Schneier on Security
A blog covering security and security technology.
« Detecting Liars |
| How Peer Review Doesn't Work »
March 29, 2011
New paper by Ross Anderson: "Can We Fix the Security Economics of Federated Authentication?":
There has been much academic discussion of federated authentication, and quite some political manoeuvring about ‘e-ID’. The grand vision, which has been around for years in various forms but was recently articulated in the US National Strategy for Trustworthy Identities in Cyberspace (NSTIC), is that a single logon should work everywhere . You should be able to use your identity provider of choice to log on anywhere; so you might use your driver’s license to log on to Gmail, or use your Facebook logon to file your tax return. More restricted versions include the vision of governments of places like Estonia and Germany (and until May 2010 the UK) that a government-issued identity card should serve as a universal logon. Yet few systems have been fielded at any scale.
In this paper I will briefly discuss the four existing examples we have of federated authentication, and then go on to discuss a much larger, looming problem. If the world embraces the Apple vision of your mobile phone becoming your universal authentication device so that your phone contains half-a dozen credit cards, a couple of gift cards, a dozen coupons and vouchers, your AA card, your student card and your driving license, how will we manage all this? A useful topic for initial discussion, I argue, is revocation. Such a phone will become a target for bad guys, both old and new. What happens when someone takes your phone off you at knifepoint, or when it gets infested with malware? Who do you call, and what will they do to make the world right once more?
Posted on March 29, 2011 at 6:43 AM
• 31 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
There is no problem here that people need solved.
Linking all these iDs only serves corporations and the government.
Interesting paper, as is the paper referenced therein, "Caught in the Cloud".
It doesn't seem clear to me that Ross' system provides much to resolve the issues of privacy and state coercion given in the Soghian paper, although I can see Ross' points on the other issues of revocation and re-provisioning.
In other words, having a corporate eco-system vs a government-mandated "e-ID" in the end might not be very different if 1) the state mandates or heavily influences how things will be done by the corporations for law enforcement and state control reasons, and 2) the large corporations involved in setting these standards are a) heavily influencing the state in return for their own economic reasons, and b) have their own agendas in terms of privacy and control.
This is as important as the more mundane issues of how you get your credit and license info back if your phone or wallet gets stolen or hacked or infected.
I like to think about such things in the context of a game; specifically, Shadowrun, an RPG with a mix of high-tech and magic set in the relatively near future. (There is also the "Cyberpunk" game, which is similar without the magic and whose reference manuals also discuss the same issues.) The dystopian layout in these games is that central governments are less powerful than multinational corporations - which is not far from the present truth and is clearly headed in that direction at breakneck speed.
In the world of Shadowrun, there are two kinds of people: those with a SIN (System Identification Number) - and the "SIN-less" (presumably the acronym is ironically chosen). Those with a SIN are in "the system" - VERY tightly so. Those without a SIN are, by definition, "criminals" since they are outside "the system."
According to the Shadowrun "core" book:
"Individuals residing in the UCAS without a SIN are considered “probationary citizens,” which means they are not allowed to vote and have few to no civil rights. Nowadays, SINs are legally registered at birth—assuming the birth is legally recorded."
And as they declare:
"The SIN, or System Identification Number, can be your best friend or your worst enemy. Without one, it’s very difficult to do otherwise simple things like rent an apartment, buy a car, or check into a hotel. With one, however, the system can track almost every move you make—what you buy, where you go, what you connect to on the Matrix."
Also in Shadowrun, everyone does business using "credsticks":
"pen-sized tubes that served simultaneously as ID and credit card. Since the Matrix went wireless, however, all of this information was transferred to the commlink [mobile phone and more], and credsticks only survive as certified but relatively anonymous means of payment. In addition, all of a person’s credentials and necessary personal data (licenses, credit history, health insurance, cred accounts, etc.) are stored in encrypted form on her commlink. For privacy reasons, this information is usually not broadcast as part of their personal profile for social networking, though some high-security areas may require that key information (particularly name and SIN) be broadcast. These personal details can also be transmitted (again in encrypted format) on an as-needed basis, as authorized by the user. For example, a store may ask for your cred account information (and possibly credit history or even licensing if you’re buying restricted goods), a hospital will ask for your medical records and insurance, while a security checkpoint might demand your SIN, passport, and criminal record. For security purposes, such data can also be transmitted at a lower Signal rating, viaa short-range, line-of-sight infrared beam connection, or by physically linking the commlink to a terminal and transmitting by fiberoptic cable."
