[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: global names are a security flaw
On Wed, 10 Dec 1997, Carl Ellison wrote:
-> -----BEGIN PGP SIGNED MESSAGE-----
-> At 03:53 AM 12/6/97 -0200, Ed Gerck wrote:
-> >Now, the obvious problem here is not with global names but with lack of
-> >information! Of course, before you can find anything (even a name), you
-> >must know what you are looking for .... so, if you don't know Bob Jones'
-> >middle name (even though he is your friend) then you can't find him at IBM
-> >or, if you don't know where Alice Smith works then you can't find her. I
-> >could further say that if you don't know Alice Smith's phone number then
-> >you can't call her!
-> >(Clearly, if you start with zero information all you have is entropy...)
-> Or from the other POV it's not lack of information but the wrong amount of
-> information. There's not enough to identify the person but enough for a
-> human to make a guess and therefore a mistake, resulting in a security flaw
-> either by accident or by contrivance of some enemy.
I have problems following your argument, because anyone can always make
guesses and always make mistakes even in good faith -- it's our task to
make sure that the world does not end when that happens!
Of course, if we ask for user input we must let the user be free to input
anything that fits in the allowed (by us) alphabet. However, you phrase
above imply that "silent faults" (a "silent fault" is defined as an error
condition that leads to wrong outputs without warning or detection by the
user) are the norm when an user makes a mistake or takes a wrong guess (in
good or bad faith) -- when all security specs say otherwise.
I would say that while we must guarantee that a close guess will not be
able to break our security scheme (so that any mistake must lead to an
error), we must also make sure that a mistake will not lead to a silent
fault or a disaster as you imply. This is called "fault-tolerant design".
For example, we may detect that the given global name does not pass some
error-checking code (as found in barcodes, SSN numbers, credit-card
numbers, etc.) and warn the user that the transaction cannot proceed
because the input was in error. It is easy to prove that this scheme can
be made arbitrarily safe against errors by increasing the self-checking
part of the name.
Other measures can be used together with the error-checking procedure,
either at the same time or before the actual authorized action, such as
asking twice for the same input, requiring a password, requiring a
smart-card token, requiring an e-mail confirmation, etc.
That's why I said your "example" of flaws in global names was rather an
example of a flawed protocol, which would also "work" in a wrong way with
local names. Your design was not fault-tolerant.
Further, global names come in many flavors, such as fingerprints, retina
scans, DNA sequences, public-keys, public-key hashes, X.500 DNs, e-mails,
hash of X.500 DNs, hash of e-mails, etc. Any one of these names can always
be made private by a suitable cryptographic hash. And any may have enough
information to allow Bob E. Jones to be found at IBM -- without destroying
the world in case of mistakes.
That't why I say that global names are neither a security nor a privacy
Dr.rer.nat. E. Gerck firstname.lastname@example.org