Group	Expires July 4, 2011	[Page 1]

Internet-Draft	Authentication Method Comparison Tool 	January 2011

Abstract

This document outlines and describes the metrics that are to be used for
evaluation and mutual comparison of individual computer authentication
methods and the methodology for use of such metrics by the expert
community.The metrics described in this document were tested and used by
the KAAPS Group for purposes of KAAPS science project (ID 2C08002).The
project was funded by Czech ministry of education (MSMT NPV II,ID
2C08002).

Table of Contents

1.Introduction	3
1.1.General	4
1.2.Requirements Language	4
2.Use Example	4
3.Metrics	5
3.1.Group of Fundamental Parameters	5
3.1.1.Versatility	5
3.1.2.Uniqueness,Exactness	5
3.1.3.Persistence	5
3.1.4.Ease of Telemetry	5
3.1.5.Performance	5
3.1.6.Permeability	6
3.1.7.Acceptability	6
3.1.8.Circumvention	6
3.1.9.Price	6
3.1.10.CER - Crossover Error Rate	6
3.1.11.FAR - False Acceptance Rate	6
3.1.12.FRR - False Rejection Rate	6
3.2.General Parameters Group	7
3.2.1.User Friendliness	7
3.2.2.Manageability	7
3.2.3.Preferred Vendor	7
3.2.4.Preferred Platform	7
3.2.5.Vendor/Distributor Support	7
4.Methodology for Ranking	7
4.1.Normalized Scaling for Open Interval ("hmin","hmax")	8
4.1.1.Var A - Importance 0.1	8
4.1.2.Var B - Importance 0.5	9
4.1.3.Var C - Importance 0.9	9
4.2.Boundary Occurrences "hmin" and "hmax"	9
4.2.1.Value Set at the Lowest Level	9
4.2.2.Value Set at the Highest Level	9
4.3.Methodology Advantages	10
5.Formal Syntax	10
6.Security Considerations	10
7.IANA Considerations	10
8.Conclusions	10
9.References	11
9.1.Normative References	11
9.2.Informative References	11
10.Acknowledgments	11

1. Introduction

KAAPS Group	Expires July 4, 2011	[Page 2]

Internet-Draft	Authentication Method Comparison Tool 	January 2011

In 2007,AutoCont CZ,a leading Czech ICT company joined its resources
with academic skills of Brno University of Technology staff to apply for
a Ministry of Education,Youth and Sports of the Czech Republic grant
that would provide necessary funding for a science project in the field
of authentication.
In October 2007,the proposal for KAAPS Group formation (Czech
abbreviation for Complex Authentication and Authorization Methods for
Hard-Wired and Mobile Networks) was considered by Ministry of
Education,Youth and Sports of the Czech Republic authorities and
required financial support was granted.Works on the project begun in
April 2008,with the scope of work scheduled till the end of 2011.

1.1. General
This paper is being delivered as a result of combined research work of
(so called) KAAPS Group.The computer science project KAAPS (Czech
abbreviation for Complex Authentication and Authorization Methods for
Hard-Wired and Mobile Networks) focuses in exploring new horizons in the
authentication and authorization methods,combining currently used and
popular methods of AAA with the new possibilities in the field of
network access.
The group has been considering many possibilities in this
field,exploring the benefits of various biometric solutions (including
DNA sampling etc),GPS positioning,social aspects of authentication and
many more.
The KAAPS science project is expected to come up with a new
authentication
/authorization prototype by the end of 2011,but in the process,a very
efficient method of product
/solution selection method has been developed.
It is an intention of this paper to share the metrics and evaluation of
said method with the expert community through this Internet Draft.
Any objections,new conceptions or proposals to expand findings of KAAPS
group are welcome and will be considered by the authors.
1.2. Requirements Language
The key words "MUST","MUST NOT","REQUIRED","SHALL","SHALL
NOT","SHOULD","SHOULD NOT","RECOMMENDED","MAY",and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [1].
2. Use Example
A fictional organization,named AC Offline is considering a major rebuilt
in the field of information technology.The company's primary field of
business requires not only the need to communicate securely both within
and outside of the company but also pay great attention to
authentication and authorization of respective clients to the
workstations,servers,networks,applications etc.
The decision process then begins.The decision makers within the company
are facing the challenge to choose the appropriate AAA product
/solution,weighing responsibly the Cost for Money
aspects,security,budgeting,flexibility,openness and many others.
The decision is to be made whether to search for a vendor to provide a
custom-made product
/solution or to search for an existent product on the market.The metrics
that helped KAAPS group to consider fictional customer needs may help

