funsec mailing list archives

Re: [privacy] U.S. Senators Propose Repeal of National ID


From: "Dennis Henderson" <hendomatic () gmail com>
Date: Tue, 19 Dec 2006 07:56:38 -0600

Hi Dennis,

There are three parts to this problem:
First, there is identification of the problem and understanding the
ramifications.
Second, there is analyzing the existing approaches -- learning what works
and what does not.  This includes comparing the solution to other scenarios.
Finally, there is proposing, adopting, and revising a new solution.

None of these steps happens overnight.
It was my impression that the discussion thread focused on the first two
parts (identification and evaluation), but let's proceed to the third part:
solutions.

The current SSN system was flawed from the start.  Identity theft is not
new and neither is social security fraud.

However, the SSN system was never intended for use as a national
identification system.  It was intended for taxes and -- yes -- social
security accounts.  The adoption of an SSN in place of a universal ID
occurred because a universal ID did not exist AND because it was convenient.
This is a similar oversight to the one that allows spam to proliferate -- email was
never designed for security, nor to fit a corporate/business need.  The
lack of authentication and widespread use permit it to be abused.

But I digress...

We need to adapt known-good security practices to personal authentication.

The first thing people need to realize is that a single, universal ID will
never work.  This is the same situation with using one password on every
system.  If it ever becomes compromised, then everything is lost.

The second thing people need to realize is that authentication is provided
by an authority and not the other way around.  We should not start with a
government issuing an ID.  This is a flawed start because the initial
authentication starts from an assumption about the identified individual.
Instead, we need to start the authentication process at the individual,
since only you know that you are you.

Third, we need to realize that authentication is not transitive.  If I am
authenticated with my bank, then my bank authentication should only work
at my bank.

You want a solution?  How about this:

- Start with a random unique key per person.  This is used to seed a
  system that generates additional keys.
  For sanity, we can make this biometric.  For example, DNA -- it's costly
  and time consuming right now, but rarely needs to be done.
  Fingerprints would be fine for people with fingers (not amputees).
  Iris or retina patterns for people with eyes, etc.
  Heck, even the government could issue some or all of the unique seed.
  NOTE: They do NOT keep a copy -- they just generate it.

- For each service, combine this biometric with something the person
  knows (2-part authentication) and something provided by the service.
  Together, this becomes 3-part authentication.
  E.g., combine my DNA seed with my password and the bank's keys.
  This creates a unique identifier and can generate a public/private
  key pair.  Only myself and my bank can authenticate a transaction.
  I will have a different key pair for government passports, taxes,
  hotel reservations, etc.

What about theft?
Even if they copy my biometric values, they still need to know my
password.  Also, there are plenty of biometric values -- I should be
able to change from fingerprint to iris if someone copies my data.

What if they get my password?
They compromised one authentication system, but not any other.
Cross-validation between multiple sources can be used to reclaim a
compromised account.
This type of cross-validation is already in use today.  E.g., you cannot
get a phone line without having a bank account or some other utilities.
And you cannot get a credit card unless you have bills in your name
(or can show that you are too young to pay off the card).

What if I forget my password?
This is no different than having a compromised password.
Between still having my original biometric values, and being able to
cross-validate, I should be able to reclaim and reset keys for any accounts
that are missing passwords.

Will this work?
Sure it will!  Network administrators and security folks do this all the
time!  Want to enter a secure government building?  You need multiple
IDs.  Even my car uses a different key from my house.
This is a known, time-tested solution.

What about implementation?
I'm a programmer; the software is easy.
The hardware exists today, but is expensive.  But if everyone needed it,
then the costs would drop and demand increases.
Usability is not too difficult as long as people get past the initial
shock of not having a centralized authentication system.

What about the banks needing to report taxes?
The bank can hold only the public-key component from my tax authentication
keys.  They can use this to link my account to my taxes.  However, since
they don't have my seed, nor my tax password, nor the tax key component,
they cannot recreate my private tax key.  Even if the bank loses all of
their customer data in a horrible compromise, my tax identity is secure.

And that's just one solution that I rattled off the top of my head.
I'm sure if I sit and think about this a little more, I can come up with
many other options.  This solution may not be perfect (since I didn't
ponder it very long), and I look forward to discussions about limitations,
variants, and alternatives.

                                      -Neal
--
Neal Krawetz, Ph.D.
Hacker Factor Solutions
http://www.hackerfactor.com/
Author of "Introduction to Network Security" (Charles River Media, 2006)
and "Hacking Ubuntu" (Wiley, 2007)







To mangle a line from your previous missive:

> Excellent rant, I fully agree, and hardly a soul could have said it any
> better.

Thanks Doc.

Dennis
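The three-part derivation Neal sketches above (personal seed + password + service-supplied key, yielding an independent key pair per service, with the bank able to hold only the public half) can be made concrete with standard primitives. The following is an added example, not code from the thread or from Hacker Factor; it assumes HKDF over HMAC-SHA256 as the combiner and Ed25519 for the per-service key pair (the post names neither), uses constructed sample inputs, and skips the biometric fuzzy extraction and the memory-hard password hashing a real deployment would put in front of it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// hkdfExtract is the RFC 5869 extract step over HMAC-SHA256.
func hkdfExtract(salt, ikm []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(ikm)
	return m.Sum(nil)
}

// hkdfExpand is the RFC 5869 expand step, producing n bytes bound to info.
func hkdfExpand(prk, info []byte, n int) []byte {
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// lengthPrefixed concatenates fields with 4-byte big-endian lengths so that
// (seed="ab", pw="c") and (seed="a", pw="bc") cannot collide.
func lengthPrefixed(fields ...[]byte) []byte {
	var buf []byte
	for _, f := range fields {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(f)))
		buf = append(buf, l[:]...)
		buf = append(buf, f...)
	}
	return buf
}

// DeriveServiceKeyPair combines the three parts of the scheme: the person's
// seed (biometric-derived, something you are), a password (something you know)
// and key material supplied by the service. The service key is the HKDF salt
// and the service name is the info string, so each service gets an unrelated
// Ed25519 key pair; holding one pair reveals nothing about another.
func DeriveServiceKeyPair(personalSeed, password, serviceKey []byte, serviceName string) (ed25519.PublicKey, ed25519.PrivateKey) {
	// Assumption: personalSeed is already high-entropy (random, or the output
	// of a biometric fuzzy extractor) and password has been run through a
	// memory-hard KDF such as scrypt/Argon2 beforehand; both are omitted here.
	ikm := lengthPrefixed(personalSeed, password)
	prk := hkdfExtract(serviceKey, ikm)
	seed := hkdfExpand(prk, []byte("per-service ed25519 seed v1:"+serviceName), ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	// Constructed sample inputs; a real seed would come from a biometric or random source.
	seed := []byte("constructed-personal-seed-00000000")
	pw := []byte("correct horse battery staple")

	bankPub, bankPriv := DeriveServiceKeyPair(seed, pw, []byte("bank-issued-key"), "bank")
	taxPub, _ := DeriveServiceKeyPair(seed, pw, []byte("tax-authority-key"), "tax")
	fmt.Println("bank pubkey:", hex.EncodeToString(bankPub))
	fmt.Println("tax  pubkey:", hex.EncodeToString(taxPub))

	// Authentication is not transitive: a transaction signed for the bank
	// does not verify under the tax authority's key for the same person,
	// and the bank, holding only taxPub, cannot sign as the taxpayer.
	msg := []byte("transfer 100 to acct 42")
	sig := ed25519.Sign(bankPriv, msg)
	fmt.Println("bank verifies:", ed25519.Verify(bankPub, msg, sig))
	fmt.Println("tax  verifies:", ed25519.Verify(taxPub, msg, sig))

	// A compromised password is handled by re-keying that service alone:
	// the new pair is unrelated to the old one and to every other service.
	newBankPub, _ := DeriveServiceKeyPair(seed, []byte("new password"), []byte("bank-issued-key"), "bank")
	fmt.Println("bank pubkey after password change:", hex.EncodeToString(newBankPub))
}
```

The salt/info split matters: the service key as salt means two services that happen to pick the same name still diverge, and the name in the info string means a service cannot be tricked into deriving another service's key by reusing its key material.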
_______________________________________________
privacy mailing list
privacy () whitestar linuxbox org
http://www.whitestar.linuxbox.org/mailman/listinfo/privacy