There are also "certified credsticks" defined as:
"The most common method of handling payment in the shadows is via certified credstick. Similar to a cash or bearer bond, a certified credstick
is not registered to a specific person and is worth the amount of credit encoded on it. It requires no identification to use, and can’t be used as ID. The financial institutions that issue them encode them with raw funds so that anyone can use them—not just the person to whom it was originally issued. Banks usually charge a small percentage to create a certified credstick."
By the way, these games also extensively cover the problems with living with ubiquitous RFID tags on everything you own or touch.
Where this gets interesting is this entire issue of privacy and control. In the corporate world of Shadowrun, there is no privacy: corporations have access to everything - except that hidden in competing corporations, which is where the game gets its name - from the "shadowrunners" - criminals who steal data and resources from the corps, frequently in the pay of other corps. And what the corps don't have, the state has. If you have a SIN, they know absolutely everything about you, including your physical location at any given time (given the massive amount of computerized video surveillance in this fictional world).
The Shadowrun game manuals go into considerable detail on how the player characters as "shadowrunners" can possibly conduct their business without being nailed by corporate security forces or state law enforcement or their other enemies.
It's worth a read for a detailed exposition of the kinds of issues that can arise when you have a society which is totally dependent on a Net-based economic and social infrastructure which is totally controlled by faceless corporations and power hungry politicians for their own interests.
It's considered "dystopian" for a reason.
Ah, federated authentication: if you're the same person to all people, you've got nothing to lose.
Richard Steven Hack at March 29, 2011 7:53 AM:
"...central governments are less powerful than multinational corporations..."
There's a difference?
(Admittedly, specifically speaking of the US) Chartered by government, special unelected reps to lobby Congress, special privileges and exemptions, empowered to take land etc. from individuals, and so on and so forth? How do you tell the government agencies from the corporate ones? And if you can't, aren't they all tentacles of the same o/c/t/o/p/u/s/ squid (possibly more appropriate, this being Bruce's blog :^) )?
Aside: Been a LONG time since I played Shadowrun; and we must have been a suspicious and paranoid bunch since most characters went out of their way to avoid the "official" credit systems for certain transactions. Gold and silver (and certain... shadowy exchangers) were well thought of.
The last thing we want is the government being able to efficiently track and identify us.
Systems like this make it easy for the government to identify people--which is a bad thing. It means they can more readily link behaviors, notice patterns, pick people to put under surveillance, and even justify it. This is not what you want.
The primary need for privacy is for criminals--and trust me, you shouldn't care about the government knowing anything "private" you do. They truly do not care about your embarrassing shit, and you don't know these people so you shouldn't care that they know. The only concern for privacy is for hiding criminal activity.
A society where everyone is a criminal is a good thing, though. We need this. Anyone who stands against their government is by nature a criminal: our founding fathers were all guilty of high treason. The harder it becomes to hide, the more the government can corrupt, disrupting the small pockets of dissenters before they turn into treasonous mobs.
More basically, a society where everyone is a criminal basically shows that society does not approve of certain things (drugs, petty theft, trespassing, etc); yet that we're not only willing to let you get away with it to keep our freedoms, but also willing to let the mostly-harmless stuff go away. You made mistakes, you grew marijuana for a year, you stole a pack of cigarettes, you slept with a 15 year old when you were in college... these are all things you'll eventually get caught doing, but "I did it once or twice" can easily turn into "I used to do that 15 years ago but I grew up."
If they knew everything you did, you'd just be in jail, and your life would be fucked--that's a huge cost to society when you consider how much petty crime people commit and how meaningless those crimes are to society. A world-class drug dealer is a problem; a guy growing weed for him and his friends is a smaller problem, and if he does it for 6 months and then stops and never gets caught then the problem is solved and we have no imperative to retrospectively catch him. Prosecuting these people isn't wrong and I'm not saying we shouldn't; but society is strongly advantaged by "being able to get away with shit."
