Jason Andrade: Software Developer / Technical Writer / Research Analyst

Great Security With More Privacy: A Rebuttal To Mat Honan

November 21st, 2012

A lot of what was said by Mat Honan in his November 15th, 2012 editorial "Kill the password" is absolutely correct.   I most vehemently disagree however with his last three paragraphs.   I can assure you that it is very possible to replace the usage of passwords with a robustly secure system which is in fact easier to use and actually provides the consumer with more privacy, not less!

The rub of course is that it would cost the government well over a billion dollars to implement.   What we are talking about here is not only identity authentication but also implementing true digital signatures using both symmetric and asymmetric encryption.   Just to be clear, a digital signature is not what you provide when a courier arrives on your doorstep and asks you to sign your name on a touch screen with a stylus!   When a transaction or document is digitally signed it's first encrypted with a common symmetric key, and then with the signer's private key.   No-one, not even the recipient, can duplicate the signature because they merely have the public key which can only be used to decrypt the digitally signed document.

A system like this would require a central authority to provide three separate electronic services.   One for device authentication, a second for identity confirmation, and the third for chronological verification.   It would also need all users to be given free of charge their own tamperproof personal transaction authentication device (PTAD).   Such a device is absolutely necessary for any kind of truly secure authentication system which doesn't infringe an individual's right to privacy.   You can't use a readily available consumer device, such as a computer or cellphone, because all such devices are relatively easy to hack.

The PTAD would need to be little more than a simple display, a numeric keypad, and an SD Card slot/bay.   It would have to be physically durable, waterproof, and as small as possible.   Perhaps a scaled back version of Pranav Mistry's "Sixth Sense" technology would prove useful here.   The idea here is to have a uniquely identifiable PTAD be a secure point of access with its own CPU and internal flash memory.   All firmware updates would be digitally signed (encrypted) and specific for use on an individual unit, thus preventing a repeat of the Sony master key cracking fiasco.   No external software of any kind would be loadable onto the device by the consumer.

Multiple identities could be loaded onto the device simultaneously, with the user selecting the appropriate identity for each transaction.   All transactions would happen wirelessly, probably via a Bluetooth or WiFi connection.   Every transaction performed by the device would be logged, with the log being exportable.   This would finally replace paper receipts from monetary transactions with digital copies that are tamper proof, virtually impossible to falsify, and ridiculously easy to keep track of.   A swappable SD Card could be used to make backups, or perhaps to facilitate swapping identities via a physical mechanism.   A simple white noise generator would also be needed in the creation of a random number stream used by the encryption protocols.

The PTAD itself would be responsible for creating an identity.   You could even create one named "Mickey Mouse" if you wanted.   The server of any website you log into would also have its own PTAD.   When you log into that website both your consumer device (PC, cellphone, etc) and the web server would merely act as relays for the transaction process which occurs between the two PTADs and a central authority.   Communication with the central authority would only be necessary for the two PTADs to verify each other's authenticity, and possibly for chronostamping (more on this later).   A PTAD's ID and authentication keys would be registered with this central server at the time of its manufacture.   The data stream of the transaction process would be encrypted and thus completely unintelligible by any third party machine.   It is important to note that most transactions will not involve the authentication of the identity with the central server, because these identities are anonymous!   The web server would merely have an ID number and name, but not the encryption keys (not even the public one) associated with that identity.

The identities stored on the PTAD would themselves be encrypted with a numeric codekey as an added precaution.   This wouldn't be a password in the traditional sense, since it isn't stored anywhere, but rather is used in an algorithm to make the keys associated with an identity usable.   Furthermore the codekey is only used with the consumer's own PTAD which they are (possibly metaphorically) holding in their hands, and it's never transmitted.   There is one more important detail I should point out; the exact same process can not only be used as a simple access authorization, but also to digitally sign all kinds of entire documents.

So far we have a system which uses anonymous identities and is good enough for non-critical transactions, but not for financial transactions or signing legally binding contracts.   For that you will need brick and mortar, government run, identity offices in every major city.   A teller at one of these offices would register an identity created on a PTAD after verifying that the identity's information matched a different verifiable source (eg a passport, using the same system as used by immigration).   Once validated by a teller you would now have a core identity stored on the central server.   The central server would however only have the public key associated with your core identity, and not the private key.   This means that trusting the government or its employees doesn't even enter the picture because they can only authenticate, not duplicate, your digital signature.   This core identity could now be used for critical transactions, though I'm sure some legal hoops would have to be jumped through before it could be considered legally binding in a court of law.   I'm going to leave that part of the problem to those in the legal profession.   The implementation of core identities should allow the government to discontinue almost all forms of physical ID, including your driver's license.   It will of course still be necessary to have a passport for the immediate future, but decades down the road even that might be phased out.

Not bad so far, but still incomplete.   Corporations, by their very nature, will do anything they can get away with to make a profit.   This behaviour serves a useful purpose, but should be constantly kept in check through the implementation of additional privacy measures in new technologies.   It is for this reason that pseudonymous identities must also be implemented.   Anyone should be able to bind anonymous identities to their core identity.   Such bindings would have to be permanent.   A pseudonymous identity could then be used for critical transactions.

The government would give an authenticating agency (eg your bank) the right to see the true value of specific fields in your core identity instead of the corresponding one in your pseudonymous identity.   This field piercing facility would be granted on a case by case basis for only those fields which the government deems that an authenticating agency has the right to know.   The authenticating agency would not know if you provided a core identity or a pseudonymous one; the process is completely transparent.   The PTAD's interface would however indicate to the user in advance which fields the authenticating agency has field piercing permissions for.   This is the perfect solution to protect the consumer from the predatory habits of corporations.   They would no longer be able to dictate what information you must provide in order to receive customer service.

There are many technical details I've not gone into because they wouldn't really improve the average person's understanding of how a proper identity authentication system should work.   I did however mention at the start of this post the necessity of a chronological verification service.   It is often not enough to know that the correct person authorized something.   A lot of times it's just as important to know when the authentication occurred.   The best way to do this is to have a central authority designate a specific set of encryption keys, a chronostamp, for a single short time period (eg 5 minutes).   A PTAD that is signing a transaction with an identity would have the central authority sign it with the current chronostamp twice, once just before the identity signing and once immediately after.   This guarantees that the transaction occurred during the period of time that chronostamp was active.   The central authority is of course constantly receiving requests for transaction chronostamping and continually changes the active chronostamp as time marches on.   The system would of course allow anyone to inquire not only when a given chronostamp was active but also who else chronostamped a transaction during that time period.   This would allow third parties to verify at any time that the chronostamping system hasn't been compromised, and makes it very difficult for someone in a position of power to undetectably falsify a chronostamp.
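The double chronostamping described above, as an added example that is not part of the original post: the identity signature covers the first stamp and the second stamp covers the identity signature, which is what pins the signing inside one window. HMAC-SHA256 stands in here for the public-key signatures the post calls for, so this version can only be checked by a party holding the keys; `Authority`, `sign_transaction`, `verify_transaction` and the rule that a signing straddling two windows is rejected are assumptions of the example.

```python
import hashlib
import hmac

WINDOW_SECONDS = 300  # the post's example period: 5 minutes


def _mac(key, *parts):
    # HMAC-SHA256 as a stand-in signature; parts are length-prefixed to avoid ambiguity.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Authority:
    """Hypothetical central authority with one chronostamp key per time window."""

    def __init__(self, master):
        self._master = master

    def _window_key(self, window):
        return _mac(self._master, b"chronostamp", window.to_bytes(8, "big"))

    def stamp(self, data, now):
        window = now // WINDOW_SECONDS
        return window, _mac(self._window_key(window), data)

    def check(self, data, window, tag):
        return hmac.compare_digest(tag, _mac(self._window_key(window), data))


def sign_transaction(authority, identity_key, tx, t_before, t_after):
    """Pre-stamp, then identity signature over tx and pre-stamp, then post-stamp."""
    pre = authority.stamp(hashlib.sha256(tx).digest(), t_before)
    sig = _mac(identity_key, tx, pre[0].to_bytes(8, "big"), pre[1])
    post = authority.stamp(sig, t_after)
    return {"tx": tx, "pre": pre, "sig": sig, "post": post}


def verify_transaction(authority, identity_key, rec):
    """Return the window's start time in seconds if the record is consistent, else None."""
    (w_pre, tag_pre), (w_post, tag_post) = rec["pre"], rec["post"]
    expected_sig = _mac(identity_key, rec["tx"], w_pre.to_bytes(8, "big"), tag_pre)
    ok = (
        w_pre == w_post  # both stamps must come from the same active chronostamp
        and authority.check(hashlib.sha256(rec["tx"]).digest(), w_pre, tag_pre)
        and hmac.compare_digest(rec["sig"], expected_sig)
        and authority.check(rec["sig"], w_post, tag_post)
    )
    return w_pre * WINDOW_SECONDS if ok else None
```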

Now let's get back to the reason behind Mat Honan's editorial.   In a world which implements a system similar to what I've described the hackers would have a very hard time victimizing Mat.   Social engineering won't work because companies like Apple won't need to use a verbal challenge/response questionnaire for an account reset.   Assuming they were given field piercing rights to the ID field you could simply provide a pseudonymous ID stored on a different SD Card.   The wisest thing to do of course would be to make multiple SD Card backups of your identities and keep them in different physical locations.   Assuming the worst happens and you lose everything, an identity office could create a new core identity for you and disable the old one.   A facility would be provided to an authenticating agency (like Apple) that allows them to check if a provided core identity is equivalent to one in their database, but it would require a user's digitally signed authorization to do so.

The truth is a system like I've described was technologically feasible over a decade ago.   The up front expense would be more than offset by the elimination of costs associated with maintaining archaic physical systems.   I'm not just talking about eliminating physical driver's licenses, but paper documentation of all kinds.   The total savings per year would simply be staggering.   So why hasn't it been done?   Probably because the up front cost is a large one, and because there is a huge political minefield involved.   Think about it; all of these archaic physical systems are at some level run by government bureaucrats who have spent years accumulating political power by protecting their own private fiefdoms.   They will do everything in their power to prevent such a revolution from ever occurring.   Then there's the sabotage of the economy, but that's another issue altogether.

The primary reason why I've responded to Mat Honan's editorial though, is that his knee-jerk reaction to the terrible crime that was inflicted upon him bears striking similarity to the U.S. government's frame of mind after 9/11.   I am referring to the false notion that giving up more of our privacy and civil rights is not only acceptable but in fact necessary to guarantee our security.   Benjamin Franklin said it best, "he who sacrifices freedom for security deserves neither".   The U.S. government currently spends over 2 trillion dollars on its military; mostly to fund its engagements overseas.   Spending of this kind just disappears down a black hole.   A bunch of military contractors pocket most of the money and go buy another villa in Switzerland or a yacht.   Redirecting some of these funds to the creation of a freely available secure digital authentication system instead would generate a huge return on investment.   People need to demand of their government the kind of radical policy shift which makes projects like this happen.   A paradigm shift like this must occur if the U.S. and Canada are to have any real chance for a bright economic future.

I believe I have proven that it is very possible to not only obtain more security, but to do so in a way that protects our freedom as well.   Yes I am a Canadian, not an American, but what happens down in the U.S. invariably affects how things unfold up here.   Who knows, maybe the Canadian government will surprise me and implement this first, but somehow I doubt it.

This website is published under the Creative Commons Attribution 3.0 License