I touched on this in my earlier post. I would argue that it is the lock, rather than the key, that authorizes you - it maintains the Access Control List (of which there's only one ACE entry: permit full access to particular key).
The key is the authenticator, however there's no concept of Identity. Since there's no concept of identity, you need to ensure through "out of band" mechanisms that only trusted identities ever have physical possession of the key. This solves the issue of someone duplicating it, as they can't do that if they never have access to the key in the first place. And there's other issues with traditional keys/locks beyond lack of identity - no auditability, no non-repudiation, no revocation etc. Cheers Ken From: [email protected] [mailto:[email protected]] On Behalf Of James M. Popoca Sent: Thursday, 31 July 2014 2:36 PM To: [email protected] Subject: RE: [NTSysADM] This was inevitable, but it's still a good reminder Hi Ken, That solution does work however it does not address the primary issue of using keys as a trusted authorization mechanism. In order for an authentication-authorization process to be secure, there needs to be a trust relationship between both mechanisms. If I have a physical key, I am by all means authorized to the doors and areas it opens, however it completely skips the step of having to authenticate first (who am I, my identity, am I really the intended owner of the key, etc.). Physical keys are not an authentication mechanism whatsoever. Locks will always authorize entry with the correct key regardless of who you are; they are essentially authentication-less authorization mechanisms. Regards, James Chicago, IL, United States From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Ken Schaefer Sent: Wednesday, July 30, 2014 11:14 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] This was inevitable, but it's still a good reminder So, what's wrong with my proposal? You didn't address that anywhere, unless I've missed it somehow. (leaving aside the issue of traditional lock picking, which has been an issue, or non-issue, for years) From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Micheal Espinola Jr Sent: Thursday, 31 July 2014 1:34 PM To: ntsysadm Subject: Re: [NTSysADM] This was inevitable, but it's still a good reminder I'm referring specifically to the standard types of keys that are used by consumers for thier private property. Current common door locks/keys are decreasingly viable as a security solution, and have been for years. If a common key can now be duplicated via automation simply by a series of pictures, then its really time to put this antiquated system to rest. Keys need to become more complex. Its not that I have issue with the concept of physical keys - its a problem with the low-tech variations of common locks that are still so prevalent around the world. "Authentication" issues aside, the typical mechanical systems are still not complex enough to prevent basic lock-picking methods. And now, we are subject to duplication by photograph? I think this is a horrendous turn of events. Cool tech, but how utterly exploitable on a massive scale. People are already subject to video-based types of identity theft. Now, I would speculate, that we can welcome breaking and entering. -- Espi On Wed, Jul 30, 2014 at 7:14 PM, Ken Schaefer <[email protected]<mailto:[email protected]>> wrote: Why do they "have to go"? Keys are a physical authenticator (something you have). You give it to someone else, and you run the risk of it being cloned or otherwise compromised. A simple solution would be not to give your keys out to untrusted parties... I think the fundamental issues with using current keys is that there's no separation between identity and authenticator. Just like using your CC number online: http://technet.microsoft.com/en-us/library/cc512578.aspx is an old article, but still applies. Not to mention the lack of simple revocation mechanisms, audit capabilities etc. :) Cheers Ken From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Micheal Espinola Jr Sent: Thursday, 31 July 2014 11:11 AM To: ntsysadm Subject: Re: [NTSysADM] This was inevitable, but it's still a good reminder It was inevitable. Locks and keys as they have existed for decades simply have to go. -- Espi On Tue, Jul 29, 2014 at 7:17 AM, Kurt Buff <[email protected]<mailto:[email protected]>> wrote: Physical security is just as important as computing security http://www.wired.com/2014/07/keyme-let-me-break-in/ IMPORTANT: This message may contain confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure as information can be intercepted, lost, arrive late or incomplete. The sender therefore does not recommend total dependence on e-mail for secure and timely communication.
