MIT Technology Review / Identity is the Foundation of Security
“The Internet Is Broken” proclaims the title of an MIT Technology Review cover story, while Stanford University’s Clean Slate Initiative explores the idea of scrapping the existing Net and starting over.
Spam brings us phishing attacks that deliver malware that in turn builds botnets. Fraud and predation pervade everyday online experience. Identities – and cash – are stolen in batches. As the information security industry assures us “we’re working on it,” people grow ever more wary of their Internet experience even as they come to depend upon it more and more.
Underneath our security problems are problems of inauthenticity. Our real problem, the root problem is, inauthenticity.
People are not who they say they are.
Sites are not what they claim to be.
Hackers broadcast spam and malware under your name from your computer.
How do we solve problems of inauthenticity? Very simply: We solve problems of inauthenticity with the proven tools and construction materials of authenticity.
Authenticity Works Where Information Security Technology Has Failed Us
It gets better:
When you solve problems of inauthenticity, you solve a lot of other problems as well. Security is just one of them.
With authenticity, our information systems will be much more manageable, effective, reliable, and easy to use.
Can we have authenticity?
Mankind has developed over centuries a set of methods and procedures to solve problems of inauthenticity. Those methods and procedures fit nicely with today's information technologies.
Historically, an authenticity infrastructure consisted of duly constituted public authority (e.g. notaries, justices of the peace, consular officials, building inspectors, etc.) and a means of conveying that authority (notary seals, wax seals, affidavits, oaths, jurats, professional licensing documents, etc.)
After all these years, authenticity is still the solution to problems of inauthenticity. On the Internet, however, we need a better means of conveying authenticity. And indeed we have it.
We could call it an authenticity conveyance infrastructure. Or we could call it what its late twentieth century inventors named it… It was named Public Key Infrastructure.
So if Public Key Infrastructure is so good, then why hasn't it solved all of our information technology problems? Here are seven reasons why….
(Or) Before you explain why PKI hasn't solved those problems, please explain what PKI is….
Before you go into that, what is Public Key Infrastructure?
We'll explain by way of example.
You're probably aware that thieves attempt to steal the account numbers and PINs from bank ATM cards by placing fake card slots on ATMs.
If those were PKI cards and machines, such captured information would be worthless. You see, a machine based on PKI presents a puzzle to the card, which contains a computer chip and a secret number that never leaves the card. After the user enters the correct PIN, the card tries to solve the puzzle. If the ATM receives the correct solution, then it knows the card must contain the correct secret number.
Of course, the next puzzle presented by the machine will be different, so a solution to an earlier puzzle is of no use.
If you'd like to learn more details about this fascinating thing that has been called public key infrastructure, go to authenticity.ac
If you'd like to learn why its very name is part of the reason for the problem, then click MORE ABOUT SCARCITY to see the next slide…
Why hasn't PKI solved all of our information technology problems?
1. Implementations usually omit a vital component
- By definition, PKI cannot exist without private keys. But its name and its specifications do not include them. This is truly odd. One of the twelve components of the Quiet Enjoyment Infrastructure is its Private Key Infrastructure.
2. PKI terminology can be bizarre
- PKI experts have gotten used to saying things like "the user signs the file with his certificates…"
- Now the poor newcomer who has heard that PKI is good stuff and is trying to understand how it works is left scratching her head…
- The term "certificate" refers to both a signed public key and to a certificate plus its corresponding private key.
- Suppose you were being introduced to fruit science.
- You: What is this?
- Fruit scientist: It's an apple
- You: Tell me more about this thing called an apple.
- Fruit scientist: An apple is an apple plus an orange.
- Fruit scientist: So what do you think of fruit science so far?
- You: I think I'm outta here.
- Remember being introduced in middle school to a useful type of number called an "imaginary number"? If you could get your beautiful mind around that then "a certificate is a certificate plus its private key" should present no problems for you. For the rest of us a certificate, whether digital or on paper, is an assertion that is signed by an authority, and the pen that signs the certificate is not part of the certificate.
- In QEI, the thing that signs the certificate is called a PEN® (of all things).
- The fact that this needed to be clarified says a lot about why PKI has been slow to gain traction. Of all the gobbledygook in information technology, this mangling of the term "certificate" is among the worst! (Private Encryption Number, if you must know).
3. PKI has developed a reputation for being brilliant but too complex for practical deployment
- Now wait. Every time you go to a secure web page, you know with the little lock icon and the address that starts with "https://", you are using PKI.
- You don't need to understand exponentiation in modular arithmetic to do your online banking. This undeployability stuff is nonsense.
- The good news is that your browser and email program and other software are set up to use PKI.
- The not so good news is that every product handles keys and certificates differently, and very little of it is intuitive.
- Back to the good news. The QEI community is stepping forward to guide you through the gotchas, particularly when it comes to establishing and using your own identity certificate.
- We don't care how obtuse your software is, we'll get you signing and encrypting.
- We tear our hair out so you don't have to…
- But there's another reason why PKI has gained this undeserved reputation for complexity…
- PKI is not particularly complex. It's just bigger than technology.
- PKI has always been the province of technologists. To a technologist, the important Certification Authority component of PKI is a piece of technology.
- But if you're going to do something more complex than build a tunnel between two computers who's owners have a business relationship with each other then real public authority is called for. The Certification Authority is, first and foremost, a facility where duly constituted public authority is applied to documents and procedures. It's much like the vital records department in city hall.
