(A)bort, (R)etry, (I)gnore: Perspectives on Information Security

I saw this news tidbit in the Vancouver Sun yesterday morning on the plane back to DC.

The Russian FSB now has the power to open postal mail without a warrant. [ Update: similar shenanigans by the UAE for cell phones. Thanks to Apu K. for the link. -Ed.]

It really doesn’t matter which government or what medium…if there is data of value for either security or economic reasons, laws will be bent or broken to get at it.

“It reminds one of Soviet times. And the worst thing is, the people don’t care.”

“This document carries a technical character,” a ministry spokesman said, denying that security services would see their powers broadened with the decree.

Observations:

1. very curious phrase “a technical character” … meaning “pay no attention to the man behind the curtain!” You simply shouldn’t be concerned because this is a very technical topic and it doesn’t actually mean that you’ve lost rights even though that seems like exactly what we’re doing.
2. cognitive dissonance caused by that last sentence: either the security services already have this power, or the decree is meaningless b/c it doesn’t broaden powers, but on the face, that is what it seems *exactly* to do. Big lies are more easily believed, I suppose, particularly without any counterbalance in views.

Update:

The cognitive dissonance was nicely described as a Jedi Mind Trick. In addition, it was pointed out to me that it is likely that people actually do care, but in the absence of a free media, this sort of thing receives either no attention or only positive attention, and that dissenting opinions are only confined to venues with a purposefully ridiculous nature.

[I originally wrote this essay in early March of 2007 as a reaction to the public request for comments by DHS on the implementation measures of the law. The RealID Act has been analyzed a number of times and is still in the process of being challenged, repealed, and amended by a number of groups. And we still have not seemed to learn how to safeguard identity documents. -Ed.]

The REAL ID Act of 2005 is a controversial U.S. law that establishes standards for State-issued driver’s licenses and identification cards that citizens would use for a “Federal purpose.” The DHS currently chooses to limit the definition of a “Federal purpose” to three activities: gaining access to a Federal facility, boarding federally-regulated commercial aircraft, and gaining entrance to a nuclear power plant. The Act itself was passed as part of a massive spending bill that included provisions for Tsunami Relief — a bill that would have been difficult to vote against. On March 1, 2007, the Department of Homeland Security (DHS) announced draft regulations (a Notice of Proposed Rulemaking, or NPRM) [1] meant to set standards to fulfill the Act’s requirements. The NPRM discusses the information and security features that must appear on each card, the verification process for each applicant’s claim of residence and immigration status, and the physical security of the facilities (including background checks of DMV employees) that issue REAL IDs.

The NPRM claims that REAL ID both increases security and does not substantially threaten privacy [2] because the systems and databases for carrying out the information storage and retrieval remain firmly under the control of the states. This claim has sparked a great deal of controversy, and bills are currently before both the House and Senate to repeal the Act [4]. There are at least two problems with this claim.

First, as many researchers and privacy advocates have pointed out, the Act creates a de facto national ID card, despite protestations to the contrary within the text of the NPRM. The central claim — which can only exist unchallenged in a society that misunderstands the underlying technology — asserts that since the storage of personal information is physically distributed among the States, no centralized Federal database exists.

In our networked society, the distinction between centralized and distributed is almost meaningless. The physical location of data has little to do with whether or not it can be accessed. In fact, the NPRM requires that Federal agents (or even civilian employees like those hired for airport screening) have access to the data when validating an identity. Since it seems likely that such an employee would access this data through a network computing system, whatever software they are using to do so would merely be a veil over a set of linked databases. The NPRM also requires that the States to explicitly share REAL ID information. These requirements create a logical, nationwide, distributed database accessible to Federal employees at will.

Second, establishing identity does not necessarily establish intent or motive [3]. The London and Madrid bombings were carried out by home-grown terrorists. In the U.S., Timothy McVeigh, Theodore Kaczynski, the DC-area snipers of 2002, and the alleged perpetrator in the recent Holocaust Museum shooting [5] would have been able to unabashedly carry their REAL ID as they committed their crimes. Identity does not automatically predict criminal behavior, and assuming that citizenship somehow confers the inability to engage in criminal acts is a faulty judgment at best.

Driver’s Licenses

Driver’s licenses serve as a default method of establishing age or identity in U.S. society. Standardizing the information appearing on a license (which can vary because each State manages its own licenses) as well as the process of verifying this information seems to confer a benefit to at least the people who need to check this information. From this perspective, the REAL ID Act simply proposes to ensure that an inconsistent, distributed identity system contains information in a form suitable for authenticating the bearer to a Federal agency or delegate.

Since licenses routinely serve as the default method of establishing age or identity for most U.S. citizens, the Federal government has to rely on them for certain sensitive situations. But it remains unclear that REAL IDs will substantially improve homeland security. This intangible and unproven benefit does not seem to justify the increased risk that attends a single, highly-trusted identification document and a distributed, highly-accessible database of personal information.

