authentication and authorization ... addenda
Anne & Lynn Wheeler
lynn at garlic.com
Fri Jul 2 09:57:02 EDT 2004
one of the industry groups brought my wife and me in to help work on the
cal. and then the federal e-sign legislation. there is this intersection
between privacy, e-sign, and fraud. in any case, one of the things that
they had done was a study of the driving factors for legislative and
regulatory privacy activity ... the two primary driving factors were
id-theft
(institutional) denial of service (to individuals)
the claim could be made that the id-theft issue is almost totally related
to the use of various kinds of static data for authentication and that
given the current pervasive electronic online world .... that it is
effectively impossible to continue operating with static data paradigm w/o
having to accept large amount of exploits and fraud.
the privacy legislative and regulatory mandates can try and establish rules
for "protecting" information ... but keeping static data authentication
information "private" is a losing battle. in part, because traditionally
90% of the exploits have involved insiders .... although recent study now
only claims that at least 77% of the incidents involve insiders. All the
internet hysteria about outsiders ... in part just obfuscates
identifying the real sources of the problem.
one assertion is that the whole environment collapses because large scale,
wide-spread static data based authentication paradigm has too many
vulnerabilities ... somewhat as per the previous reference to security
proportional to risk
http://www.garlic.com/~lynn/2001h.html#61
if nothing else ... there isn't sufficient finances to fund the security
necessary to protect all the authentication static data. also, this isn't
taking into account the wide-spread education necessary for countermeasure
to the social engineering and phishing exploits.
some sort of hardware token with non-static data (as "something you have"
authentication) starts to address the situation. the issue isn't that the
hardware token can't be stolen .... but it is difficult to steal
electronically a million at a time (large scale harvesting with little
investment and risk is one of the things that makes phishing so attractive
... the potential fraud ROI is enormous).
If the hardware token implements a non-static data authentication paradigm
and never exposes its internal secrets (say like a private key of
public/private key pair) ... then no amount of phishing can convince
somebody to divulge something that they don't know. social engineering
might still be able to convince people to mail their authentication token
to some far off country (that requires quite a bit more gullible populace
.... comparable to convincing everybody that they have to mail off their
driver's license to some far off location).
changing the paradigm from static data authentication to non-static data
authentication would do more for reducing id-theft vulnerabilities than all
the privacy and security regulations. one of the side issues .... is
sometimes if all you have is a data security classification & protection
hammer ... then the solution to all problems is protecting the data. The
"security proportional to risk" scenario is it is impossible to protect the
pervasive use of authentication static data ... the paradigm has to be changed.
legislative and regulatory privacy mandates would still be necessary for
the other privacy driving factor .... (institutional) denial of service (to
individuals).
there will still be various kinds of impersonation fraud .... if you can't
perform fraudulent financial transactions by stealing account numbers ....
criminals might still open accounts in victims' names. However, an assertion
is if the points of attack are reduced by several orders of magnitude ...
aka from all transactions (because of stolen account numbers) to stolen
hardware tokens and opening accounts ... then it is possible to better
concentrate the security budget on the drastically reduced attack points
and threat models.
i mentioned before that i've been one of the x9.99 (privacy impact
assessment) standard co-authors for the last year or so .... and it is now
out for public comment (can be bought from the ansi e-store) ... and there
is a work item proposal to move it forward to ISO. For part of the
background work, i started a merged privacy taxonomy and glossary ....
similar to the merged taxonomy & glossary work that i've done in other areas:
http://www.garlic.com/~lynn/index.html#glosnote
FTC has some resources in this area:
http://www.ftc.gov/bcp/conline/edcams/gettingcredit/resources.html
I gave a talk earlier this week at a treasury conference in DC on privacy and
id-theft ... and there were some number of questions about resources for
individuals that are victims of id-theft
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
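Added illustration (not part of the original post) of the non-static authentication scheme the post describes: a token that only ever signs a fresh server challenge with a private key that never leaves it, so a captured response is useless for the next login. Written in Go against the standard library; the user name "alice" and the 32-byte challenge size are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Token stands in for a hardware token: the private key never leaves it and
// the only operation it exposes is signing a server-supplied challenge.
type Token struct{ priv ed25519.PrivateKey }

// NewToken generates the keypair inside the token and hands out only the public half.
func NewToken() (*Token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, pub, nil
}

// Respond signs the challenge; the result is bound to that one challenge.
func (t *Token) Respond(challenge []byte) []byte { return ed25519.Sign(t.priv, challenge) }

// Server maps users to public keys only, so a leak of its database yields nothing reusable.
type Server map[string]ed25519.PublicKey

// NewChallenge returns 32 fresh random bytes (assumed size); a new one is issued per login.
func (s Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts a response only if it is a valid signature over this exact challenge.
func (s Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	tok, pub, _ := NewToken()
	srv := Server{"alice": pub} // constructed sample enrollment
	c1, _ := srv.NewChallenge()
	sig := tok.Respond(c1) // even if a phisher captures this, it is worthless next time
	c2, _ := srv.NewChallenge()
	fmt.Println("fresh:", srv.Verify("alice", c1, sig), "replayed:", srv.Verify("alice", c2, sig))
}
```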