For non-UK readers - the AA in "AA card" above is presumably Automobile Association (like the US AAA or CA CAA), and not Alcoholics Anonymous. Though it could be either...
@John: "A society where everyone is a criminal is a good thing, though. We need this. Anyone who stands against their government is by nature a criminal: our founding fathers were all guilty of high treason."
I'm going to have to disagree with you on that point. It is entirely possible to disagree with portions of your government or its policy, but still support the overall goals and beliefs.
Governments are formed out of society and should reflect the common will of a people. Our government is reasonably good, in particular, about being flexible enough to change as society's beliefs change, instead of having a revolution every 50 years or so. There are, however, many ways in which it could be improved.
In a society where everyone is a criminal, then the government, via way of its police force (a necessary and vital function of society) is able to politically suppress anyone. Imagine if you vote against your local sheriff in an election and he takes umbrage against it, and then get ticketed for the next few days for every single traffic violation you commit. I'm sure I broke several on the way to work this morning, even though I'm a very careful driver - the guide on when to use turn signals is contradictory in some places. But even something as simple as that can be used to ticket you - quite legitimately - for breaking the law, and even remove your license. For many people, losing their license would also mean losing their job.
Society can show that it doesn't approve of something such as obesity without making it a criminal offense to be fat. (Some debate about this elsewhere, nobody knows if being fat was made illegal in the new health care bill.) In a society where everyone is a criminal, anyone can be arrested legitimately - even if the underlying reason doesn't have to do with the actual law.
The way that corporations can twist this into becoming ubiquitous monopolies leads inevitably to fascism. It also ensures that vulnerabilities in a pervasive, homogeneous network will have the ability to cause damage on a massive scale. Read your Heinlein, people.
"The only concern for privacy is for hiding criminal activity."
No there are many other reasons for privacy.
The simplest one is personal control, often to avoid prejudice.
If you wish to be anonymous that is your choice nearly all activities in the past have been effectivly anonymous and you have to seriously question the motives of those that seek to strip anonymity from people.
You have to first accept that the first reason a government exists is to raise money, (supposadly for the comman good).
There are a number of ways they can raise money but most have been not cost effective or to easily avoided.
As an example in the UK we currently see many corporations paying as little as 1% tax on their incomes yet also being major users of the civil infrastructure. That is the major source of "income" tax is nolonger falling on major business but increasingly on individuals as more and more organisations seek to use communications technology to put their incomes beyond the reach of governments where their main economic activities are.
The solution to this was always considered to be "purchase tax" or as it is more normaly called "value added tax". Which as it is paid by the purchaser not the vendor is a tax that mainly effects the individual (dependent on the number of exchanges in the supply chain and how well they are hidden).
However VAT has a dark side in that the vendor acts as a proxie tax collector, and it is more in the vendors interest to take a chance on deception than it is of the purchaser. Thus at the bottom we see "VAT free cash payments" by market traders and door to door trades and craftsman where the purchaser "thinks" they are getting a discount at the expense of the taxman. As we move up we see the likes of larger businesses being run deliberatly to commit fraud such as "Missing Trader fraud" or "Carousal fraud" ( http://en.wikipedia.org/wiki/Missing_trader_fraud ), and also in a more subtal form originaly seen around gold coins. Basicaly all these frauds relate to having some transaction that is "zero rated" for VAT and another transaction that is not and either the Government pays the fraudsters the VAT or the purchasors do which the trader then does not hand on to the Government.
However there are other more legitimate versions of "zero rated" fraud, where by large traders deliberatly exploit "tax loop holes" set up to alow certain types of trade (such as "cut flowers" from the Channel Islands). One such major offender has been Tesco's using the loop hole to reduce the prices of CD's and other items bought from their "on line" stores but "shipped from" the Channel Islands.
However as we have seen in the UK the part of Government (Inland Revenue / Customs and Excise) is not particularly adept at carrying out it's job against the large corporations who can afford the like of the best tax advisors and lawyers to fight court action (for instance in the UK we have Vodafone owing about 12Billion Euros). The basic idea is to find new tax loop holes as they are created and put vast amounts of revenue or profit through them then once the slow acting HM Revenue start taking interest the companies filibuster through the legal process for year after year. Usually the HM Revenue "give up" and settle for a small percentage as their record in court has been quite appaling when faced by large corporate lawyers.
