Questioning the necessity of single-identity cryptographic trust models
By Kyle Hamilton
In every current discussion of cryptography and cryptographic trust models, a single theme emerges: one key belongs to one person. One person may have many keys, but all keys owned by that person are bound to a single identity – his legal identity in his sociopolitical division.
In this paper, we challenge this model as being useless for anything except political and financial affairs, and explore some of the reasons why multiple-identity cryptography (and variant levels of trust) are not only necessary, but desirable.
X.500 and its continuing saga of non-implementability
The OSI (Open Systems Institute), in conjunction with the ITU (International Telecommunications Union, formerly the CCITT or International Telephone and Telegraph Communications Committee), created a thorough and horribly overengineered set of protocols that vendors and companies could use to ensure interoperability. This led to the creation of the OSI “7-layer model” for computer networking, a suite of protocols by which each layer could request the services of the layer below, and a means of tying all user information together. This last, the X.500 Directory, was originally intended to be a single, worldwide, distributed directory (akin to the DNS, or Domain Name System, of the Internet) that would allow anyone, anywhere, to query the whereabouts and contact information of any other individual in the world.
Unfortunately, the CCITT (as it was known back then), being a branch of the United Nations, had only political and large industrial designers in its meeting and standardization procedures. The result was a protocol and structure that was geared toward the needs of governments and large corporations, but had nothing to offer those with less-sophisticated needs. As well, large corporations generally balked at making their entire internal employee directories – as well as employee lists – public. For these and other reasons (not the least being the sheer impossibility of implementing the entire OSI suite of protocols), X.500 never was and never will be fully implemented.
Along came a challenger to the previously iron-handed grip the CCITT had held on the standardization process – the Internet Engineering Task Force. Here was a much smaller, much less politically-oriented, much more adaptable form of standardization, which stole all the wind from the OSI network model with its much-more-easily implemented TCP/IP suite of protocols. The market has decided who won that particular battle, and it wasn’t the United Nations.
However, not all was lost. Within the data formats and protocols so painstakingly assembled by the CCITT lay a couple of nuggets of goodness. First was X.500 – if it were to have its interconnection requirements severed, it would make a good internal database for large corporations. (From this realization came LDAP, the Lightweight Directory Access Protocol.) The second came from a standard called X.509 – a means of exchanging identity information in small blobs, at least fairly-easily read and transformed into human readability by computer.
In its original form, X.509 didn’t have provisions for cryptographic keys… but then two projects emerged: one, an attempted implementation of encrypted mail called PEM (Privacy Enhanced Mail), and two, a little company called Netscape attempted to put businesses on the Internet and enable electronic order fulfillment. Both projects saw that the X.509 standard format had the potential to be much, much more than it then-currently appeared.
PEM was doomed to failure for many of the same reasons that X.500 was – it required a single global root that delegated trust to countries which then delegated trust to Certifying Authorities (private-sector companies that assured the validity of information contained in a certificate) which then delegated trust to companies which then delegated trust to users. Since there never was such a global root, it failed.
But the other project, by Netscape, was at that time attempting to find some way of combating the plain-text phenomenon that was the Internet at that time. Financial institutions and businesses were unwilling to trust plain-text, unencrypted transmissions with important things like credit cards and business-to-business orders. (Who could blame them? The message could be altered en-route, or could be spied upon to perform fraudulent transactions, and there would be no way that anyone could prevent the huge losses that would undoubtedly occur.)
So, Netscape used the X.500 concept of the Directory, combined with X.509 certificates (and Certifying Authorities), to raise the bar. They used the X.500 Directory format to identify companies who wanted to offer encrypted pages, and X.509 certificates to bind public keys to the servers themselves. (These X.509 certificates were signed by the Certifying Authorities, who were, literally, put into business by this practice. Verisign was the first one, and for a long while the only one. And boy, were they expensive.)
Netscape also put into play “client certificates”. These were certificates, issued by a Certifying Authority, that were limited so that they could only identify people, not specifically DNS-named servers. They were to be used during an SSL exchange to identify the user to the server. (The server certificate was to be used during an SSL exchange to identify the server to the user.)
In any case, these certificates provided assurance to the recipient that the encryption key presented belonged to the entity (natural or legal person) which it said it belonged to. Of course, the limitation of liability usually associated with these certificates made these assurances not very useful to the entity that relied upon the assurances in the first place.
