[cryptography] Definition of Identity (was Re: key management guidelines)

Arshad Noor arshad.noor at strongauth.com
Wed Sep 15 00:23:48 EDT 2010


Marsh Ray wrote:
> 
> You know that ATM cards are frauded all the time, right?
> 
	Indeed.  However, what makes these - and many such attacks -
	possible is the fact that modern systems still rely on a
	4-decade-old scheme of authentication, based on shared
	secrets - something I classified as Identity Protection
	Factor (IPF) Level 2:

http://middleware.internet2.edu/idtrust/2008/papers/01-noor-ipf.pdf

> Why wouldn't the phished customer be willing authenticate with his
> second factor as well as the first? Why couldn't the phisher be able to
> forward that credential nearly as easily as a password?

	With an authentication scheme based on SSL ClientAuth, that
	relies on a digitally-signed nonce, while a MITM attack is
	not infeasible, it is significantly more difficult to carry
	out for credentials at IPF Level-6 (see IPF paper) or higher.

> Dude, this is messed up.
> 
	You are entitled to your opinion, Marsh.

> There are a couple of influential books you might consider reading:
> http://en.wikipedia.org/wiki/Brave_New_World
> http://en.wikipedia.org/wiki/Nineteen_Eighty-Four
> 

	However, I believe it is naive to bring up the "Orwellian
	Society" as a "bugaboo" because of a concept that enables the
	tracking of every legitimate, non-anonymous transaction through
	strong authentication/digital-signatures.  You are already
	living in an Orwellian society whether you like it or not:
	http://www.eff.org/issues/nsa-spying.  Any assumption on your
	part that you have any modicum of privacy on the internet, is
	fallacious.

>> When a child goes to enroll at a preschool or kindergarten, proof of
>> residency and the date of birth can be provided to the school by
>> having the hospital of birth e-mail a digitally signed birth
>> certificate to the school admissions office (the guardian will
>> actually request it through an application on the hospital's site,
>> after authenticating him/herself with their own healthcare
>> credential, or their child's credential).
> 
> Is there really such a problem today with preschoolers being enrolled
> with fake identities that it could possibly justify such an infrastructure?
> 
	The problem isn't about fake identities; it is about
	improving archaic business processes through the use of
	technology - and doing it securely, and across a sector,
	in one fell swoop.

>> Most people – including security-conscious professionals – resort to
>> using similar passwords (or small set of passwords), or writing them
>> on a piece of paper for the multitude of credentials in their
>> possession. [...] access to sensitive information, which was
>> controlled in the past, is now a mere login-screen away to anyone in
>> the world with an Internet connection. This has given rise to new
>> forms of attacks – most notably, phishing and keystroke-loggers - to
>> siphon away credentials to valuable service accounts.
> 
> All this, to fix that?
> 
	When an entire system is breaking down, there are many
	parts that need fixing; however, to stanch the problem, one
	has to begin at the point where you can slow down the rate
	of current compromises before you fix the problems inside.

> The only solution is common sense and an adaptable, organic system which
> recognizes the limitations of technology to address what are inherently
> human problems. Maybe sometimes it is a little extra work to apply good
> judgment rather than cranking the handle of some mechanistic rules
> engine. But we certainly can do without creating a machine which
> (literally) runs off the blood of newborn babies.

	Notwithstanding the hyperbole (you do know that DNA can be
	profiled based on spit), common sense is *always* necessary
	at all times.  However, events of the last decade have shown
	that there is very little of it exercised everywhere.

	The world's population is approaching 7 billion people, with
	projections of 10-billion by 2050.  The richest country in
	the world (the USA), with a mere 300M people, has a
	trillion-dollar deficit, cannot fix roads or schools, and is
	watching the resurgence of polio, TB and lice (aside from
	antibiotic-resistant bacteria).  Like it or not, solving
	problems for the next century is going to require some very
	different kind of thinking.

Arshad Noor
StrongAuth, Inc.
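The signed-nonce scheme Noor contrasts with password forwarding, as an added Go example that is not part of this thread: the client signs a fresh server-issued nonce together with the identity of the server it has itself authenticated, so a phishing site that relays the genuine server's nonce gets back a signature that does not verify at the genuine server, and a stale signature fails against a fresh nonce. The ed25519 key pair, the 32-byte nonce and the host names are constructed for the demonstration; binding the verified server identity into the signed bytes stands in for what TLS client authentication obtains by signing the handshake transcript.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKeyPair creates the client's signing key; the private half never leaves the client.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewNonce draws a fresh 32-byte challenge for one authentication attempt.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// signedMessage is what both sides sign/verify: server identity, separator byte, nonce.
func signedMessage(serverID string, nonce []byte) []byte {
	return append(append([]byte(serverID), 0), nonce...)
}

// Respond is the client side. peerID is the identity the client has itself verified for
// the connection it is on (under TLS client auth, from the server certificate), never a
// value the peer supplies inside the challenge.
func Respond(priv ed25519.PrivateKey, peerID string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedMessage(peerID, nonce))
}

// Verify is the server side: the signature must cover this server's own identity and the
// nonce it issued, so a response collected by another site, or an old one, is rejected.
func Verify(pub ed25519.PublicKey, serverID string, nonce, sig []byte) error {
	if !ed25519.Verify(pub, signedMessage(serverID, nonce), sig) {
		return errors.New("signed nonce does not verify for this server and challenge")
	}
	return nil
}

func main() {
	pub, priv, _ := NewKeyPair()
	nonce, _ := NewNonce()
	// A phishing site relays the genuine nonce; the client signs for the site it actually sees.
	relayed := Respond(priv, "phisher.example", nonce)
	fmt.Println("genuine:", Verify(pub, "bank.example", nonce, Respond(priv, "bank.example", nonce)))
	fmt.Println("relayed:", Verify(pub, "bank.example", nonce, relayed))
}
```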
