funsec mailing list archives

Re: [privacy] U.S. Senators Propose Repeal of National ID


From: "Dr. Neal Krawetz" <hf () hackerfactor com>
Date: Mon, 18 Dec 2006 23:01:05 -0700 (MST)

On Mon Dec 18 22:01:20 2006, Dennis Henderson wrote:

> Dave,
>
> Excellent rant, I fully agree, and I could not have said it any better.
>
> Well, after you're all done awarding each other honorary degrees, it would be
> good to hear about a solution, not just lament the issues.
>
> On one hand, every official entity tries to establish some form of identity
> where either local, county or state authorities can make a positive ID on
> someone. On the other hand, the one entity that has the capability and means
> to establish a unique federal credential is considered the devil
> reincarnate, but people are just in denial... They already have an established
> system of identity, but people seem to think the SSN is just another number.
>
> As long as people refuse to let a singular entity provide a uniform and
> recognizable form of ID, the US will continue to suffer this issue.
>
> [snip]
>
> So what's your solution?
>
> With all due respect, Dr., please provide a treatment, not a diagnosis...
>
> It's tiring to hear the seasoned citizens of academia simply hash the issue
> and not at least try to shape that hash into an even vaguely recognizable
> potato(e)....
>
> :)

Hi Dennis,

There are three parts to this problem:
First, there is identification of the problem and understanding the
ramifications.
Second, there is analyzing the existing approaches -- learning what works
and what does not.  This includes comparing the solution to other scenarios.
Finally, there is proposing, adopting, and revising a new solution.

None of these steps happen overnight.
It was my impression that the discussion thread focused on the first two
parts (identification and evaluation), but let's proceed to the third part:
solutions.

The current SSN system was flawed from the start.  Identity theft is not
new, and neither is social security fraud.

However, the SSN system was never intended for use as a national
identification system.  It was intended for taxes and -- yes -- social
security accounts.  The adoption of an SSN in place of a universal ID
occurred because a universal ID did not exist AND because it was convenient.
This is a similar oversight to the one that allows spam to proliferate: email
was never designed for security, nor to fit a corporate/business need.  The
lack of authentication and widespread use permit it to be abused.

But I digress...

We need to adapt known-good security practices to personal authentication.

The first thing people need to realize is that a single, universal ID will
never work.  This is the same situation with using one password on every
system.  If it ever becomes compromised, then everything is lost.

The second thing people need to realize is that authentication is provided
by an authority and not the other way around.  We should not start with a
government issuing an ID.  This is a flawed start because the initial
authentication starts from an assumption about the identified individual.
Instead, we need to start the authentication process at the individual, since
only you know that you are you.

Third, we need to realize that authentication is not transitive.  If I am
authenticated with my bank, then my bank authentication should only work
at my bank.

You want a solution?  How about this:

  - Start with a random unique key per person.  This is used to seed a
    system that generates additional keys.
    For sanity, we can make this biometric.  For example, DNA -- it's costly
    and time consuming right now, but rarely needs to be done.
    Fingerprints would be fine for people with fingers (not amputees).
    Iris or retina patterns for people with eyes, etc.
    Heck, even the government could issue some or all of the unique seed.
    NOTE: They do NOT keep a copy -- they just generate it.

  - For each service, combine this biometric with something the person
    knows (2-part authentication) and something provided by the service.
    Together, this becomes 3-part authentication.
    E.g., combine my DNA seed with my password and the bank's keys.
    This creates a unique identifier and can generate a public/private
    key pair.  Only myself and my bank can authenticate a transaction.
    I will have a different key pair for government passports, taxes,
    hotel reservations, etc.

What about theft?
  Even if they copy my biometric values, they still need to know my
  password.  Also, there are plenty of biometric values -- I should be
  able to change from fingerprint to iris if someone copies my data.

What if they get my password?
  They compromised one authentication system, but not any other.
  Cross-validation between multiple sources can be used to reclaim a
  compromised account.
  This type of cross-validation is already in use today.  E.g., you cannot
  get a phone line without having a bank account or some other utilities.
  And you cannot get a credit card unless you have bills in your name
  (or can show that you are too young to pay off the card).

What if I forget my password?
  This is no different than having a compromised password.
  Between still having my original biometric values and being able to
  cross-validate, I should be able to reclaim and reset keys for any accounts
  that are missing passwords.

Will this work?
  Sure it will!  Network administrators and security folks do this all the
  time!  Want to enter a secure government building?  You need multiple
  IDs.  Even my car uses a different key from my house.
  This is a known, time-tested solution.

What about implementation?
  I'm a programmer; the software is easy.
  The hardware exists today, but is expensive.  But if everyone needed it,
  then costs would drop and demand would increase.
  Usability is not too difficult as long as people get past the initial
  shock of not having a centralized authentication system.

What about the banks needing to report taxes?
  The bank can hold only the public-key component from my tax authentication
  keys.  They can use this to link my account to my taxes.  However, since
  they don't have my seed, nor my tax password, nor the tax key component,
  they cannot recreate my private tax key.  Even if the bank loses all of
  their customer data in a horrible compromise, my tax identity is secure.

And that's just one solution that I rattled off the top of my head.
I'm sure if I sit and think about this a little more, I can come up with
many other options.  This solution may not be perfect (since I didn't
ponder it very long), and I look forward to discussions about limitations,
variants, and alternatives.

                                        -Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
and "Hacking Ubuntu" (Wiley, 2007)
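The three-factor derivation and the bank/tax separation sketched in the message above, worked through as an added example. This is my code, not Neal's and not anything from Hacker Factor; it assumes things the post does not specify: the biometric is modelled as an opaque 32-byte template hash, the service's contribution is a 32-byte key it issued, the derived pair is an X25519 key pair (RFC 7748), and every input is constructed. It uses only the Python standard library, so the X25519 scalar multiplication is transcribed from the RFC for illustration and is not constant-time.

```python
"""Per-service key pairs from three factors, as sketched in the message above.

Added example, not code from the original post.  Assumptions the post does not
make: the biometric is an opaque 32-byte template hash, the service supplies a
32-byte key, and the derived pair is X25519 (RFC 7748), so the public half is
priv * basepoint and cannot be inverted to recover priv.  Standard library only;
the ladder is a plain transcription of RFC 7748 section 5 (not constant-time).
"""
import hashlib
import hmac

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

# Constructed sample inputs standing in for real biometric templates and service keys.
FINGERPRINT_SEED = hashlib.sha256(b"constructed fingerprint template").digest()
IRIS_SEED = hashlib.sha256(b"constructed iris template").digest()
BANK_KEY = hashlib.sha256(b"constructed key issued by the bank").digest()
TAX_KEY = hashlib.sha256(b"constructed key issued by the tax authority").digest()


def x25519(private_key: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: u-coordinate of private_key * u, as 32 bytes."""
    k = bytearray(private_key)
    k[0] &= 248                      # clamp the scalar (RFC 7748 section 5)
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    u = bytearray(u_bytes)
    u[31] &= 127                     # the top bit of a u-coordinate is ignored
    x_1 = int.from_bytes(u, "little")
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        a, b = (x_2 + z_2) % P, (x_2 - z_2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x_3 + z_3) % P, (x_3 - z_3) % P
        da, cb = d * a % P, c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * (da - cb) ** 2 % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def derive_service_keypair(bio_seed: bytes, password: str,
                           service_key: bytes, service_label: bytes):
    """Fold the three factors into one per-service X25519 key pair.

    The password is stretched with the service key as salt, so the same password
    yields unrelated material at every other service (PBKDF2 here; scrypt or
    Argon2 in production).  HKDF-style extract/expand (RFC 5869, built from HMAC)
    then mixes in the biometric seed and the service label.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), service_key, 200_000)
    prk = hmac.new(stretched, bio_seed, hashlib.sha256).digest()      # HKDF-Extract
    private_key = hmac.new(prk, service_key + service_label + b"\x01",
                           hashlib.sha256).digest()                    # HKDF-Expand
    return private_key, x25519(private_key, BASEPOINT)


def prove(private_key: bytes, ephemeral_public: bytes) -> bytes:
    """Key holder answers a fresh challenge key with a hashed X25519 agreement."""
    return hashlib.sha256(x25519(private_key, ephemeral_public)).digest()


def verify(public_key: bytes, ephemeral_private: bytes, response: bytes) -> bool:
    """The verifier needs only the public key and its own ephemeral private key."""
    expected = hashlib.sha256(x25519(ephemeral_private, public_key)).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    """The post's bank/tax scenario, run on the constructed inputs above."""
    password = "constructed passphrase"
    tax_priv, tax_pub = derive_service_keypair(FINGERPRINT_SEED, password, TAX_KEY, b"tax")
    bank_priv, bank_pub = derive_service_keypair(FINGERPRINT_SEED, password, BANK_KEY, b"bank")
    # The bank keeps only the public half of the tax key to link the account.
    bank_record = {"account": "constructed-0001", "tax_public_key": tax_pub.hex()}
    # The tax authority challenges with an ephemeral key (os.urandom in practice).
    eph_priv = hashlib.sha256(b"constructed ephemeral randomness").digest()
    eph_pub = x25519(eph_priv, BASEPOINT)
    return {
        "bank_record": bank_record,
        "holder_passes": verify(tax_pub, eph_priv, prove(tax_priv, eph_pub)),
        # A leaked bank database yields tax_pub and the bank's own keys, not tax_priv.
        "leaked_bank_impersonates": verify(tax_pub, eph_priv, prove(bank_priv, eph_pub)),
        "keys_independent": tax_priv != bank_priv and tax_pub != bank_pub,
        # Switching biometric (fingerprint -> iris) rotates that service's key.
        "iris_rotates_key": derive_service_keypair(IRIS_SEED, password, BANK_KEY, b"bank")[0] != bank_priv,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the file prints the demo results: the holder of the tax private key passes the challenge, a bank that has only the public half (plus its own, unrelated bank key pair) does not, and swapping the fingerprint seed for the iris seed produces a fresh bank key, which is the rotation the post describes. The `x25519` function can be checked against the test vectors in RFC 7748 section 6.1 if you want independent confirmation of the ladder.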

_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy