Basics of Security: Digital Identity

Having talked about the dangers of security, we can now talk about the only true basis of security.

Identity. You have to know who you are. You have to be able to communicate to others who you are. Without that, there is no basis for real security.

If you don't know who you are, you don't know what you have. If you don't know what you have, it does no good to try to put it in a safe or the bank, or to try to build walls around it.

If you don't know who you are, how can you even protect yourself?

One common rubric of the current fads in system security is

  • Something you have,
  • Something you know, 
  • Something you are.

Let's examine those.

Things that you have change. You lose things, sell them, give them away. You buy things, find them, receive them as presents. Etc. Your possessions change. You remain.

Identity is not in any thing you have.

Things you know change. You forget them. You write them down and misplace your notes, or find later that you can't read them. And you have a collection of books from which you read and learn new things that make you change your mind about things you used to think you knew. You tell other people things. Secrets slip out. And others may or may not remember what they have learned about what you know.

Identity is not in any thing you know.

What you are changes. Habits you once thought to be an integral part of you get set aside as you grow older and find them insufficient and unsatisfying. Principles and ideals come and go. Features on your face or body move and change. You may grow bald, you may grow a beard. Your natural hair color greys, and/or you may color your hair.

Identity is not in any one thing you are.

The only thing I can think of that properly equates to identity is the sum of experience, in combination with the choices you have made and make now, and the things you have desired and the things you want now. And belief colors it all, so we have to add what you believe.

But that chain of experience extends to before birth, and it extends into the future.

Yes, I'm talking about the eternity of the soul. I'm going to tell you here that you can't really obtain security without understanding something of your eternal nature, but I won't specify what you must understand. That is an individual choice, and part of one's identity.

Ultimately, security is very much a religious and individual matter.

For the sake of systems, we can't go there. We have to use proxies. Thus the rubric mentioned above.

Let's look at it again, in relation to information systems security.

In information systems, the thing you are is usually your user-id. It has only a tenuous connection to the real you, but the system needs a proxy token for the concept, and system administrators take the easy way out and use the user-id for the thing you are.

The thing you have is the password. If it's hard enough, it's hard to remember, and you have written it down someplace hopefully safe, so, yeah, you have it, on a piece of paper somewhere.

The thing you know is the failsafe question that you tell them to ask you when you have forgotten your password. Except, if you are smart, you don't want to tell them your private information. So you use a made-up response, which you write down with the password.

What the heck? The three are used rather independently, and the thing you know may never be used at all?

Well, the point is to have a proxy token for identity. At least they are using something, right?

In some cases, the numeric Internet Protocol address (IP address) temporarily assigned to your internet modem/router is being used as the entire proxy. This is similar to using a street address or post-office box number as an identity proxy.

Considering that anyone can write any return address and drive to a different post office to mail a letter, we should definitely cry foul on any attempt to use IP addresses as proxies for identity under any circumstances except for the delivery of data packets on the web.

In Japan and (as I understand it) in some parts of China, in place of signatures, stamps are used. Rubber stamps are used to an extent, but wood and other materials are used as well. (Some people call them seals, since they are similar in construction to the metal seals sometimes used in Europe and the Americas, substituting ink for wax.)

Old-fashioned physical keys for physical locks are more familiar proxy tokens in much of the world.

Public key encryption can provide a similar device for information systems. So can a one-time-pad. Unfortunately, if you are using software keys or OTPs and a bit of malware infects your system, the secrets on which either one functions are exposed, and the proxy fails.

Hardware encryption keys and OTPs are being manufactured now, and as long as people treat them with a little more care than they treat their safe-deposit box keys, then they work pretty well. But most cheap versions of such keys are vulnerable to nothing more than a soldering iron and a thief or spy's computer. All are vulnerable to electron microscopes.

Others have described adventures in defeating the security measures on these devices; I'll just note that many of the stories are true enough.

Consider this one point --

If a thief spends even thirty seconds jimmying the lock to your apartment, that's a total of a minute in which one of your neighbors might see him gaining access to things he is not supposed to have access to.

Your internet connection is not visible to your neighbor. If your nearest router is connected to other computers besides your own, they have a connection that even your ISP can't monitor under many internet setups. This is especially true with wireless connections.

If someone wants into your computer, they often have hours at a stretch where they can play with your internet connection completely free of observation. And computers work fast enough that mere seconds may be all it takes.

In some cases, managed physical tokens are secure enough. But, even with a very carefully managed and monitored physical, wired office network, they provide nothing beyond the old mechanical keys and locks or seals. All of the old ways to cheat with them still apply, along with some new ways peculiar to computers.

But this is all about tokens for identity. What can we do when actual identity has to be ascertained?

In the real world, we have to have human witnesses for certain kinds of transactions. In the on-line world, because of the speed of computers, we have invented new kinds of transactions that sort-of look like the old ones, but don't need witnesses. But those transactions where witnesses are required still need witnesses.

The answer?

Speed is the problem. The solution is to slow down. Do things in person. Go to the bank in person to get the One-Time-Pad device, for instance. Give your employees time off to do that. Likewise with voting.

It's the answer to a lot of problems, but we are talking about identity here.

There are other solution elements that are not yet in place. ISPs and local exchanges need more monitoring devices, and we need to make it a rule to not allow any company that controls more than 40% of a market to continue to sell infrastructure equipment and new service contracts. Too much dominance here provides too many opportunities for hidden abuse of systems.

And we need more of the network version of witnesses and scriveners (CPAs in the US), servers whose sole purpose is to record and report transactions and times, with the cryptographic checksums that are the digital corollary of the seal/stamp/signature.

How those would work, I'll have to rant about some other time.
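One minimal shape the witness-server record could take, as an added example that is not from the original post: each entry binds a party, a transaction digest and a time to the previous entry's seal, so altering or back-dating any record is detectable on verification. The HMAC key, field names and sample transactions are constructed assumptions; a real witness would more likely use an asymmetric signature so that anyone can verify without holding the key.

```python
import hashlib
import hmac
import json

# Assumption: one secret sealing key held by the witness (constructed value).
WITNESS_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def seal_of(body: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the record body."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(WITNESS_KEY, data, hashlib.sha256).hexdigest()


def witness(log: list, party: str, transaction: str, when: int) -> dict:
    """Append a record binding who, what and when to the previous record."""
    body = {
        "seq": len(log),
        "time": when,
        "party": party,
        "tx_sha256": hashlib.sha256(transaction.encode()).hexdigest(),
        "prev": log[-1]["seal"] if log else GENESIS,
    }
    record = dict(body, seal=seal_of(body))
    log.append(record)
    return record


def verify(log: list) -> int:
    """Return the index of the first bad record, or -1 if the log is intact."""
    prev = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "seal"}
        linked = body.get("seq") == i and body.get("prev") == prev
        if not linked or not hmac.compare_digest(seal_of(body), record.get("seal", "")):
            return i
        prev = record["seal"]
    return -1


def demo() -> tuple:
    """Constructed sample: two witnessed transactions, then one back-dated."""
    log = []
    witness(log, "alice", "transfer 100 to bob", 1700000000)
    witness(log, "bob", "transfer 40 to carol", 1700000060)
    intact = verify(log)
    log[0]["time"] = 1600000000  # tampering: change the recorded time
    return intact, verify(log)
```

Only the transaction digest is stored, so the witness attests to what was presented and when without keeping the content itself.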
