Presentation on theme: "The role of identity David D.Clark July, 2012. 2 The role of identity A requirement for identity comes up often: Detect misdirection attacks on communication."— Presentation transcript:
2 The role of identity A requirement for identity comes up often: Detect misdirection attacks on communication. Detect invalid (unauthentic) pieces of information. Validate identity/authority of incoming connections to prevent infiltration attacks. Allow application/network to pick desired communication pattern, to insert the desired degree of checking into the path between communicating parties, depending on the degree of trust between the parties. Hold parties accountable for their actions. Should a future Internet include identity mechanisms?
3 Designing identity schemes There is more than one way we could approach identity. A private matter among end-nodes. E.g. encrypted or meaningless except at end points. Signal of identity that is visible in the network. Surveillance cameras in cyberspace. Facilitate both policing (perhaps) and repression. Third-party credentials vs. continuity-based familiarity. Revocable anonymity. Anonymity can only be revoked by its creators. Probably need all in different circumstances, so architecture should not constrain. These are not choices to be made by technologists alone. Need a multi-disciplinary conversation. I am very fearful of getting this wrong.
Deterrence and identity Deterrence implies the ability to impose a cost on an actor that carries out an inappropriate action. Which implies the need to identify the actor. Which has led to calls in Washington for an “accountable” Internet. Which could be both ineffective and harmful.
Consider attribution as a tool Sort out various dimensions of attribution. Person, machine, aggregate entity. Private vs. visible. Identify key non-technical issues Jurisdiction Variation in laws and norms Relate to design of attacks Multi-stage attacks. Draw a few conclusions.
Attribution today—packets At the packet level, IP addresses. Directly identify a machine. Only indirectly linked to person. DMCA and the RIAA. Rules depend on jurisdiction. Can be mapped (imprecisely) to larger aggregates such as countries and institutions. Commercial practice today for web queries. Can be forged, but too much is made of that. Can be observed in the network by third parties.
Attribution today--applications Many applications include methods by which each end can verify the identity of the others. Banking. Sometimes a third party is involved. E-commerce, certificates. Sometimes the identity is private to the parties. Self-signed certificates. Sometimes the goal is “no identity”. Sites providing health information. Identity information can be hidden in transit.
A seeming dichotomy Two kinds of attribution. Machine-level visible to third parties. Personal identity selectively deployed and private to the end-points. Is this structure an accident? Not really. Consistent with a general approach to do “no more than necessary” as a requirement.
What sort of deterrence? Criminal prosecution. Might seem to require “person-level” identity of forensic quality. But this may not be right. Prosecutors like physical evidence. Use of network-based attribution may be more important in guiding the investigation. Espionage Often want to assign responsibility to an institution or a state. Cyber-warfare Again, need state/actor-level attribution.
Anti-attribution Critical for many purposes. Current approaches: TOR Freegate VPNs. Note: they serve to mask IP-level information.
Designing attacks Many attacks are “multi-stage”. Person at computer A penetrates machine B to use it as a platform to attack machine C. DDoS is obvious example, but not only one. Intended to make attribution harder. Attackers are clever. A form of identity theft. Tracing an attack “back to A” implies: Support at intermediate points: issue of jurisdiction. Use of machine addresses.
Issues of jurisdiction Many sorts of variation. Rules for binding identity to IP addresses. Rules for when this can be disclosed. And to whom. Support for timely traceback of multi-stage attacks. Attackers “venue-shop”. Might imply a two-level response. Both at the actor and the jurisdiction level.
13 Identity schemes invite deception Both a human and a technical problem. How do you know what information to trust? Credentials? Continuity? Collaborative filtering (trust again). Identity itself should be rich and heterogeneous Integrity through availability. How can we avoid illusion on the screen? Remember that a human is not always present. Need ability (perhaps in restricted circumstances) to delegate decision to a program.
Some conclusions IP addresses are more useful than sometimes thought. Any proposals/policies for better attribution should take into account: Multi-stage attacks. The need for “anti-attribution. Cross-jurisdiction issues are central. Within one jurisdiction, with a single stage activity, RIAA has demonstrated deterrence.
More conclusions Research should focus on mitigating multi-stage attacks, not “better tools for identity”. Multi-stage attack imply identity theft. Solutions will not be purely technical. Redesign of applications can mitigate many problems. Problems arise at that level… Integrate attribution into the application in ways consistent with needs of the dominant actor. Tight controls or none, depending on circumstances. Different patterns of communication.
16 A final issue—private association An essential characteristic of a civil society is freedom of association. Can join and leave groups at will. Can participate without fear or harassment. “Private association”. Protection can be legal or technical. Should we try for technical? Any form of identity revealed in the network provides a basis for third parties to observe patterns of association. In vocabulary of security: traffic analysis. But this is what is being called for to attribute bad actions to perpetrators. What constitutes a bad action, and who gets to say? Technology works the same everywhere.
My conclusion Better tools for personal attribution should not be a primary part of a future Internet. Does not do much good; does much harm. Applications should tailor their use of identity to the specifics of the situation.