Invariant Properties


Introduction to Digital Certificates, Part 2: IDs

Bear Giles | May 29, 2012

This is part of a series on Digital Certificates.

  • Introduction
  • IDs
  • X.509v3 Certificates
  • Creating Certs with Bouncy Castle
  • RA, CA and repository

Before we get into the details of digital certificates we need to take a big step back and ask what an ID means in the big picture.

Any ID has several mandatory characteristics:

1. it is tangible. (Yes, computer files are tangible.)

2. it identifies a “subject”. For instance, the citizen named on a passport, the driver named on a state driver’s license, the employee, the student.

3. it identifies an “issuer”. In the examples above this is the country issuing the passport, the state issuing the driver’s license, the employer, the school.

4. it has some way to bind the subject to the person or organization. At a minimum it’s a photograph and/or signature, perhaps with basic biometric information like height and weight.

5. it has some way to bind the issuer to the document. For an employee badge or student ID this might just be a logo. For high security documents you may add watermarks, holograms or even laminated layers containing fluorescing content.

6. it is reasonably immutable.

An ID may include additional characteristics:

1. a unique serial number.

2. an expiration date, and possibly a ‘not valid before’ date as well.

3. usage restrictions. (E.g., there may be driving hours restrictions on a driver’s license.)

4. alternate names for the subject or issuer.

Vulnerabilities and Attacks

What are the vulnerabilities of IDs? How can they be attacked? Entire books have been written on this subject but we can quickly hit the highlights.

Impersonation

We can check that the person presenting the ID matches the description on the ID… but how can we trust that the person going to the issuer isn’t impersonating somebody else? It’s a valid ID issued to the wrong person.

What about the issuer itself? How can we trust the issuer is who it claims to be? Consider the classic student fake ID.

Outdated Information/Revocation

What do you do when the subject dies (if a person) or is acquired by another organization (if a business)? What if the student graduates? Drops out?

A variation on this is when the state suspends a person’s driver’s license. It’s no longer valid as proof of authority to drive but it’s still proof of identity. How do you make sure third parties have the most current information?

Tampering and Forgery

An ID should be immutable but it may still be possible to tamper with it. E.g., paste a picture of one person on top of the picture of a different person on a driver’s license. How easy will it be to detect that if you only look at the ID through a plastic sleeve?

This is a key point to remember – fake IDs don’t need to be perfect. They only need to be “good enough” for the intended purpose. That barrier can be shockingly lower than you expect.
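The checks discussed under “Outdated Information/Revocation” and “Tampering and Forgery”, as an added example that is not code from this series: a toy signed ID (not a real X.509 certificate) built only with the JDK's java.security classes. The Id record, its field layout, the names and the revocation set are assumptions made for illustration; records need Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Set;

// Added example: a toy signed ID, not a real X.509 certificate.
public class SignedIdDemo {
    // Hypothetical record holding the ID characteristics listed in this post.
    record Id(String subject, String issuer, long serial,
              Instant notBefore, Instant notAfter, byte[] signature) {
        // Bytes the issuer signs. Real certificates use DER, not a joined string.
        byte[] signedFields() {
            return String.join("|", subject, issuer, Long.toString(serial),
                    notBefore.toString(), notAfter.toString()).getBytes(StandardCharsets.UTF_8);
        }
    }
    // The issuer binds itself to the document by signing every field.
    static Id issue(PrivateKey key, String subject, String issuer, long serial,
                    Instant notBefore, Instant notAfter) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(new Id(subject, issuer, serial, notBefore, notAfter, null).signedFields());
        return new Id(subject, issuer, serial, notBefore, notAfter, s.sign());
    }
    // Returns the first reason to reject the ID, or "OK".
    static String check(Id id, PublicKey issuerKey, Set<Long> revoked, Instant now)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(issuerKey);
        s.update(id.signedFields());
        if (!s.verify(id.signature())) return "TAMPERED_OR_WRONG_ISSUER";
        if (now.isBefore(id.notBefore()) || now.isAfter(id.notAfter())) return "OUTSIDE_VALIDITY";
        if (revoked.contains(id.serial())) return "REVOKED";
        return "OK";
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair issuer = kpg.generateKeyPair();
        Instant now = Instant.now();
        Id id = issue(issuer.getPrivate(), "CN=Alice", "CN=Example School", 42L,
                now.minusSeconds(60), now.plusSeconds(3600));
        // Constructed tampered copy: subject swapped, original signature kept.
        Id forged = new Id("CN=Mallory", id.issuer(), 42L, id.notBefore(), id.notAfter(), id.signature());
        System.out.println("genuine:  " + check(id, issuer.getPublic(), Set.of(), now));
        System.out.println("tampered: " + check(forged, issuer.getPublic(), Set.of(), now));
        System.out.println("revoked:  " + check(id, issuer.getPublic(), Set.of(42L), now));
    }
}
```

A valid signature only shows that the issuer signed these exact fields. It says nothing about whether the issuer verified the subject before signing, which is the impersonation and due-diligence problem.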

Lack of Due Diligence

This vulnerability is the nastiest – how can you trust the issuer to do a good job? In some cases this is sloppiness, but there are also the structural questions of who pays the cost of investigating the subject and who pays the cost when the issuer is mistaken. An issuer who is expected to pay the costs for the investigation but will pay no penalty for mistakes isn’t likely to put much effort into the investigation. Make no mistake – they may not make intentional errors. They just won’t be zealous about doing an in-depth investigation.

On the other hand an issuer who faces a serious financial risk if they misidentify the subject will naturally make a much more serious effort to get it right.

Lessons

We can summarize this in two observations:

1. A third-party certificate authority will put its own interests above yours.

2. Your own certificate authority will still need to invest substantial resources to prevent impersonations, tampering, forgery, etc.

The bottom line is that Digital Certificates are a powerful tool but they are only a tool. They are not a silver bullet.

Danger, Danger, Will Robinson!

If you read nothing else in this series, read this!

Top 10 PKI Risks

Everything you Never Wanted to Know about PKI but were Forced to Find Out (Peter Gutmann)
