About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

They must have been cuckoo

By Dave Birch posted Aug 11 2010 at 10:31 PM

Where are we going with authentication? Bruce Schneier made me think about this again with a post about the breaking of the Russian "spy ring" operating in the US.

Ricci said the steganographic program was activated by pressing control-alt-E and then typing in a 27-character password, which the FBI found written down on a piece of paper during one of its searches.

[From Schneier on Security: Cryptography Failure Story]

The Russian equivalent of "M" must be furious! "Doh! -- if it wasn't for those darn kids" etc. The idea that making a password 27 characters long (probably a pass phrase, in fact, since there are relatively few 27-letter words even in Russian) makes it secure is hilarious, since any usable-security expert would have absolutely predicted the scheme's doom. But this led me to muse in another direction, which is about how much time and money must be wasted messing around with these pointlessly long passwords that don't actually add any real security, that are just another kind of performance art in the great security theatre. I looked back through some of my notes on that topic and came across an actual figure (for the US).

In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It’s a high hurdle to clear.

[From Boston.com]

So, in other words, if you made a law to stop everyone in the US from using passwords to log in to their bank accounts and insisted that they instead use some kind of 2FA that takes a minute (e.g., look up an OTP on a mobile phone and then type it into the web site -- which wouldn't actually protect against MITM attacks), then it would have to save $16 billion per annum to make it worthwhile. According to the FBI, US cyber-bank robbery is running at about $100 million per month, or only about $1.2 billion per annum, so we're better off doing nothing.

What? Hold on, there must be a flaw with this approach, and it must be that the overall cost of having the security must factor in potential losses and costs to rectify as well as user time. Anyway, the point is we need to make some strides in authentication.

One way forward would be for governments to implement some form of modern identity management infrastructure that includes strong authentication and then have businesses use it. I pointlessly reiterated this idea over and over again in the case of the UK's ill-fated national identity management scheme (aka ID card). But in developed countries, such an idea is considered a perfectly sound way forward.

The economics ministry has launched a chip card aimed at simplifying and making online commerce and electronic transactions with local authorities safer... the introduction of the SuisseID card, which is also available as a USB stick, makes the use of multiple passwords unnecessary and saves time and money with a safe system for electronic transactions.

The card acts as a secure digital signature for correspondence, forms and purchases. It can help guarantee that emails are from who they say they are and allow users to sign documents digitally. It can also keep children from making inappropriate purchases online, such as age-restricted video games. Seco hopes up to 300,000 cards will be sold by the end of the year. The card costs SFr33 ($30.50) annually and the whole project benefits from a SFr17 million financial subsidy from the government.

[From The economics ministry has introduced SuisseID, a chip card aimed at making online purchases and transactions safer. - swissinfo]

So, basically, provided that your USB key is in your laptop, then you can go and log on to your bank or to do your taxes and instead of having to remember hundreds of 27-letter pass phrases, you only need to remember one, shorter pass phrase. The pressure for such a two-factor solution seems to be building. Once the tamper-resistant devices needed to store private keys are widespread, then new business models appear, with one of the most obvious ones being to provide what the USTIC calls digital identities: that is, virtual identities with attributes provided by third parties.

QuoVadis is the first provider to rollout the new Swiss national electronic ID called SuisseID, signing up the Swiss Bar Association and its 9,000 lawyers.

[From QuoVadis is First to Launch for SuisseID]

The Swiss government overall expects to issue 300,000 credentials this year. This sounds like a good topic for discussion at the forthcoming Intellect ID management workshop on the UK situation, which I'm rather looking forward to.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public.

Comments

Mmmmm. 27-char passwords are clearly insane. But who cares about digital signatures for correspondence, outside some extremely specific situations? And who cares about authentication beyond "this payment is authorised" or "this user is authorised for access to this resource"? I hope QuoVadis's business model doesn't quickly come to resemble that of some other certification authorities we could mention.

It should be "under the hood". So I can set my e-mail to automatically delete e-mail that isn't digitally signed or where the signature doesn't match the sender, but I shouldn't need to know anything about certificates or keys.