- Technology experts consider PKI to be complex because this central element - the establishment and management of duly constituted public authority - is outside their expertise.
4. Reliable identities of users, necessary for effective PKI, have been scarce
- After spending millions of dollars on network security, corporations still have major security problems.
- Meanwhile, your ATM card allows your bank to dispense cash with confidence from a machine on a city sidewalk.
- The technology used by your ATM card is more ancient than the floppy disk.
- So why are bank ATM networks generally secure, while corporate information networks, in spite of continuous investment in the latest security technology, are barely able to keep ahead of intruders?
- The difference is not about technology. The difference is about assumptions and architecture.
- Your bank's ATM network starts with the premise that knowing who you are is the foundation of security.
- If a trusted co-worker asked you to share your ATM card and associated PIN, what would you say? Of course you’d say no, but they wouldn’t even ask in the first place.
- But if that co-worker asked you for your network password, what would you say? In many companies collaborative work routinely gets done by sharing access credentials, in spite of rules against it.
5. Attempts at reliable PKI identity have not adequately protected users' privacy
- Once you have created an identity credential that you can use anywhere, how do you keep nosy organizations from tracking everything you have done with it?
- Some say we have already lost that battle, that everything we do is tracked by a few powerful organizations, that in fact personal privacy is gone forever.
- Indeed, universal identity done wrong is a threat to personal privacy.
- But there is a very important other side of the coin:
- Done right, universal identity is a fortress of personal privacy, reversing the erosion of privacy we’ve seen in recent years.
- QEI actually accomplishes that elusive goal, long sought by privacy activists, of putting people in real control of the disclosure and use of information about themselves.
- We invite you to thoroughly examine QEI’s Personal Information Ownership Infrastructure component to see what we mean
6. PKI has conveyed authenticity without requiring a legitimate source of authenticity.
- How do you convey authenticity without first establishing authenticity?
- PKI has been the domain of technologists. If we regard PKI as a set of excellent construction materials (which it is) then those who created it are like materials scientists.
- Putting well-engineered materials at work requires architects and building inspectors and others whose professional licenses are issued by public authority and whose actual reliable identity is attested by vital record department, an agency with duly constituted public authority.
- QEI ensures that the word “authority” in Certification Authority component of every PKI actually means something.
7. PKI, when done right, works too well.
- Our computers, operating systems, and application software have been designed to let their makers help themselves to information about you, your habits, your purchases… your life.
- QEI puts information about you under your control. Nosy organizations can no longer help themselves to whatever they want to know about you. That doesn’t make them happy, despite their proclamations about how much they care about your privacy.
- QEI also calls for digital signatures everywhere, while keeping the personal information about the signer private. That yields accountability while maintaining privacy—and some organizations seems to be threatened by the accountability.
- And so those organizations tend to lose the ability to snoop, while being held accountable for their actions. No wonder they’ve been slow to embrace PKI.
- Some information technology departments have their own reasons for avoiding PKI…
- Organizations avoid PKI because it calls for new assumptions.
- Imagine telling your receptionist “Please determine the intentions of everyone who enters the building, and also determine whether they are good or bad people.”
- If you think that’s an unreasonable request, and if you know how a building works, then you are better prepared to judge information security approaches than are the information security experts.
- The current practice of information security is mostly about determining the intentions and character of the sender of a stream of bits.
- Problem: in most cases that is impossible.
- When it is possible, it’s because the intruder lacks skills or funding. In other words, information security products tend to deter the least threatening attacks. That renders many information security efforts ineffective or even useless. They treat your information facilities as a commando outpost, rather than the online facilities that they really are.
- PKI, if done right, offers something better…
- If you apply reliable identities, building codes, professional accountability and architecture to PKI, you can build a very secure and effective online office building where you can keep your confidential information and have your meetings in quiet confidence.
- Are very old concepts. Information technologists are not used to relying upon the concepts from the 19th century.
- Involve things that are way outside of what information technologists are used to judging and managing.
- Imply a complete departure from the examine-the-bit-streams approach to security. Complete departures can be seen as risky to careers.
- The application of some very old concepts to PKI can make it solve big problems. If you’re a stockholder in a company with an information technology department, you may want to call your company’s attention to QEI.
Over the centuries we have learned a lot about how to make our homes secure and reliable.
Let’s see how we can apply that knowledge to those online spaces where we spend more and more of our time- our information homes if you will…
Suppose your home had been built with secret passageways that you didn’t know about
Suppose that every day, various intruders would enter through those passageways, open your file cabinets and place files in your folders. Sometimes they’d install devices in your rooms that would report back to them what you’re up to.
That could never happen in your physical home, of course. City hall’s building codes, building inspectors and occupancy permits would never permit such an obvious breach of the principle of quiet enjoyment in our homes.
But in an information home where you spend more and more of your time – your computer or phone – that’s exactly the way it works. The title files are called “cookies.” (Could they have chosen a friendlier, less alarming, sneakier word than “cookies”…?)
It’s true, we often let trusted cleaners, childcare people, and neighbors caring for our pets and others enter our homes when we’re not there.
It’s also true that cookies and automatic software updates in our information homes can be helpful.
But what set of ordinances and rules govern the placing of cookies and nosy software in our information homes?
And where do we find a city hall to make and enforce them?
And how would we know that those claiming to be trusted friends and service providers are who they say they are?
Take a look at the answers to these other questions in
Individual Membership Section of The Authenticity Alliance