So increasingly the tax take has fallen on those least able to defend themselves, but even this has failed to produce the sort of revenue required. So the trick has been to raise revenue in other ways.
One such system is "fines" for breaking local effectivly civil laws (bylaws) that is you get an on the spot fine for say 80GBP if you pay it without question within 14 days, it then doubles if you are late or question it. For these systems to work you need to have "positive proof of identity" which is why various parts of Governments want this sort of ID system, where even failing to carry the ID gets you find (say 2000GBP).
However there is a secondary reason nearly all "black economies" need ways to launder money and we have a whole load of EU legislation to make money laundering difficult. Likewise in the US however they can often be ineffective (it has actually been said that the US economy during the banking crises was actually only kept afloat by money laundering...)
The problem is money laundering is a very very good business for all those involved (other than the tax man) and preventing it is also very expensive. The Banks in the UK were a major reason why E-ID was pushed, because the UK Gov said "do something about illegal bank accounts or we will fine you" and the banks turned around and said "it costs several hundred pounds per bank account to check the details, you pay or we won't play". As usual the UK Gov "blinked first" and the bankers got their way. So the "policy unit at Number 10" came up with an idea to push out the National ID / Universal Benifit / Employment / Bank card. It would be very expensive but the contracts they could put out would get many many businesses sniffing for business and in turn putting income via a number of shady methods into the then bankrupt Labour Party coffers (see "cash for questions" and "corporate sponsorship" of events at party confrences etc etc etc).
As far as the Gov is concerned the main driver behind National ID is about extracting money out of individuals as cheaply as possible as quickly as possible. If they can also turn it into a profit center as well so be it.
However don't in any way think it won't be used for political coercion or other illegal activities that will keep the "gravy train express running". On the contrary the past (including the very recent past) will show that absolut power corupts and that those in charge will either be in it upto their eyebrows or will be complicit in sweeping it under the carpet.
The equation is simple,
Political power gives rise to an increase in personal power which in turn can be capitalized upon. To maintain your income you need to maintain your position of political power, thus you must appear to be better than any other contenders. As an incumbrant you have an unfair advantage in that you have access to information and tax income, both of which can be used for "political persuasion".
In essence this is what politics is about for many political candidates, the others they can in turn manipulate to do their biding either by political persuasion (hang out the hope of a more influential postion) or by legitimate blackmail (removal of the whip) or all sorts of other means.
@Tony H - of course if all the Id is joined up then they are the same thing. If your car insurance company can check how much alcohol you buy on your store loyalty card when deciding your premium
>> In other words, having a corporate eco-system vs a government-mandated "e-ID" in the end might not be very different if [...]
There is in fact a huge difference, it's administration. If the government runs it, the cost would be absorbed by tax-payers (whether they use it or not) while Mr. Anderson's scheme place the financial burden on corporation (which ultimately will be the users paying for it); with a government e-ID, any problems and I must deal with government bureaucracy to get it resolved while all corporation involve have a vested interest in a quick resolution, they don't want to lose my business.
Excellent explanation. I completely agree that you can openly and thouroughly disagree or oppose a government in place without being a criminal.
I'd be more worried of the government having the monopoly on identification (most jurisdiction have their hands full with driver's license, yet this is the first place that fails on identity thefts). Corporation have a vested interest in making it work and under Mr. Anderson's scheme you even get to pick which bank will handle the problems.
Richard Steven Hack, SIN is what they call an SSN in Canada, for Social Insurance Number.
Long ago folks like William Gibson used the same play (e.g. "Sixteen and SINless," from Mona Lisa Overdrive) though I have never heard a Canadian citizen note the abbreviation in any but a straight sense. I assume Shadowrun, et. al. copy from Gibson's use.
@Marc, I'm not talking about the end-user applications such as banks. I'm talking about the implementation of the technology itself.
For example, a couple of years back, Scott McNealy was trying to push a ring encoded with Java that would serve as an ID card for the US government and military. Talk about jumping the shark... he was pushing it so hard that he actually went out and got a "high & tight" haircut, which made him look really ridiculous. That haircut was absolutely perfect karma - especially when the government didn't take the bait, and he was stuck with it. :D
How badly can this fail? See previous blog post on stolen CA signer. Who validates me and how do you not only trust me, but my authenticator?
