
From a secrecy model of information security to a usage authentication model

We continue to be plagued by data breaches: password dumps, credit card dumps, leaked healthcare records and so on.

One of the reasons many of these breaches continue to be devastating, and so effective
for cyber criminals, is that our current information-use infrastructure relies on secrecy
as the primary mechanism for preventing the misuse of information.

Secrecy simply means that only the people who have the right to use a piece of information have access to it. When that assumption breaks down, as it does in a data breach, the information loses some or all of its value: a compromised credit or debit card number means issuing a new number, a compromised password database means resetting the passwords, and so on.

Secrecy has its place as a privacy-preserving mechanism, but it is a flawed mechanism for
authenticating the use of information.

The idea of secrecy as the mechanism for controlling the use of information is so deeply
ingrained that even people who should know better often react reflexively when a proposed solution appears not to depend on keeping the information secret.

With the Certisfy service, when I tell people that a social security number is the best kind of
real-world (IRL) identity anchor, the initial reaction is often incredulity, because they assume the proposal relies on the supposed secrecy of social security numbers. It does not. Social security numbers are excellent IRL identity anchors because they are unique to a person and immutable; their secrecy is irrelevant in this context.

The solution is information usage authentication at time of use: proving that you have the
right to use a certain piece of information at the moment you need to use it. Cryptographic
certificates, which bind the information to a key whose holder can produce signatures, are one mechanism for implementing this.

If you must produce a cryptographic signature for a piece of information before you can use it, then it doesn't matter whether the information sits in a vault at Iron Mountain or is printed on a Times Square billboard. The user's authority over the information no longer rests on its being secret; it rests on near real-time proof of the right to use it.

Take a certificate for your social security number that anchors your online identity to your IRL identity. It doesn't matter that the number is widely used (and misused); what matters is that, before you received the certificate, someone verified that the number belongs to you, and that no one else can obtain a certificate for that number.

With a certificate for your credit or debit card, the number is just a unique identifier: keeping
it secret might still matter for privacy, but it is no longer what prevents unauthorized use.

For passwords we are slowly moving in that direction with passkeys. Once a cryptographic signature is the actual authentication token, the password becomes a mere pass-phrase and could be
the legendary "123" without any impact on security.

In fact the password or pass-phrase becomes unnecessary altogether. With signature-based login, the site sends a fresh random challenge and your login client (browser, app, etc.) signs it with your key and returns the signature, with no user-typed secret involved. The challenge has to come from the site rather than from the client, otherwise a captured signature could simply be replayed. If the database holding user IDs and their public keys is compromised, the compromised system gets fixed, but otherwise nothing changes in the security of those accounts, because public keys are not secrets.
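The following is an added example, not code from the post or from the Certisfy service, covering both ideas above: a certificate that binds a public identifier (the social security number or card number) to a key, and passwordless login as a signature over a server-issued challenge. It uses Ed25519 from the Go standard library; the certificate layout, the message encodings and the sample identifier are assumptions made for illustration, and out-of-band verification that the identifier belongs to the key holder is assumed to have happened before issuance.

```go
// Added example (not the post's or Certisfy's code): a minimal certificate for a public
// identifier plus challenge-response use authentication with Ed25519. The certificate
// format, message layouts and the sample identifier are assumptions for illustration.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate binds a public identifier (an SSN, a card number) to a key holder's
// public key. It carries no secret: anyone may read it, only the holder can use it.
type Certificate struct {
	Identifier string
	SubjectPub ed25519.PublicKey
	IssuerSig  []byte
}

// certBody is the canonical byte string the issuer signs over.
func certBody(id string, pub ed25519.PublicKey) []byte {
	return append([]byte("cert\x00"+id+"\x00"), pub...)
}

// IssueCertificate is the issuer's step. It runs only after out-of-band verification
// (assumed done here) that the identifier really belongs to the holder of pub.
func IssueCertificate(issuerPriv ed25519.PrivateKey, id string, pub ed25519.PublicKey) Certificate {
	return Certificate{Identifier: id, SubjectPub: pub, IssuerSig: ed25519.Sign(issuerPriv, certBody(id, pub))}
}

// NewChallenge is generated by the relying party, never by the client, so a captured
// signature cannot be replayed against a later request.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// useBody binds the signature to both the identifier and this specific challenge.
func useBody(id string, challenge []byte) []byte {
	return append([]byte("use\x00"+id+"\x00"), challenge...)
}

// SignUse is the holder's proof of the right to use id, right now.
func SignUse(holderPriv ed25519.PrivateKey, id string, challenge []byte) []byte {
	return ed25519.Sign(holderPriv, useBody(id, challenge))
}

// VerifyUse is the relying party's check. Knowing the identifier is worth nothing;
// the request must carry a certificate from the trusted issuer for exactly this
// identifier and a signature over this challenge under the certified key.
func VerifyUse(issuerPub ed25519.PublicKey, cert Certificate, id string, challenge, sig []byte) error {
	if cert.Identifier != id {
		return errors.New("certificate is for a different identifier")
	}
	if !ed25519.Verify(issuerPub, certBody(cert.Identifier, cert.SubjectPub), cert.IssuerSig) {
		return errors.New("certificate not signed by the trusted issuer")
	}
	if !ed25519.Verify(cert.SubjectPub, useBody(id, challenge), sig) {
		return errors.New("use signature invalid for this challenge")
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	const ssn = "078-05-1120" // constructed sample; the number is treated as public

	cert := IssueCertificate(issuerPriv, ssn, alicePub)

	// 1. Legitimate use: the relying party issues a challenge, Alice signs it.
	ch, _ := NewChallenge()
	fmt.Println("alice:", VerifyUse(issuerPub, cert, ssn, ch, SignUse(alicePriv, ssn, ch)))

	// 2. Mallory knows the SSN from a breach but holds no certificate for it;
	//    a self-issued one fails the issuer check.
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malIssuer, _ := ed25519.GenerateKey(rand.Reader)
	forged := IssueCertificate(malIssuer, ssn, malPub)
	fmt.Println("mallory:", VerifyUse(issuerPub, forged, ssn, ch, SignUse(malPriv, ssn, ch)))

	// 3. Replay: Alice's earlier signature fails against a fresh challenge.
	sigOld := SignUse(alicePriv, ssn, ch)
	ch2, _ := NewChallenge()
	fmt.Println("replay:", VerifyUse(issuerPub, cert, ssn, ch2, sigOld))
}
```

The point of the three scenarios is that the identifier is equally public in all of them; only possession of the certified private key, exercised against a challenge the relying party just generated, separates the legitimate use from the breach-data attacker and from a replayed signature.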

Of course, a compromised user device would require replacing that user's keys, but a single user's device exposes one user's keys, where a company's database exposes everyone's credentials at once, so on net this is a non-issue.