KAAPS Group	Expires July 4, 2011	[Page 3]

Internet-Draft	Authentication Method Comparison Tool 	January 2011

the AC Offline evaluate and choose the right product
/solution or its combination.
3. Metrics
The design intends to compile the parameters that can be used for mutual
comparison of individual authentication methods.These parameters are
divided into two groups.
3.1. Group of Fundamental Parameters
The first group contains basic,constant parameters with a design to set
up the criteria for assessment.Said group of basic parameters consists
of the following parameters:
3.1.1. Versatility
Every person in the family of possible users of compared method shall
have assigned characteristics.
3.1.2. Uniqueness,Exactness
Assigned characteristics shall uniquely differentiate one person from
other person in the assigned family of potential users.
3.1.3. Persistence
Assigned characteristics shall not change in time.If,nevertheless,the
characteristic is subject to change in time,the fashion of the change
has to be predictable and the technique of the change has to be
programmable into the solution.
3.1.4. Ease of Telemetry
An Ease/Difficulty of acquiring the characteristics is taken into an
account.
3.1.5. Performance
Computing Power
o	Needed to acquire the characteristics,
o	Needed to verify the identity.
3.1.6. Permeability
Number of authentication attempts that the system is able to handle in a
predefined period of time.
3.1.7. Acceptability
o	From the society cultural point of view,
o	From the comfort of the end-user point of view.
3.1.8. Circumvention
Ease of circumvention of the system (e.g.according to FIPS).
3.1.9. Price
o	Expenses to acquire the authentication system,
o	Expenses to operate the authentication system,
o	Expenses to compensate for a successful attack (needed for the
method breach).
3.1.10. CER - Crossover Error Rate
Crossover Error Rate (CER) is a comparison metric for different
biometric devices and technologies.It is the error rate at which the
false acceptance rate (FAR) equals the false rejection rate (FRR).As an
identification device becomes more sensitive or accurate,its FAR
decreases while its FRR increases.The CER is the point at which these
two rates are equal,or cross over.
3.1.11. FAR - False Acceptance Rate
The false acceptance rate (FAR) is a measure of the likelihood that the
access system will wrongly accept an access attempt; that is,will allow
the access attempt from an unauthorized user.

KAAPS Group	Expires July 4, 2011	[Page 4]

