Passwords, Open ID, and “Information Cards”
August 12th 2008 09:48 am
Randall Stross/Digital Domain has posted a NYT story on passwords, Open ID, and Information Cards.
The “Information Card Foundation” is only a few weeks old, and the technique is trying to solve problems with both passwords and with Open ID. The posting roasts the old chestnuts about how bad passwords are (does anyone really need convincing?), then roasts Open ID a bit, and then introduces Information Cards, a slightly more flexible but still vulnerable technology.
Personally, I’m not convinced that Information Cards are any safer or easier to use than Open ID can be.
I’m interested in the claim that 50 million people use Open ID. I tried setting it up on my blog and the software doesn’t work. I should try it again, since both the blog and the Open ID plugin have been somewhat upgraded.
Information Cards
There seem to be three arguments in favor of Information Cards:
1. Information cards are easier to use.
In particular, they claim that you simply click on a desktop icon and the authentication can take place without human intervention. This can be a very powerful way of doing it. However, this means that the owner’s credentials are embodied in a data file. Now we have to both protect the data file and we have to distribute it to any and desktop the user might want to use.
2. Information cards can be tailored to different policy requirements
The Information Card mechanism (they have a bunch of specialized jargon I haven’t bothered to learn yet) seems to consist of a container with individual ‘cards.’ Separate applications or web sites can have separate cards, to mirror the notion of a wallet with different cards for different authenticated activities. Thus, you don’t have to use the same authentication credential for both strong and weak applications.
3. Separate information cards apparently can reflect different identities
The system admits the notion of anonymity through the use of ‘sock puppet’ identities. In other words, the system lets you establish a differentidentity – possibly with different details of name, address, and so on – on different cards.
Open ID Versus Information Cards
Some arguments against Open ID have merit, some seem trumped up or based on incomplete information.
1. Open ID is password based
In fact, Verisign/Network Solutions (are they still the same or did they split? I can’t keep it straight) offers an authentication service that interoperates with Open ID and uses SecurID tokens. If I ever get Open ID to work on my blog, I might spring for one of those, if only for the hack value of having one.
2. You can’t do sock puppets with Open ID
This appears to be a real problem. On my blog I maintain two user IDs: one to log in as admin and another to log in as ‘me’. It would be nice to select among them for Open ID. There are ways to extend Open ID to do this, but they depend on the Open ID server.
At the moment, you probably need to set up multiple Open ID credentials to log in as separate identities on typical web sites.
3. You use the same credential for high and low assurance
This isn’t necessarily a problem, assuming that there’s no transitivity, or risk of a “man in the middle” attack.
In other words, if you can log in to a low assurance site as “president.gov” then the site should not have any way of using that credential to send authenticated messages or commands to a high assurance site.
4. Moving the credentials around: the “traveling user problem”
I suspect it will be easier to carry Open ID credentials from one desktop to another. It seems clear that information cards are tied to a data file that undoubtedly contains cryptographic credentials. We don’t want attackers to be able to steal such files and masquerade as the owner.
However, these information card data files will become a prime target for rootkits.
If the technology is going to work, then we should be able to post information card files on the Internet and attackers shouldn’t be able to crack them. That’s a tall order.
One Response to “Passwords, Open ID, and “Information Cards””
Leave a Reply
You must be logged in to post a comment.
Thank you for mentioning rootkits!
But there is more!
Information Cards will only be secure if there are real separate cards, using embedded cryptography, in use: every security measure running directly on a PC only is vulnerable (see rootkits), and virtual Information-Cards (which are only data stored on your computer), are an invitation to pishers! They only have to upload this Information-Card Data from your Computer, and pishers get everything they like to have!
Why? There is a not curable flaw:
Everything running directly on a PC (specially with MS-Software) can be faked or spied on.
The only thing which helps is an external ID (Card or USB-Dongle) with embedded Microprocessor which handles all the communication with embedded cryptography and refuses to be spied on.
Everybody involved, but specially a readership that is no expert in security and privacy has to know this! People should know the limits and drawbacks of security. Otherwise a new circle of Insecurities and Security Breaches and even loss of personal identity Data may follow.
And, bye the way:
Information Card Users give their essential personal identity data to the companies which are issuing the Information Card – that is another vulnerability. These Companies have all the personal identity data and the possibility to access all WEB-based connections. Who is supervising these Companies? Remember lost data reported in the press?
Bluebee on 13 Aug 2008 at 3:54 pm #