Thursday, April 28, 2005


When does a key become an identifier?

A quick quiz:

Is a passport an "identifier"?
Is a driver's licence an identifier?
Is a credit card an identifier?
Is a professional membership card an identifier?
Is a building access card an identifier?
Is a house key an identifier?
Is a car key an identifier?

Or putting the questions another way ...

Is a car key a "key"?
Is a house key a key?
Is a building access card a key?
Is a professional membership card a key [to access an association]?
Is a credit card a key [to a payments system]?
Is a driver's licence a key [to access the privileges of road usage]?
Is a passport a key [to enter another country]?

I look in my wallet and see a bunch of plastic cards that are viewed by many people as identity documents. In Australia we have regulations that actually score the strength of most of my cards as proof of identity.
But I look at my keyring and see, well, keys. To my cars, to my houses, my offices. None of these can be presented as identities to third parties. But there are some gadgets on my key ring that are pushing the envelope, like a USB dongle and a SecurID I use for various logons. In the near future I might have an Internet banking key fob too (though personally I would prefer not!).
The boundary between a key and an identifier is clearly blurry.
It would help the authentication debate if we could see that many of our valued identifiers actually represent different identities. I have an identity as a qualified professional, which is different from my identity as a Director of Lockstep, which is different from my identity as a personal banking customer of my bank, which is different from my identity as a citizen. Then we might see that a single all-purpose digital certificate (or a single master PKI) isn't just very very difficult to achieve; more importantly it's just plain silly!

Monday, January 17, 2005


Fingerprint gimmicks

A number of cellphones are on the market incorporating a fingerprint reader as a safeguard against theft. Several laptop computers, the odd mouse, even some experimental smartcards now have this "security" feature. Some see it as the way of the future; see

Yet it is a worrying gimmick, closely equivalent to writing the PIN on the back of your credit card!

A majority of commercial fingerprint detectors can be fooled by replica prints. In 2002, Japanese cryptographer Tsutomu Matsumoto devised the infamous "Gummi Bear Attack", in which a gelatin candy moulded with latent fingerprints transferred from a drinking glass proved effective against 80 per cent of readers tested (see

So if you lose your fancy phone, a clever thief will find your biometric security information very conveniently left behind all over the keypad.

One wonders whether disposable latex gloves will become the next weapon in the war on identity theft?

If we're going to do biometrics -- and many of us urge caution in any case -- and if we're going to store templates within devices, then let's use any method other than fingerprinting.

Wednesday, December 22, 2004


X.509 Certificate Suspension is such a bad idea

Two reasons are commonly given for the perceived need to offer certificate suspension.

1. "I might have compromised my private key but I am not sure. If I can just have a day to sort it out, and get suspended in the meantime, that would be great".


2. "I'm going on leave for six weeks and I'd like to be sure nobody can use my private key while I'm away".

The first reason is not something that credit card companies support. I actually tried it once; I mislaid my wallet, was optimistic it would turn up, and rang the card company to ask for a 'suspension'. They said there was only the option to cancel the card, and if my wallet did in fact turn up, well that was nice but I'd need to get a new card. You can see their position; who would take the liability if a 'suspended' credit card was in fact abused?

The second reason is really poor security practice. If you have to leave any valuable asset unattended for some time, then you must make efforts to ensure it is protected. Either that or take it with you. It would be pretty slack to leave a private key lying around on the basis that it couldn't be misused while suspended. What if an attacker simply copied the key and waited till you unsuspended?

No, suspension is a really bad idea. And finally a technicality. The standard form of words in almost any CP/CPS is that revocation is required in the event of compromise or suspected compromise of your private key. How on earth should we re-word this clause if we were to permit suspension for reason 1 above? "You can suspend if you think your private key might turn up; but if you are really sure it won't, then you must revoke".
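The copied-key problem above can be seen from the relying party's side. This is an added example, not code from the original post: it is a simplified model of full CRLs, the reason codes are taken from RFC 5280 (which the post does not cite), and the serial number and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date

# CRLReason codes defined in RFC 5280, section 5.3.1.
KEY_COMPROMISE, CERTIFICATE_HOLD = 1, 6

@dataclass(frozen=True)
class CRL:
    this_update: date
    entries: dict  # serial -> reason code

def status(crls, serial, when):
    """Status seen by a relying party using the newest CRL issued on or before `when`."""
    usable = [c for c in crls if c.this_update <= when]
    if not usable:
        return "unknown"
    reason = max(usable, key=lambda c: c.this_update).entries.get(serial)
    if reason is None:
        return "good"
    return "on-hold" if reason == CERTIFICATE_HOLD else "revoked"

def accepts(crls, serial, checked_on):
    """Verifier that trusts a signature if the certificate is good when checked."""
    return status(crls, serial, checked_on) == "good"

# Constructed sample data: one serial, a six-week absence.
SERIAL = 0x1001
BEFORE, LEAVE, BACK = date(2004, 10, 25), date(2004, 11, 1), date(2004, 12, 13)
DURING, AFTER = date(2004, 11, 20), date(2004, 12, 14)

# Policy A: suspend on leaving, release on return (the hold entry is dropped).
SUSPEND = [CRL(BEFORE, {}), CRL(LEAVE, {SERIAL: CERTIFICATE_HOLD}), CRL(BACK, {})]
# Policy B: revoke on suspected compromise; the entry stays on later CRLs.
REVOKE = [CRL(BEFORE, {}), CRL(LEAVE, {SERIAL: KEY_COMPROMISE}),
          CRL(BACK, {SERIAL: KEY_COMPROMISE})]

def compare():
    """(status during absence, accepted after return) for each policy."""
    return {name: (status(crls, SERIAL, DURING), accepts(crls, SERIAL, AFTER))
            for name, crls in (("suspend", SUSPEND), ("revoke", REVOKE))}

if __name__ == "__main__":
    for policy, (during, after) in compare().items():
        print(f"{policy:8} during={during:8} accepted_after_return={after}")
```

Once the hold is released, the newest CRL carries no trace that the certificate was ever suspended, so a verifier checking current status accepts anything signed with the key, including by whoever copied it.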
