1 / 17

The role of identity

The role of identity. David D.Clark July, 2012. The role of identity. A requirement for identity comes up often: Detect misdirection attacks on communication. Detect invalid (unauthentic) pieces of information.

agrata
Download Presentation

The role of identity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The role of identity David D.Clark July, 2012

  2. The role of identity • A requirement for identity comes up often: • Detect misdirection attacks on communication. • Detect invalid (unauthentic) pieces of information. • Validate identity/authority of incoming connections to prevent infiltration attacks. • Allow application/network to pick desired communication pattern, to insert the desired degree of checking into the path between communicating parties, depending on the degree of trust between the parties. • Hold parties accountable for their actions. • Should a future Internet include identity mechanisms?

  3. Designing identity schemes • There is more than one way we could approach identity. • A private matter among end-nodes. • E.g. encrypted or meaningless except at end points. • Signal of identity that is visible in the network. • Surveillance cameras in cyberspace. • Facilitate both policing (perhaps) and repression. • Third-party credentials vs. continuity-based familiarity. • Revocable anonymity. • Anonymity can only be revoked by its creators. • Probably need all in different circumstances, so architecture should not constrain. • These are not choices to be made by technologists alone. • Need a multi-disciplinary conversation. • I am very fearful of getting this wrong.

  4. Deterrence and identity • Deterrence implies the ability to impose a cost on an actor that carries out an inappropriate action. • Which implies the need to identify the actor. • Which has led to calls in Washington for an “accountable” Internet. • Which could be both ineffective and harmful.

  5. Consider attribution as a tool • Sort out various dimensions of attribution. • Person, machine, aggregate entity. • Private vs. visible. • Identify key non-technical issues • Jurisdiction • Variation in laws and norms • Relate to design of attacks • Multi-stage attacks. • Draw a few conclusions.

  6. Attribution today—packets • At the packet level, IP addresses. • Directly identify a machine. • Only indirectly linked to person. • DMCA and the RIAA. • Rules depend on jurisdiction. • Can be mapped (imprecisely) to larger aggregates such as countries and institutions. • Commercial practice today for web queries. • Can be forged, but too much is made of that. • Can be observed in the network by third parties.

  7. Attribution today--applications • Many applications include methods by which each end can verify the identity of the others. • Banking. • Sometimes a third party is involved. • E-commerce, certificates. • Sometimes the identity is private to the parties. • Self-signed certificates. • Sometimes the goal is “no identity”. • Sites providing health information. • Identity information can be hidden in transit.

  8. A seeming dichotomy • Two kinds of attribution. • Machine-level visible to third parties. • Personal identity selectively deployed and private to the end-points. • Is this structure an accident? • Not really. • Consistent with a general approach to do “no more than necessary” as a requirement.

  9. What sort of deterrence? • Criminal prosecution. • Might seem to require “person-level” identity of forensic quality. But this may not be right. • Prosecutors like physical evidence. • Use of network-based attribution may be more important in guiding the investigation. • Espionage • Often want to assign responsibility to an institution or a state. • Cyber-warfare • Again, need state/actor-level attribution.

  10. Anti-attribution • Critical for many purposes. • Current approaches: • TOR • Freegate • VPNs. • Note: they serve to mask IP-level information.

  11. Designing attacks • Many attacks are “multi-stage”. • Person at computer A penetrates machine B to use it as a platform to attack machine C. • DDoS is obvious example, but not only one. • Intended to make attribution harder. • Attackers are clever. • A form of identity theft. • Tracing an attack “back to A” implies: • Support at intermediate points: issue of jurisdiction. • Use of machine addresses.

  12. Issues of jurisdiction • Many sorts of variation. • Rules for binding identity to IP addresses. • Rules for when this can be disclosed. • And to whom. • Support for timely traceback of multi-stage attacks. • Attackers “venue-shop”. • Might imply a two-level response. • Both at the actor and the jurisdiction level.

  13. Identity schemes invite deception • Both a human and a technical problem. • How do you know what information to trust? • Credentials? Continuity? • Collaborative filtering (trust again). • Identity itself should be rich and heterogeneous • Integrity through availability. • How can we avoid illusion on the screen? • Remember that a human is not always present. • Need ability (perhaps in restricted circumstances) to delegate decision to a program.

  14. Some conclusions • IP addresses are more useful than sometimes thought. • Any proposals/policies for better attribution should take into account: • Multi-stage attacks. • The need for “anti-attribution. • Cross-jurisdiction issues are central. • Within one jurisdiction, with a single stage activity, RIAA has demonstrated deterrence.

  15. More conclusions • Research should focus on mitigating multi-stage attacks, not “better tools for identity”. • Multi-stage attack imply identity theft. • Solutions will not be purely technical. • Redesign of applications can mitigate many problems. • Problems arise at that level… • Integrate attribution into the application in ways consistent with needs of the dominant actor. • Tight controls or none, depending on circumstances. • Different patterns of communication.

  16. A final issue—private association • An essential characteristic of a civil society is freedom of association. • Can join and leave groups at will. • Can participate without fear or harassment. • “Private association”. • Protection can be legal or technical. Should we try for technical? • Any form of identity revealed in the network provides a basis for third parties to observe patterns of association. • In vocabulary of security: traffic analysis. • But this is what is being called for to attribute bad actions to perpetrators. • What constitutes a bad action, and who gets to say? • Technology works the same everywhere.

  17. My conclusion • Better tools for personal attribution should not be a primary part of a future Internet. • Does not do much good; does much harm. • Applications should tailor their use of identity to the specifics of the situation.

More Related