Transcript slides
Identity Management is What is the question? • what are risks to mitigate? • what are the new risks created by trusting the ID management? • what are the new risks created by – ID fraud or failure – malicious abuse of ID recovery – denial of service • You may think you are building one thing but if it works, it will become another What is the Question? • Targeted Ads Public Services & Finance When the Real Merges with the Artificial? “Identity Providers” Provide • • • • • • Fraud prevention & detection Payment DRM Resource allocation Personalization & price discrimination Filtering Reputations Systems – Assume strategic behaviors by opponents – Always linked to persistent pseudonym – Low end reputation systems merge with rating systems • Examples: eBay, slashdot, political blogs, kazaa – Reputation designs have assumptions about fluidity of community • embeds identity in a community Bit Torrent – – – – Swarm downloading No static reputation Must upload in order to download NO assumptions about community Who Is an ID Provider • Amazon Honor System • Small payments for web sites not accepting cash • Rollout in the blog and open source communities • Micropayments from pre-established accounts – Fraud prevention & detection, Payment, Resource allocation – Personalization & price discrimination, Filtering • FaceBook – Places identity in a community – Available to employers • martial status, orientation, religion, political interests • cultural indicators • are you one of us? – Personalization & price discrimination, Filtering, resource allocation? Rating Systems • Assume passive acceptance of ratings, active rating parties • There may be no identity or account information • Work on “wisdom of crowds” – integration of many low quality signals is better than a single signal • Examples: eopinions, Zagats • Web site rating based on shared history and community behavior Securing the User: Account Management as Privacy Service • Series of failed third party payment and privacy management systems – – – – – generate one time credit cards decrease spam by creating single-merchant emails protect physical location information decrease fraud for merchants and subscribers generate individual credentials No Single Identity • Identity systems determine fraud tolerance – any entity with equal or more tolerance will seek to free ride – any entity with more tolerance will under-invest in protecting the identifier – identifiers • free riders • tragedy of the commons • risk shifting – MySpace – solving this requires better systems, as well as better regulation Securing the User on the Network – – – – Identity based cryptography Sender ID Domain Keys IPv6 Identity Based Cryptography Implications – If eBay signed all outgoing emails at server, no phishing and no masquerade – Incoming server could examine email and identify genuine emails, inside the trusted network – Select customers could be given authentication for customer subgroups • e.g., Bank of America with Comcast address – Has the potential to retain the value of the merchant-customer email channel in the face of massive phishing – Can be implemented ad-hoc Identity -Based Cryptography – – – – – Domain Specific Master Key A Master secret key for each domain Master secret key generates individual keys Individual keys are distributed using trusted network Individual secret key has public key Anyone can generate the public key knowing the identity string and master secret key » identity key confirms email, domain association » domain association can confirm other attributes » 20 ms per email for sig/verify » compatible with current email via headers [email protected] [email protected] [email protected] Microsoft Sender ID – Check that TCP/IP addresses are correct all along the loop – Cannot address NAT – Cannot address botnets or subversions of networks – Requires large-scale coordination for rollout Yahoo Domain Keys – – – – Authenticate DNS with traditional cryptography Authenticate emails as sent from domains Traditional PKI structure Problematic for political reasons, requires coordination – In summer of 06, AOL rejected gmail email because of domain-key based spam Design for the Network or the Human? • Start with human trust behaviors • Trust – Used for simplification – Encompasses discrete technical problems • privacy, integrity, data security – Embeds discrete policy problems • business behavior, customer service, quality of goods, privacy Usability on the Surface • Does What we Built Work? – – Toolbars, do people pay attention? Signed Email, tor – Seals – SSL • • • can you install it can you use it can you detect it? • A triumph of style over substance • • what is that funny lock and what does it mean? economics is NOT the same as business Dominant Trust Communication Beyond Interface Deep • Security people may want – surveillance as prevention – information more than privacy provision • Not built for the way people act – would that be a 7.2 privacy preference? – do you trust more or les than 17% – we’ll helpfully stop you from lying in any circumstance • With appropriate risk communication, signaling, etc – examination of how humans evaluate risk – computer security -- decision-making under uncertainty Security and Processes Business processes Organizational processes Security aligned with users and processes to the extent that this is possible Users subvert security when it violates privacy provides nonrepudiation for all actions (blog, IM) prevents use of media or it is simply in the way human risk behaviours are fairly consistent trust pictures of faces, discount risks Trust and Context vs. Resource Verification Resources are often fairly easy to identify as “good” or “bad” in physical realms Trust and Context vs. Resource Verification Resources are often fairly easy to identify as “good” or “bad” in physical realms Trust and Context Fewer signals in economic terms Less usable in design terms Standing on the Toenails of Giants? • Economics – Behavioral – Rational • • • • • • • adversaries prefer to limit conflict scope credible commitment the advantage of closing off options tipping small incentives CENTRALIZED PLANNED ECONOMIES DON’T WORK distributed mechanisms, coordination at the low level Behavioral Economics implies Usability – usability studies – involving designers at an earlier level – what do users understand? • wireless & broadband – wide spread deployment by non-experts – botnets, e.g., home users, major tier 1 threat – Usability in Depth implies economics • Interface • Interactions • Incentives – is it rational to design for humans as if they were machines? • Social context • Human and Organizational requirements Net Trust Building from Theory • Using Social Context to Build Digital Context Beyond Trusted Third Parties • Giving users their own histories – This is a new site you have never visited – This site has no domain name, just a IP address • in a more meaningful manner, e.g. alert – FDIC says this in not a bank – BBB says YUCK – Your friends haven’t visited this site • As opposed to – Verisign has not approved this certification Identity Systems • Place risk on responsible party – instant credit == instant loss – no distribution of some loses • the police will not risk liberty to enforce your cheap business plan • Do not allow risk-shifting to – citizens • pay for construction, maintenance through taxation • pay for financial failures in personal lives • law enforcement implements prosecution of the victim or perpetrator of crime • there is no cost to the creator of the risks Educate the Individual • Education without empowerment is useless – risk that could be decreased is instead shifted – empower by design and regulation