The information in this weblog is provided "AS IS" with no warranties, and confers no rights.
This weblog does not represent the thoughts, intentions, plans or strategies of my employer. It is solely my opinion.
All content is protected under copyright.

Welcome to J.P. Stewart's Weblog!


For questions or comments send email to jp -AT- jpstewart.org.


Techno Standards
Thu Mar 4 01:17:18 2004

Well I figured that I should finish my entry about which tech standards are not up to par yet...

I need to apologize because there is a very good possibility that I may repeat some of the things that I covered in my last article. This is mostly because I was SOOO tired when I wrote it, and don't remember much from it. Sure I could go back and read it all, but I would rather stick to what my entries have always been and that is flash in time brain dumps.

So, where I left off...

Public security trust mechanisms:
This area is really interesting. There are A LOT of technical solutions in this area. They seem to center around some major security concepts as well. The first concept is identity. You have to be able to have some sort of identity, whether it's a name, a number, a picture, or a GUID. Some value must exist which is tied to you. In some cases this value is a PART of you (iris, finger, hand, or face print). Then there are cases where this id is something that you created and it is only tied to you because at some point in time when your identity was created you were able to specify it. There are also cases when this id is something which was given to you by others. This can usually be either some sort of card or device which contains some OTHER token matching your concept of identity with whoever you are identifying with.

And while I touched on this a bit, there is a whole other system which is dedicated to verifying that the identity provided at some later point in time is actually the identity which you provided earlier or was assigned to you (or a part of you) depending on the specific case. This action can go several routes as well, from using one-way hashes which are compared with earlier created one-way hashes to comparing biometric data which was collected earlier. (I will go into this more in a bit, but for now this is just an overview.)

Then finally there is the question of trust as well. This is a funny notion because the definition of it fundamentally depends on the system in which the person is being trusted. For instance the level of trust that exists in a system such as package tracking is much different than the level of trust needed in a community forum where others can voice opinions, which is still different from the level of trust at an online bank site.
There is one more item which is usually included in this bunch and that is encryption, but quite often that is actually more of an implementation thing and does not always relate directly to trust.

So first of all, I should point out that nothing is perfect and every system has some holes. You just want the holes to be in the right system depending on your uses for it. Our society does not always like that notion though. One example (maybe not the best) is CDs. When they started storing music and started becoming a standard they started getting used for other things as well such as data for a computer. Now I am not arguing this decision as I think that we would not be where we are today without this, but still I am not sure if the person or people that started thinking of alternative ways to distribute music ever saw the CDRW coming. That being said, the assumption that you can trust the contents of a CD because there is no way for just "anyone" to create one was thrown out the window when CDR and CDRW drives became popular (I know I got mine in 1997...how about you?). That does not mean that the standard by which music is stored on CD or the people who came up with the system were flawed, it just means that things change. The same is true in other areas as well, and if there is anything else that you take away from this paragraph, I hope it is the fact that things change and what we may depend on as the key to trust and/or security for something may change in the future and that trust may be affected.

So what do we usually use as identity? Well for the most part there are two major forms: Usernames and Email addresses. Of course email addresses have a user name in them, but the email address also gives the concept of some greater more unique realm that the user can be a part of (thereby allowing there to be more than one "Joe": [email protected] vs. [email protected]). Then again, there are new systems being developed where the identity is simply a hash/number/GUID which is generated based on your face/eye/hand/thumb print. In the end though, it always comes back to the concept of "you". So these are all things that are also designed to be unique. Surely everyone is thinking that no two email addresses can be the same and that no one has the same fingerprint or those other biometric features. This of course seems true. And as I see it, probably is. But it should be noted that it IS a dependency, and should this dependency be broken or not valid anymore, then the whole system is not valid anymore.

Then of course there is proving our identity. The most common way to do this is either with some kind of secret phrase (password, private certificate, PIN), or again by some biometric process that is physically linked to YOU. This part of the process has many MORE dependencies. For instance, this depends on the fact that your password is not blank, you have not told it to someone, someone else cannot obtain it through some other means, and there is no other method by which I can provide the same information as you would. Isn't that a wild concept? I can provide YOUR username AND YOUR password...and wow...hey, suddenly I am YOU. And all this not from something that was designed poorly or because something broke, but just because an assumption (my secret information is always secret) was broken at some point.

And then of course there is the issue of trust. Once I have validated who you say you are to the best of your ability, how much should I actually trust what you send to me? There are two aspects of this. One is easier to solve than the other, BUT they both have vulnerabilities. The first aspect is usually technical. We live in a world where information now travels on vast networks and goes through hundreds of devices before it gets where it needs to go. How do we make sure that the information is not tampered with (that the information is the same when I created it as it was when you received it)? This problem has been thought about a lot by a lot of smart people. As I said the last time there are various solutions for this, but the most common that we have, and the one used almost everywhere in some form, is certificates. When you go to an HTTPS page, you use the certificate that page presents you to encrypt data and thereby ensure that no one else can see it. (Note that this does NOT add client trust, but only provides server trust. There ARE systems that are somewhat widely used (client certificates) which provide BOTH sides of trust.) For the most part this trust is rooted in the fact that whoever issued the server certificate must ALSO be someone you trust and thus a chain of trust is created. There is no way to automatically trust any certificate without either trusting who issued it or already trusting it to begin with. This is obviously by design. Well, this makes things kind of difficult for those with servers, so the solution was to include some common entities that issued certificates into the operating system. Verisign, Thawte, and GTE are examples of this. By default Windows XP machines will trust servers that present certificates signed by these providers. What does this mean? This means that the concept of trust usually depends on you REALLY trusting the person who vouches for the end user.
How much do you REALLY trust Verisign, Thawte, and GTE Cybertrust? I am not sure, but I would not be surprised if they all had different policies, different prices, different clients, etc. They supposedly have rigorous standards though, and the entire security mechanism used most places on the internet (and in MANY more places than just between the browser and a web server) depends on this trust. This again...is a dependency and while things work great now, all it takes is for one rogue person/attacker/mistake/bad cert and the whole system can be thrown off. I don't see that happening, but I DO warn my colleagues that it is not good to have all these dependencies without understanding them.
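The chain-of-trust rule described above (a certificate is accepted only if you already trust it or trust whoever vouches for it), worked through as an added example that is not code from this weblog. It assumes a toy model: textbook RSA over small fixed primes stands in for real X.509 signatures, and every name (`Example Root`, `Other Root`, `shop.example`) is constructed.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def keypair(p, q):  # toy textbook RSA from fixed primes: NOT secure
    return {"pub": p * q, "priv": pow(E, -1, (p - 1) * (q - 1))}

def _digest(cert, n):
    body = f"{cert['subject']}|{cert['issuer']}|{cert['pub']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, subject_key, issuer, issuer_key):
    """The issuer vouches that `subject` owns this public key by signing it."""
    cert = {"subject": subject, "issuer": issuer, "pub": subject_key["pub"]}
    cert["sig"] = pow(_digest(cert, issuer_key["pub"]), issuer_key["priv"], issuer_key["pub"])
    return cert

def signed_by(cert, issuer_pub):
    return pow(cert["sig"], E, issuer_pub) == _digest(cert, issuer_pub)

def validate(chain, trust_store):  # chain is leaf-first; store maps name -> trusted key
    for pos, cert in enumerate(chain):
        if trust_store.get(cert["subject"]) == cert["pub"]:
            return True, f"{cert['subject']} is already trusted"
        if cert["issuer"] in trust_store:
            ok = signed_by(cert, trust_store[cert["issuer"]])
            return ok, f"vouched for by {cert['issuer']}" if ok else "bad signature"
        parent = chain[pos + 1] if pos + 1 < len(chain) else None
        if parent is None or parent["subject"] != cert["issuer"]:
            return False, f"nobody trusted vouches for {cert['subject']}"
        if not signed_by(cert, parent["pub"]):
            return False, f"bad signature on {cert['subject']}"
    return False, "empty chain"

def demo():  # every name and key below is constructed for this example
    pairs = [(61, 89), (107, 127), (61, 107), (89, 127), (61, 127)]  # Mersenne prime exponents
    root, inter, site, other, impostor = (keypair(2**a - 1, 2**b - 1) for a, b in pairs)
    chain = [issue("shop.example", site, "Example Intermediate", inter),
             issue("Example Intermediate", inter, "Example Root", root)]
    store = {"Example Root": root["pub"], "Other Root": other["pub"]}
    self_signed = [issue("shop.example", impostor, "shop.example", impostor)]
    return {
        "normal": validate(chain, store)[0],
        "tampered": validate([dict(chain[0], subject="bank.example"), chain[1]], store)[0],
        "self_signed": validate(self_signed, store)[0],
        "self_signed_already_trusted": validate(self_signed, {"shop.example": impostor["pub"]})[0],
        "root_removed": validate(chain, {"Other Root": other["pub"]})[0],
        "issued_by_other_root": validate([issue("shop.example", impostor, "Other Root", other)], store)[0],
    }
```

The last case is the dependency in question: the client accepts a `shop.example` certificate from any issuer in its trust store, so the store is only as strong as its least careful entry.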

Relying on two or three layers (as described above) is usually pretty good because you are assuming that not all will fail...but when you make the decision to rely on only one item, whether it's to rely on identity (as many blog comment sections do), to rely just on a password as many more places do, or to rely only on a certificate trust (which again many places do), if that one item fails, then trust/security is lost.

Now there is one more thing that I did not cover above. I suppose that is because I wanted to rant a bit and was on a roll. That is that once you have used all of the other factors, how do you actually trust the person underneath the technology, and what do you do to ensure that they cannot take advantage of you. Well, as I mentioned before there are solutions to this already. I don't think that there are great solutions yet. We need something as standard as all the other areas that I just mentioned above. As I mentioned before, PGP (which provides identity, passwords, encryption, and trust) allows people to sign your certificate thus saying that they trust you. The more signatures that you have, the more that you are likely to be trusted. There are other tools that are starting to do this as well. For instance orkut (www.orkut.com) provides a way to rate your friends on a trust scale. It's VERY basic, and crude, but the concept of having everyone that you know rate how trustworthy they think that you are anonymously seems like a great way to determine how trustworthy you actually are. As always there are technical problems and solutions associated with this, but I think that I will leave that for others. I am really not sure what the BEST way to deal with this really is, but one thing is for sure: lots of people are thinking about it, and plenty of people are coming up with ideas for implementations as well.

Well, there I have gone and spent all the time that I would have taken to talk about other technologies' follies and just talked about security and trust...that's what I get for actually working in security I suppose.

So you're just dying to know where techno in the title comes from right? Well yesterday (Tuesday) I got to go see The Crystal Method downtown at the Showbox. It was an awesome show. I really like tCM. I really like their older stuff better, but lucky for us they played their older stuff. One of the friends that I was with took some pictures 1 2 3 4 5 6. I am waiting for pictures here as well. I may be in one. :)

Well, I have gotten to ride the new bike a few times since I bought it, and it's darn fast. That is for sure. I am really glad that I took the course. They are really able to teach some important skills that apply to all bikes. I think that I would have really had problems without the class. Also, I recognize that I am not an expert either; I am still learning many things. I stalled while trying to start at a green light facing uphill. That's pretty embarrassing. I hope that I will get used to it at some point, but I just need to practice.

Also, the picture of my bike that I included earlier was the factory pic and did not exactly match mine. (go figure) Here is an ACTUAL picture of the bike that I took the other day:

(Feel free to email me for more pics)

Until Later... J.P.

References: http://blogs.msdn.com/jledgard/archive/2004/02/23/78893.aspx

Posted by: j.p.





© 2002 - 2024: J.P. Stewart, All rights reserved.