The Aftermath
VERY few places actually use client certificates, even ten years after they were first conceived and implemented. There are several reasons for this; the reasons I list here are merely within my own experience. There are undoubtedly others.
1) There is no way to verify that the client certificate presented has been issued to the correct entity instance of the name. (My apologies for the strange wording.)
Basically, what this means is if there are two or more people named ‘Jose Ferdinand Rodriguez’, and both of them obtain credentials from a given Certifying Authority, it is impossible to determine which of them is presenting his credential at any given access attempt. There is no uniqueness in names within the sociopolitical foundations of our society – and for merchants and banks, with no way to differentiate between people with the same name, this is a disastrous flaw.
In an attempt to redress this, one CA (by the name of Thawte Consulting, Pty, based in South Africa) offered the ability for their institutional clients to associate a unique identifier with a given individual, through the use of an extension embedded into certificates issued to that individual. The process by which this was to be set up was very cumbersome, rife with technical issues, and expensive to set up and maintain. The security that would have thus been provided would be not cost-effective – and so, most financial institutions have elected to keep passwords as their main authentication mechanism.
2) The existing mechanisms to implement such authentication are not general enough.
The software that exists (Apache with mod_ssl, Windows IIS, virtually any HTTP server software) does not make it easy to figure out what is really in the certificate that has been presented by the user. Unfortunately, some of that information (including the aforementioned extensions that Thawte Consulting would embed in the certificates issued to its individual end-users) is downright vital to properly reacting to the client’s authentication credentials.
Apache/mod_ssl does have the capability of handling this circumstance: the entire PEM-encoded client certificate is put into an environment variable for its CGI or PHP programs to be able to decode, and the status of the client verification is put into another variable. However, in order to get the extension and the value of the extension, a PEM/DER decoding library must be linked into the CGI (it can’t just use the library that’s already part of the webserver), thus causing decoding to happen more than once per request. This is inefficient at best.
With Windows IIS, it’s even worse – I have yet to be able to figure out how to get the client certificate data from subprocesses. (ASP might be able to get it, or extension DLLs – but if it’s possible for any non-component to get it, I haven’t been able to figure it out at all.)
Others? I have not used them. I don’t know how easy it is to get the information that’s needed… but if Apache with mod_ssl doesn’t make it easy, chances are there hasn’t been anything that’s made it a selling point.
(As an aside: what I would like to see is a file descriptor opened that had the entire certificate decoded, which could then be read on a line-by-line basis until the extension(s) of interest came up.)
3) Very few things actually use SSL, and those that do only use it for its server authentication, encryption, and tamper-resistance.
This is a bigger problem than most people think. There is no security without proper authentication. Passwords are not good authentication. (We’ve been using passwords for more than two thousand years. We know what all the problems are with them, and there are a
Even more importantly, encryption is not useful unless you know, with certainty, who you are talking to. Someone could encrypt a conversation that he’s having about being frustrated with whatever government makes laws that he is subject to, and how he wishes that certain members of government were removed from office – but without any knowledge of who he’s talking to, he could just as easily be talking to an agent of that government (perhaps through a man-in-the-middle attack) as the person he thinks he’s talking to.
4) In order to use client authentication certificates, it is mandatory that the server have a certificate of its own.
This is simply because the SSL protocol mandates it. (Which makes sense for currency transactions, but which makes no sense for other kinds of interactions.) And, there are several reasons why this is a stumbling block:
a. The management overhead to get authenticated, and thus certified, is simply too onerous for any but the most demanding situations.
When applications such as SSH use unverified keypairs for those most necessary of functions – authentication of a user to the system that he’s using, and authentication of the system to the user who’s trying to use it – it is obvious that there’s a severe problem. Certification should be just a matter of common sense, and it is – but even if the management overhead were a surmountable hurdle, the next reason most certainly is not:
b. Identity certification is simply too expensive for any entity that isn’t either a financial institution or transacting commerce.
Certifying Authorities all charge slightly different amounts for verification of identity, and issuance of certificates. This doesn’t change the fact that it ALWAYS costs at least $100, and often $250 or $300, for a single year of certification. (This is on top of the business costs, and the Dunn & Bradstreet listing, and everything related – since no Certifying Authority that’s accepted into, say, Microsoft’s Certifying Authority program, will issue a server certificate to an individual who isn’t also a sole proprietor. Microsoft’s program – as well as the other, similar programs for other browsers – relies upon audits of CA business practices performed by an association of Certified Public Accountants, each audit costing upward of $10,000.
