Fly to San Francisco International Airport, flash two pieces of plastic, and you can drive away with a brand new car worth more than $20,000. The only assurance that the car rental agency has that you will return its automobile is your word—and the knowledge that if you break your word, they can destroy your credit rating and possibly have you thrown in jail.
Your word wouldn’t mean much to the rental company if they didn’t know who you are. It’s those pieces of plastic, combined with a nationwide computer network that reports if they are stolen, that gives the car rental firm and its insurance company the ability to trust you.
Digital certificates are designed to provide this same sort of assurance for transactions in cyberspace. Their effectiveness comes from a marriage of public key cryptography, a carefully created and maintained public key infrastructure (PKI), and the legal system.
This chapter describes how digital certificates work; it explains the role of the certification authorities (CAs) that issue the certificates; it explains the difference between client and server certificates; and it ends with some real-world observations about the role and usefulness of the digital signature technology.
As the rental car agency knows, the ability to identify people creates accountability and helps to promote trust. Indeed, identification is an indispensable part of modern life. Large organizations use employee identification badges to help guards determine who should be let into buildings and who should be kept out. Governments use identification papers to help control their borders. And, increasingly, computers use various kinds of systems to determine the identity of their users to control access to information and services.
For much of the 20th century, driver’s licenses, passports, and other kinds of identity cards have been the primary tools that people have used to prove their identities. We use them when cashing checks, when opening accounts with new businesses, when applying for a job, and when buying property. We use them when we are cited by police for speeding or jaywalking, as an alternative to being arrested, taken to a police station, and held for a hearing. By reliably identifying who we are, these physical tokens make it possible for business to extend credit and trust to individuals with whom they are unfamiliar. You might think that the alternative is to do business solely with cash. But even when cash or other articles of value are used, strong identification is often required because of the possibility of fraud. Think about it: would you take three pounds of gold as payment for a new car without knowing the name of the person handing you the bullion?
Identification cards don’t create a stable business environment by themselves: they work hand-in-hand with the legal system. If a person bounces a check or fails to carry through on the terms of the contract, the business knows that it ultimately has the option of going to court with its grievance. But a successful outcome in court is only possible if the business knows the true identity of the customer. This is one reason why it is a crime to impersonate another person in the course of a financial transaction.
Customers also need to be able to determine the identity of businesses when they are engaging in financial transactions. In the physical world, the assurance is usually provided by physical location: if Sara buys a book in Harvard Square and then for some reason decides that she has been cheated (she may have taken the book home and discovered that several pages are missing), she knows that she can walk back to Harvard Square and demand a replacement or a refund. And she knows that she can trust the bookstore, at least within reason, because the store has obviously spent a considerable amount of money on the accoutrements of business: books, shelves, carpets, cash registers, and so on. It’s unrealistic to think that the bookstore would spend so much money and then cheat a few dollars off paperback purchases that would damage the store’s reputation. And if the bookstore was a scam, at least Sara knows where the bookstore is based. In the worst case, Sara can always go to City Hall, look up the store’s owner, and take him to court.
Things are not so neat and tidy in cyberspace. Sara might spend $995 at a trendy online software store, only to discover that the copy of ExCommunicate 3.0 that she has downloaded contains a nasty Trojan horse. She ends up having to reformat her hard disk. When she goes back to figure out what’s happened, she discovers that the online shop is gone. When she tries to sue the store to collect damages, she finds that she can’t: the store was operating from Africa, and the government officials in that particular African country have no record of any such business. Sara ends up feeling cheated and resolves never to buy anything online again.
Things can be as difficult for online businesses attempting to determine the names of their customers—or trying to verify that the person at the other end of the web browser is actually the person that he or she claims to be. Consider an online stock trading company that gets an order from one of its customers to sell 500 shares of Netscape Communications, Inc. How does the trading house know that the “sell” order came from the bona fide customer and not from the customer’s 10-year-old son—or from the son’s best friend who happens to be visiting for the afternoon? What sort of proof is possible, when your only connection with your customer is over a 28.8-kbps modem?
One proven way for establishing identity in the physical world is to carry credentials from a trusted authority. Consider a passport, a driver’s license, or even a membership card for the local gym. All of these credentials attest to your identity. To bolster their claims, they rely on the good name and reputation of a national government, a state, or the YMCA.