One could see how the underlying thinking here seems rational. For example, we might think that a license conveys information about the level of an individual’s commitment, involvement, or investment in the society that granted the license. A driver’s license provides a very weak attestation of such commitment, but the underlying idea has merit: a Soccer Mom or Nascar Dad that pays taxes, is on the PTA, holds a mortgage, and coaches Little League is probably less likely to engage in the mass murder of fellow citizens.

Let’s undertake a thought experiment. Hypothesis: the government could most readily increase security by issuing tamper-resistant cards that display a number from 0 to 100 indicating the level of a person’s investment in the American Dream. Even this solution is fraught with uncertainty. How is the measure obtained in the first place? What threshold is suitable for disallowing people from boarding a flight? What if the “patriotism level” varies (e.g., it may tend to dip on April 15th)? How can these cards be protected against forgery and theft? Finally, establishing such a score arguably represents a greater government intrusion on a person’s life than the current proposed REAL ID standard. The chief lesson to learn here is that any credential system has problems, and even a credential system that tells the authorities exactly what they want to know (thus providing the greatest security benefit) is far too invasive.

Summary

I’ll close with some mildly disheartening observations. First, the estimated extra wait time per application is 44 minutes. I would expect patient terrorists to find 44 more minutes to be a reasonable sacrifice. Second, even though I know security metrics presents a tough challenge, the hemming and hawing of the “Estimated Benefits” beginning on page 107 and ending on 109 of the NPRM is amusing and saddening.

With all the criticism, the NPRM does have two bright spots: it rejects the use of RFID, saying that “there is not an identifiable need for driver’s licenses and identification cards to be routinely read at a distance.” In addition, the the NPRM concludes that encrypting the machine-readable 2D barcode on a REAL ID would involve a great deal of cost (in setting up and maintaining a key infrastructure) while imparting little increase in security.

The NPRM details no reward for states that aggressively protect their citizen’s privacy, nor does it detail punishment for states that lose, leak, or destroy a citizen’s information. Although the NPRM requires States to assemble a cybersecurity plan, it does not define a concrete method of review and assessment of such a plan, and it seems unlikely that the DHS would revoke a State’s ability to issue REAL IDs or summarily declare existing REAL ID licenses invalid as punitive measures.

References:

[1] NPRM Press Release:
http://www.dhs.gov/xnews/releases/pr_1172765989904.shtm

[2] REAL ID Act FAQ:
http://www.dhs.gov/xprevprot/laws/gc_1172767635686.shtm

[3] Real-ID: Costs and Benefits. Bruce Schneier.
http://www.schneier.com/essay-160.html

[4] REAL ID Repeal and Identification Security Enhancement Act of 2007
HR 1117 IH. http://thomas.loc.gov/home/gpoxmlc110/h1117_ih.xml

[5] Security Guard Dies in D.C. Holocaust Museum Shooting
http://www.cbc.ca/world/story/2009/06/10/washington-holocaust-musuem569.html

Last week, Ron Rivest sent mail to the NIST SHA-3 competition mailing list. In it, he makes a number of interesting points on behalf of his MD6 colleagues. The email starts off by saying:

“We suggest that MD6 is not yet ready for the next SHA-3 round…the submitted algorithm MD6 would need significant speed-up in order to match the SHA-2 speeds on the standard reference platforms [a NIST requirement].”

Their motivation for withdrawing MD6 seems to stem from a concern that the competition should focus on finding a provably secure hash function rather than focus on performance as a more important criteria:

“The MD6 submitters feel that it is extremely important that the final SHA-3 algorithm be provably resistant to differential attacks.  Indeed, it is the surprising power of differential attacks that stimulated the entire SHA-3 competition.”

The problem is that the MD6 team feels that they cannot reduce the rounds in the algorithm to meet the performance demand and simultaneously keep the provable level of security:

“Thus, while MD6 appears to be a robust and secure cryptographic hash algorithm, and has much merit for multi-core processors, our inability to provide a proof of security for a reduced-round (and possibly tweaked) version of MD6 against differential attacks suggests that MD6 is not ready for consideration
for the next SHA-3 round.”

This kind of performance vs. security tradeoff seems central to an information assurance argument. For high assurance apps, I might be very willing to have a slower but more secure hash.

It is a shame that people won’t get to bang on this particular candidate more as part of the official competition, and I think it suggests that NIST should be converging on a suite of hash functions rather than a one-size-fits-all winner. Why does there have to be one overall winner here? Hashes are used in a variety of contexts, and it seems to me that we are going to wind up with “design by compromise” (pun intended).

This seems like yet another fundamental difference from the AES competition. It is fine to have one symmetric key cipher (very specific purpose), but declaring that there is one answer for hashes…seems a bit short-sighted.

Why does having just one standard hash algorithm help? “Helps…” what (or who) do what?

