authentication and authorization ... addenda

Anne & Lynn Wheeler lynn at garlic.com
Fri Jul 2 09:57:02 EDT 2004


one of the industry groups brought my wife and me in to help work on the 
cal. and then the federal e-sign legislation. there is this intersection 
between privacy, e-sign, and fraud. in any case, one of the things that 
they had done was a study of the driving factors for legislative and 
regulatory privacy activity ... the two primary driving factors were

id-theft
(institutional) denial of service (to individuals)

the claim could be made that the id-theft issue is almost totally related 
to the use of various kinds of static data for authentication and that 
given the current pervasive electronic online world .... that it is 
effectively impossible to continue operating with static data paradigm w/o 
having to accept large amount of exploits and fraud.

the privacy legislative and regulatory mandates can try and establish rules 
for "protecting" information ... but keeping static data authentication 
information "private" is a losing battle. in part, because traditionally 
90% of the exploits have involved insiders .... although recent study now 
only claims that at least 77% of the incidents involve insiders. All the 
internet hysteria about outsiders ... in part just obfuscates 
identifying the real sources of the problem.

one assertion is that the whole environment collapses because large scale, 
wide-spread static data based authentication paradigm has too many 
vulnerabilities ... somewhat as per the previous reference to security 
proportional to risk
http://www.garlic.com/~lynn/2001h.html#61
if nothing else ... there isn't sufficient finances to fund the security 
necessary to protect all the authentication static data. also, this isn't 
taking into account the wide-spread education necessary for countermeasure 
to the social engineering and phishing exploits.

some sort of hardware token with non-static data (as "something you have" 
authentication) starts to address the situation. the issue isn't that the 
hardware token can't be stolen .... but it is difficult to steal 
electronically a million at a time (large scale harvesting with little 
investment and risk is one of the things that makes phishing so attractive 
... the potential fraud ROI is enormous).

If the hardware token implements a non-static data authentication paradigm 
and never exposes its internal secrets (say like a private key of 
public/private key pair) ... then no amount of phishing can convince 
somebody to divulge something that they don't know. social engineering 
might still be able to convince people to mail their authentication token 
to some far off country (that requires quite a bit more gullible populace 
.... comparable to convincing everybody that they have to mail off their 
driver's license to some far off location).

changing the paradigm from static data authentication to non-static data 
authentication would do more for reducing id-theft vulnerabilities than all 
the privacy and security regulations. one of the side issues .... is 
sometimes if all you have is a data security classification & protection 
hammer ... then the solution to all problems is protecting the data. The 
"security proportional to risk" scenario is it is impossible to protect the 
pervasive use of authentication static data ... the paradigm has to be changed.

legislative and regulatory privacy mandates would still be necessary for 
the other privacy driving factor .... (institutional) denial of service (to 
individuals).

there will still be various kinds of impersonation fraud .... if you can't 
perform fraudulent financial transactions by stealing account numbers .... 
criminals might still open accounts in victims' names. However, an assertion 
is if the points of attack are reduced by several orders of magnitude ... 
aka from all transactions (because of stolen account numbers) to stolen 
hardware tokens and opening accounts ... then it is possible to better 
concentrate the security budget on the drastically reduced attack points 
and threat models.

i mentioned before that i've been one of the x9.99 (privacy impact 
assessment) standard co-authors for the last year or so .... and it is now 
out for public comment (can be bought from the ansi e-store) ... and there 
is a work item proposal to move it forward to ISO.  For part of the 
background work, i started a merged privacy taxonomy and glossary .... 
similar to the merged taxonomy & glossary work that i've done in other areas:
http://www.garlic.com/~lynn/index.html#glosnote

FTC has some resources in this area:
http://www.ftc.gov/bcp/conline/edcams/gettingcredit/resources.html

I gave a talk earlier this week at a treasury conference in DC on privacy and 
id-theft ... and there were some number of questions about resources for 
individuals that are victims of id-theft

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
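As an added illustration of the post's static versus non-static distinction (example code, not the post's own and not from any product it mentions): a phished copy of a static password logs in as well as the original, while a response computed inside a token against a fresh, single-use challenge cannot be replayed. It assumes an HMAC key as a stand-in for the token's internal secret; the public/private key variant the post describes would differ only in the server holding just the public key.

```python
import hashlib
import hmac
import secrets

# Constructed sample secrets for the demonstration (not real credentials).
STATIC_PASSWORD = b"correct-horse"
TOKEN_KEY = secrets.token_bytes(32)

def static_login(server_password: bytes, presented: bytes) -> bool:
    """Static-data paradigm: the authenticator is the secret itself."""
    return hmac.compare_digest(presented, server_password)

class HardwareToken:
    """Stand-in for a token: the key stays inside, only responses leave."""
    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # HMAC stands in for the private-key signature the post describes.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class ChallengeResponseServer:
    """Non-static paradigm: every login uses a fresh, single-use challenge."""
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # never issued, or already consumed
        self._outstanding.discard(challenge)
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def replay_static_credential() -> bool:
    """A phished copy of static data logs in just like the owner would."""
    return static_login(STATIC_PASSWORD, STATIC_PASSWORD)  # phished copy

def replay_captured_response() -> tuple:
    """Owner's login succeeds; replaying the captured pair does not."""
    server = ChallengeResponseServer(TOKEN_KEY)
    token = HardwareToken(TOKEN_KEY)
    chal = server.challenge()
    resp = token.respond(chal)  # this pair is all an observer could capture
    return server.verify(chal, resp), server.verify(chal, resp)
```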