A good friend of mine who is the definition of a ‘Security Expert’ replied to my recent post regarding the use of current encryption technologies. He had this to say about my assertion that PKI cannot prove my identity:

PKI-based authentication can prove who you are, to the extent it can prove that the name in the certificate corresponds to the entity wielding the private key.

Since he seems by this to have missed my original statement I wanted to clarify why I don’t believe PKI technology can be used for personal identity. The problem isn’t the technology, certainly if I am only one with the private key then I can prove who I am. My argument is that you cannot secure the private key.

Oh sure, you could take that private key and ACL/encrypt it down to my user account. Even better you could put it on a thumb drive bio-metrically encrypted for only my access. This is still insufficient security. Programs running on machines that I use when accessing that data can get to that data. Since you cannot secure the platforms we use, you cannot secure data stored or accessed by them. Not that the technology is wholly unusable, for some things it would be entirely sufficient; however, I sure wouldn’t want my private-key to be the only thing needed to access my online banking.

Let’s say we went down this road and everyone had a private key. That provides one attack everyone is vulnerable to. It would be a matter of hours before people started finding ways around whatever security was in place. Wherever you have more potential victims and higher rewards the criminals will attack. Why do you think MS-Windows has been attacked the most?

The hidden beauty behind the mess of online credentials is that everyone does it differently. This forces an attacker to pick something specific to target, like PayPal, or BoA. The attack, if successful, only works there. This is a good thing. Putting all our eggs in one security basket is just a bad idea… Kinda like using the same username and password on every website you visit.

Comments