Internet-Draft	Authentication Method Comparison Tool 	January 2011

3.1.12. FRR - False Rejection Rate
False rejection rate (FRR) is one of the most important specifications
in any biometric system.The FRR is defined as the percentage of
identification instances in which false rejection occurs.
3.2. General Parameters Group
Within the second group,supplemental universal parameters are laid
out.Said parameters can be used to select a solution for a specific
company
/individual.Designed methodology of this group is so universal that
enables the selectee to add any other parameter and submit the values
within any interval.Such soft
/subjective parameters can vary.
Group of universal parameters can contain any of the following
parameters:
3.2.1. User Friendliness
A technique of use in order to offer user comfort is taken into an
account.
3.2.2. Manageability
An administrative comfort and ease of management are taken into an
account.
3.2.3. Preferred Vendor
Most of the large companies maintain a list of preferred
vendors/suppliers.
3.2.4. Preferred Platform
Most of the large companies maintain a list of preferred solution
platforms,with some of the platforms being "prioritized".
3.2.5. Vendor/Distributor Support
A fair vendor support or an existence of local vendor is
beneficial,especially with security solutions.
4. Methodology for Ranking
To assess
/measure individual authentication methods,a method of multi-criterion
analysis has been selected as most suitable.Said method provides the
possibility to rate individual variants by a single number.This number
is then used to linearly sort out the set of solutions.The method is
universal and suitable for evaluation of any solution,moreover not only
in the field of data security.
The method works with monitored parameters "n",while up to "m" variants
of solutions can be evaluated.
The set of variants "V" is represented by V
= {V_1,...,V_m }.The variant "V_i" that is represented by V_j
= (h_1j,h_2j,...,h_nj ) carries individual values of parameters h_ij.The
body of variants forms n-proportional cuboid ?
={?h_ip,h_is ?}_(i
=1)^n,where h_ip is the abject value of i-th parameter and h_is is the
prime value of i-th parameter.
The user selects a point of suitable solution Z=(h_1z,
h_2z,...,h_nz) ,where the value of h_iz equals the value of i-th
parameter,which represents a limiting point (still suitable).This point
defines the significance of individual parameters.The significance is,at
the same time,determined by the relation to the implemented solutions in
general.Its value is defined by the user in native manner.

KAAPS Group	Expires July 4, 2011	[Page 5]

Internet-Draft	Authentication Method Comparison Tool 	January 2011

In the subsequent step,the entire solution is standardized to form a n
dimensional cube ?0,
1?^n using the equivalence relation of:
h ?_ij=  (h_ij- h_ip)/(h_is- h_ip )
The solution value u(V_j ) is formulated by the equivalence relation:
u(V_j )=?_(i=1)^n {v_i? u_i (h_ij )}
Where v_i is a coefficient of importance of i-th parameter and u_i is a
function of evaluation of i-th parameter.
v_i=h ?_iz/(?_(q=1)^nh ?_qz )
Partial function u_i classification is defined by:
u_i (h ?_ij )=  (k_i?h ?_ij)/(1+h ?_ij (k_i-1))
Where:
k_i=  (1-h ?_iz)/h ?_iz

4.1. Normalized Scaling for Open Interval ("hmin","hmax")
4.1.1. Var A - Importance 0.1
Equals to suitable value of the parameter selected as LOW.Example: the
user selected a value "1" on the scale "0" to "10" (as a value very
close to the abject value of the parameter).That means that he
/she considers the quality that the parameter represents to be of a very
low importance in the scope of general decision making.
4.1.2. Var B - Importance 0.5
Equals to suitable value of the parameter selected as AVERAGE.Example:
the user selected a value "5" on the scale "0" to "10" (as a parameter
value that is average).That means that he
/she considers the quality that the parameter represents to be of an
average importance in the scope of general decision making.
4.1.3. Var C - Importance 0.9
Equals to suitable value of the parameter selected as HIGH.Example: the
user selected a value "9" on the scale "0" to "10" (as a value very
close to the maximum value of the parameter).That means that he
/she considers the quality that the parameter represents to be of a high
importance in the scope of general decision making.
Resulting value of the parameter is derived from the ratio to the sum of
normalized values of all parameters.
4.2. Boundary Occurrences "hmin" and "hmax"
4.2.1. Value Set at the Lowest Level
User selected value "0",on the scale "0" to "10" (as a value that equals
the abject value of the parameter).That means that he
/she considers the quality that the parameter represents irrelevant,thus
accepting any value of the parameter delivered in the solution.
This parameter is then left out of the considerations and respective "n"
dimensional cube is reduced to (n-1) dimensional cube.A multi-criterion
analysis is applied to that subspace.
4.2.2. Value Set at the Highest Level
User selected value "10",on the scale "0" to "10" (as a value that
equals the maximum value of the parameter).That means that he
/she considers the quality that the parameter represents most
important,thus accepting only those parameters delivered in the solution
that reached maximum values.
From the geometry point of view,the optimal value is searched for in the
hyperplane of the original "n" dimensional cube that is vertical to the

