As Winston Smith, the protagonist of 1984's Big Brother-dominated world, falls asleep, his last thought is "Sanity is not Statistical" (Orwell, 1949). A multitude of varied analyses have accompanied this poignant quote from the George Orwell classic. At their root they break down to a single common theme: everything is objectively true or false. Depending on which side of the societal fence you reside on, this could mean truth is what is reported by Fox News or by MSNBC, or that America is represented by the Occupy movement or by the Tea Party. The reality is that fundamental truths or untruths lie someplace in between the extremes. Things do not become true just because the majority believes in them, or false because the minority believes in them.

Ask 100 people leaving the local chain pharmacy if they need to have their loyalty card scanned or provide their email or phone number to complete their purchase, and the majority will say yes. Ask them why and you will likely be treated to some blank or puzzled stares.
The problem
If you ask 100 people on the street whether HTTPS is secure, it is likely that half of them will ask you what HTTPS is. The majority of the remaining half will insist it is safe based on their superficial experience: HTTPS begins "my bank's" URL, Amazon's URL, etc., so of course it is safe or they would not use it. A small minority will tell you nothing is secure, or make a statement that is a variation on that theme. It is true that HTTPS is a lot more secure than HTTP. It is also true that it is possible to break into HTTPS/TLS/SSL even when websites do everything correctly. Most people think of HTTPS as a bank vault when in fact they should equate it to the lock on the door of their house. A locked door will keep the honest people honest and the casual thief forewarned, but it will not stop a determined attack. Determined attacks like breaking into a CA, compromising a web site, or compromising a DNS server or a router are all paths around the security HTTPS provides.
The United States population is one of the most open, information-centric demographics in the world. Tens of millions of people voluntarily expose the most intimate details of their lives through the pervasive world of social networking. More than 88% of consumers have made purchases online, spending more than 142 billion dollars in 2010, with a 14% increase continuing to trend upwards through the 2nd quarter of 2011 (comScore, Inc., 2011). Within a few years this trend will represent hundreds of billions of dollars of transactions conducted with the barest of security protections. The bulk of these transactions can be characterized as the modern equivalent of giving your checking account number, routing number, and driver's license information to a 16-year-old supermarket customer service worker in return for a check cashing card. An FTC-sponsored survey estimated that the annual total loss to businesses due to ID theft approached $50 billion, with the total annual cost of identity theft to victims at $5 billion (H CMTE on Ways and Means, 2012). This means more than a third of annual gross cyber revenue is lost by business or, more likely, the losses are passed on to the consumers. Yet those same hordes of consumers who willingly play this financial Russian roulette on a regular basis are the very same vocal detractors of government-sponsored identity systems. The paradox of an individual who will surrender his or her credit card, credit history, and identity to a faceless cyber organization but balk at providing their government-issued social security number to either a state or a federal government program is astounding.
The fundamental issue is one of trust - not trusted identity but trusted government. Winston, in 1984, represented a tacit prediction of the lack of trust people would have in their governments and the total control that governments would impose on their people in the future. Although we have thus far escaped turning America into a totalitarian state, public trust is at an all-time low according to the Pew Research Center. Nearly eighty percent of Americans do not trust their own government. In fact, the only time since 1975 that government trust broke 50% was in the months following 9/11 (Thompson, 2010). To summarize, eighty-eight percent of Americans trust the internet with their identity and their hard-earned money, while eighty percent of Americans distrust their government. Given this situation, it is not surprising that government-sponsored identity trust models have struggled to get off the ground unless they are propped up by significant amounts of funding.
The best possible solution?
Granted, there are a number of security programs that offer trust to some degree; the most common of these are digital certificates. A digital certificate is an electronically signed credential that establishes who you are when doing business or other transactions on the Web. It is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and for digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. It is not just individuals who can possess digital certificates. In fact digital certificates are a byproduct of the Secure Sockets Layer protocol developed in 1994 by Netscape for sending information over the relatively new internet. It is this specific solution that we have put under the magnifying glass.
SSL was created in the infancy of the internet and designed to prevent passive attacks. When SSL was developed there was no such thing as e-commerce, and "credentials" were seldom if ever transmitted other than in and through government networks. At the time the internet had fewer than five million users, but growth at nearly a hundred percent per year beginning in the late 1990s resulted in the four billion publicly facing hosts of today (Coffman & Odlyzko, 1998). However, the development of the SSL protocol recognized a potential vulnerability known as the "man in the middle attack". A man in the middle attack is carried out by an attacker making independent contact with the victims, e.g. user and host, and relaying information between them so that it appears as though they are communicating directly, when in fact the data can be both modified and stolen. In order to guard against this [at the time] perceived threat, Certificate Authorities (CAs) providing public key encryption were introduced. Public key encryption was described as follows during the development of the SSL protocol:

“Public key encryption is a technique that leverages asymmetric ciphers. A public key system consists of two keys: a public key and a private key. Messages encrypted with the public key can only be decrypted with the associated private key. Conversely, messages encrypted with the private key can only be decrypted with the public key. Public key encryption tends to be extremely computing intensive and so is not suitable as a bulk cipher”. (Hickman, 1995)

In an interview with Moxie Marlinspike, CTO and co-founder of Whisper Systems, SSL designer Kipp Hickman said the addition of CA’s was “thrown in at the end” … ”the whole CA thing was a bit of a hand wave” (Marlinspike, 2011).
In 2011 Comodo, the second largest certificate authority in the world, was hacked, resulting in nine certificates for seven domains being issued. Among the domains affected were Google, Yahoo, Skype, Mozilla and Microsoft's Live. Originally thought to be an act of "cyber terrorism" by a nation state (Iran) based on the IP address trace (212.95.136.18), it later appeared to be the work of a single individual without a great deal of technical experience (Marlinspike, 2011).
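As an added Go example (not code from the original post or from any real CA), this builds a constructed root CA and server certificates in memory, verifies a server certificate the way a browser does (chain to a trusted root, host name, validity period), and then applies a public key pin: chain validation alone accepts a certificate that a trusted CA should never have issued for the host, which is the Comodo case above, while a mismatched key pin rejects it. All names, serial numbers and keys are made up, and the key-usage extensions a real CA would set are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issueCert builds an X.509 certificate (serial number, subject, validity period,
// public key) signed by parentKey; parent == nil gives a self-signed root CA.
func issueCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is given
	if parent != nil {
		tmpl.DNSNames = []string{cn} // a server certificate names its host
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der) // inputs are fixed and valid, errors not expected
	return cert, key
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo a relying party pins for a known host.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// verifyServerCert does what a browser does (chain to a trusted root, host name,
// validity period), then checks the key pin, which catches a mis-issued certificate.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, pin [32]byte) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	if spkiPin(leaf) != pin {
		return errors.New("public key pin mismatch")
	}
	return nil
}

// demo constructs one trusted root, the genuine certificate for www.bank.example,
// a second certificate for that host from the same trusted root but with another
// key (a mis-issuance), and one chained to a root that is not in the trust store.
func demo() (genuine, misissued, untrusted error) {
	root, rootKey := issueCert("Trusted Root CA", 1, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	const host = "www.bank.example"
	good, _ := issueCert(host, 2, root, rootKey)
	pin := spkiPin(good)
	bad, _ := issueCert(host, 3, root, rootKey)
	otherRoot, otherKey := issueCert("Unknown Root CA", 4, nil, nil)
	rogue, _ := issueCert(host, 5, otherRoot, otherKey)
	check := func(c *x509.Certificate) error { return verifyServerCert(c, roots, host, pin) }
	return check(good), check(bad), check(rogue)
}
```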
So given what appears to be a less than auspicious track record and questionable parentage, why would the educated consumer turn to a CA to help establish their identity and, more importantly, trust the identity of the cyber entity to which they are surrendering their financial information? Historically, digital certificates can lay claim to a twenty-plus-year history of trust and effectiveness. Each time you log into your bank account online or make a purchase with your Amazon account, the transactions and parties involved are authenticated using digital certificates. As is obvious from our previous examples, the technology is not without its detractors and its very public failures. These, however, need to be balanced against its success stories.
Why Government?
Government-sponsored PKI, more specifically US government-sponsored PKI, has not yet been compromised. Like most of the rest of the PKI world, the US government PKI is built around the International Telecommunication Union (ITU) X.509 standard. Program policy is overseen and managed through the Federal Public Key Infrastructure (FPKI) Policy Authority. FPKI is an interagency body set up under the CIO Council to enforce digital certificate standards for trusted identity authentication across the federal agencies and between federal agencies and outside bodies, such as universities, state and local governments and commercial entities. The United States adopted a Federal PKI policy and program in response to the Paperwork Elimination Act of 1998, which required electronic government services by October 21, 2003. The law itself is technology agnostic, but the consensus is that PKI combined with biometrics, multi-factor authentication, and hardware tokens is the best available option. In and of itself PKI is superior to the physical inked signature on a document, and when used with the previously described accoutrements it is superior to other existing electronic signatures.
The senior advisor to the chair of the Federal PKI steering committee sums up the US government program thusly:
“The goals of the U.S. Federal PKI are to create a cross-governmental, ubiquitous, interoperable Public Key Infrastructure and the development and use of applications which employ that PKI in support of Agency business processes. In addition, the U.S. Federal PKI must interoperate with State governments and with other national governments. Our goals recognize that the purpose of deploying a PKI is to provide secure electronic government services utilizing Internet technology, not only to satisfy the little hearts of a dedicated cadre of techno-nerds and paranoiac security gurus but to serve the citizenry.” (Alterman, 2012)
Who are you?
In Orwell's 1984 Winston Smith was a clerk in the records department of the Ministry of Truth, where his job was to rewrite historical documents so that they match the ever-changing party line. This job involves removing photographs and altering documents, generally for the purpose of removing "unpersons" who have crossed the party and been eliminated both physically and virtually. The hesitancy of people to "share" information with the government is strongly influenced by an Orwellian fear that the more information the government has on you, the more control it will have over your life. The purpose of this paper is not to debate the right or wrong of that statement but rather to clarify just what the government already knows and why it is necessary in the identity management world.
Who and what you are digitally is broken down into a series of attributes that define your person and lead to the rights and privileges that are based on those defining attributes. Standardizing what these attributes are and how they are vetted leads to trust in the identities, a requirement for interoperability. The best example of this trust model across multiple jurisdictions is Real ID. Real ID has some controversial elements, but we are just focusing on the identity, vetting, and information sharing elements. These are the same elements required for you to open and use an Amazon.com® account, and they contain what is known as Personally Identifiable Information, or PII:
“The REAL ID Act of 2005, Pub.L. 109-13, 119 Stat. 302, enacted May 11, 2005, was an Act of Congress that modified U.S. federal law pertaining to security, authentication, and issuance procedures standards for the state driver's licenses and identification (ID) cards, as well as various immigration issues pertaining to terrorism. The law set forth certain requirements for state driver's licenses and ID cards to be accepted by the federal government for "official purposes", as defined by the Secretary of Homeland Security. The Secretary of Homeland Security has currently defined "official purposes" as presenting state driver's licenses and identification cards for boarding commercially operated airline flights and entering federal buildings and nuclear power plants”. (Wikimedia Foundation, Inc., 2012)
The American Civil Liberties Union, a strong opponent of Real ID and its variants, consistently claims that these types of programs are a severe detriment to privacy rights. The ACLU states that there are "real security concerns with creating a federal identity document every American will need in order to fly on commercial airlines, enter government buildings, or open a bank account" and that "tens of thousands of people will have access to our information in a massive government database. The national database could well become a one-stop shop for identity thieves." (ACLU, 2008) It can be successfully argued that it is the hard sell, or the phrase "required by law", that defines government programs and causes the dissension.
Who are you really?
PII is "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." Examples of PII include, but are not limited to:
- Name, such as full name, maiden name, mother's maiden name, or alias
- Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, or financial account or credit card number
- Address information, such as street address or email address
- Personal characteristics, including photographic image (especially of face or other identifying characteristic), fingerprints, handwriting, or other biometric data (e.g., retina scan, voice signature, facial geometry)
(McCallister, Grance, & Scarfone, 2010)
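As an added Go example (not from NIST SP 800-122 or the original post), here is a scanner for the structured items in that list, social security numbers, email addresses and financial account or card numbers, run over a constructed form submission; card candidates are Luhn-checked so that order and phone numbers are not flagged, and Redact shows how such fields are masked before a record is stored or logged. Names, addresses and biometric data are unstructured and need other techniques; the regular expressions are assumptions tuned for the sample, not production patterns.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is one piece of PII located in a text: its category from the
// NIST SP 800-122 list and the matched value.
type Finding struct {
	Category string
	Value    string
}

// Constructed patterns for the structured items in the PII list (assumptions
// tuned for the sample below, not production-grade detectors).
var (
	ssnRe   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	cardRe  = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
)

// luhnValid applies the card-number check digit test, which separates real
// account numbers from order numbers and other long digit strings.
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) >= 13 && sum%10 == 0
}

// ScanPII returns every SSN, email address and Luhn-valid card number in text.
func ScanPII(text string) []Finding {
	var out []Finding
	for _, m := range ssnRe.FindAllString(text, -1) {
		out = append(out, Finding{"social security number", m})
	}
	for _, m := range emailRe.FindAllString(text, -1) {
		out = append(out, Finding{"email address", m})
	}
	for _, m := range cardRe.FindAllString(text, -1) {
		if luhnValid(m) {
			out = append(out, Finding{"credit card number", m})
		}
	}
	return out
}

// Redact replaces each finding with its category so the record can be stored or
// logged without the PII itself.
func Redact(text string) string {
	for _, f := range ScanPII(text) {
		text = strings.ReplaceAll(text, f.Value, "["+f.Category+"]")
	}
	return text
}

// sampleForm is a constructed sign-up submission; no real person's data.
const sampleForm = "name=Jane Doe; ssn=123-45-6789; email=jane.doe@example.com; " +
	"card=4111 1111 1111 1111; order=1234567890123; phone=555-123-4567"
```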
The problem with PII is that it is personally identifiable, and we live in a world where we have identities both physically and in cyberspace. Twenty-first century interaction requires that we have a digital identity, but the digital ecosystem has not yet balanced out. As a result you can have multiple digital identities. The real problem is that your identity could be stolen from you or even created without your knowledge. Why is this? Millions of Americans who do not trust local, state, or federal government to keep a database of PII willingly give it to any cyber entity who asks for it. Consider all of the social networking sites, game and entertainment sites, browsers, cloud applications and others, all requiring you to fill out a simple form, which most people do without question. Without more than a few seconds' consideration many people give up their information to a faceless entity because that entity has something they want: information, a purchase, a connection, a relationship. In goes your name, alias, address, bank or credit card information. Now that your basic information is in, you will nearly always be prompted for answers to secret questions, and in goes your mother's maiden name, place of birth, father's middle name, etc. Now that you have your account, how often do you fill in a profile with your age, gender, personal preferences and more? All of this data is not used for making sure travel and government buildings are secure. It is not protected in FISMA-compliant data centers or secured and encrypted with federally regulated PKI. Rather, it is collected for the sole purpose of generating revenue, either directly or indirectly, for the social networking or e-commerce web site you registered with. The final blow comes with the social networking sites that flood you with a number of options for sharing your information.
Who do you want to be?
The vast majority of Americans feel that the internet offers anonymity. The old adage "On the internet, nobody knows you're a dog" (Steiner, 1993) was published as part of a satirical cartoon in a 1993 edition of the magazine The New Yorker. The message that the cartoon was originally meant to convey was that internet users could send and receive messages in relative anonymity. 1993 was before social networking and e-commerce, a time when cyber anonymity equated to privacy. That same anonymity is now a looming specter of privacy infringement and fraudulent identity creation, because there is no requirement to prove you are who you claim to be in order to establish a cyber identity. Try the 20-20 experiment. Spend twenty minutes and twenty dollars researching yourself on the internet. Even the layperson is likely to develop enough information to allow them to establish a cyber identity, including finding their social security number and financial history. From this point e-commerce is but a short step away.
Winston Smith rewrote identity history for the totalitarian government in Orwell's 1984. It is not the government that is the nameless, faceless predator stalking the dark paths of our cyber world but the opportunistic hacker or the casual yet technologically savvy cyber mugger. Stealing your purse or wallet used to be an intimate physical act. Today it is accomplished with the stroke of a keyboard. It is time for the cyber world to recognize its inhabitants as unique individuals. Contrary to popular belief, this uniqueness can be achieved in near complete anonymity compared to the publicly facing methods currently in use. Moreover, the uniqueness can vastly increase the level of trust possible in a cyber identity while greatly reducing fraud and identity theft. Your cyber identity need be nothing more than a digitally signed public and private key pair, an encrypted series of numbers that represent you. Rather than repeatedly creating an untested, un-vetted cyber identity on every site you visit, you create a single profile with a single certificate authority. Given the private sector's track record, it is logical that that authority be, or be regulated and overseen by, government. This does not require any information beyond what you have already provided to the government throughout your life in the form of birth certificates, social security card applications, tax records, vehicle registrations, and license applications of all types. The difference is that this time the information will be cross-checked and a cyber alias, a series of numbers, will be created for and associated with that information. The cyber alias can be tied to you through any number of unique physical identifiers, which makes it virtually impossible for anyone to co-opt or use without your express permission and physical presence. This process is in reality the exact opposite of the claims of its detractors. It locks up your cyber identity and provides you with the sole key to unlock and use it.
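As an added Go example of the key-pair identity described above (not the paper's own design or any government system's code): the alias is the SHA-256 fingerprint of a public key, the identity provider stores only that mapping, and a relying party authenticates the holder by having them sign a fresh random challenge, so a signature captured once fails on the next challenge and a signature under a different key fails against the key on file. The CA signature that binds the alias to vetted records, which the paper assigns to government, is assumed to exist and is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Alias is the "series of numbers" that stands in for a person online: the
// SHA-256 fingerprint of their public key. By itself it carries no PII.
func Alias(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Registry is what a single identity provider holds: alias -> public key. Only
// the provider sees the vetted personal records; relying parties see the alias.
type Registry map[string]ed25519.PublicKey

// Enroll creates the key pair. The private key stays with the holder, the sole
// key to the identity; the provider stores only the public key under the alias.
func (r Registry) Enroll() (alias string, priv ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	alias = Alias(pub)
	r[alias] = pub
	return alias, priv
}

// NewChallenge is the fresh random nonce a relying party issues for each login,
// so that a signature captured once cannot be replayed later.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Prove is the holder's side: sign the challenge with the private key.
func Prove(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Accept is the relying party's side: the signature must verify under the public
// key on file for the claimed alias, over the challenge this party issued.
func (r Registry) Accept(alias string, challenge, sig []byte) error {
	pub, ok := r[alias]
	if !ok {
		return errors.New("unknown alias")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not match the key on file")
	}
	return nil
}
```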
Google your own name and ask yourself the question: is this really me? Are you really willing to play the odds? Nine million Americans were victims of identity theft in 2011. Just how sane is that statistic?
Works Cited
ACLU. (2008, April 29). ACLU Testifies before Senate against Real ID. Retrieved May 15, 2012, from ACLU: http://www.aclu.org/technology-and-liberty/aclu-testifies-senate-against-real-id
Alterman, P. (2012). The U.S. Federal PKI and the Federal Bridge Certification Authority. Retrieved May 15, 2012, from Federal PKI Policy Authority: http://www.idmanagement.gov/pages.cfm/page/Federal-PKI-Policy-Authority-home-page
Coffman, K. G., & Odlyzko, A. M. (1998). The size and growth rate of the Internet. AT&T Labs - Research (2 Oct 1998).
comScore, Inc. (2011, August 8). comScore Reports $37.5 Billion in Q2 2011 U.S. Retail E-Commerce Spending, Up 14 Percent vs. Year Ago. Retrieved March 1, 2012, from comScore, Press & Events: http://www.comscore.com/Press_Events/Press_Releases/2011/8/comScore_Reports_37.5_Billion_in_Q2_2011_U.S._Retail_E-Commerce_Spending
H CMTE on Ways and Means. (2012, February 29). Committee on Ways and Means Facts and Figures: Identity Theft. Retrieved March 2, 2012, from Committee on Ways and Means: http://waysandmeans.house.gov/media/pdf/ss/factsfigures.pdf
Hickman, K. E. (1995, April). The SSL Protocol. Internet Draft. CA: Netscape Communications Corp. Retrieved May 15, 2012, from http://tools.ietf.org/html/draft-hickman-netscape-ssl-00
Marlinspike, M. (2011). SSL And The Future Of Authenticity. Las Vegas, NV, USA. Retrieved May 15, 2012, from http://www.youtube.com/watch?v=Z7Wl2FW2TcA
McCallister, E., Grance, T., & Scarfone, K. (2010, April). Special Publication 800-122. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). Gaithersburg, MD, USA: US Dept of Commerce National Institute of Standards and Technology.
Orwell, G. (1949). 1984. (E. Fromm, Ed.) New York, New York: Harcourt.
Steiner, P. (1993, July 5). On the Internet, nobody knows you're a dog. The New Yorker. (D. Remnick, Ed.) New York City, New York, USA: Condé Nast. Retrieved May 16, 2012, from http://en.wikipedia.org/wiki/On_the_Internet,_nobody_knows_you%27re_a_dog
Thompson, D. (2010, April 19). 80 Percent of Americans Don't Trust the Government. Here's Why. Retrieved March 1, 2012, from The Atlantic Business Archive: http://www.theatlantic.com/business/archive/2010/04/80-percent-of-americans-dont-trust-the-government-heres-why/39148/
Wikimedia Foundation, Inc. (2012, May 10). The Real ID Act. Retrieved May 16, 2012, from Wikipedia.org: http://en.wikipedia.org/wiki/REAL_ID_Act
Thanks for this interesting blog. At last I understood what digital certificates are, how they work and how important it is to use them in order to secure my SW.