Invariant Properties

Introduction to Digital Certificates, Part 2: IDs

Bear Giles | May 29, 2012

This is part of a series on Digital Certificates.

Before we get into the details of digital certificates we need to take a big step back and ask what an ID means in the big picture.

Any ID has several mandatory characteristics:

1. it is tangible. (Yes, computer files are tangible.)

2. it identifies a “subject”. For instance, the citizen of a passport, the driver of a state driver’s license, the employee, the student.

3. it identifies an “issuer”. In the examples above this is the country issuing the passport, the state issuing the driver’s license, the employer, the school.

4. it has some way to bind the subject to the person or organization. At a minimum it’s a photograph and/or signature, perhaps with basic biometric information like height and weight.

5. it has some way to bind the issuer to the document. For an employee badge or student ID this might just be a logo. For high security documents you may add watermarks, holograms or even laminated layers containing fluorescing content.

6. it is reasonably immutable.

An ID may include additional characteristics:

1. a unique serial number.

2. an expiration date, and possibly a ‘not valid before’ date as well.

3. usage restrictions. (E.g., there may be driving hours restrictions on a driver’s license.)

4. alternate names for the subject or issuer.

Vulnerabilities and Attacks

What are the vulnerabilities of IDs? How can they be attacked? Entire books have been written on this subject but we can quickly hit the highlights.

Impersonation

We can check that the person presenting the ID matches the description on the ID… but how can we trust that the person going to the issuer isn’t impersonating somebody else? It’s a valid ID issued to the wrong person.

What about the issuer itself? How can we trust the issuer is who it claims to be? Consider the classic student fake ID.

Outdated Information/Revocation

What do you do when the subject dies (if a person) or is acquired by another organization (if a business)? What if the student graduates? Drops out?

A variation on this is when the state suspends a person’s driver’s license. It’s no longer valid as proof of authority to drive but it’s still proof of identity. How to you make sure third parties have the most current information?

Tampering and Forgery

An ID should be immutable but it may still be possible to tamper with it. E.g., paste a picture of one person on top of the picture of a different person on a driver’s license. How easy will it be to detect that if you only look at the ID through a plastic sleeve?

This is a key point to remember – fake IDs don’t need to be perfect. They only need to be “good enough” for the intended purpose. That can be a shockingly lower barrier than you expect.

Lack of Due Diligence

This vulnerability is the nastiest – how can you trust the issuer to do a good job? In some cases this is sloppiness, but there’s also the structural questions of who pays the cost of investigating the subject and who pays the cost when the issuer is mistaken. An issuer who is expected to pay the costs for the investigation but will pay no penalty for mistakes isn’t likely to put much effort into the investigation. Make no mistake – they may not make intentional errors. They just won’t be zealous about doing an in-depth investigation.

On the other hand an issuer who faces a serious financial risk if they misidentify the subject will naturally make a much more serious effort to get it right.