Because of this, in order to recoup the initial costs, the CAs have no choice but to charge exorbitant fees.
All of these reasons point to a simple, but hard-to-swallow fact: The current identity structure is priced far outside of the realm of what most people can afford, and doesn’t meet even the most cursory needs of the function it was supposed to support.
On top of this, though, there are other issues at play.
Reality Strikes
On the Internet, which is where all of this technology is supposed to be used, there is a very peculiar phenomenon: people are known more by what they wish to be known as than as their legal names.
As an example: The author of this piece has several identities, in various places around the ‘net. For the software that he helps write, he’s known as “winged”. For interactions on various IRC networks, he’s known as “Winged” or “Aerowolf”. On MUCKs and MUDs, he’s known as “Aero”, “Aryd”, “Elrick”, “Greybolt”, “Winged”, and “Jarek”. On various web forums, he’s “aerowolf”, “aerolupus”, “aeroloup”, or even “wolfoftheair”. And his email addresses start with “wingd_wolf”, “aerowolf”, and “kyle_a_hamilton”.
As well, when he meets up with people he knows from projects on the Internet, they tend to call him “Winged” or “Aero”.
Other people he knows from the Internet exhibit the same phenomenon.
Very few people intentionally obscure their legal identities. However, constraints within the systems pretty much demand that alternate names – “nicknames” – be chosen and adhered to. (Some systems are for role-playing, and thus all but demand different names. Some systems are limited to 8-character names. Some systems are for games, or for other not-serious purposes, and no transactions occur with the chosen nicknames.) These nicknames are perfectly, completely valid as unique identifiers within the systems that they’re chosen within.
However… the current identity structure (where everything devolves to the legal name) is almost useless within these contexts. (If I interact with someone as, say, “Dweezil” for a number of years, that person’s legal name is going to stick less for me than the nickname I’ve used all these years. Thus, if I suddenly receive a certificate that contains only the legal name, I’m not going to map it to the individual properly.)
As well, there’s a more economically and reputationally damaging issue at stake: If the CEO of a major corporation wanders around online, and comes across a discussion about something of interest that could damage her reputation, should she need to use an identity that can be traced back to her professional identity? This isn’t as far-fetched of a question as it might seem – already, executives are placed under scrutiny by their peers, and if any hint of impropriety is found they are summarily dismissed. Impropriety often means ‘having an interest in romance with another person of the same gender’, or “having a family member who is autistic”, or other such personal affairs.
Since there are circumstances under which it makes less sense to use a legal name for authentication (remember, ‘authentication’ is basically ‘making sure you’re talking to who you think you’re talking with’), there should be a way to assure a name that is not the legal name (and a context within which the name is valid and unique).
(If you think about it, the current ‘single-identity’ model essentially attempts to assure a name within the context of ‘legal names’… and, as mentioned earlier, fails horribly because individual names just aren’t unique. In the
Now, normal Certifying Authorities can’t assure names in contexts that they aren’t equipped to deal with. This is partly because there is, literally, no way to specify a context other than “legal names” in the current X.509 model, which is what all current Certifying Authorities use… but it’s also partly because it would make no sense for them to do so, from a business standpoint. (The only way, other than name recognition, that CAs can increase their server subscriber base is by having more clients that can be authenticated through their assurance. This is a problem, though, for the reasons I outlined above.)
What is the solution to this? How can any of these names be assured if the commercial CAs can’t do it?
Well, what is needed is some entity that is able to assure each name. Fortunately, there are entities within each and every context who can provide such assurance, and models under which these assurances can be asserted.
Specifically: The creator/owner/maintainer of each context is completely authoritative for the assurance of names within that context. (Basically, the creator/owner/maintainer has absolute access to the database which holds the names, and can verify where each request for assurance comes from. If a request for assurance for a name comes from a connection authenticated as that name, then it’s a fair bet to state that the request can be assured.)
If the creator/owner/maintainer of the context is unwilling to assert its authority in assuring identities (they’re unwilling to code the assurance service, for example, or they don’t have time to add another layer to their maintenance work), then other people within the same context can make the assertions. (This “web-of-trust model” works well within the PGP/GPG community.) It’s not necessarily more or less secure, though many people are less likely to be in collusion than a few people.
