Security-by-credential or security-by-inspection

Joseph Ashwood ashwood at msn.com
Fri Nov 9 12:46:56 PST 2001



----- Original Message -----
From: "Greg Broiles" <gbroiles at parrhesia.com>
To: <cypherpunks at lne.com>
Sent: Friday, November 09, 2001 3:12 PM
Subject: CDR: Re: Security-by-credential or security-by-inspection


> At 01:10 AM 11/9/2001 +0100, Nomen Nescio wrote:
> >[...]
> >A few other irrelevant points have been made.  Given that ID is not
> >perfectly reliable, do we need to tattoo numbers on people's forearms?
> >This is the fallacy of perfection.  ID can be combined with a simple
> >thumbprint for biometric identification (already widely used for cashing
> >checks) and you will raise the cost of forgery considerably.
>
> Bullshit. There's no real-time on-line database of ordinary citizen
> fingerprints available to match versus ID cards, even if the cards (which
> don't exist and haven't been issued) were available.

Then let's make proper use of technology. We want to make sure the ID card
is issued by the correct authority, that's almost exactly what digital
signatures were designed for. Just create some uniform way of computing the
data from the card (easiest would be to just use a plain old-fashioned
smartcard), and check the signature against a publicly known public key.
It's really quite simple.

> So, yeah, sure, thumbprints would let us know if the dead suicide bomber's
> "real name" was really the one he used to rent the truck or buy the plane
> ticket .. or if he just got started on his project early enough to get his
> stolen identity matched to his real fingerprint .. but how, exactly, is
> that going to Save the Children?

That is the far bigger problem. Identifying these people simply won't make
any difference. If a person is intent on being a suicide bomber, they will
blow other people up with them, no matter how well we can make an
identification.

> Can you get that up and running in, say, 60 days?

Couldn't get the thumbprint idea going that quickly, but smartcards and
smartcard readers are already in mass production, making my idea not easy
but possible to get underway in 60 days. Completion, though, would be a matter
of approximately a decade.

> California has been trying for years to get a vastly less ambitious system
> working even a little bit at the Department of Motor Vehicles - at one
> point (several years in) they figured out that they had to throw away
> everything they'd done so far and start all over again. A project like you
> propose in your casual, offhand manner is probably 100 times more expensive
> and more complicated than California's .. but that doesn't seem to scare
> you. The IRS's computer system is in similar disarray - they can't always
> find records or correlate things, and they've gone ahead and assigned
> everyone nice easy numbers, and they operate on a timeframe of months and
> years, not seconds ticking by at a departure gate or a gas station pump.
> The FBI tried to build a database of disqualified firearm purchasers for
> use in the "instant check" process and it's proved to have an error rate of
> between 5 and 10%.

Very good examples of how not to go about it. My idea (while far from
perfect or fully developed) lacks the same bottleneck points: the only
information that needs to be accessed millions of times remains static
across years. With a retrieval rate like that it would be more than possible
to simply broadcast the key over a public broadcasting station alongside
the current time; since nobody is watching anyway, you could easily take over
the closed captioning for a few seconds to send out the key. I'm clearly not
addressing certification of the key as correct, but having the president read
back a hash of it at the State of the Union address (couldn't be any more
boring than the rest) would certainly provide some evidence.

> If the CA DMV, the IRS, and the FBI can't get these sorts of databases up
> and running given their already generous budgets (millions and billions)
> and timeframes measured in years, how can you possibly think that anything
> like this is even possible - even before reaching the "is it a good idea?"
> question.

Agreed.

> >   Many of
> >the hijackers would have been caught simply by cross-referencing their
> >IDs against existing databases.  That's what El Al does and they have an
> >excellent safety record in the most terrorist-infested part of the world.
>
> Hmm. Then it's funny that Mohammed Atta (likely the worst-looking on paper,
> since he's the guy who was meeting with an Iraqi intelligence agent in
> Prague and had outstanding criminal/traffic warrants) was able to clear
> Customs when he re-entered the country.
>
> The "ID card" fairy tale still loses.

I agree, no matter what method is chosen, the possibilities for abuse are
excessive (some of these people can't even be trusted not to use a phone
book improperly; give them some real power and who knows what will happen),
and the value of the target is too great. Let's pretend that my idea is
used. Let's say each card costs $10 to issue. How much is impersonation
worth? Well, for something of the impact of Sept 11 it could easily be
estimated at billions of dollars. That will buy a massive amount of computer
power, a large quantity of the world's best mathematicians, and a
significant amount of time. I don't like the odds of DSA against that; it's
too close to the wire right now, and supplying a target of this size could be
devastating. That leaves RSA variants, but for billions of dollars and a
significant amount of time 2^80 work (SHA1) isn't that much, so some less fully
examined algorithm would have to be used, and that presents its own problems.
Basically the target is simply too big for current standards; once SHA-512
is fully examined there may be a chance, but until then I just don't think
the card-for-everyone idea is cryptographically feasible. The non-cryptographic
methods would pose additional problems because anything that can be
physically made by one person can be physically made by another.

> Further, your "perfection isn't necessary" argument would be reasonable if
> we weren't talking about trying to solve a terrorist problem - but it's my
> impression that's the context of this discussion. The interesting thing
> about terrorism is that its direct effects aren't especially important -
> it's the secondary effects on people not physically affected by the event
> which give terrorism its power. Losing 5000 people in one day to an
> identifiable cause - or the 3 or 4 that we've lost to anthrax - is
> absolutely nothing, statistically speaking. Red meat and cigarettes
> probably kill a WTC's worth of people every day in the US alone - and we
> probably lose an anthrax letter's worth of deaths every day to even more
> obscure stuff like bee stings or wading pools.

That's true, we certainly lose more people to far more mundane things every
day than the WTC tragedy caused. But at the same time you have to realize
that most people don't think about bee stings as a cause of death; they
don't even think about the bed they sleep in as a cause of death (look up the
statistics, it's hilarious), and both of those cause vastly more deaths each
year than terrorism on average. The problem is that the media has hyped this
up, the president's handlers have told him that this is a big deal, and as a
result of this the general populace wants blood. Thinking people know that we
will never eliminate terrorism; well, I guess on a technicality we could, but
it would require extermination of all but 1 human.

>The placebo effect created by these measures [is important]

I think that line says it all.
                        Joe
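The verification scheme Joe sketches (a uniform encoding of the card's data, a signature checked against one static public key with no database lookup, and a hash of that key read back over a separate channel) is shown below as an added example; it is not code from this thread or from any of its participants. It uses Ed25519 from the Go standard library rather than the DSA or RSA variants the post discusses, so the signature algorithm is a swapped-in choice, and the card fields, values and day-count epoch are constructed for the demonstration. It also covers the failure modes a reader would care about: an altered record and an expired card must both be rejected, and two records whose fields merely concatenate to the same string must not encode identically.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// CardRecord is a constructed stand-in for the data stored on an ID card.
// Issued and Expires are day counts from an arbitrary constructed epoch.
type CardRecord struct {
	CardID  uint64
	Name    string
	Issued  uint32
	Expires uint32
}

// canonicalBytes is the "uniform way of computing the data from the card":
// fixed-width big-endian integers and a length-prefixed name, so that any
// change to any field changes the bytes and no field boundary is ambiguous.
func canonicalBytes(r CardRecord) []byte {
	var tmp [8]byte
	buf := make([]byte, 0, 32+len(r.Name))
	binary.BigEndian.PutUint64(tmp[:], r.CardID)
	buf = append(buf, tmp[:8]...)
	binary.BigEndian.PutUint32(tmp[:4], uint32(len(r.Name)))
	buf = append(buf, tmp[:4]...)
	buf = append(buf, r.Name...)
	binary.BigEndian.PutUint32(tmp[:4], r.Issued)
	buf = append(buf, tmp[:4]...)
	binary.BigEndian.PutUint32(tmp[:4], r.Expires)
	buf = append(buf, tmp[:4]...)
	return buf
}

// Issuer holds the issuing authority's key pair; only the public half is published.
type Issuer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewIssuer generates a fresh key pair for the issuing authority.
func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{pub: pub, priv: priv}, nil
}

// Issue signs the canonical record; the signature is stored on the card itself.
func (i *Issuer) Issue(r CardRecord) []byte {
	return ed25519.Sign(i.priv, canonicalBytes(r))
}

// PublicKey is the static value that would be broadcast alongside the time.
func (i *Issuer) PublicKey() ed25519.PublicKey { return i.pub }

// Verify is what a reader at the gate runs: it needs only the published key,
// the card's own contents and today's date, never a central database.
func Verify(pub ed25519.PublicKey, r CardRecord, sig []byte, today uint32) bool {
	if today < r.Issued || today > r.Expires {
		return false
	}
	return ed25519.Verify(pub, canonicalBytes(r), sig)
}

// Fingerprint is the short hash of the public key that can be read out over
// an independent channel to confirm the broadcast key has not been swapped.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

func main() {
	issuer, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	card := CardRecord{CardID: 1001, Name: "A. Example", Issued: 10, Expires: 3650}
	sig := issuer.Issue(card)
	fmt.Println("key fingerprint:   ", Fingerprint(issuer.PublicKey()))
	fmt.Println("genuine card:      ", Verify(issuer.PublicKey(), card, sig, 100))
	altered := card
	altered.Name = "B. Impostor" // same signature, different record
	fmt.Println("altered card:      ", Verify(issuer.PublicKey(), altered, sig, 100))
	fmt.Println("expired card:      ", Verify(issuer.PublicKey(), card, sig, 4000))
}
```

The check at the gate is deliberately stateless: the only thing every reader shares is the public key, which is exactly the piece of data the post argues can be distributed once and verified out of band by its fingerprint.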
