authentication and authorization (was: Question on the state of the security industry)

John Denker jsd at av8n.com
Thu Jul 1 14:26:46 EDT 2004


Ian Grigg wrote:
> The phishing thing has now reached the mainstream,
> epidemic proportions that were feared and predicted
> in this list over the last year or two. 

OK.

 > .... For the first
> time we are facing a real, difficult security
> problem.  And the security experts have shot
> their wad.

The object of phishing is to perpetrate so-called "identity
theft", so I must begin by objecting to that concept on two
different grounds.

1) For starters, "identity theft" is a misnomer.  My identity
is my identity, and cannot be stolen.  The current epidemic
involves something else, namely theft of an authenticator ...
or, rather, breakage of a lame attempt at an authentication
and/or authorization scheme.  See definitions and discussions
in e.g. _Handbook of Applied Cryptography_
   http://www.cacr.math.uwaterloo.ca/hac/about/chap10.pdf
I don't know of any "security experts" who would think for a
moment that a reusable sixteen-digit number and nine-digit
number (i.e. credit-card and SSN) could constitute a sensible
authentication or authorization scheme.

2) Even more importantly, the whole focus on _identity_ is
pernicious.  For the vast majority of cases in which people
claim to want ID, the purpose would be better served by
something else, such as _authorization_.  For example,
when I walk into a seedy bar in a foreign country, they can
reasonably ask for proof that I am authorized to do so,
which in most cases boils down to proof of age.  They do
*not* need proof of my car-driving privileges, they do not
need my real name, they do not need my home address, and
they really, really, don't need some "ID" number that some
foolish bank might mistake for sufficient authorization to
withdraw large sums of money from my account.  They really,
really, reeeally don't need other information such as what
SCI clearances I hold, what third-country visas I hold, my
medical history, et cetera.  I could cite many additional
colorful examples, but you get the idea:  The more info is
linked to my "ID" (either by writing it on the "ID" card or
by linking databases via "ID" number) the _less_ secure
everything becomes.  Power-hungry governments and power-
hungry corporations desire such linkage, because it makes
me easier to exploit ... but any claim that such linkable
"ID" is needed for _security_ is diametrically untrue.

===

Returning to:

 > .... For the first
 > time we are facing a real, difficult security
 > problem.  And the security experts have shot
 > their wad.

I think a better description is that banks long ago
deployed a system that was laughably insecure.  (They got
away with it for years ... but that's irrelevant.)  Now
that there is widespread breakage, they act surprised, but
none of this should have come as a surprise to anybody,
expert or otherwise.

Now banks and their customers are paying the price.  As
soon as the price to the banks gets a little higher, they
will deploy a more-secure payment authorization scheme,
and the problem will go away.

(Note that I didn't say "ID" scheme.  I don't care who
knows my SSN and other "ID" numbers ... so long as they
cannot use them to steal stuff.  And as soon as there
is no value in knowing "ID" numbers, people will stop
phishing for them.)
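
Added example, not part of the original post: a sketch of the contrast drawn
above between a reusable number accepted as an authenticator and an
authorization bound to a single transaction. The issuer classes, the shared
key, and the nonce-plus-HMAC construction are assumptions chosen for
illustration; the post does not say what form a more-secure scheme would take.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not real account data.
CARD_NUMBER = "4000000000000002"
DEVICE_KEY = secrets.token_bytes(32)  # hypothetical key held by the customer's device

def sign(key, nonce, payee, amount_cents):
    """MAC over the exact transaction; assumes payee contains no newline."""
    msg = "\n".join([nonce, payee, str(amount_cents)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class StaticNumberIssuer:
    """Treats knowledge of a reusable number as authorization."""
    def authorize(self, presented, payee, amount_cents):
        # Payee and amount are not bound to the credential at all.
        return hmac.compare_digest(presented, CARD_NUMBER)

class PerTransactionIssuer:
    """Accepts only a MAC over (fresh nonce, payee, amount), once."""
    def __init__(self, key):
        self.key = key
        self.open_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.open_nonces.add(nonce)
        return nonce

    def authorize(self, nonce, payee, amount_cents, tag):
        if nonce not in self.open_nonces:
            return False  # unknown or already-used nonce: replay rejected
        self.open_nonces.discard(nonce)
        expected = sign(self.key, nonce, payee, amount_cents)
        return hmac.compare_digest(tag, expected)

def demo():
    static = StaticNumberIssuer()
    out = {"static_legit": static.authorize(CARD_NUMBER, "bookshop", 2500),
           # The same observed number works again for any payee and amount.
           "static_reuse": static.authorize(CARD_NUMBER, "other-payee", 990000)}
    issuer = PerTransactionIssuer(DEVICE_KEY)
    nonce = issuer.challenge()
    tag = sign(DEVICE_KEY, nonce, "bookshop", 2500)
    out["mac_legit"] = issuer.authorize(nonce, "bookshop", 2500, tag)
    out["mac_replay"] = issuer.authorize(nonce, "bookshop", 2500, tag)
    # An observed tag does not carry over to a new nonce, payee or amount.
    out["mac_retarget"] = issuer.authorize(issuer.challenge(), "other-payee", 990000, tag)
    return out

if __name__ == "__main__":
    print(demo())
```

In the second scheme the value that crosses the wire is worthless after one
use, so knowing the account number gives an observer nothing to spend.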