I wonder, will the real answer be how much money am I willing to spend to fix the problem after it occurs? Alternatively, how much of my personal history is already public (and has been so) and can I show that it's my history (I know my history, I demonstrate knowledge and expertise I've acquired), thereby proving I am me.
Single sign-in makes sense within an organization, and federated login makes sense for accessing related services across multiple organizations.
Accessing a diversity of heterogeneous organizations and services with, say, a mobile phone creates: 1) a dangerous single point of failure, and 2) the economics problem of who to call if the phone is stolen.
@John "The primary need for privacy is for criminals"
Bahahaha, what a joke! Democracies and panopticons are mutually exclusive concepts bud, sorry to break it to you. WTF do you think a secret ballot is for?
Remember the famous saying, "Give me six lines written by the most honorable of men, and I will find an excuse in them to hang him."
Being able to remain anonymous is necessary for peaceful dissent.
Another problem with single ID is you don't have a single role in life.
I've mentioned before of the problems of ID systems that don't alow for independent as well as unique ID's for the multiple roles an individual has.
Most people don't realise it but they have multiple roles in life over and above son/daughter father/mother husband/wife that the normal social conventions apply. Each and every job you've had each course you have taken each club or association you belong to are differing roles which may require you to have an ID and none of the roles should be linkable to you accept by your choice.
There are ID cards in the world where race and religion are included and this immediatly allows for the person to be discriminated against.
Ask yourself a question would you employ somebody who worked for Enron? how about Lehman Brother's?
The simple fact is people should have the right not to disclose information about themselves unless it is relevant to a new role.
We talk about how some youngsters who have appeared in compromising photos on facebook etc might not get jobs etc because of them...
Many people have things in their past that they are not proud of but likewise should not have them hung around their necks like millstones for the rest of their lives.
Single ID systems are the rope on which each and every millstone will be hung and will drag society down to some fearfull lowest common denominator where people will be shackled by the fear of how others may view them twenty thirty or fifty years from now.
Do you realy want to be refused life changing surgury because somebody identifies a photo of you from fifty years ago and says that it shows you are not suitable because of past behaviour?
Bruce Himself blogged about why privacy is a fundamental human need and right, and, no offense to the other responders, more thoroughly and strongly:
Doesn't the recent hacking of SecurID show that *no* such scheme will ever be foolproof?
I had intended to write up a short paper or long post some day, with this as the basic theme:
"Adding security layers isn't the only way to improve security. You can also improve it by reducing the value of what's behind the wall." (Less motivation for attacker, etc. -- won't go into the whole thing now.)
This universal authenticator becomes incredibly valuable. Dividing your "assets" (login creds, etc.) among many places or passwords makes each less valuable to an attacker. The issue of retaining multiple login creds was solved very nicely by Password Safe. (Thank you, Bruce, for your contributions to that - been using it for a long time.)
This correlates well with the recent debate here about whether one person (POTUS) should have the ability to destroy the world with one push of a button or command or whatever. Not a stretched analogy at all. Don't put all your eggs in one basket, regardless of whether the basket is your investments, your authenticators, your desire not to have nuclear war ...
Marc: "If the government runs it, the cost would be absorbed by tax-payers (whether they use it or not) while Mr. Anderson's scheme place the financial burden on corporation (which ultimately will be the users paying for it);"
In other words, taxpayers will pay or users will pay. How is that distinguishing government from corporations? Well, it distinguishes me since I might use but I don't pay taxes. :-) Otherwise, it's the same deal - YOU pay!
"with a government e-ID, any problems and I must deal with government bureaucracy to get it resolved while all corporation involve have a vested interest in a quick resolution, they don't want to lose my business."
Yeah, we see that "vested interest in a quick resolution" every day in the support world over there in India...
Might want to look up those cases where companies have been hacked and funds transferred from their bank accounts to hackers and how fast the banks were willing to replace those funds. In a lot of cases, they balked saying it was the company's poor IT security at falk, not their poor authentication practices.
