Transcript slides
Identity Management is
What is the question?
• What are the risks to mitigate?
• What are the new risks created by trusting the ID management?
• What are the new risks created by
– ID fraud or failure
– malicious abuse of ID recovery
– denial of service
• You may think you are building one thing, but if it works, it will become another
What is the Question?
• Targeted Ads
• Public Services & Finance
• When the Real Merges with the Artificial?
“Identity Providers” Provide
• Fraud prevention & detection
• Payment
• DRM
• Resource allocation
• Personalization & price discrimination
• Filtering
Reputation Systems
– Assume strategic behaviors by opponents
– Always linked to a persistent pseudonym
– Low-end reputation systems merge with rating systems
• Examples: eBay, Slashdot, political blogs, Kazaa
– Reputation designs have assumptions about the fluidity of the community
• embeds identity in a community
BitTorrent
– Swarm downloading
– No static reputation
– Must upload in order to download
– NO assumptions about community
Who Is an ID Provider
• Amazon Honor System
• Small payments for web sites not accepting cash
• Rollout in the blog and open source communities
• Micropayments from pre-established accounts
– Fraud prevention & detection, Payment, Resource allocation
– Personalization & price discrimination, Filtering
• Facebook
– Places identity in a community
– Available to employers
• marital status, orientation, religion, political interests
• cultural indicators
• are you one of us?
– Personalization & price discrimination, Filtering, resource allocation?
Rating Systems
• Assume passive acceptance of ratings, active rating parties
• There may be no identity or account information
• Work on “wisdom of crowds”
– integration of many low-quality signals is better than a single signal
• Examples: Epinions, Zagat
• Web site rating based on shared history and community behavior
Securing the User: Account Management as Privacy Service
• Series of failed third-party payment and privacy management systems
– generate one-time credit cards
– decrease spam by creating single-merchant emails
– protect physical location information
– decrease fraud for merchants and subscribers
– generate individual credentials
No Single Identity
• Identity systems determine fraud tolerance
– any entity with equal or more tolerance will seek to free ride
– any entity with more tolerance will under-invest in protecting the identifier
– identifiers
• free riders
• tragedy of the commons
• risk shifting
– MySpace
– solving this requires better systems, as well as better regulation
Securing the User on the Network
– Identity-based cryptography
– Sender ID
– Domain Keys
– IPv6
Identity-Based Cryptography
Implications
– If eBay signed all outgoing emails at the server, no phishing and no masquerade
– Incoming server could examine email and identify genuine emails, inside the trusted network
– Select customers could be given authentication for customer subgroups
• e.g., Bank of America with Comcast address
– Has the potential to retain the value of the merchant-customer email channel in the face of massive phishing
– Can be implemented ad hoc
Identity-Based Cryptography
• Domain-specific master key
– A master secret key for each domain
– Master secret key generates individual keys
– Individual keys are distributed using the trusted network
– Individual secret key has a public key
– Anyone can generate the public key knowing the identity string and master secret key
» identity key confirms email, domain association
» domain association can confirm other attributes
» 20 ms per email for sig/verify
» compatible with current email via headers
Microsoft Sender ID
– Check that TCP/IP addresses are correct all along the loop
– Cannot address NAT
– Cannot address botnets or subversions of networks
– Requires large-scale coordination for rollout
Yahoo Domain Keys
– Authenticate DNS with traditional cryptography
– Authenticate emails as sent from domains
– Traditional PKI structure
– Problematic for political reasons, requires coordination
– In the summer of 2006, AOL rejected Gmail email because of domain-key based spam
Design for the Network or the Human?
• Start with human trust behaviors
• Trust
– Used for simplification
– Encompasses discrete technical problems
• privacy, integrity, data security
– Embeds discrete policy problems
• business behavior, customer service, quality of goods, privacy
Usability on the Surface
• Does what we built work?
– Toolbars: do people pay attention?
– Signed email, Tor
– Seals
– SSL
• can you install it?
• can you use it?
• can you detect it?
• A triumph of style over substance
• what is that funny lock and what does it mean?
• economics is NOT the same as business
Dominant Trust Communication
Beyond Interface Deep
• Security people may want
– surveillance as prevention
– information more than privacy provision
• Not built for the way people act
– would that be a 7.2 privacy preference?
– do you trust more or less than 17%?
– we’ll helpfully stop you from lying in any circumstance
• With appropriate risk communication, signaling, etc.
– examination of how humans evaluate risk
– computer security -- decision-making under uncertainty
Security and Processes
• Business processes
• Organizational processes
• Security aligned with users and processes, to the extent that this is possible
• Users subvert security when it
– violates privacy
– provides nonrepudiation for all actions (blog, IM)
– prevents use of media
– or it is simply in the way
• human risk behaviours are fairly consistent
– trust pictures of faces, discount risks
Trust and Context vs. Resource Verification
• Resources are often fairly easy to identify as “good” or “bad” in physical realms
Trust and Context
• Fewer signals in economic terms
• Less usable in design terms
Standing on the Toenails of Giants?
• Economics
– Behavioral
– Rational
• adversaries prefer to limit conflict scope
• credible commitment
• the advantage of closing off options
• tipping
• small incentives
• CENTRALIZED PLANNED ECONOMIES DON’T WORK
• distributed mechanisms, coordination at the low level
Behavioral Economics implies
Usability
– usability studies
– involving designers at an earlier level
– what do users understand?
• wireless & broadband
– widespread deployment by non-experts
– botnets, e.g., home users: a major tier 1 threat
– Usability in Depth implies economics
• Interface
• Interactions
• Incentives
– is it rational to design for humans as if they were machines?
• Social context
• Human and Organizational requirements
Net Trust Building from Theory
• Using Social Context to Build Digital Context
Beyond Trusted Third Parties
• Giving users their own histories
– This is a new site you have never visited
– This site has no domain name, just an IP address
• in a more meaningful manner, e.g., alert
– FDIC says this is not a bank
– BBB says YUCK
– Your friends haven’t visited this site
• As opposed to
– Verisign has not approved this certification
Identity Systems
• Place risk on responsible party
– instant credit == instant loss
– no distribution of some losses
• the police will not risk liberty to enforce your cheap business plan
• Do not allow risk-shifting to
– citizens
• pay for construction, maintenance through taxation
• pay for financial failures in personal lives
• law enforcement implements prosecution of the victim or
perpetrator of crime
• there is no cost to the creator of the risks
Educate the Individual
• Education without empowerment is useless
– risk that could be decreased is instead shifted
– empower by design and regulation