Do You Need a Digital ID?

Anne & Lynn Wheeler lynn at garlic.com
Tue Mar 15 14:40:59 EST 2005


R.A. Hettinga wrote:
> <http://www.pcworld.com/resource/printable/article/0,aid,120008,00.asp>
>  

i've been asked to flush out my merged security taxonomy and glossary
http://www.garlic.com/~lynn/index.html#glosnote

to highlight the distinction between identity theft and account theft. 
typically identity theft is that enuf information is obtained to 
fraudulently be able to open new accounts in the victim's name (among 
other things) while account theft is that the thief has enuf information 
to perform fraudulent transactions against an existing account of the 
victim.

account theft tends to be attacks on poor authentication procedures by 
account institutions and/or use of social engineering or phishing to 
obtain the victim's account authentication information (which shares a 
lot in common with straight identity theft).

a common exploit is the use of skimming/sniffing of static 
authentication verification data that enables creating counterfeit 
tokens/cards that enable fraudulent transactions.

given 3-factor authentication:

* something you have
* something you know
* something you are

there can be a great deal of confusion whether a token/card represents 
"something you have" or not. If a token/card contains valid 
authentication information and if that token/card is lost/stolen and a 
new account has to be created .... then it is likely the token/card 
represents "something you have" authentication.

however, some infrastructures just utilize a token/card to provide the 
equivalent of a userid (say an account number which isn't required to be 
secret) and the actual authentication is in the form of a password/PIN 
... i.e. "something you know" authentication. just because a token/card 
is involved along with a PIN/password doesn't automatically imply that 
two-factor authentication is involved.

if a re-issued new token/card (to replace a lost/stolen token/card) is 
identical to the lost/stolen token/card ... then it is likely that there 
is no "something you have" authentication involved (even tho a 
token/card is involved in the process) ... and therefore the 
infrastructure is just single factor authentication.

at the basics, a digital signature is an indirect indication of 
"something you have" authentication .... aka the existence of a digital 
signature implies that the originator accessed and utilized a private 
key in the generation of the digital signature. a digital signature by 
itself says nothing about the integrity of that "something you have" 
authentication ... since the digital signature doesn't carry any 
indication of the integrity measures used to secure and access the 
associated private key.

there is some temptation to claim that a lot of the problems with 
establishment of digital signature technology is that the basic trust 
building blocks haven't been established. numerous institutions have 
spent a lot of time focusing on the trust infrastructures associated 
with certification authority operation and digital certificates .... 
which have nothing directly to do with any form of 3-factor authentication.

the basic building block is that financial (or other) institutions 
have ongoing relationships represented by established accounts and that 
the entities associated with those accounts have established 
authentication material. In the case of digital signatures, that would 
be public keys. To the degree that a relying party institution 
(financial or other) can trust what is represented by a digital 
signature is the integrity level of the environment that protects the 
access and use of the associated private key .... w/o additional 
knowledge, the relying party only knows that some entity accessed and 
utilized a specific private key ... as in a simple, single factor, 
"something you have" authentication.

A digital signature by itself has no indication of the security and 
integrity level associated with the private key protection, access and 
use ... and/or if there is anything more than simple, single factor, 
"something you have" authentication.

Furthermore, in the great majority of the transactions involving 
established relationships, there is no need for digital certificates to 
establish identification information .... straight-forward authentication 
tends to be sufficient.

misc. past 3-factor authentication posts
http://www.garlic.com/~lynn/subpubkey.html#3factor
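The relying-party model sketched in the post (an established account with a public key registered as its authentication material, no certificate needed, and a digital signature proving only that "some entity accessed and utilized a specific private key") can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not Lynn Wheeler's code and not drawn from any product. It assumes Ed25519 as the signature scheme, a challenge nonce issued per transaction, a constructed account number "acct-1234", and constructed amounts. The `VerifyStatic` function at the end is the contrasting weak design from the skimming/sniffing paragraph: a fixed authentication value that anyone who has seen it once can present again.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// AccountRecord is what a relying party keeps for an established relationship:
// the account number (not secret; it plays the role of a userid) and the
// authentication material registered when the account was opened. With the
// public key on file, later transactions are verified straight against the
// account record; no certificate enters the picture.
type AccountRecord struct {
	Number    string
	PublicKey ed25519.PublicKey
}

// RelyingParty holds the accounts and one outstanding challenge per account.
type RelyingParty struct {
	accounts   map[string]AccountRecord
	challenges map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{accounts: map[string]AccountRecord{}, challenges: map[string][]byte{}}
}

// Register records the public key at account-opening time.
func (rp *RelyingParty) Register(number string, pub ed25519.PublicKey) {
	rp.accounts[number] = AccountRecord{Number: number, PublicKey: pub}
}

// Challenge issues a fresh random nonce. A signature over it shows the private
// key was used for this transaction, not that an earlier signature was captured.
func (rp *RelyingParty) Challenge(number string) ([]byte, error) {
	if _, ok := rp.accounts[number]; !ok {
		return nil, errors.New("unknown account")
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.challenges[number] = nonce
	return nonce, nil
}

// SignedTransaction is what the account holder returns to the relying party.
type SignedTransaction struct {
	Account     string
	Nonce       []byte
	AmountCents uint64
	Signature   []byte
}

// transactionMessage is the byte string the signature covers: the challenge
// nonce followed by the amount, so neither can be altered after signing.
func transactionMessage(nonce []byte, amountCents uint64) []byte {
	msg := make([]byte, len(nonce)+8)
	copy(msg, nonce)
	binary.BigEndian.PutUint64(msg[len(nonce):], amountCents)
	return msg
}

// Sign is the token/card side. Producing the signature requires the private
// key; that is the entire "something you have" content of the exchange. The
// signature carries no information about how well that key was protected.
func Sign(priv ed25519.PrivateKey, account string, nonce []byte, amountCents uint64) SignedTransaction {
	sig := ed25519.Sign(priv, transactionMessage(nonce, amountCents))
	return SignedTransaction{Account: account, Nonce: nonce, AmountCents: amountCents, Signature: sig}
}

// Verify checks that the nonce is the one currently outstanding for the
// account, consumes it, and verifies the signature with the registered key.
func (rp *RelyingParty) Verify(tx SignedTransaction) error {
	rec, ok := rp.accounts[tx.Account]
	if !ok {
		return errors.New("unknown account")
	}
	expected, ok := rp.challenges[tx.Account]
	if !ok || subtle.ConstantTimeCompare(expected, tx.Nonce) != 1 {
		return errors.New("stale or unknown challenge")
	}
	delete(rp.challenges, tx.Account) // single use: a replayed transaction fails here
	if !ed25519.Verify(rec.PublicKey, transactionMessage(tx.Nonce, tx.AmountCents), tx.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// VerifyStatic is the contrasting weak design: the token carries a fixed
// authentication value and the relying party compares it with its own copy.
// Nothing ties the value to one transaction, so a copy of it is as good as the
// original, which is exactly what skimming/sniffing exploits.
func VerifyStatic(stored, presented []byte) bool {
	return subtle.ConstantTimeCompare(stored, presented) == 1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp := NewRelyingParty()
	rp.Register("acct-1234", pub) // constructed sample account number

	nonce, _ := rp.Challenge("acct-1234")
	tx := Sign(priv, "acct-1234", nonce, 2500) // constructed amount
	fmt.Println("first use:", rp.Verify(tx))
	fmt.Println("replay:   ", rp.Verify(tx))

	captured := []byte("static-track-data") // constructed stand-in for a skimmed value
	fmt.Println("static value replays:", VerifyStatic(captured, captured))
}
```

Note what the relying party learns from a successful `Verify`: only that the registered private key signed this nonce. Whether that key sat in a hardware token with a PIN or in a plain file on a shared machine is invisible to it, which is the post's point about the signature saying nothing about the integrity of the "something you have".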
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com