Internet Security Systems - AlertCon(TM)

More on Key Management

Posted by Tom Cross on January 09, 2007 at 4:00 PM EST.

Rob Freeman asks "Is the solution to have a single passphrase that provides access to all other passphrases and keyfiles in a secured database? Or, is it better to have a single passphrase and keyfile for all activities?"

Ultimately, I think the problem is with passphrases. Bruce Schneier looked at MySpace passwords back in December. It's not a pretty sight. He writes "that passwords have outlived their usefulness as a serious security device." I think they're OK for protecting MySpace accounts, but for online finance and confidential information, they are a serious problem.

One problem is that consumers aren't good at knowing whether or not they are giving their credential up to the right party. In the current browser security model, the web browser verifies that the website has a certificate, but the fact that a certificate has been issued doesn't mean that the website is who it claims to be. Ultimately, we need smarter credentials that will validate that the service they are authenticating to is the service they are supposed to authenticate to. I think these credentials ought to be stored in a tamper-resistant hardware device that requires some second factor, such as a password, to operate. The hardware device can get lost or stolen, but that's true of physical keys, as well. Hardware tokens have many of the same use properties as physical keys, and that's a model that is well understood in society.

Why don't people have these? It's a business problem. The cost associated with a security technology must be lower than the savings it provides due to reduced fraud, for the person who has to spend the money.

Sometimes the cost associated with deploying a security technology exceeds the savings associated with fraud, and this is often the case with certification authority hardware token technologies. This is why we still use passwords.

Sometimes, the cost of the fraud is not actually borne by the parties that are in a position to spend the money on better security technology. How much of the cost of credit card fraud is actually borne by the people who are responsible for the architecture of credit cards, as opposed to the merchants that accept them? How much of that cost is recovered through offering credit monitoring services, fraud protection, and other features to consumers who wouldn't bother with them if there were no fraud problem? How much would it cost to upgrade the credit card infrastructure to provide better security?

We're seeing some upgrades to the network start to happen in the US, but they are mostly driven by the need to reduce the cost of using credit cards for small-dollar point-of-sale applications rather than to address security problems that occur on the web due to theft of numbers.