Good identification credentials are tamper-proof (or at least tamper-resistant) so that the person who holds them can’t change them. They should also be forgery-proof to prevent anyone other than the appropriate government or organization from issuing them.
In the physical world, tampering and forgery are usually prevented by using exotic materials. Polaroid, for instance, manufactures a semitransparent film that is affixed to the driver’s licenses issued by many U.S. states. Driver’s licenses equipped with this film are tamper-proof: try to remove the film to alter the license, and the film changes color. They are also forgery-proof: it’s easy to tell the authentic film from fraudulent film, because the authentic film displays the name of the particular state when it is tilted to a certain angle. Counterfeiters could make their own film, but the equipment required to do so is incredibly expensive. Furthermore, the process that is used to manufacture the film is itself protected by patents and trade secret.
Another exotic material that has become common is the security hologram. These holograms are placed on credit cards, tapes on CD cases, software packages (such as Microsoft’s Windows 95), and even some books. Although it’s fairly easy to make a hologram with film, it is much harder to press a hologram onto a thin piece of metal: the equipment is expensive and the knowledge is relatively rare. And as the businesses that operate these machines tend to have close relationships with the banking industry, they don’t look kindly on counterfeiters.
In the physical world, identification cards are so commonplace that we rarely think about how they work. Your U.S. passport has your photograph, your hair and eye color, and your signature, among other information. You prove your identity by handing the passport to an inspector and having the person compare its photograph with your face. If the inspector is interested in giving you an especially hard time, he or she might ask you to sign your name on a piece of paper and compare that signature with the one on the document. Or the inspector might ask you questions based on the information that the document contains.
For credentials that are less important, such as a gym membership, there might not even be a photograph: mere possession of the document is assumed to be proof of identity. That’s because the added cost of a photograph might be greater than the lost income from stolen service that would result if two people were sharing a single ID. On the other hand, if fraud becomes a major problem, then greater security measures—such as a photograph on the ID—might be warranted.
Personal computers have traditionally not identified their users. Instead, PCs have traditionally given complete access to any person sitting at the computer’s keyboard. That’s why they were considered personal computers—they weren’t shared with others. But these days, when PCs can be accessed over a network, or when a PC containing sensitive information might be shared by a group of individuals, physical access alone is no longer an acceptable criteria to determine access. Some way of identifying users is necessary.
Many computer users already have several forms of ID in their possession. Why not simply use them—or have the computer scan your facial features and determine who you are?
Unfortunately, most computers can’t look at your face and then glance at your driver’s license to decide if you should be allowed access or not:
Most computers don’t have video cameras.
Even computers that do have video cameras don’t have software that lets them reliably identify a person.
Even computers that can identify people from video images still don’t have the “common sense” to know if they are looking at a real-time video image of a person or a videotape of the person that’s been previously recorded.
And even if computers had common sense, they don’t have the hands, fingers, and so forth to look at a driver’s license and determine if it is a true instrument or an imitation.
Although there is active research in using physical characteristics such as a person’s face or voice for identification (see Section 6.1.3.3, later in this chapter), far simpler and cheaper systems have been used for years. But there is a key difference between these systems and the document-based identification systems used by people in the physical world. Rather than proving that the person sitting at the keyboard is a particular person, most computer ID systems are designed to let the computer determine if the person sitting at the keyboard is the same as the person who was sitting there yesterday.[31] These systems care about continuity of identification rather than absolute identification.
Practically speaking, absolute identification has not been a requirement for most computer systems. A computer on your local area network doesn’t need to know your true legal name. It simply needs a way of verifying that the person trying to access it today is authorized to do so.
The earliest digital identification systems were based on passwords: every user of the system is assigned a username and a password. To prove your identity to the computer, you simply type your password. If the password that you type matches the password that is stored on the computer, then you must be who you claim to be.
Because they are simple-to-use, familiar, and require no special hardware, passwords continue to be the most popular identification system used in the computer world today. Unfortunately, there are many problems with using passwords for identification. Almost all of them revolve around four key factors:
The computer has to have your password on file before you attempt to prove your identity.
Your password can be intercepted when you send it to the computer. Somebody else who learns your password can impersonate you.
People forget passwords.
People choose easily guessed passwords.
People tell their passwords to others.
Nevertheless, passwords continue to be used as a common identification system for many applications.
Another way that people can prove their identity is through the use of a token—a physical object that you carry with you that somehow proves your identity and grants you access.