KAAPS Group	Expires July 4, 2011	[Page 6]

Internet-Draft	Authentication Method Comparison Tool 	January 2011

axis of the maximal value parameter.
4.3. Methodology Advantages
o	It enables the user to set up and change the significance levels
for multi-criterion analysis intuitively - by setting the value of given
parameter to existing product/
solution,
o	It enables the user to change the significance of respective
parameters according to his/
her own needs,
o	It enables the user to add/
remove individual parameters that are needed to decide on the
product/solution,
o	It enables the user to add/remove additional products/solutions,
o	The "Result List" provides the user with not only "Winner" that
has successfully and most appropriately met all criteria,but also lists
the "Runner Ups",
o	It enables the user to gain important information about rank and
"quality gaps" of the respective products/
solutions,
o	It provides the template for independent evaluation of
individual parameters within the authentication methods.
5. Formal Syntax
The following syntax specification uses the augmented Backus-Naur Form
(BNF) as described in RFC-2234 [2].
6. Security Considerations
This paper as a whole refers to new methods of authentication
comparison,as an essential security task.There are no further security
considerations.
7. IANA Considerations
This paper has no IANA considerations.
8. Conclusions
KAAPS Group focused solely on new methods of authentication that had
been previously neither considered nor tried to apply in real life,to
the best of knowledge of KAAPS Group.
The authentication comparison tool that is a subject of this paper
appeared as a side product of the group effort to come up with a
proprietary authentication tool.
Works of so called KAAPS Group continues to reach common goal in
presenting fully functional prototype authentication tool by the end of
2011.
Comments to this paper are highly appreciated and welcome.
9. References
9.1. Normative References
[1]	Bradner,S.,"Key words for use in RFCs to Indicate Requirement
Levels",BCP 14,RFC 2119,March 1997.
[2]	Crocker,D.and Overell,P.(Editors),"Augmented BNF for Syntax
Specifications: ABNF",RFC 2234,Internet Mail Consortium and Demon
Internet Ltd.,November 1997.
[RFC2119]	Bradner,S.,"Key words for use in RFCs to Indicate
Requirement Levels",BCP 14,RFC 2119,March 1997.
[RFC2234]	Crocker,D.and Overell,P.(Editors),"Augmented BNF for
Syntax Specifications: ABNF",RFC 2234,Internet Mail Consortium and Demon

KAAPS Group	Expires July 4, 2011	[Page 7]

Internet-Draft	Authentication Method Comparison Tool 	January 2011

Internet Ltd.,November 1997.
9.2. Informative References
This paper is a result of independent science project.As such,the
authors did not base its findings on any informative paper.
10. Acknowledgments
This work is financially supported by the Ministry of Education,Youth
and Sports of the Czech Republic in 2C08002 Project - KAAPS Research of
Universal and Complex Authentication and Authorization for Permanent and
Mobile Computer Networks,under the National Program of Research II.
This document was prepared with strong support provided to its authors
by AutoCont CZ,a.s.and Brno University of Technology.
This document was prepared using 2-Word-v2.0.template.dot.


Authors' Addresses
Karel Burda
Brno University of Technology
Department of Telecommunications
Purkynova 118
612 00 Brno
Czech Republic
	
Email: burda@feec.vutbr.cz

Petr Drahovzal
AutoCont CZ
Sochorova 23,
61600 Brno
Czech Republic
	
Email: pjd@autocont.com

Olga Prikrylova
AutoCont CZ
Sochorova 23,
61600 Brno
Czech Republic
	
Email: olgap@autocont.com

Pavel Sekanina
AutoCont CZ
Sochorova 23,
61600 Brno
Czech Republic
	
Email: pavels@autocont.com

Internet-Draft	Authentication Method Comparison Tool 	January 2011




KAAPS Group	Expires July 4, 2011	[Page 8]