1) For starters, "identity theft" is a misnomer. My identity is my
identity, and cannot be stolen. The current epidemic involves something else, namely theft of an authenticator ... or, rather, breakage of a lame attempt at an authentication and/or authorization scheme. See definitions and discusions in e.g. _Handbook of Applied Cryptography_ http://www.cacr.math.uwaterloo.ca/hac/about/chap10.pdf
Then Anton Stiglic wrote:
Identity has many meanings. In a typical dictionary you will find several definitions for the word identity.
That's true but unhelpful. In a typical dictionary you will find that words such as -- heat -- elastic -- blue -- etc. etc. have many, many non-technical meanings that are radically divergent from the technical meanings.
We should assume that the participants on this list have a goodly amount of technical expertise. We should use the established technical definitions, unless there is a good reason not to.
Note that terminology has at best secondary importance. Concepts are primary. Terminology is important only to the extent that it helps us think clearly and speak clearly about the concepts.
A digital identity is usually composed of a set of identifiers (e.g. Unix ID, email address, X.500 DN, etc.) and other information associated to an entity (an entity can be an individual, computer machine, service, etc.). "Other information" may include usage profiles, employee profiles, security profiles, cryptographic keys, passwords, etc.
That is very unhelpful, because it lumps together two types of things that really ought to be treated differently. -- I want my email address to be widely known. I want my public keys to be widely known. -- I want my password to be secret. I want my private keys to be secret.
Failure to make this distinction exacerbates the problem significantly. For example, originally a SSN was supposed to be a database-key, used for indexing into databases, and as such it needed to be unique but it didn't need to be secret. Then some bozos started using it as if it were a password. Just because it is "something you know" doesn't make it useful as a password; a password ought to be something you know that nobody else knows!
Nevermind the terminology; we've got to start thinking clearly about this concept: Is your SSN merely a database-key, or is it a password? How about your credit-card number?
Identity can be stolen in the sense that this information can be copied, revealed to someone, and that someone can use it in order to identify and authenticate himself to a system and get authorization to access resources he wouldn't normally be allowed to.
The following document has a nice diagram on the first page of appendix A: http://www.ec3.org/Downloads/2002/id_management.pdf
Again that (including the reference) misses the point and blurs things that really need to be kept distinct.
The US government makes available to the public databases that contain my SSN, height, weight, home address, and other _identifying_ information.
I really don't care if everybody knows how to _identify_ me, so long as they don't _impersonate_ me. Maybe you know my address, but that doesn't mean you live in my house. Maybe you know my height and weight, but that doesn't mean you look like me (and even if you look sorta like me, that doesn't mean you _are_ me).
We are talking about the uttermost foundations of cryptology here. Yes, ID information can be copied. Virtually all of cryptology starts from the assumption that at the transport layer, everything is subject to passive attacks (copying) and perhaps active attacks (tampering). Crypto is something we do at higher layers to make sure such attacks don't pay off. As a corollary, this means good crypto imposes a high cost on the bad guys but only a small cost on the good guys.
Ian G. put his finger on the problem when he spoke of
identity being the root key to all power
Anybody who knows anything about security knows that relying on an all-powerful root privilege is the path to perdition.
But I don't approve of the rest of his paragraph:
>>> So the reality of it is, the predeliction with >>> identity being the root key to all power is the >>> way society is heading. I don't like it, but >>> I'm not in a position to stop the world turning.
First of all, not everything is heading the wrong way. The Apache server has for eons had privilege separation features. The openssh daemon acquired such features recently. As far as I can see, the trend (in the open software world at least) is in the right direction.
Resignation and fatalism isn't going to get us anywhere. We ought to take the lead in making sure that ID does *not* become the root key to all power. Contact your elected representatives and explain to them that an ID-based system is a baaad idea. It is not even a security-versus-liberty tradeoff; it is bad for security and bad for liberty both.
The focus _must_ be on the transaction, not on the ID. Suppose I carry out a transaction with the jewellery store. Did I authorize a $3.00 payment for a new watch battery, or a $30,000.00 payment for diamond necklace? Collecting more and more ID information about me is at best marginally helpful to the relying party; "ID" might tell the RP whether I *could* have authorized a particular transaction (was it within my account limit?) but "ID" cannot possibly tell the RP whether I *did* authorize a particular transaction. And (!!) don't forget the converse: If the transaction is legit, there is no reason why my ID needs to be involved. Cash transactions are still legal!
The proper use of _identification_ is obvious: In some exceptional circumstances it is important to be able to connect a real meat-space _identity_ with a particular event. For instance, if there is a hit-and-run accident, it really helps if a witness notes the license number of the car. (Been there, done that.)
I don't know whether to laugh or cry when I think about how phishing works, e.g. http://www.esmartcorp.com/Hacker%20Articles/ar_Watch%20a%20hacker%20work%20the%20system.htm The so-called "ID" is doing all sorts of things it shouldn't and not doing the things it should. The attacker has to prove he knows my home address, but does not have to prove he is physically at that address (or any other physical place) ... so he doesn't risk arrest.
Earlier Ian G. wrote:
>>> the security experts have shot their wad.
I do not see any basis for such an assertion. Look again at the exploits described in http://www.esmartcorp.com/Hacker%20Articles/ar_Watch%20a%20hacker%20work%20the%20system.htm After a few minutes thought, I can see at least three ways to defend against these particular exploits, including one way of proactively making the crime uncommittable, plus two ways of stinging anybody who dares commit the crime. I imagine there are people on this list who can do even better.
It doesn't even take a "security expert" to figure out easy ways of making the current system less ridiculous.
Note that on the page http://www.esmartcorp.com/Hacker%20Articles/ar_Watch%20a%20hacker%20work%20the%20system.htm one of the crooks repeatedly characterizes -- the Feds as "lazy" -- AOL as "stupid"
which is consistent with what I've been saying. I don't think people have tried and failed to solve the phishing problem --- au contraire, I think they've hardly tried.
I've seen estimates that the losses due to phishing are roughly one billion dollars per year, and rapidly rising. This can be compared to "Nigerian" 419 advance fee scams, which reportedly run about two gigabucks per year.
If the industry devoted even a fraction of that sum to anti-scam activities, they could greatly reduce the losses.
I've been to the Anti-Phishing Working Group site, e.g. http://www.antiphishing.org/resources.html They have nice charts on the amount of phishing observed as a function of time. But I haven't been able to find any hard information about what they are actually doing to address the problem. The email forwarded by Dan Geer was similarly vaporous.
Here's an interesting link, describing the application of actual cryptology to the problem: http://news.zdnet.co.uk/0,39020330,39159671,00.htm IMHO it's at a remarkable place in the price/performance space: neither the cheapest quick&dirty solution, nor the ultimate high performance solution. At least it refutes the assertion about security experts' wads having been shot. This is one of the first signs I've seen that real security experts have even set foot in this theater of operations, let alone shot anything.
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]