Access cards are typical tokens used to prove identity in today’s business world. To open a door, you simply hold the card up to a reader. Every card has a unique number. The system, in turn, has a list of the cards authorized to open particular doors at certain times. In order for the system to be effective, people should not lend their cards to others.
As with passwords, tokens have problems as well:
The token doesn’t really “prove” who you are. Anybody who has physical possession of the token can gain access to the restricted area.
If a person loses his token, he cannot enter the restricted area, even though his identity hasn’t changed.
Some tokens are easily copied or forged.
Thus, token-based systems don’t really authorize individuals: they authorize the tokens. For this reason, token-based systems are often combined with password-based systems. To gain access to a room or a computer, you need to both present the token and then type an authorization code. This is the technique used by automatic teller machines (ATMs) to identify bank account holders.
A third technique commonly used by computers to determine a person’s identity is to make a physical measurement of that person and compare that physical measure with a profile that has been previously recorded. This technique is called a biometric, because it is based on measuring something about a living person.
There are two ways that biometric identification systems can be used. The simplest and most reliable way is to compare an individual’s metrics with a specific stored profile. The second technique is to scan a large database of stored profiles looking for a particular match. This second technique is more prone to false-positive matches than the first.
Many kinds of biometrics are possible:
An image of a person’s face
Fingerprints
Footprints and walking style
Hand shape and size
Pattern of blood vessels in the retina
DNA patterns
Voice prints
Handwriting techniques
Typing characteristics
Biometrics can be reliable tools for ascertaining identity, but they have so many problems that they are not commonly used. Some of these problems include:
A person’s biometric “print” must be on file in the computer’s data bank before that person can be identified.
Biometric-based authentication usually requires expensive, special-purpose equipment to measure the particular biometric desired.
Unless the measuring equipment is specially protected, the equipment is vulnerable to sabotage and fraud. For example, a clever thief could defeat a voice-recognition system if he or she had access to the wires connecting the system’s microphone to the voice-processing unit. With such access, the thief could simply record the voice of an authorized individual. Later, when the thief wished to gain unauthorized access, he or she would simply play back the recording.
Because of the possibility of false matches, biometrics are often combined with passwords or tokens. In the case of passwords, a user might be asked to type a secret identification code, such as a personal identification number (PIN), and then give a biometric sample, such as a voice-print. The system uses that PIN to retrieve a specific stored profile, which is then compared with the sample that has just been acquired.
Many of the identification systems described in the previous section can be improved through the use of digital signatures.
The theory behind digital signatures is described in Chapter 10. Briefly, each user of a digital signature system creates a pair of keys:
If Ian’s public key is widely distributed in a tamper-proof format, then he can use his private key to prove that he is in fact Ian (provided, of course that he has been careful to prevent others from stealing his private key). The advantage of using public key cryptography is that this proof can be done safely over a telephone or a computer network even if a third party is eavesdropping.
To see how Ian could use his private key to prove his identity, imagine that Ian and Wendy are exchanging letters by electronic mail. All Wendy has to do is send Ian a brief letter with a random number, asking him to digitally sign the number and send it back. When Wendy gets the letter back, she verifies the signature with her copy of Ian’s public key. If the signature matches, then she knows that the person she is communicating with has Ian’s private key. If Ian has been careful with his keys, Wendy can reasonably infer that the person she is communicating with is Ian (see Figure 6.1).
Notice that this technique cannot be compromised by either eavesdropping or tampering of a third party (such as Peter). Even if Peter observes all the communications that go between Wendy and Ian, he will not see Ian’s private key and will not be able to forge his signature. Peter can, however, cause Wendy to distrust Ian. He can do this by modifying the message as it travels between Wendy and Ian. Ian won’t sign the right message, and Wendy will wonder why Ian isn’t doing what she asked. Alternatively, Peter could modify the signed message; this might make Wendy think that somebody was trying to pose as Ian (somebody who does not have the correct key).
Many ways have been developed for protecting private keys:
- Store the key encrypted on the hard disk.
The simplest way to protect a private key is to encrypt it using a passphrase. This is the way that programs such as PGP and Netscape Navigator protect private keys. This technique is convenient. The disadvantage is that if somebody gains access to your computer and knows your passphrase, he or she can access your private key. And since the key must be decrypted by the computer in order to be used, it is vulnerable to attack inside the computer’s memory by a rogue program or a Trojan horse.