And that's precisely what Ross' paper is about. In other words, corporations will never have a vested interest in keeping your business - unless there's a mass exodus of customers, a couple percent loss will simply be used to justify a price increase on the rest.
Banks are banks - they couldn't care less about you as a customer. Either you put your money under your bed or in gold in a storage unit or they have your money. The same will be true, even more so if they have your money on their wallet.
It doesn't have to be foolproof - See the U.S. DMCA - It just has to be legally required. When everyone's a criminal, quietly "disappearing" anyone you don't like gets so much easier...
I've been coming to like the internet "security and ID" situation the way it is, today. Yes, there are problems, including identity theft. But there's also a fairly general understande that identity on the internet can't be trusted, and therefore significant transactions are only allowed to take place under limited circumstances.
Increase perceived trust and the potential for damage goes waaaay up.
SSO is definitely a problem area in all areas of application. For me, there is too much security and privacy risk in both eID and web schemes like OpenID. Plus companies have a poor track record implenting security protocols and internal controls on both their assets and ours. Why should we trust that they will do it all correctly with the next scheme?
On secure mobile auth., this is doable to a degree. The TPMs, techs like Intel TXT, improved side channel resistance, and RTOSs like OKL4 indicate we can build a mobile platform that is secure against cheap or easy attacks. The platform would have isolated execution, signed app loading, and attestation during transactions. This trick will be getting banks and mobile vendors to standardize on necessary hardware and software. Might be easier to standardize on architecture, features and protocol than a specific implementation. Would allow suppliers & users to make tradeoffs.
I am appalled at the backdoor this paper implies exists in Mozilla and other popular browsers (the list of Certificate Authorities they force you to accept).
Individual users and sites need the ability to choose whose security
certificates to trust to verify a site's identity, or https:// is worthless.
We need not only the ability to add our own homemade certificates, but also
the ability to delete those of others, or better yet, to accept only those
we've personally okayed, preferably after they've been vetted by trustworthy
third parties, which Verisign and those browser vendors clearly are not.
I've sent this to EFF as well, in the hope that they can refer people to (or help create) both a browser that doesn't have this flaw, and a list of certifiers that can be trusted not to act as stooges for nasty governments, or at least not for those outside their own countries.
@ John David Galt
It should be easy enough to do this. IceWeasel is an example where Firefox was modified and Mozilla's updates and changes are merged into their source tree, if justified. So, privacy advocates could create a derivative of Firefox that included stronger user controls for CA's. Iceweasel might be a nice place to start as they've given Firefox a few security extras already.
@tommy - Re: no offense
None taken!! Bruce usually says it better than us. Likely cause he's got a flair for diplomacy, haha, unlike some of us ;)
LOL, but the "obvious" is that Bruce has an entire article space to blog, while comments should "try" to be concise. ;)
@ Nick P.:
Supposedly, there's some dev toolkit with which you can modify the nss*.dll's (in ProgFiles\Mozilla) and the cert*.db's in your profiles at will. Not for moi, thanks. Would you care to do us all a great service and create a set of files with the proper CAs (Versign, etc., and not Turktrust, etc.), that we could just swap in?
Or a simple GUI that enables the user to delete CAs at will, by modifying the involved files appropriately?
We'd all love you forever, and I, for one, would buy you a cup of non-Star$-coffee (i. e., donate a couple of bucks.)
Does it make sense to suggest an "oligarchy" of registrars? I mean to say two factor authentication, but not necessarily from one registrar. More than one, but less than "many." This slightly complicates revocation, but actually improves adaptability to multiple rolls. Conceptualize the phone company as a registrar of residence info, and the utility as another. My driver's license/state ID is a third and so on. If the # of registrars is small enough that Turkish Intelligence still raises a red flag, individuals could possibly develop a somewhat fungible ID, by choosing a selection of registrars. Would this be good enough to face the problem of "too much value behind the wall," but address problems of differing roles? I fully believe a universal ID is a bad thing, but this argument FOR it is one in which I do not see the obvious problem... it's half-way to a bad solution. How would you shoot it down?
@shane "panopticons" is not a word. W'pedia documents it as a local project somewhere. Did you misspell or other?
Thx... now I read the article, it's spooky how actually real this is!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.