[cryptography] Definition of Identity (was Re: key management guidelines)
arshad.noor at strongauth.com
Wed Sep 15 00:23:48 EDT 2010
Marsh Ray wrote:
> You know that ATM cards are frauded all the time, right?
Indeed. However, what makes these - and many such attacks
possible, is the fact that modern systems still rely on a
4-decade old scheme of authentication, based on shared
secrets - something I classified as Identity Protection
Factor (IPF) Level 2:
> Why wouldn't the phished customer be willing to authenticate with his
> second factor as well as the first? Why couldn't the phisher be able to
> forward that credential nearly as easily as a password?
With an authentication scheme based on SSL ClientAuth that
relies on a digitally signed nonce, a MITM attack is not
infeasible, but it is significantly more difficult to carry
out for credentials at IPF Level-6 (see the IPF paper) or higher.
> Dude, this is messed up.
You are entitled to your opinion, Marsh.
> There are a couple of influential books you might consider reading:
However, I believe it is naive to bring up the "Orwellian
Society" as a "bugaboo" because of a concept that enables the
tracking of every legitimate, non-anonymous transaction through
strong authentication/digital-signatures. You are already
living in an Orwellian society whether you like it or not:
http://www.eff.org/issues/nsa-spying. Any assumption on your
part that you have any modicum of privacy on the internet, is
>> When a child goes to enroll at a preschool or kindergarten, proof of
>> residency and the date of birth can be provided to the school by
>> having the hospital of birth e-mail a digitally signed birth
>> certificate to the school admissions office (the guardian will
>> actually request it through an application on the hospital's site,
>> after authenticating him/herself with their own healthcare
>> credential, or their child's credential).
> Is there really such a problem today with preschoolers being enrolled
> with fake identities that it could possibly justify such an infrastructure?
The problem isn't about fake identities; it is about
improving archaic business processes through the use of
technology - and doing it securely, and across a sector,
in one fell swoop.
>> Most people – including security-conscious professionals – resort to
>> using similar passwords (or small set of passwords), or writing them
>> on a piece of paper for the multitude of credentials in their
>> possession. [...] access to sensitive information, which was
>> controlled in the past, is now a mere login-screen away to anyone in
>> the world with an Internet connection. This has given rise to new
>> forms of attacks – most notably, phishing and keystroke-loggers - to
>> siphon away credentials to valuable service accounts.
> All this, to fix that?
When an entire system is breaking down, there are many
parts that need fixing; however, to stanch the problem, one
has to begin at the point where you can slow down the rate
of current compromises before you fix the problems inside.
> The only solution is common sense and an adaptable, organic system which
> recognizes the limitations of technology to address what are inherently
> human problems. Maybe sometimes it is a little extra work to apply good
> judgment rather than cranking the handle of some mechanistic rules
> engine. But we certainly can do without creating a machine which
> (literally) runs off the blood of newborn babies.
Notwithstanding the hyperbole (you do know that DNA can be
profiled based on spit), common sense is *always* necessary
at all times. However, events of the last decade have shown
that there is very little of it exercised everywhere.
The world's population is approaching 7 billion people, with
projections of 10 billion by 2050. The richest country in
the world (the USA), with a mere 300M people, has a trillion-
dollar deficit, cannot fix roads and schools, and is watching the
resurgence of polio, TB and lice (aside from antibiotic-
resistant bacteria). Like it or not, solving problems for
the next century is going to require some very different kind
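The distinction drawn in the message above between a shared secret and a digitally signed nonce, together with the caveat that a MITM is harder but not infeasible, as an added example that is not part of the original post or of any StrongAuth product. It models three schemes side by side: a password, which the phisher captures and forwards; a signed nonce, which cannot be replayed later but can be relayed by a phisher who fetches a live challenge from the real site; and a signature that also covers the identity of the server the client believes it is talking to, which is the effect of the TLS client-auth CertificateVerify signing the handshake transcript (server certificate included). The signature scheme is a toy textbook RSA over two small well-known primes so that the block runs on the standard library alone; it is an assumption standing in for a real scheme, and every name (`bank.example`, `bank-login.example`, the password) is constructed.

```python
import hashlib
import secrets

# Toy textbook RSA (constructed; stands in for a real signature scheme).
P, Q = 1000000007, 998244353          # well-known primes, ~1e18 modulus
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # gcd(E, phi) == 1 for these primes


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Client's private-key signature over data (toy RSA, hash-then-sign)."""
    return pow(_digest(data), D, N)


def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(data)


# --- Scheme 1: shared secret (the IPF Level 2 case) --------------------------
PASSWORD = b"correct horse"           # constructed victim password


def password_login(presented: bytes) -> bool:
    return secrets.compare_digest(presented, PASSWORD)


def phish_password() -> bool:
    # The victim types the password into the phisher's page; the phisher
    # now holds the secret itself and can forward it at any later time.
    captured = PASSWORD
    return password_login(captured)   # True: attack succeeds


# --- Scheme 2: signed nonce -------------------------------------------------
class NonceServer:
    def __init__(self) -> None:
        self.outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        n = secrets.token_bytes(16)
        self.outstanding.add(n)
        return n

    def login(self, nonce: bytes, sig: int) -> bool:
        # Each nonce is accepted once, so a captured signature is worthless
        # after the session in which it was produced.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        return verify(nonce, sig)


def replay_signed_nonce() -> tuple[bool, bool]:
    srv = NonceServer()
    n = srv.challenge()
    s = sign(n)                       # victim signs the real challenge
    return srv.login(n, s), srv.login(n, s)   # (True, False): replay fails


def relay_signed_nonce() -> bool:
    # Live MITM: the phisher opens a session with the real server, shows the
    # victim that server's nonce, and forwards the victim's signature at once.
    srv = NonceServer()
    n = srv.challenge()               # phisher obtains a real nonce
    s = sign(n)                       # victim signs it on the phishing page
    return srv.login(n, s)            # True: a bare signed nonce can be relayed


# --- Scheme 3: signature bound to the peer identity -------------------------
class BoundServer(NonceServer):
    def __init__(self, name: bytes) -> None:
        super().__init__()
        self.name = name

    def login(self, nonce: bytes, sig: int) -> bool:
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        # The server checks the signature against its own identity.
        return verify(self.name + b"|" + nonce, sig)


def client_sign_bound(nonce: bytes, peer_name: bytes) -> int:
    # The client signs the name of the server it is actually connected to,
    # as the TLS CertificateVerify signs the transcript that carries the
    # server's certificate.
    return sign(peer_name + b"|" + nonce)


def relay_bound() -> tuple[bool, bool]:
    real = BoundServer(b"bank.example")
    n1 = real.challenge()
    direct = real.login(n1, client_sign_bound(n1, b"bank.example"))
    n2 = real.challenge()             # phisher fetches a real nonce
    # The victim's browser is connected to the phisher, so the signature is
    # bound to the phisher's identity and the real server rejects it.
    relayed = real.login(n2, client_sign_bound(n2, b"bank-login.example"))
    return direct, relayed            # (True, False)
```

The third scheme is the one that earns the "significantly more difficult" in the message: the phisher cannot replay, cannot relay, and never sees a secret it could use elsewhere. What remains is malware on the endpoint that can drive the signing key directly, which no challenge format defends against.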