Trust and Identity: A better way to sign?
Being a techie I often reflect on the fact that while a lot of COOL things happen ALL THE TIME in the tech world…A lot of it is either useless in a practical sense, or actually detrimental to our society as a whole. Those that know me have heard me remark many times “I hate technology!”
Technology pushes us forward sometimes in such ways that make the world MORE frustrating instead of less. I feel as though this is fundamentally backwards, but in regards to such things as security, it becomes obvious very quickly that some of these frustrating choices are because there are assholes out there doing things they shouldn’t. As is the case in most of society: A few bad apples have to ruin it for the rest of us.
My cousin recently put up on his Facebook a video of a machine that can hold any pen/pen-like-device and print things like a printer. One of the demo’d abilities was the ability to store/sign your signature. Great from an “ease of use” standpoint, but combined with a decent high dpi-scanner and some light work, it’s an instantly easy way to forge a signature. Go team.
That got me thinking of the overall security/practicality of a signature in today’s society anyway. I think it’s time to start considering a cryptographic signature in our day to day lives.
For those that have never worked in a smart-card/PKI driven environment, or are otherwise uninformed about PKI (public key infrastructure)…Here is the breakdown:
In a public key infrastructure, there exists such a thing as a “key pair.” One key is considered private, the other is considered public. The algorithm that generates this key pair generates it in such a way that three things are true: 1) the private key cannot be derived from the public key, 2) the private key can decrypt things encrypted with the public key, 3) the public key can VERIFY things that are signed by the private key.
Let me explain. Essentially the private key becomes a representation of “you” in the digital sense. It’s something you keep safe and secure. Often it’s kept on a smart card, or some other device, in such a way that the key cannot be directly accessed by the outside world, only through “secure” methods (as a side note, this is essentially what the new “chip” credit cards are doing). The public key on the other hand…is just that. It’s public. A grand infrastructure environment, such as a workplace, will have all the employees’ public keys stored in a centralized location that can be easily accessed when emailing/interacting with people. There is also the idea of a decentralized web of trust, in which we all upload/provide our public keys to different places on the internet, or hand them out, and we sign each other’s keys to verify that we know each other, and that is how the key gains “identity.” Because I know my sister and I know my friends, people that know me can, by extension, trust the signature of my sister. I wrote about this in my thoughts on GPG keys, but it’s worth restating.
So how is it actually used? Well it’s very simple.
Someone with my public key can use that key to encrypt a file in such a way that only my private key can decrypt it. Thus they can be sure that I am the only one that can actually read it.
On the other hand, if I have a document that I need to “sign,” I can “sign” it with my private key, and anyone can use my public key as verification that the signature on that document is indeed mine.
So now that we have the premise in place, let’s ask ourselves: Is this practical? You may be saying “computers are pretty unsafe sometimes, isn’t this insecure?” To which I’d reply….Actually yes, there are a lot of flaws with the system. It is not impossible to steal a private key. But at the end of the day we have to ask ourselves: Is our current method of signature in any way valid?
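Here is the whole key-pair story in working code, as an added example (it is not code from the original post). It generates a key pair, encrypts a message to the public key that only the matching private key can open, signs a document with the private key, and verifies that signature with the public key, including what happens when the document is altered or the wrong public key is used. It uses Go’s standard-library RSA (OAEP for encryption, PSS for signing); the names, the message and the transaction text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// KeyPair is one person's key pair. The private half is what the smart card
// guards; the public half is what everyone else gets a copy of.
type KeyPair struct {
	Private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewKeyPair generates a fresh 2048-bit RSA key pair.
func NewKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyPair{Private: priv, Public: &priv.PublicKey}, nil
}

// EncryptTo seals msg with the recipient's PUBLIC key (RSA-OAEP, SHA-256).
// Only the matching private key can open it (property 2 in the breakdown).
func EncryptTo(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a message sealed with EncryptTo using the PRIVATE key.
// With any other private key this returns an error rather than garbage.
func (kp *KeyPair) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, kp.Private, ct, nil)
}

// Sign produces a detached signature over doc with the PRIVATE key
// (RSA-PSS over a SHA-256 digest of the document).
func (kp *KeyPair) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, kp.Private, crypto.SHA256, digest[:], nil)
}

// Verify checks sig against the signer's PUBLIC key (property 3). It is true
// only if doc is byte-for-byte what was signed AND the signature came from the
// private key matching pub; one changed digit in the document makes it fail.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	brandon, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	eve, _ := NewKeyPair() // somebody else's key pair

	// Encrypt to Brandon's public key; only Brandon's private key opens it.
	ct, _ := EncryptTo(brandon.Public, []byte("for Brandon only"))
	pt, _ := brandon.Decrypt(ct)
	_, eveErr := eve.Decrypt(ct)
	fmt.Printf("brandon reads: %q, eve gets an error: %v\n", pt, eveErr != nil)

	// Sign a transaction with Brandon's private key; anyone verifies with his public key.
	doc := []byte("I authorize $20.00 to Jimmy's Market") // constructed sample transaction
	sig, _ := brandon.Sign(doc)
	fmt.Println("genuine document verifies:", Verify(brandon.Public, doc, sig))
	fmt.Println("altered amount verifies:  ", Verify(brandon.Public, []byte("I authorize $200.00 to Jimmy's Market"), sig))
	fmt.Println("verified with Eve's key:  ", Verify(eve.Public, doc, sig))
}
```

The signature is over a hash of the document, so the card only ever has to sign 32 bytes no matter how long the contract is, and the verifier needs nothing but the public key and the document as received.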
Let’s look at a couple examples:
- In a store. You walk in a store with your credit card, and buy something. One of three things happens.
- (Most commonly) The person asks for your driver’s license. Fun fact about this. That is NOT the proper way to do things. Did you know that asking for your driver’s license goes against the credit card provider’s agreements with the vendor? Why? Because they’ve now swiped your card, and potentially could have copied the magnetic code while you weren’t looking, and then they’ve looked at your driver’s license and can take your personal information to steal your identity.
- (Second most common) Nothing, They just nod, smile, and send you on your way. SECURE.
- (What is supposed to happen but almost never has) They ask to see your credit card, and verify the signature on the back of the card (you know, that space that says “THIS CARD IS NOT VALID WITHOUT A PRESENT SIGNATURE”) against what you signed on the machine. There are two very key problems with this method. First, your signature on the card NEVER looks like your real signature because the card surface is SLICK, and the pen slips, and it smudges. Second, your signature on the MACHINES never looks like your signature, because it’s like signing your name by peeing into snow. There isn’t enough precision to capture the subtle nuances of a person’s signature.
- On the internet. Online shopping is the new thing. Do you sign anything when you buy stuff on Amazon? No, your zip code is considered your signature online. Do I even have to get into how dumb this is? How insecure? Your zip code is incredibly easy to find in the world. Especially when we hand our driver’s licenses to Jimmy at the market every time we swipe our credit cards (yeah, now you are starting to see the web we’re building).
- Mobile store fronts. We’ve all done these at this point. You are out at a swap meet, or some little shop in the middle of nowhere, and THANK GOD they take credit cards now! How? Little devices that plug into phones or tablets. And in some cases some professional businesses are now using prefab tablet devices with credit card readers built in AS their registers. It’s the future! But now not only are you signing on a touch pad, but usually you are signing with your finger, so this is even WORSE for verifying your signature than the dumb signature pads at the market are.
So really: How confident are you in the current method of signing things? My thoughts: Not very. Signatures suck. So yes, moving to a digital signature might not be perfect security, but honestly. It’s probably a lot better than we have.
We can easily extend this to signing documents. How many documents these days are emailed to you, and then you have to print them, sign them, scan them, and send them back. (Because who has a fax machine anymore? really?)
Now from that, how many documents that you receive in person, COULD be emailed to you instead? I’d say most if not all. Imagine how much paper would be saved if instead of printing/signing/scanning, you could just digitally sign from your computer, or even your phone (wouldn’t be hard to get a reader connected to your phone. easy). What’s more, a printer costs what…Minimum of 20-40 dollars, a scanner…same range. A smart card reader is like 10 bucks. It’s freaking cheap.
So first let me give you a breakdown of two options for improving the system. One is a centralized system, the other is a decentralized system.
In EITHER case you would have to buy a smart card reader for your home computers, but they are cheap, and easily purchased. This is no big deal at all. Also keep in mind that one key part of PKI is that your smart card has a PIN. So it’s not enough for someone to steal your card with your signature, they also need to steal your pin. IE “2 Factor Authentication.” Something you have and something you know. Welcome to IT security 101.
- Centralized
- De-centralized (sort of)
A centralized system is simple, and effective. The idea of this is all the public keys in the country are kept together by a central store, and all certificates are issued by said central source. In this vision someone, let’s say a branch of the government, issues smart cards to people after verifying their identity. My vision for this method is that your digital signature is put into your driver’s license. Your license becomes a smart card; since you have to go to the DMV to be issued your driver’s license anyway, they issue the certificate.
Now when you go to the store and shop, or shop online, or use a mobile store front/phone/tablet thing…You pay with your card, then you insert your driver’s license, tap in your PIN, and it signs the transaction. The credit card company then would confirm the signature against a copy of your public key to verify it’s you. Your public key is available to them from a government store; they can either remotely authenticate against it, or a more convenient/more likely scenario is when you sign up for your card, they would download a copy of the public key, and every so often they would check to make sure it’s not revoked/replaced/renewed with a new key. This is a key point: if your key is STOLEN, it is of course possible to revoke the existing key and reissue a new certificate, something I might add that you currently CAN’T do with your physical signature. Suck on that, pens.
Now the key part of a signature is the idea of TRUST. In this case, trust is provided by the government (and it doesn’t have to be the government, it could be a 3rd party company, but really, this could replace social security cards, and everything would be BETTER). The government says “yes, this signature belongs with Brandon.” Here is the beauty. In a PKI system like this, the centralized store DOES NOT have a copy of your private key, ONLY the public key. So if the government is hacked and all the keys are stolen, they are only getting their hands on PUBLIC information anyway. So it’s FINE.
In reality the system would not be a one-key-one-person kind of thing. In an ideal world you’d have your “identity” key that you’d use for almost nothing; this would be like your social security number. From that you’d spawn sub keys that would act as your interfaces to different companies. Maybe you spawn one for your bank, and provide that directly to the bank. The keys would still be easily marked as YOU because they’d be linked to your primary “identity” key, but it would increase security some. I won’t go into too many details because they aren’t really important to the theory of the matter.
The de-centralized option is more complicated, but also potentially a more secure way of handling things. So let’s imagine that the government isn’t in control of everything. This is the dream for many people; having the government stick their fingers into all the pies is not something everyone is fond of. Above, and in a previous article, I linked to a wiki entry on the web of trust. Expanding this to epic proportions actually creates an interesting cultural web of identity.
So imagine if you will that we start using smart cards as signatures, but that there is no ‘central store’ from the government; instead we generate our own key. How then do we prove that the key belongs to who it belongs to? In a beautiful way! It’s a natural evolution of our current signature system. So let’s start. I’m a young man in a society that has adopted using certificates as signatures. I’m reaching the age where it’s time I take responsibility for my life. So I configure my first key. My core identity. The thing that proves I am me. What do I do? Well, I start by getting my mother and father to sign my key. Thus they prove, to anyone that knows them, that I am me. That gives me a lot of inherited trust. Then as my friends get their parents to sign theirs, I inherit a small portion of that trust by signing my friends’ keys and having my friends sign mine. This creates a basis: I attach my public key to my Facebook, my Google account, my email, or some other public service that I interface with, so people that need to verify my signature can.
Then, I go to sign up for my first bank account. I go into the bank, the bank verifies that I am who I say I am through whatever methods they deem appropriate, then someone in the bank’s trust web signs my key, giving me a huge heap load of trust. Meanwhile I leave a copy of my public key with the bank, so that they can verify my signature when I make purchases with my card, and send me encrypted emails about my account.
When I get a job, my employer then signs and verifies my key, giving me even more trust.
As time goes on, it becomes extremely evident that I am me. There are few gaps in my proof of existence.
The benefit of this system is that A) it doesn’t require a huge infrastructure on the part of the government, and B) the trust evolves more naturally, and is more reliable. You know someone is them, because their entire LIFE is signed onto that certificate.
The drawback is on the other side though… if your identity is stolen, someone gets your key… You have to send a revocation certificate to each place your identity is confirmed, and re-issue a new certificate.
Now in most cases, as I mentioned in the centralized pitch, you would use a sub key for each place you are interacting with, or at least “a key for banks, a key for jobs” that kind of thing. Those sub keys inherit your identity from the primary key, but your primary key holds all the “trust.” Thus if a sub key is compromised then you just revoke the sub key and issue a new one…
The fear though, is that your primary key somehow gets compromised. At this point you essentially have to delete all the years of trust you have established and start fresh, getting new signatures to prove you are you.
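Both pitches, the centralized DMV store and the web of trust, and the sub key / revocation behaviour described for each, come down to the same mechanics: an endorser signs “this name owns this key,” and a relying party walks those signatures back to keys it already trusts. The code below is an added example (not the post’s own code, and not any real DMV or bank scheme) that models exactly that with Go’s standard-library Ed25519. The certification message format, the chain-length bound, and every name and transaction string are assumptions constructed for the example. A merchant that anchors only the DMV key is the centralized model; a verifier that anchors Mom, Dad and the bank is the web of trust; the same code handles both.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// maxChain bounds how many certifications a verifier follows from a key back
// to an anchor. Mutual signatures (I sign my friend's key, he signs mine) form
// loops, so the walk must be bounded or it never terminates.
const maxChain = 4

// Identity is one key pair: the private half stays on the owner's card, the
// public half gets attached to accounts and handed to banks.
type Identity struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity(name string) *Identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Identity{Name: name, Pub: pub, priv: priv}
}

// Sign signs a document (a transaction, a contract) with the private key.
func (id *Identity) Sign(doc []byte) []byte { return ed25519.Sign(id.priv, doc) }

// Certification is an endorser's signature over "this name owns this key":
// the DMV certifying a citizen, a parent or bank signing a key, or a primary
// identity key certifying one of its own sub keys.
type Certification struct {
	Endorser    ed25519.PublicKey
	Subject     ed25519.PublicKey
	SubjectName string
	Sig         []byte
}

// certMessage is the assumed byte layout that gets signed: a label, the name, the key.
func certMessage(name string, subject ed25519.PublicKey) []byte {
	return append([]byte("cert:"+name+":"), subject...)
}

func (e *Identity) Certify(subject *Identity) Certification {
	return Certification{Endorser: e.Pub, Subject: subject.Pub, SubjectName: subject.Name,
		Sig: ed25519.Sign(e.priv, certMessage(subject.Name, subject.Pub))}
}

// Valid checks that the endorser's signature really verifies; a certification
// claiming the DMV signed it but carrying some other key's signature is junk.
func (c Certification) Valid() bool {
	return ed25519.Verify(c.Endorser, certMessage(c.SubjectName, c.Subject), c.Sig)
}

// Verifier is a relying party (merchant, bank, card company). Anchors are the
// keys it trusts outright: just the DMV in the centralized model; the parents,
// banks and employers it already knows in the web of trust.
type Verifier struct {
	anchors map[string]bool
	revoked map[string]bool
	certs   []Certification
}

func keyID(pub ed25519.PublicKey) string { return hex.EncodeToString(pub) }

func NewVerifier(anchors ...ed25519.PublicKey) *Verifier {
	v := &Verifier{anchors: map[string]bool{}, revoked: map[string]bool{}}
	for _, a := range anchors {
		v.anchors[keyID(a)] = true
	}
	return v
}

func (v *Verifier) Add(c Certification) { v.certs = append(v.certs, c) }

// Revoke records that a key (a sub key or a whole identity key) is no longer valid.
func (v *Verifier) Revoke(pub ed25519.PublicKey) { v.revoked[keyID(pub)] = true }

// Trusts reports whether pub chains back to an anchor through valid, unrevoked
// certifications. Revoking an identity key cuts off every sub key it certified,
// because their chains run through it; revoking one sub key touches nothing else.
func (v *Verifier) Trusts(pub ed25519.PublicKey) bool { return v.trusts(pub, maxChain) }

func (v *Verifier) trusts(pub ed25519.PublicKey, depth int) bool {
	id := keyID(pub)
	if v.revoked[id] || depth < 0 {
		return false
	}
	if v.anchors[id] {
		return true
	}
	for _, c := range v.certs {
		if keyID(c.Subject) == id && c.Valid() && v.trusts(c.Endorser, depth-1) {
			return true
		}
	}
	return false
}

// CheckSignature is the register check: the signature must verify under pub,
// AND pub must be a key this verifier has a reason to trust.
func (v *Verifier) CheckSignature(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig) && v.Trusts(pub)
}

func main() {
	dmv, brandon, bankKey := NewIdentity("DMV"), NewIdentity("Brandon"), NewIdentity("Brandon/bank")
	merchant := NewVerifier(dmv.Pub)       // centralized: the merchant trusts only the DMV
	merchant.Add(dmv.Certify(brandon))     // DMV: "this key is Brandon"
	merchant.Add(brandon.Certify(bankKey)) // Brandon's identity key certifies a sub key
	doc := []byte("pay $20.00 to Jimmy's Market") // constructed sample transaction
	fmt.Println("sub key accepted:", merchant.CheckSignature(bankKey.Pub, doc, bankKey.Sign(doc)))
	merchant.Revoke(bankKey.Pub)
	fmt.Println("sub key after revocation:", merchant.Trusts(bankKey.Pub), "identity key:", merchant.Trusts(brandon.Pub))
}
```

Two things in this code are the practical checks the pitches above lean on. First, a verifier that anchors nobody it shares history with (a stranger) gets nothing out of two unknown keys signing each other, however many times they do it, so the bound on chain length is what stops a loop of fake identities from looking like trust. Second, because the sub key’s chain passes through the identity key, the decision of which key to revoke is made by where the break is: lose a sub key and only that sub key is cut off; lose the identity key and everything hanging from it goes with it, which is exactly the trade-off described for the web of trust.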
On the one hand, that is terrible. On the other…It is still better than you can do if someone forges your signature, or steals your social security number.
Again. I’m not saying this is a perfect solution, but neither is our current solution. I like to imagine a society driven by cryptography keys. I think it has an immense potential. Yes, the first few years would be dicey as we wouldn’t have parents to get our initial signatures from…But given a generation or two, man…What a world we could live in. Not to mention, if you are required to sign with a key when you sign up for an email address, or some other account, that leaves the anonymity of the internet intact in the sense that people don’t have to know it’s you…But if you break the law, law enforcement has an easy path to identifying you, thus solving some of the biggest problems in our society right now in one fell swoop.
I don’t know. I think it’s worth thinking about. I think it’s worth talking about. The current solution doesn’t work in society as it is anymore. It’s just a nicety that we use to tell ourselves that our identities are safe. At least, that’s my take on it.