The role of identity
David D. Clark
July, 2012

The role of identity
• A requirement for identity comes up often:
• Detect misdirection attacks on communication.
• Detect invalid (unauthentic) pieces of information.
• Validate identity/authority of incoming connections to prevent infiltration attacks.
• Allow application/network to pick desired communication pattern, to insert the desired degree of checking into the path between communicating parties, depending on the degree of trust between the parties.
• Hold parties accountable for their actions.
• Should a future Internet include identity mechanisms?

Designing identity schemes
• There is more than one way we could approach identity.
• A private matter among end-nodes.
• E.g. encrypted or meaningless except at end points.
• Signal of identity that is visible in the network.
• Surveillance cameras in cyberspace.
• Facilitate both policing (perhaps) and repression.
• Third-party credentials vs. continuity-based familiarity.
• Revocable anonymity.
• Anonymity can only be revoked by its creators.
• Probably need all in different circumstances, so architecture should not constrain.
• These are not choices to be made by technologists alone.
• Need a multi-disciplinary conversation.
• I am very fearful of getting this wrong.

Deterrence and identity
• Deterrence implies the ability to impose a cost on an actor that carries out an inappropriate action.
• Which implies the need to identify the actor.
• Which has led to calls in Washington for an “accountable” Internet.
• Which could be both ineffective and harmful.

Consider attribution as a tool
• Sort out various dimensions of attribution.
• Person, machine, aggregate entity.
• Private vs. visible.
• Identify key non-technical issues.
• Jurisdiction.
• Variation in laws and norms.
• Relate to design of attacks.
• Multi-stage attacks.
• Draw a few conclusions.

Attribution today—packets
• At the packet level, IP addresses.
• Directly identify a machine.
• Only indirectly linked to person.
• DMCA and the RIAA.
• Rules depend on jurisdiction.
• Can be mapped (imprecisely) to larger aggregates such as countries and institutions.
• Commercial practice today for web queries.
• Can be forged, but too much is made of that.
• Can be observed in the network by third parties.

Attribution today--applications
• Many applications include methods by which each end can verify the identity of the others.
• Banking.
• Sometimes a third party is involved.
• E-commerce, certificates.
• Sometimes the identity is private to the parties.
• Self-signed certificates.
• Sometimes the goal is “no identity”.
• Sites providing health information.
• Identity information can be hidden in transit.

A seeming dichotomy
• Two kinds of attribution.
• Machine-level visible to third parties.
• Personal identity selectively deployed and private to the end-points.
• Is this structure an accident?
• Not really.
• Consistent with a general approach to do “no more than necessary” as a requirement.

What sort of deterrence?
• Criminal prosecution.
• Might seem to require “person-level” identity of forensic quality. But this may not be right.
• Prosecutors like physical evidence.
• Use of network-based attribution may be more important in guiding the investigation.
• Espionage.
• Often want to assign responsibility to an institution or a state.
• Cyber-warfare.
• Again, need state/actor-level attribution.

Anti-attribution
• Critical for many purposes.
• Current approaches:
• TOR
• Freegate
• VPNs.
• Note: they serve to mask IP-level information.

Designing attacks
• Many attacks are “multi-stage”.
• Person at computer A penetrates machine B to use it as a platform to attack machine C.
• DDoS is obvious example, but not only one.
• Intended to make attribution harder.
• Attackers are clever.
• A form of identity theft.
• Tracing an attack “back to A” implies:
• Support at intermediate points: issue of jurisdiction.
• Use of machine addresses.

Issues of jurisdiction
• Many sorts of variation.
• Rules for binding identity to IP addresses.
• Rules for when this can be disclosed.
• And to whom.
• Support for timely traceback of multi-stage attacks.
• Attackers “venue-shop”.
• Might imply a two-level response.
• Both at the actor and the jurisdiction level.

Identity schemes invite deception
• Both a human and a technical problem.
• How do you know what information to trust?
• Credentials? Continuity?
• Collaborative filtering (trust again).
• Identity itself should be rich and heterogeneous.
• Integrity through availability.
• How can we avoid illusion on the screen?
• Remember that a human is not always present.
• Need ability (perhaps in restricted circumstances) to delegate decision to a program.

Some conclusions
• IP addresses are more useful than sometimes thought.
• Any proposals/policies for better attribution should take into account:
• Multi-stage attacks.
• The need for “anti-attribution”.
• Cross-jurisdiction issues are central.
• Within one jurisdiction, with a single stage activity, RIAA has demonstrated deterrence.

More conclusions
• Research should focus on mitigating multi-stage attacks, not “better tools for identity”.
• Multi-stage attacks imply identity theft.
• Solutions will not be purely technical.
• Redesign of applications can mitigate many problems.
• Problems arise at that level…
• Integrate attribution into the application in ways consistent with needs of the dominant actor.
• Tight controls or none, depending on circumstances.
• Different patterns of communication.

A final issue—private association
• An essential characteristic of a civil society is freedom of association.
• Can join and leave groups at will.
• Can participate without fear or harassment.
• “Private association”.
• Protection can be legal or technical. Should we try for technical?
• Any form of identity revealed in the network provides a basis for third parties to observe patterns of association.
• In vocabulary of security: traffic analysis.
• But this is what is being called for to attribute bad actions to perpetrators.
• What constitutes a bad action, and who gets to say?
• Technology works the same everywhere.

My conclusion
• Better tools for personal attribution should not be a primary part of a future Internet.
• Does not do much good; does much harm.
• Applications should tailor their use of identity to the specifics of the situation.