- Store the key encrypted on removable media.
A slightly more secure way to store a private key is to store it encrypted on a floppy disk, a CD-ROM, or other removable media. With this technique, an attacker needs both your media and knowledge of your passphrase to access your private key. Unfortunately, to use your private key, your computer must decrypt the key and put a copy of it in its memory. This still leaves the key vulnerable to attack by a computer virus, Trojan Horse, or other rogue program.
- Store the key in a smart card or other “smart” device.
This is one of the most secure ways to protect your private key. The smart card has a small microprocessor and actually creates the public key/private key pair. The smart card can transmit the public key to the host computer and has a limited amount of storage space for holding 10 or 20 public key certificates (see Figure 6.2). Ideally, the private key never actually leaves the card. Instead, if you want to sign or decrypt a piece of information, that piece of information has to be transmitted into the card, and the signed or decrypted answer transmitted off the card. Thus, attackers cannot use your private key unless they have possession of your smart card. And, unlike storing the private key on a floppy disk, a rogue program running inside your computer can’t surreptitiously make a copy of your private key because the key itself is never placed in the computer’s memory.
Smart cards are exciting pieces of security technology. Take the card out of your computer, and you know that nobody else has access to your private key. Smart cards can also be programmed to require a PIN or passphrase before they will perform a cryptographic function; this helps protect your key in the event that the card is stolen. They can be programmed so that if many PINs are tried in succession, the key is automatically erased. And smart cards can be built to use biometrics as well. For instance, you could build a fingerprint reader or a small microphone into a smart card.
Smart cards aren’t without drawbacks, however. Some of them are fragile, and normal use may eventually result in the card’s becoming unusable. Some kinds of smart cards are exceptionally fragile.
If the card is lost, stolen, or damaged, the keys it contains are gone and no longer available to the user. Thus, it is necessary to have some form of card duplication system or key escrow to prevent key loss. This is especially important for keys that are used to encrypt stored data.
It is also the case that smart cards are not completely tamper-proof. In 1996, Ross Anderson and Markus Kuhn presented a paper on how they broke the security of a professionally designed smart card widely used for security mechanisms.[32] Later that year, DeMillo, Lipton, and Boneh of Bellcore announced a theoretical attack against smart cards that perform encryption. Other researchers, including Shamir and Biham, quickly entered the fray and published a variety of attacks on hardware-based encryption systems.
An interesting twist on using public key technology to prove identification is the Pitney-Bowes Veritas system, which uses digital signatures to authenticate photographs and other information stored on physical documents (such as a driver’s license). The Pitney-Bowes system stores a high-density two-dimensional bar code on the back of a plastic card. This bar code contains a digitized photograph, a copy of the driver’s signature, and information such as the driver’s name, age, and address. All of the information stored in the bar code is signed with a digital signature. The private key used to create this signature belongs to the card’s issuing authority.
To verify the digital signature stored on the back of the plastic card, it is necessary to have a Veritas reader. This reader scans in the two-dimensional bar code, verifies the digital signature, and then displays a copy of the photograph on a small screen. A liquor store might use such a system to verify the age of people attempting to purchase alcohol, as well as to verify the names of people writing checks.
Veritas was first tested in 1994 to issue IDs for 800 students at the University of New Haven. In 1995, Veritas was tested at the Special Olympic World Games in Connecticut. Approximately 7,000 athlete credentials were issued and used for the games. These credentials contained a photograph of the athlete, biographical data, and medical information. Pitney-Bowes reported a 100 percent read rate on the cards. At one point, the event’s network went down, and the offline data retrieval capability of Veritas enabled officials to retrieve medical data in life-saving situations.
[31] The Massachusetts-based Miros company has even developed a set of web access control tools that use a small video camera to grant web access. For information, see http://www.miros.com.
[32] For an excellent description of the ease of attacking hardware-based encryption devices, see Ross Anderson and Markus Kuhn, “Tamper Resistance—a Cautionary Note,” in The Second USENIX Workshop on Electronic Commerce Proceedings, Oakland, California, November 18-21, 1996, pp. 1-11, ISBN 1-880446-83-9. PostScript can be found at http://www.ft.uni-erlangen.de/~mskuhn/anderson-kuhn-tamper.ps.gz. HTML can be found at http://www.ft.uni-erlangen.de/~mskuhn/tamper.html.