A Taxonomy of Access Control

My personal definition of a brilliant idea is one that is immediately obvious once it’s explained, but no one has thought of it before. I can’t believe that no one has described this taxonomy of access control before Ittay Eyal laid it out in this paper. The paper is about cryptocurrency wallet design, but the ideas are more general. Ittay points out that a key—or an account, or anything similar—can be in one of four states:

safe: Only the user has access,
loss: No one has access,
leak: Both the user and the adversary have access, or
theft: Only the adversary has access.

Once you know these states, you can assign probabilities of transitioning from one state to another (someone hacks your account and locks you out, you forgot your own password, etc.) and then build optimal security and reliability to deal with it. It’s a truly elegant way of conceptualizing the problem.

Posted on August 12, 2022 at 6:38 AM • 22 Comments
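The transition idea in the post can be written down as a small Markov chain over the four states. This is an added example, not code from the post or from Eyal's paper; the three event probabilities and the two "designs" compared at the end are constructed, and it assumes loss and theft are absorbing (no recovery mechanism).

```python
# Added example: the four access states as a Markov chain.
# Every probability below is constructed for illustration.
STATES = ("safe", "loss", "leak", "theft")


def classify(user_has_access, adversary_has_access):
    """Map the two access bits onto the four states named in the post."""
    if user_has_access:
        return "leak" if adversary_has_access else "safe"
    return "theft" if adversary_has_access else "loss"


def next_states(state, p_forget, p_compromise, p_lockout):
    """Distribution over states one period after `state`.

    p_forget     -- user loses access on their own (forgotten password)
    p_compromise -- adversary obtains the key while it is still safe
    p_lockout    -- adversary who already has the key locks the user out
    Assumption: loss and theft are absorbing (no recovery mechanism).
    """
    if state in ("loss", "theft"):
        return {s: float(s == state) for s in STATES}
    adversary_in = state == "leak"
    keep_user = (1 - p_forget) * ((1 - p_lockout) if adversary_in else 1.0)
    adversary = 1.0 if adversary_in else p_compromise
    out = dict.fromkeys(STATES, 0.0)
    for user_has, p_user in ((True, keep_user), (False, 1 - keep_user)):
        for adv_has, p_adv in ((True, adversary), (False, 1 - adversary)):
            out[classify(user_has, adv_has)] += p_user * p_adv
    return out


def evolve(periods, p_forget, p_compromise, p_lockout, start="safe"):
    """State distribution after `periods` steps, starting from `start`."""
    dist = {s: float(s == start) for s in STATES}
    for _ in range(periods):
        new = dict.fromkeys(STATES, 0.0)
        for state, mass in dist.items():
            step = next_states(state, p_forget, p_compromise, p_lockout)
            for target, p in step.items():
                new[target] += mass * p
        dist = new
    return dist


if __name__ == "__main__":
    # Constructed yearly rates: a memorised password versus the same password
    # written down and stored (less forgetting, more exposure).
    designs = {"memorised": (0.10, 0.02, 0.50), "written down": (0.01, 0.05, 0.50)}
    for name, params in designs.items():
        dist = evolve(10, *params)
        print(name, {s: round(p, 3) for s, p in dist.items()})
```

Comparing the loss and theft mass of the two parameter sets shows the reliability-versus-security trade-off the post refers to.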


Miguel Farah August 12, 2022 6:51 AM

This is indeed elegant.

I also wonder if it would be worthwhile to add an intermediate state between “safe” and “leak”, to describe a {key,whatever else} that’s officially “safe”, but that the user has shared with a trusted (*) actor. For example, the Netflix password that’s supposed to be only mine but that I shared with my… uhhh… grandmother, so she can watch her favorite series on her place. Such a password would be at a heightened risk of being leaked (and if I treated her as an “adversary”, I would be in deep shiRt, so that’s not a good option).

(*) For varying, non-zero valuations of trust.

Matt S August 12, 2022 7:39 AM

Miguel I thought the same thing, but these states are equally valid for N number of trusted/not trusted users of an account.

Clive Robinson August 12, 2022 9:48 AM

@ Bruce, ALL,

The order as given,

“safe, loss, leak, theft”

Is not right, it should be,

“loss, safe, leak, theft”

And have another state added,

“loss, safe, leak, theft, disclosed”

Which covers the knowledge of a secret key from

“Nobody knows, to Everybody knows”

This idea by the way is not new. I remember the problem of trying to explain the difference between a “state of event” and the “probability” of an event state and the probabilities arising from a given event state here some years ago.

At the risk of igniting it all again…

A Jumbo jet has four engines, each engine can be in one of two states “functional” and “not functional”

Therefore there are 2^4 or 16 event states.

Some event states are more likely than others such as one outer engine failed than two engines failed. So each event state has a probability of occurring.

But the outcome of each event state has very different probabilities. Take two engines failed as an example, there are six separate event states. If the failed engines are both on the same wing the outcome of not being able to maintain flight is higher than if they are on different wings.

As an “engineering” design tool this has been used at least as long as the 747, and that started back in 73 😉 But it actually goes back more than a century, the New York Telephone Company used it to design “higher availability” phone networks. They did this by putting systems in parallel and using auto detect and voting circuits to switch out faulty modules. Also by making things modular repairs were in effect “hot swaps”. So increasing the “Mean Time To Fail”(MTTF) and reducing the “Mean Time To Repair”(MTTR). This then made its way into military electronics design and so into NASA that took it into the software world.

Tim Stevens August 12, 2022 12:35 PM

Yes, the variant of leak in which everyone has access is significant enough to deserve its own state of disclosed. One can still have probabilities of transitions from leak to disclosed, safe to disclosed and so on.

A Nonny Bunny August 12, 2022 2:56 PM

There’s more states missing than just “disclosed”.

For example:
* A key may also be shared (in whole) with a trusted third party (e.g. as backup).
* Or the user may have the whole key, but shared it in parts with a trusted group of people that can reconstruct the key if they bring all parts together (e.g. as a safer kind of backup).
* Or the key may only be shared in parts. Like the two-man rule for launching nukes.

Clive Robinson August 12, 2022 7:25 PM

@ SpaceLifeForm, ALL,

Re : Phishing

As the author acknowledged,

“The most important defense is remaining humble and not falling into the mindset that we would never get pulled in by a phisher.”

Or any other attacker / enemy / opponent…

But there is a way to not get Phished,

“Don’t have an account”

But for many that is impractical, as work etc requires them to have accounts on systems that are either internal or external[1] thus they become vulnerable.

So the next best thing is to minimise the vulnerability,

“Don’t have accounts reachable by attackers.”

After that “It’s all bets off”. Because the other idea people have of,

“Make accounts worthless.”

Actually does not work. Because if there is a reason for something to exist then logically it has value to one or more people…

There is unfortunately a level of “organisational stupidity” that goes back some time and it’s down to those neo-con inspired MBA mantras. Two of which are,

“Connectivity is good”

And worse,

“Data is good”

Neither is true except under carefully controlled and policed circumstances and policies. Which as they have a high cost are rarely if ever put in place…

In fact in most cases, it’s “Open House” and thus way too many people rather quickly find that,

“Data and Connectivity are toxic”

That’s why Ransomware Operatives, espionage agents, and many more attackers love them and see them as “enablers” for their often unlawful activities.

There is a saying in the British Military,

“Don’t leave ammunition for the enemy”

Or as has been observed,

“A pile of stones next to a glass house is asking for trouble.”

Something many more business executives and every day individuals should ponder and act on[4], before a subpoena gets served or the doors get kicked in… After that it’s generally too late to avoid becoming a criminal[3].

[1] Though I’m not ever going to work for someone who requires employees to do “Cloud Working”, “Social Media”, “Secure Messaging” or similar[2] as it shows they either do not understand security in the broader form, or perhaps worse they are stupid enough not to care (due to being self entitled, short term, upside only thinkers).

If they are the latter then you can be sure that they are not going to be a good employer and trouble with authorities most probable. And… if push does come to shove, they will be at the head of the queue with their lawyer, busy throwing everybody else under the bus to save their own skin.

[2] I’ve been through this before but just to highlight,

2.1, Security end points incorrectly placed.
2.2, “End to End Encryption”(E2EE) not correctly implemented.
2.3, False sense of security.
2.4, Not betrayal proof / deniable.
2.5, Not “Electronic Discovery” proof.

The last three are in the news at the moment with Twitter issuing “Electronic Discovery” subpoenas[3] to Elon Musk, his backers and friends.

If you’ve never been hit by “Electronic Discovery” then trust me it’s an invitation to not just a world of pain, but also to commit perjury[3] by even the most honest of hands. Something the French Cardinal and Joe Stalin etc would have been real fans of.

As I’ve said in the past, and still say today,

“PAPER Paper NEVER data”

If you set yourself up correctly then you will not suffer “Electronic Discovery” because there will be no electronic records to hand over, just photo copies of paper documents at worst (and even those can be very dangerous so where possible to be avoided as well).

Oh and most “encryption” is not your friend as it’s not deniable, thus leaves you open to betrayal by a second party, or long jail time for not handing over keys (see UK “Regulation of Investigatory Powers Act”(RIPA) brought in by David Blunkett under the Tony Blair PM term and worse more recently in Australia).

[3] From the Latin “sub poena” that translates to “under penalty”. It is a method of “compulsion” and “Rights Stripping” that is unavoidable if you are in the issuing authority’s jurisdiction because it’s about “evidence that exists” not “verbal or written testimony” you might or might not choose to give. The real problem is you do not know what the party behind it being issued already knows. So if you do not disclose something they already have without good cause you are either committing perjury or you have willfully destroyed evidence[4]. Either one carries quite significant criminal penalties, or worse unlimited “contempt” proceedings. All of which can also lead unexpectedly for many to “malfeasance in public office” charges that in some places still have “whole life tariffs”. The definition of “Public Office” is very broad in scope and can cover between a third to a half of the working population and the definition of working is likewise broad.

[4] The way to avoid much of the “Discovery” or “Seizure” nonsense is not have anything to give up. That is,

4.1, Do not create any type of records you are not legally required to make.
4.2, Keep content of required records to the bare minimum.
4.3, Ensure records are stand alone and do not reference any other records.
4.4, Keep only one copy of required records, and in a secure repository.
4.5, Have a clear “sanitizing” policy in place before you start your organisation. That is you actually not just delete but “scrub / Shred” electronic and paper records at the end of the month or six months etc as clearly defined and automatically enforced primary organisational policy.
4.6, If you have to store records electronically, make them “unsearchable” image files with sanitized / nulled meta-data.
4.7, Never make the records attributable or traceable and sanitize any audit records when a record is sanitized.

kiwano August 12, 2022 10:22 PM

I’ve been saying for 5 years now that if cryptocurrency accomplishes nothing else, it has dramatically improved the accessibility of concepts in public key cryptography by popularizing the use of address/key terminology to refer to public/private keys. It looks like this safe/loss/leak/theft taxonomy is enough to stop me from adding a parenthetical suggesting that it might be on track to accomplishing nothing else (well that and getting a few more businesspeople interested in non-blockchain applications of public key cryptography, and also reminding some of us to revisit ideas we had in the ’80s and ’90s about how PK crypto could protect a whole bunch of insecure processes, but which we dismissed back then because they’d require everyone to basically carry a supercomputer around in their pocket all the time).

Clive Robinson August 13, 2022 4:51 AM

@ kiwano,

Re : Public Key

“… getting a few more businesspeople interested in non-blockchain applications of public key cryptography”

Unfortunately the noise over “Post Quantum Cryptography”(PQC) and “Quantum Computing”(QC) in general presents a very real risk of scaring people away from Public Key / asymmetric cryptography based on “Trapdoor One Way Functions”(T-OWF) based on obscure mathematical functions.

But the underlying issues as to why asymmetric cryptography became so important not just to cryptography but to the whole First World Economy in less than thirty years still need to be resolved.

Which brings us to your point of,

“… also reminding some of us to revisit ideas we had in the ’80s and ’90s about how PK crypto could protect a whole bunch of insecure processes”

Yes we do need to revisit them if for no other reason than to find other ways to do them that do not use maths based T-OWF asymmetric cryptography.

Bob Paddock August 15, 2022 9:50 AM

@Clive Robinson

Known as ’The Rule of 26’, which is sometimes given as a reason not to keep engineering notebooks etc. By Federal Rule 26 you are guilty if you did not volunteer the records before they are requested. Including any backups.

From Cornell Law:

LII Federal Rules of Civil Procedure Rule 26. Duty to Disclose; General Provisions Governing Discovery

Rule 26. Duty to Disclose; General Provisions Governing Discovery

(a) Required Disclosures.

(1) Initial Disclosure.

(A) In General. Except as exempted by Rule 26(a)(1)(B) or as otherwise stipulated or ordered by the court, a party must, without awaiting a discovery request, provide to the other parties:

(i) the name and, if known, the address and telephone number of each individual likely to have discoverable information—along with the subjects of that information—that the disclosing party may use to support its claims or defenses, unless the use would be solely for impeachment;

(ii) a copy—or a description by category and location—of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody, or control and may use to support its claims or defenses, unless the use would be solely for impeachment; …

[Removed the link to Cornell and HTML to get out of the moderation blackhole.]

Mike Smith August 15, 2022 10:16 AM

The model seems to assume either that “users” and “adversaries” are mutually exclusive, or that “we” trust the “user”. What state is an account in if the user is also an adversary (i.e., malicious insider)? (Who are “we”? Whose perspective are we taking when we identify the account state? The account owner? The system owner?)

Does the model work for a shared account, that is, an account for which there are two or more authorized users? Does the model depend on how keys are distributed to account users (e.g., shared [all users have an identical copy of the key and any copy can access the account], split [all users have different keys, but all keys must be presented to access the account], unique-per-user [all users have different keys, but any one key can access the account])?

Clive Robinson August 15, 2022 1:15 PM

@ Bob Paddock, ALL,

“By Federal Rule 26 you are guilty if you did not volunteer the records before they are requested. Including any backups.”

And that’s the easy one to deal with.

Then there are the conspiracy rules…

Basically if two people are in a room speaking a language you have no knowledge of, but the prosecution decide it is something criminal… And you are say a waiter employed by one of them even indirectly…, serving food or similar then guess what you are going to jail for…

Oh and the prosecution will also assume that you could somehow understand the two people… Thus you are also guilty of lying to federal agents…

Those are the easy two to see because the FBI tacks them on everything they have a live body for in their grasp.

Heaven help you if you are foreign or have a parent or grand parent who is foreign. As far as the FBI is concerned that automatically makes you guilty for a minimum actual tariff of 25 years so charges have to make more than 100 years…

To be found guilty as a “foreigner” for a whole life tariff then just send your foreign parent or grand parent a little money not even $100 and they you were funding terrorism or some such nonsense…

Oh and if you are a foreign businessman and you “off shore” money as all sensible US corporate business men do, have a look at the “Racketeer Influenced and Corrupt Organizations”(RICO) Act…

When a UK lawyer who specialises in US business related legislation showed me not just how the US Courts could interpret it but actually had interpreted it with some foreign businessmen it came as a bit of a shock. Especially as it was pointed out that certain legal protections US Citizens have, foreigners lose simply because US Customs and Border decide you are not in the US even though you are standing in Times Sq or even the Capitol Building let alone 1600 Pennsylvania Ave, by invitation of the boss…

Let’s just say “Land of the Free” does not stand up to even a smidgen of scrutiny.

Clive Robinson August 15, 2022 1:43 PM

@ Mike Smith,

“Whose perspective are we taking when we identify the account state? The account owner? The system owner?”

We are taking an “Observers” POV about the authentication token.

Therefore it does not really matter who the other parties are if they are insiders or outsiders or if they have betrayed… Those are “human issues” not “technical issues”.

To see why consider the issue of if some technology or use of a technology is “good or bad” there are really only two answers that are correct,

1, Both (or neither).
2, It’s the choice of the observer.

To see why, let’s say you stick a kitchen knife in someone’s guts and they die.

Is that good or bad?

Most would say bad. But what if the person was a home invader and it was your kitchen knife and it happened in your kitchen…

Is that good or bad?

The act is the same but the context has started to change…

Thus rather more would start thinking if not saying good.

What if the home invader was holding a sawn off shotgun that they had already fired at you?

I suspect that most would say it was good, and some might say you should receive an honour of some kind, because you not only saved your own life, but also the lives of others the home invader would almost certainly have gone on to invade…

Nothing in the technical side has changed, but the human side has changed rather a lot.

In Security we generally try to ignore the human side unless it presents a vulnerability.

kiwano August 15, 2022 3:31 PM

@Clive Robinson

“But the underlying issues as to why asymmetric cryptography became so important not just to cryptography but to the whole First World Economy in less than thirty years still need to be resolved.”

Resolving that sounds very tricky when said first world economy is rooted in a culture which reveres a historical (borderline) crank, who insisted that the christian world completely revamp its cosmology because of what he saw after he used a mysterious stick from the muslim world that had only been first introduced to the christian world in the preceding year. This culture teaches its children that his having been placed under house arrest was completely unjust, primarily because its/our current cosmology vindicates his observations (that there are more than 7 planets, and that planets can have satellites) — and says nothing of the haste of his cosmological demands.

I mean who wants to go down in history like one of Galileo’s naysayers, when T-OWF-based asymmetric cryptography has been around for nearly 50 times as long as telescopes had been!

And although QC seems like a really serious threat to T-OWFs because it enables massively parallel brute force of inputs to a wide range of T-OWFs, that range is not exhaustive. There are some operations that simply cannot be done on a QC, the simplest of which is duplication of a qubit (something about collapsing the wave function in the process of making said duplicate), so it appears to be entirely possible to use these limitations to construct QR T-OWFs.

(My recollection of the duplication problem is a little fuzzy on account of it having been something that I heard at a talk in a conference 15 years ago on QM and C-algebras — which is probably even fuzzier on account of my having been a participant on the C-algebra side)

Yiannis Pavlosoglou August 16, 2022 3:14 AM

The theft and loss categories have a whole dimension of known unknowns and known knowns that does not allow for the taxonomy to be mutually exclusive and collectively exhaustive. It’s a good start, but needs some work to reach a usable taxonomy level.

vicente aceituno August 16, 2022 3:25 AM

That is a pretty classification, but misses some points. Not only secrets have security requirements. For example public information and intellectual property have security requirements, and that only the owner can access it is not one of them. Also, data can be current or expired. When it is expired and we want to destroy, not only no one has access but no one should have access. In this scenario “loss” is not a good way to describe what happened to the data, as the data not being destroyed as expected would represent an incident. Sorry to blow my own trumpet but I think understanding properly ownership, control and use of data is what leads to understanding thoroughly security requirements as I explain here: https://medium.com/the-ciso-den/simple-classification-of-information-6552589c8b7c?sk=7143a6e340226f0eb961d1d5dd514da5

Clive Robinson August 16, 2022 7:50 AM

@ Yiannis Pavlosoglou,

Re 1D and 2D taxonomies.

“It’s a good start, but needs some work to reach a usable taxonomy level.”

At the moment the taxonomy suffices for the basic classes of key security as it represents only a range of disclosure a one dimensional structure suffices.

However the additions you are proposing require an extra dimension.

That said the earliest taxonomies of note were for flora developed by Swedish scientist Carl Linnaeus in the 18th century.

As such they were not just two dimensional –later more– they were hierarchical.

Although modern thinking is he got the hierarchy wrong to some extent he was doing the right thing.

We now know that taxonomies can be multidimensional but almost always have in effect an origin to the hierarchy that forms the last dimension (think of a net laid out flat on the ground as a 2D grid, and some one ties the rope of a crane to just one of the net knots and lifts to see a 2D graph become a 3D hierarchy).

Clive Robinson August 16, 2022 8:05 AM

@ vicente aceituno,

“Sorry to blow my own trumpet but I think understanding properly ownership, control and use of data is what leads to understanding thoroughly security requirements”

I think you missed the point that what is proposed is not about ownership or even access to information / intellectual property but the access tokens be they keys or passwords.

Ownership of information is at the end of the day an artificial construct originally designed in Tudor England to reward an inventor for being the winner of a race.

Back then and still in much of the world the information protected was about tangible physical products that came about from the information.

Unfortunately now in some parts of the world people want to claim ownership of,

1, Numbers
2, How to interpret them.

Neither of which is really sensible, but it does keep some of the legal brethren in fancy cars, swanky yachts and even private jets for no good reason.

Lise Andreasen August 16, 2022 7:15 PM

So, this could also be written as

| Access | No | Yes |
|---|---|---|
| No | Loss | Theft |
| Yes | Safe | Leak |

Making it easier to see state changes, and also to ask, are 2 dimensions enough?

Adlai February 16, 2023 7:51 AM

Those definitions are perhaps nice for arbitrary ontological waffling, where you have the joy and privilege of creating entire systems from unformed clay, although it is simply not how lots of existing cryptocurrency systems work. You could fix the definitions by shifting focus to the objects — coins, non-fungible cat photos, train tickets, whatever — controlled by unspecified keys, rather than talking about control of specific keys.

n.b. – I’ve not been reading each whitepaper barfed by the “pig slaughtering” firehose, and it’s entirely possible that some numerical majority of blockchain projects are structured such that control of keys dances around and old copies get deleted; however, that is not how the first movers worked.