Multiple-Identity/Tightly Bound versus Multiple-Identity/Loosely Bound
There’s a subtext to the single-identity concept that currently exists in its current usage: “I have not seen this name before, therefore I have not interacted with this entity.” There’s also the opposite concept: “I have seen this name before, so I have previously interacted with this entity.”
This is (obviously) bunk, but a lot of importance seems to be placed on unique identification. The typical way this has been done in the past was to associate every identity with a main (usually legal) identity, and use that identity linkage to determine prior interaction.
I’ve explained all the reasons why this fails, above… including the lack of pseudonymity necessary when interacting in places and with groups that could have undesirable repercussions.
The current terminology doesn’t really have a good description for identity binding. So, I’m going to introduce a couple new terms here: “Tightly-bound” and “loosely-bound”. And, for the sake of argument, I’m even going to try to find decent, useful definitions for both:
Tightly-bound identities are associated with each other in a way that is impossible to ignore – the knowledge of the binding is encoded within the credential itself.
Loosely-bound identities stand on their own, and are not associated with each other unless the holder of the identities wish for them to be in some manner.
For purposes of pseudonymity, loosely-bound identities are much more desirable (it’s impossible to have a useful pseudonym if it’s inherently tied, in every instance, to one’s legal identity). Tightly-bound identities are desirable for any organization which desires absolute knowledge of every identity used by an individual… but they leak information that the identity holder may not wish revealed (sometimes, as in the case of the CEO with an autistic child, with very good reason).
Since the current state of identity management revolves around single identities, or secondary identities tightly bound to those single identities, most of the issues with those types of paradigms are already known. For the rest of this paper, then, I’m going to focus on the issues within a loosely-bound multiple identity system.
Inherent Attributes of Loosely-Bound Multiple Identity Systems
Since we’re looking at a completely different way of managing identity, we’re going to have to throw out everything that we thought we knew about it. Starting from zero-principles, then:
An ‘identity’ is an addressable way of referring to a specific entity within a context.
An ‘entity’ is an addressable interactive structure with all the capabilities that any person has within the context. (i.e., a user account. Note that there is nothing prohibiting a single entity from being used by multiple persons.)
A ‘context’ is any kind of administrative division within which one or more entities may be created and used in manners that lead to the assertion of identity.
A ‘person’ is an individual who has the ability to interact within the context as an entity.
‘authentication’ is the process by which one entity proves its identity to an acceptable level of assurance to another identity.
As an example, think of a Linux-based server that has many user accounts. This server is in a single administrative division (the division maintained by the owner and administrators of the server hardware), and every user account has a unique name and user ID. These accounts are only accessed by the respective persons that they are assigned to. However, there are a couple of user accounts that are used by several different persons, for various reasons. As well, there are two user accounts that are used by other computers in order to transfer data back and forth.
Within this example, the Linux server is the ‘context’. Every user account is an ‘entity’ – at the very least, the rights and privileges of the account are asserted to the operating system and its administrators. This makes every account name and user ID an ‘identity’. Each human being that accesses the system is a person, even those who only access the shared group accounts – and, the other computers that use those two other user accounts? Those are persons too. (They interact with the system the way people do, asserting their rights and privileges in a highly specialized manner in order to perform their functions.)
Now, within this system (and even sometimes when one side of the exchange is not interacting from within the same system) there are ways of asserting identity to other entities within the context, or who trust the context. (Take the case of email – the system ensures that the identity of the user is well-known in the message header, even if the From: line says something else.)
But, what happens when entityA wants to verify that someone he’s interacting with, outside of the system, is actually entityB inside the system? Traditionally, there have been passwords or passphrases or codewords or other fairly-weak authenticators exchanged between entities within a system for offline authentication. The problem is, these are fairly weak, and it’s easy for them to fall into the wrong hands.
2006-02-12 2006-02-19 2006-02-26 2006-03-05 2006-03-12 2006-03-19 2006-03-26 2006-04-02 2006-04-09 2006-04-16 2006-04-23 2006-07-23 2008-01-13 2008-01-20 2008-02-03 2008-02-17 2008-03-16 2008-04-06 2008-05-11