Schneier on Security
A blog covering security and security technology.
August 17, 2006
A futile attempt to improve the security of Japan's hanko identification system.
Posted on August 17, 2006 at 8:15 AM
Hanko seems about comparable to our signature, more ceremonial than an actual authentication device as it can be easily faked. In that context it is fine.
Of course, real identity seems elusive too. My passport, DL, SS, etc all go back to a single typed birth certificate, but I have absolutely no way to prove that I am the named person .. that is the big hole. My dog has a similar identity hole with her license and rabies shot certificate, it merely says that a dog roughly matching her description was given a shot by a vet.
I'm not sure that real identification exists in our society.
I'd say futile is the right word Bruce.
I find myself agreeing with the last comment to some extent.
A generation ago in my country, a lot of people would have been personally known by their local bank branch, post office and postman. In those "good old" days, a token authentication like a scribbled signature would have been fine for most situations.
Today, we use cash machines, travel frequently and may not even know our neighbours so a signature, or Hanko, is not much use.
Regarding jayh's comment about the lack of "real" identification, what about DNA and biometrics? Where I come from, the police are busy building the biggest DNA database in the world - even kids cautioned for nuisance offences are DNA sampled and photographed for facial recognition. Even people taken in for questioning who are found to have nothing to answer for have their DNA recorded!
Personally, I'd rather live with the fundamental problems about establishing identity than be on Big Brother's database.
I agree with Pat Sutlaw that true identification is not necessarily a good thing. But in that case, we must accept the alternative, that identification and identity will remain a bit fuzzy.
They're so close!! Check out this ... mainly for the pictures unless you read Japanese.
It's a QR Code hanko -- so that, once scanned, information could be read from the stamp.
Now -- if someone could just build a dynamic hash coding QR code hanko, so that I can enter a challenge and stamp the response on a document -- THAT would be interesting, and at least somewhat of an advance.
> "The joker scans this image and prints it on the withdrawal slip with color printer. The bank teller accepts this slip and passbook as authentic, and victim's account will be emptied. Sometimes, the scanned digital image goes to hanko carving machine, too."
> It's the stamped image of one's hanko that is stored in the databases of government offices, banks and other public institutions. Not the particulars of physical hanko itself! And any image can be flawlessly reproduced in this era of digital processing.
To me, I do not see the security here. If you stamp a cheque or other document with your Hanko in the 'correct dial' position, it still gives the 'Joker' the ability to scan the document and reproduce a static Hanko, without ever needing to have the device.
Could one create an encrypted hanko stamp that changes with the date? Officials would decode using a 'public key'...
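The challenge-and-stamp idea raised in the comments above (a response computed from a challenge, changing with the date), as an added example that is not from the post or any commenter. It uses a shared-secret HMAC registered with the bank rather than the public-key scheme suggested, and the key, field layout and function names are all assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date

TAG_LEN = 16  # bytes of HMAC kept; an assumption, sized to fit a small printed code

def new_challenge() -> bytes:
    """Verifier side: a fresh random challenge for each transaction."""
    return secrets.token_bytes(8)

def stamp(key: bytes, document: bytes, challenge: bytes, day: date) -> str:
    """Device side: value to print on the document instead of a fixed image."""
    # Date and hex challenge contain no '|', and the raw hash comes last,
    # so the fields cannot run together.
    msg = b"|".join([b"hanko-v1", day.isoformat().encode(),
                     challenge.hex().encode(), hashlib.sha256(document).digest()])
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN].hex()

def verify(key: bytes, document: bytes, challenge: bytes, day: date, stamped: str) -> bool:
    """Verifier side: recompute the stamp and compare in constant time."""
    return hmac.compare_digest(stamp(key, document, challenge, day), stamped)

def replay_demo() -> dict:
    """Constructed sample data: one genuine slip, then three reuses of its stamp."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    slip = b"withdraw 10,000 yen from account 0001"           # constructed document
    altered = b"withdraw 9,000,000 yen from account 0001"     # constructed document
    c1, c2 = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    day = date(2006, 8, 17)
    s = stamp(key, slip, c1, day)
    return {
        "genuine": verify(key, slip, c1, day, s),
        "copied_to_other_slip": verify(key, altered, c1, day, s),
        "reused_with_new_challenge": verify(key, slip, c2, day, s),
        "reused_next_day": verify(key, slip, c1, date(2006, 8, 18), s),
    }

if __name__ == "__main__":
    for case, ok in replay_demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The stamp is only as strong as the device's ability to keep the key from being read out, which the example does not model.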
Adopted children often have forged birth certificates. The "official version" has the adoptive parents listed, but there is often a sealed, nonpublic version that lists the birth parents.
The profile for a serial killer in Louisiana a few years ago was so general it basically matched every white male in the state. The police rounded up a rather large sample of innocent white people that fit the mold and DNA swabbed them. Turns out the killer was actually black, but the DNA samples are still in the database.
I think that the real problem is that essentially all identification is falsifiable. When you walked into your local bank of yesteryear and the teller knew you, that was immediate biometric identification, and it wasn't easy for someone to impersonate you (outside of Mission:Impossible). Now we have common, affordable technology to make gummi-fingerprints to fool fingerprint sensors. "Gattaca" showed an extensive use of bypassing biometrics.
I think that it is a different problem between being on a centralized government database and being "known" well enough to reliably make transactions without being defrauded. The problem with the hanko system is that someone snuck in and purloined the hanko image. The identification token is duplicated, and fraudulent transactions are allowed. The problem with the centralized identification database is a corruptible (or abusable) authority keeping tabs on people.
A workable hanko system might require the hanko and a password or an issued one-time pad of some sort (wax transfers?). Anyways, it's still a problem with only using a single identification token, where any bearer has the identity conferred by the token.
As an actual piece of identification, the hanko is pretty much the same as a signature, except that signatures are about 1000x worse, because they never look the same anyway.
The hanko, much like the signature isn't supposed to (any more) verify that the correct person did it, but rather that if YOU do it, you have taken a formal, hopefully witnessed, action.
It's not effective for "Oh this signature is correct, this contract is binding." It IS effective for, "That guy right there put his signature down on this document, this contract binds THAT guy." Everything else is just the land of make-believe. If you sign a credit-card slip and then tell your credit-card company that you didn't, you're lying. If you're not asked to sign a slip then you have to ask a lot more questions to establish the required facts.
conceal your hanko in an unguessable place in your home so that joker can't find it!
One thing that I like about the Hanko system is that it does not involve a centralized identity database. A method of managing absolute identity without centralizing that information is definitely desirable- of course, it needs to be a system that makes use of a secure token- the Hanko ain't it.
"[...] Matsushita Shuji is a retired professor of African linguistics from the Tokyo University of Foreign Studies."
Maybe he should stick to his field, then. He seems to know about as much about security as Bruce (or anyone here) knows about African linguistics. :)
I put this into the public domain, not seeking a patent.
You can give everybody in the world a secretary, some person who knows you by sight. Well, actually four people assuming 24/7.
Then they authenticate that you are you, as a service that everybody buys, from your bank to your gas station, over the internet.
They say that you are authorised to sell a house, or a car, or sign adoption papers, or get a passport, etc. And charge the people who want authorisation, or you.
No more ID necessary.
The original meaning of 'secretary' was 'secret keeper'. These people will know every thing you do, every purchase you make.
Who would you select to be your secretary?
futile - yes, but the device
You've just transformed the problem of authenticating you to a problem of authenticating (one of) your secretaries, and I don't see how it improves authentication. Plus it adds several new attack vectors.
Maybe we need to do the six degrees problem.. whenever Alice wants to authenticate herself to Bob, she needs to provide a full chain of people (Christine, Dave, Emma, Fred, Gail,...) each of whom knows the previous person and will vouch for that person, until you get to somebody whom Bob knows and trusts. Means you need a rather large entourage every time you want to take some cash out of a non-local branch.
I'm surprised that a native Japanese would so miss the point. Bank hanko do not identify people; they identify authority to make transactions on the bank account. It's quite normal and common for someone who is not the owner of an account (the adult child of an aged parent, company staff who are not principals in the company, etc.) to be delegated the authority to use the account; this is done by giving them the passbook and hanko.
When looked at in that way, this hanko is a valuable improvement in the current security system; it protects against casual loss or theft. Passbooks do not have an image of the hanko in them (at least, none of mine do, and I have several), and hanko impressions are checked very carefully by the bank, so if this hanko is stored in an invalid configuration someone picking it up will not be able to use it to access the account. This looks good to me; I may well get one for my business account.
Despite the impression he gave in the article, they are not particularly expensive. My last bank hanko for my current company cost around 10,000 yen, so this is only about twice the price.
One can discuss whether the whole system as it stands is now becoming less secure than the signature system due to the ease of forging hanko or their impressions, but it's only been in the past ten years that hanko impressions have become this easy to forge; it's my feeling that, until recently, signatures were easier to forge due to how much more variation in them would be accepted, not to mention how much easier they are to get hold of. (A company bank hanko is typically used only for banking, and individuals can use a separate hanko as well; getting other documents, such as contracts, would not give you access to a bank hanko image.)
@ Curt Sampson
Yes, "paper" signatures are easy to forge through methods like copying the graphic, tracing, etc. Anybody's paper signature can be easily captured by high resolution scanning, extracted and subsequently pasted onto another document of choice. Notarized documents aren't even safe because it is reasonably easy to get a fraudulent notary seal made.
However, true biometric electronic signatures are next to impossible to forge. A biometric signature captures information such as acceleration characteristics, points in your signature where you lift your pen, how you cross "t"'s, etc. You can't even trace a biometric eSig because the biometric characteristics won't match.
With correct implementation of the electronic signature holding package and attachment to the document, you will be able to tell whenever the document has been tampered with and respond by invalidating the original signature event. See www.cic.com for more info on this subject.
Signatures can be much more easily forged simply by practicing copying one for a while. No special tools are required, beyond a pen and paper. Biometric signatures are pretty much irrelevant in the comparison, since they're generally used neither in Japan nor in the Western world.
As for fraudulent notary seals, the notarization security model deals with that quite handily. Just go back and contact the notary and see if he really did notarize the document.
Hanko play a significant role in a good Japanese comedy about a battle between a businessman and a tax inspector. ("A Taxing Woman" in English - IMDB link in my URL) . One of the goals of the tax police is to find the hankos for the secret bank accounts. (Disclaimer - it is a long time since I saw the movie, so memories are a bit vague.)
> Biometric signatures are pretty much irrelevant in the comparison, since they're generally used neither in Japan nor in the Western world.
They are used in the "western world" much more than you think by many large corporations, both customer facing and internally. Go into any Wells Fargo bank and open an account. They use biometric signatures for this function. Or buy an insurance policy from Prudential, State Farm or American General Life. Open an account at Charles Schwab. Same there. The U.S. Navy uses biometric signatures on all their engineering drawings. There are many more examples. Big companies are moving to eSigs because they are a lot more secure and a lot less costly than paper.
Given Japan's seeming love affair with all things technical, one would expect that they would be more advanced in this area.
Japan may sell a lot of technology, but there is an inherent distrust of it. Adding to the problem, with the culture discouraging thinking for oneself and the low level of crime, the healthy distrust doesn't exist. Since the early 90's, non-Japanese have been able to open bank accounts with signatures instead of hanko, but this is easier to forge than a hanko since no one looks at them!
Nice price on that Stamkey (1260 yen), compared to the Dial Bank Hanko!
Hanko have been used traditionally to thwart forgery in an interesting way.
In many Japanese schools of martial arts, the certificates of rank are stamped by three different Hanko.
1) The school's official hanko (overlapping some of the written text)
2) The chief instructor's hanko (overlapping some of the written text)
3) Another school hanko that overlaps the edge of the paper. The other half of this hanko is in the school's official record book that contains a copy of the information on the certificate. This provides an easy human verification method by just matching the edge of the certificate up with the record book.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.