The Foundation of Online Security
CYBERSPACE IS STILL A FRONTIER WORLD, WHERE PIRATES, BRIGANDS AND SNAKE OIL SALESMEN THRIVE
We are all users and residents of this thing we call the Internet, our online world. As such, we are all concerned, to a greater or lesser extent, about the security of our world. No one sets out to be the victim of crime or exploitation. It therefore behooves us to take time out to consider what is at stake, the potential for harm, the reasons security is lacking, and what can be done to rectify the situation.
The Internet is a new world. Despite us being lulled into a false sense of security, consider that a paltry 28 years have passed since Sir Tim Berners-Lee gave us the Web. To coincide with the celebration of this, Berners-Lee gave a stark warning that we face three key threats.
- We’ve lost control of our personal data
- It’s too easy for misinformation to spread on the web
- Political advertising online needs transparency and understanding
To address these concerns, his World Wide Web Foundation has a five-year strategy it is acting on.
Possibly the greatest omission in the architecture of the Web is in the area of identity and authentication. The nature of identity has always been an academic, vaporous discussion most people never even considered.
WHO ARE YOU?
When faced with this question most people will blurt out their name and reach for their passport, driver's license, or some form of government-issued documentation to prove the “fact” of their identity. In reality identity is something that is existential. Simply by “being” you have an identity. The only function of any identity document is to attest to facts about your identity. Your government, by virtue of being the “trusted” third party, attests to your names, given to you by your parent(s) and entered into a registry, along with your date of birth and your sex.
If your government were to disintegrate overnight, would you cease to have an identity, or would it just be harder to prove certain things about yourself?
In the same way we have digital identities that we assume when we enter the online world of the Web. We can choose to use our “real” identity as a template for our online identity, using our real world names, date of birth, sex, and so forth. Or we can choose to select a nom de plume, an assumed identity, with different characteristics. There is no restriction in cyberspace, and neither should there be.
Now we come to the realities of our interactions with other people and organizations in cyberspace. The context of the interaction is important, because it determines the way in which we present and conduct ourselves. This is no different to real life, when we choose how we behave depending on the context.
The way you behave with your friends in a social setting is different from the way you behave in a formal business meeting. This involves rules such as the law, etiquette and manners, behavioral complexity we have spent many generations developing as a society. Breaking the rules can have consequences. We are held accountable for our behavior and actions.
ACCOUNTABILITY IS GOOD.
On the Web we face similar choices. We can behave a certain way in one context, and differently in another. To reinforce this choice we can assume our different identities, if the context allows it. For example, there are social networks where using a different set of characteristics attached to your nom de plume is not a problem. The manner in which you behave may be contrary to rules in a different context, but is entirely acceptable in that particular context. Breaking the rules is often not an issue simply because there are no such rules.
However, there are also contexts in cyberspace where you will be asked to behave according to stricter rules of conduct, and you are asked to present credentials from trusted third parties as to certain characteristics of the identity you are presenting. Breaking the rules may have consequences, or you could simply be rejected, unable to interact.
This paints a picture we should all be more or less comfortable with. The democracy and freedom of the Web is a positive thing.
BUT, THIS PICTURE IS BROKEN.
The fact is that it is not only possible to assume someone else’s identity, but relatively easy to do so in cyberspace when compared to the real world. The incidence of identity theft is an epidemic, and rising. Massive data breaches occur regularly, and millions of users have been exposed to criminals around the world, looking for ways to masquerade as those individuals.
Many solutions to cyber security issues have been proposed and built over the 28 years of the Web’s existence. Many are complex and expensive. The latest wave of security solutions includes correlation of behavior metrics across multiple domains — almost like a credit bureau — which often results in further degradation of our online experience.
- Loss of privacy or control of our data
- More difficult or costly interactions
- Increased stress
YET THE SECURITY BREACHES AND LOSSES MOUNT.
The answer to a large and complex problem can often be traced to its roots. Somewhere along the way a small mistake led to more mistakes, which get amplified over time.
The first mistake was overlooking that control of your identities, and the means of authenticating yourself, are ultimately your own responsibility.
The second mistake concerns authentication. Only you can authenticate that you are performing an action. It is not possible for someone else to authenticate.
IDENTITY OWNERSHIP AND AUTHENTICATION MUST BE THE RESPONSIBILITY OF THE INDIVIDUAL.
Having assumed ownership of one’s identity and authentication, it follows that one must also assume accountability for one’s actions.
ACCOUNTABILITY DERIVES FROM OWNERSHIP.
This is a reasonable premise that we uphold in the real world. Yet, in cyberspace, this has not been fully upheld, simply because it is so easy for someone else to obtain identification information, and to abuse that for criminal gain.
If your identity is vulnerable, and authentication is fragile, criminals can pretend to be you, and get away with criminal action without revealing their own identities.
Conversely, how can you be held fully accountable for online actions if there is a reasonable doubt that you performed those actions?
‘TWASN’T I, YOUR HONOR……
The essential basis for security on the Web, and the trust we have in it as a world where we can interact safely, lies in our ability to own and manage our identities — real or assumed — and the manner in which we authenticate our actions.
IDENTITY AND AUTHENTICATION RE-IMAGINED
How can we provide suitable tools for individuals to use the Web from this perspective? This is a task being undertaken by a veritable army of technologists around the world. One of the most promising is the Rebooting Web-of-Trust project. This project is defining the taxonomy and the protocols of identity that will underpin the Web of tomorrow. The aims of what they are trying to achieve have been distilled down to the following.
- Flexibility / Customizability: The end-user must have exquisite control over the categorizations, labels, algorithms for generation of composite scores, and other aspects of the ratings and reputation system.
- Simplicity of User Interface: The WoT needs to be simple for the casual or beginner end user to use, despite the complexities introduced by the various other desired features (primarily flexibility).
- Monetizability: The end user will be the one to monetize his or her data, and will have a myriad of strategies to do so.
- Privacy: The end user must have exquisite control over privacy settings.
- Portability: Identity and reputation must be readily portable between one social network and the next.
In this revised model of the Web, we will all have the ability to create as many digital identities as we desire, and potentially submit characteristics of those identities to third parties (such as government agencies) for attestation. For example, since many institutions require KYC (know your customer) information, it will be possible to submit to a KYC process once, obtain a certificate and attach the certificate of attestation to your matching digital identity. Thereafter anyone that deals with you online, in the guise of that digital identity, can simply verify the validity of the certificate. Technically they may not even have to know your real identity.
Any actions that you perform online will require you to digitally sign that action using the digital identity you are using. Since no-one but you is in control of that digital identity, only you can be credited with having performed the action.
Of course, a lot of technology, specifically cryptography, underpins all this. There is a mathematically insignificant chance that anyone will be able to masquerade as you, or sign anything as you.
The technology is known as asymmetric key cryptography. Asymmetric because there are two dissimilar keys — a private key (which you hold) and a public key (which you can spread around like a business card).
Each identity you create consists of a private key and a public key. There are two important things you can do with them.
- You can digitally sign something using your private key (signing is a mathematical algorithm), and anyone can use the matching public key to validate that only the holder of that private key performed the signature.
- Anyone can encrypt data using your public key. Then only you will be able to decrypt that data using your private key.
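The attestation and signing flow described above, sketched as an added example that is not part of the original article: a relying party checks a KYC-style certificate and a signed action knowing only public keys. It uses Ed25519 from Node.js's built-in `crypto` module; the function names, the `kyc-passed` claim and the sample action are assumptions made for illustration.

```javascript
// Added example, not code from the article. Ed25519 via Node's built-in crypto module.
const nodeCrypto = require('node:crypto');

// Each identity is a key pair; the private key stays with its owner.
const newIdentity = () => nodeCrypto.generateKeyPairSync('ed25519');

// Text form of a public key, used as the identity's public identifier.
const publicId = (publicKey) =>
  publicKey.export({ type: 'spki', format: 'der' }).toString('base64');

// JSON.stringify is a simplification; a real system needs a canonical encoding.
const encode = (payload) => Buffer.from(JSON.stringify(payload));

const sign = (privateKey, payload) =>
  nodeCrypto.sign(null, encode(payload), privateKey).toString('base64');

const verify = (publicKey, payload, signature) =>
  nodeCrypto.verify(null, encode(payload), publicKey, Buffer.from(signature, 'base64'));

// The attester (e.g. a KYC provider) certifies a claim about a public key, not a name.
function attest(attesterKeys, subjectPublicKey, claim) {
  const body = { subject: publicId(subjectPublicKey), claim };
  return { body, signature: sign(attesterKeys.privateKey, body) };
}

// Relying party accepts an action only if (1) the certificate is signed by the
// trusted attester, (2) it is bound to this identity's key, and (3) the action
// itself is signed by that same key.
function acceptAction(trustedAttesterPub, subjectPub, cert, action, actionSig) {
  if (!verify(trustedAttesterPub, cert.body, cert.signature)) return 'bad-certificate';
  if (cert.body.subject !== publicId(subjectPub)) return 'certificate-for-other-identity';
  if (!verify(subjectPub, action, actionSig)) return 'bad-action-signature';
  return 'accepted';
}

// Constructed sample data: a genuine action and three ways verification fails.
function demo() {
  const attester = newIdentity(), alice = newIdentity(), other = newIdentity();
  const cert = attest(attester, alice.publicKey, 'kyc-passed');
  const action = { type: 'transfer', amount: 10, nonce: 'constructed-nonce-1' };
  const sig = sign(alice.privateKey, action);
  const otherSig = sign(other.privateKey, action);
  const selfCert = attest(other, other.publicKey, 'kyc-passed'); // not from the attester
  return {
    genuine: acceptAction(attester.publicKey, alice.publicKey, cert, action, sig),
    tampered: acceptAction(attester.publicKey, alice.publicKey, cert, { ...action, amount: 1000 }, sig),
    borrowedCert: acceptAction(attester.publicKey, other.publicKey, cert, action, otherSig),
    selfSigned: acceptAction(attester.publicKey, other.publicKey, selfCert, action, otherSig),
  };
}
```

The certificate never carries a real-world name: the relying party learns only that the trusted attester vouches for whoever controls the key that signed the action.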
The shiny new structure of user-controlled digital identity and authentication depends on a critical factor.
No-one must be able to steal your private keys, or intercept the process of any digital signature.
Imagine you were a merchant or a member of the nobility two hundred years ago. This would have equated to building a vault only you have access to, and storing the keys you unlock things with in the vault, along with the matching wax seals you use to sign and seal documents. You would have spent a tremendous amount of energy ensuring no-one but you could get into the vault.
Any intruder would have been able to unlock whatever your keys secured, or they could have signed and sealed instructions or contracts to defraud you.
In this new paradigm of user-controlled digital identity and authentication, the user requires a digital vault in which to:
- Securely store the private keys of any digital identities, and
- perform digital signatures without fear of surveillance or interception.
The success or failure of realizing a robust digital identity framework will eventually come down to a simple marketing truth.
WILL THE USER USE IT?
The answer lies in the most important factor for any product or service. Convenience.
Tools that use asymmetric key security have been around for a long time, and they have been used extensively by a small segment of the online community that was able to understand and navigate the complexities they entail.
To achieve ubiquitous use will require tools that are simple, yet provide the requisite security.