Although having a single general-purpose hashing ‘solution’ (eeek) appeals to me at a high level in terms of having a single best well-understood standard, I think the community has made a mistake in viewing this competition through the experience of the AES lens.

I lurk on the NIST mailing list for this effort, and from my dipping a toe into the message stream now and then, there seems to exist a great deal of mystique and general disagreement among the experts on just what properties a crypto-strength hash should have. And from what I can tell, the disagreement does not seem to mimic traditional minor squabbles, but rather fundamental disagreement as to what is important — and a large part of this disagreement stems from wildly differing use cases for a hash: one-way mapping? HMAC? PRNG? Crypto algorithm building block? Long term integrity check?

Consider also that having a single winner mandated for all government interaction leaves the whole system without a ready backup should a hole be found in the winning candidate….

Smart Energy Grids will save us, the planet, and possibly the universe. We should rest assured that the industry, with the help of smart academics, knows what it is doing:

http://us.cnn.com/2009/TECH/03/20/smartgrid.vulnerability/index.html

Also, industry representatives said, they have no intention of putting an unsafe grid online.

"We are not going to manufacture this car without a seat belt," said Ed Legge, a spokesman for the Edison Electric Institute."


That sounds comforting. But seatbelts don’t do much against side-impact crashes, or alien laser rays, now do they?

[The original email spurred a piece of funny commentary by Sergey about "security by analogy" -Ed.]

Although it should be common knowledge that using the SSN for identification is a bad idea, companies are not prohibited from asking for your SSN [1] and using it as part of an identifier. And some still do.

For example, I recently set up cable service for a bundled TV and Internet package. The phone sales rep insisted that all customers had to provide a valid SSN; I spent a good ten minutes trying to elucidate why. The final reason seemed to be that the cable company (call them Comwarner) still uses the SSN as the primary customer identifier and have no plans to change this. The reason I was given for the actual use was to combine it with the customer name and check for deadbeat ex-customers trying to sign up again. I also assume that Comwarner’s actual database schema probably includes some auto-generated customer identification string, and either the sales rep never sees it (instead, he claimed the system only displays the last 4 digits) or didn’t care to tell me that such a number existed when I asked.

It seems as if signing up a new customer would be the perfect time to switch over to a new ID system in which unique customer identifiers are generated. Unfortunately, nobody has a really good system for helping customers manage all these new unique identification numbers.

I could have easily supplied a fake SSN at that point, but I did not, because I had a sneaking suspicion of what would happen next…

Part of the TV service was the option to have DVR instead of a regular cable box. In order not to pay a hefty deposit, however, they run an “instant credit check” on you. Had I supplied a fake SSN or one that didn’t gel with my name, I would be out a chunk of change, or not be able to automatically record the entire season of…whatever I don’t actually watch anyway.

Private companies are not the Social Security Administration. Doctors, dentists, and utilities do not need a string issued for a specific government retirement program in order to provide service. They might think they do, and the folks on the front lines charged with the responsibility of asking you for this information
are not the ones that created the policy.

The Protect America Act (PAA) was passed in August of 2007. In effect, this ill-considered law re-purposes an existing NSA data collection and surveillance framework to observe domestic conversations. In a succinct article (“Risking Communications Security: Potential Hazards of the Protect America Act”) in the next issue of IEEE Security & Privacy magazine, Steve Bellovin, Matt Blaze, Whitfield Diffie, Susan Landau, Peter G. Neumann, and Jennifer Rexford write about the security aspects (as opposed to the civil liberties concerns) involved in permitting the NSA to spy on US persons. A preprint is available on Steve’s website and from Matt Blaze’s blog entry. The authors are pretty adamant about making sure such a powerful capability is just as powerfully justified and protected: “If security cannot be assured, then any surveillance performed using that system will be inherently fraught with risks that are fundamentally unacceptable.” Note that “fundamentally unacceptable” is pretty direct language (for example, they did not say the system was “unreasonable”, “ill-advised”, or merely “risky”); this type of phrase is as close to harsh criticism that an academic might come in a professional publication.

The ball on this topic got rolling when Susan wrote an op-ed piece for the Washington Post in August 2008 on why it was a bad idea to re-purpose a system built to spy on external entities to begin spying on domestic entities.

The bottom line: the unintended consequence is that such a system is now a really juicy target for foreign entities to spy on domestic entities. It is also ripe for abuse by insiders. The underlying problem is that domestic data will be captured; it is simply too hard to filter out domestic data given the limits of current networking technology. The IEEE S&P article also has a pointer to a very well-written article about the Greek cell phone system compromise; these threats are not theoretical. Asking the NSA to do something that it has no experience (presumably) doing is a bad technical policy, especially since the technology cannot simultaneously meet the demands of the new law and the expectation of privacy derived from, among other things, the 4th Amendment. I suspect that many in the NSA rank & file might agree; this seems to be a situation where everything looks like a nail when all you have is a hammer.