If you would like to read the other parts in this article series please go to:
- Identity (Management) Crisis (Part 1): The evolution of identity concepts
- Identity (Management) Crisis (Part 2): Everything you (think you) know is wrong
- Identity (Management) Crisis (Part 4): Selecting a Comprehensive Identity Management solution
In Part 1 of this series, we took a look at the evolution of the concept of “identity” and what it means, both within and outside IT. In Part 2, we discussed how everything you think you know about identity – and particularly the idea that credentials equal identity – is wrong. In this, Part 3, we’re going to begin the discussion about some current identity management solutions as well as new ways to implement old methods of verifying identity.
Signature as proof of identity
In pre-electronic times, the handwritten name served as the legal representation of a person’s identity and intent on a contract or other document. Because handwriting tends to be more or less unique from one individual to another, a signature provided evidence that the named person created and/or had read and agreed to the content of the document.
However, signatures can be forged (faked). Forgery is a criminal offense, but contrary to popular belief, merely signing someone else’s name does not generally constitute forgery under the law. For example, a person can legally give another person permission to sign his/her name, either manually or by using a signature stamp or machine; this is common practice in business offices and government agencies, where the person whose signature is needed on a huge number of documents can’t possibly spend all the time required to personally sign them. To be forgery, the signing of another’s name generally must be done for a fraudulent purpose – that is, to deceive someone and/or gain at another’s expense (the specific elements of the crime are set out in the legal statutes that make it an offense, and may differ from one legal jurisdiction to another).
To verify that a signature was indeed made by the person whose name it represents, the signature can be notarized. A notary public is a public official who is commissioned by the government to witness the signing of documents (among other things) and authenticate the identity of the person signing, usually by examining identification documents such as a driver’s license or passport. The notary affixes his/her own signature and seal to verify that the signatory is who he/she claims to be.
In the IT world, we have digital signatures to serve a similar purpose, acting as evidence that an electronic message or document was created or sent by the person or entity it appears to have come from. Digital signatures can go a step further and verify that the message or document has not been changed in any way since it was signed.
Digital signatures have been around, at least in concept, since the 1970s (Diffie and Hellman) and available in commercial software since the late 1980s (Lotus Notes). Now digital signatures are becoming more commonplace, with many governmental agencies using them to publish official documents, and in many jurisdictions digital signatures are legally binding, just like handwritten signatures.
Digital signatures use a public/private key pair and so rely on a public key infrastructure (PKI): a certification authority (CA) issues the digital certificate that binds the public half of the pair to the signer’s identity, while the private half stays with the signer and is what actually signs electronic documents. The certification authority’s role is somewhat like that of the notary public – it’s a trusted third party that gives its “seal of approval” to the signatory. The private key is bound only to that particular person, and its use to sign the document indicates that person, and no one else, did the signing. Digital certificates are used not just to identify people, but also machines such as web servers.
Whether a signature – handwritten or electronic – can be trusted as verification of identity hinges on your trust of the third party – notary public or CA – that vouches for it. If a notary is lax in requiring identity documentation or doesn’t know how to determine whether the ID is valid, the authenticity of the signature may be in question. If the CA issues certificates to anyone who asks, under any name, without any verification that the requestor is using his/her real identity, the digital signature is no good.
Extended Validation (EV) certificates are much more expensive than other digital certificates, because they involve a more thorough background check to verify the legal identity of an entity. These have been around since 2007, when guidelines for issuing them were ratified, and are used for identifying secure web sites.
With a handwritten signature, each individual signing must be witnessed by the notary. With electronic signatures, the CA issues the certificate and it can then be used for many different signings. Thus it is imperative that the private key be kept secret. If it becomes known to anyone other than the designated and verified signatory, it becomes worthless. The private key is stored in a file that can be kept on a computer’s hard drive, on a removable drive such as a USB key, or on a smart card.
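As an added illustration of the three points above – the CA acting as notary, the private key being the only thing that can produce the signature, and the signature revealing any later change to the document – here is a small Go program written for this article, not taken from it or from any product. It uses only Go’s standard crypto/x509 and crypto/ed25519 packages; the CA name, signer name and document text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert is the CA in its notary role: it binds pub to name and signs with caKey (nil parent: self-signed root).
func issueCert(name string, pub ed25519.PublicKey, parent *x509.Certificate, caKey ed25519.PrivateKey, isCA bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial for the example
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA key may vouch for other keys
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyDocument is the relying party's check: the signer's certificate must chain to trustedRoot (the
// notary we trust); only then does the certificate's public key check sig over doc, catching any tampering.
func verifyDocument(doc, sig []byte, signer, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not vouched for by a trusted CA: %w", err)
	}
	if err := signer.CheckSignature(x509.PureEd25519, doc, sig); err != nil {
		return fmt.Errorf("signature does not match document: %w", err)
	}
	return nil
}
```

The signer produces the signature with ed25519.Sign and the private key it alone holds; a document altered after signing, or a certificate under the same name issued by a CA outside the relying party’s trust store, is rejected by verifyDocument.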
Beyond the signature
Because signatures can be copied or forged, something more is often required to prove identity when signing particularly important documents. Driver’s licensing agencies, some banks and other entities may take a person’s photo and/or require that he/she provide a thumbprint along with the signature.
In the IT world, biometric authentication goes beyond a digital signature, whose private key could be stolen by a clever hacker. As we discussed in Part 1, even biometrics is not a foolproof way of verifying identity, but it can add another layer to the verification process. If you possess the right private key, your fingerprint matches the one stored for you in the database, you know the password, and you’re able to answer some obscure challenge/response questions with the correct information, it is highly likely that you really are the person you say you are. Thus, just as we look to a “defense in depth” solution for protecting our systems from attack, the best bet for verifying identity is an “authentication in depth” strategy.
What’s the problem with that? There is none, from the security administrator’s point of view. But users will hate it. And even we security pros, if we’re honest, get a bit annoyed when our banking sites ask us to change our passwords, re-enter the phone number associated with our accounts, and type in the name of our first boyfriend’s aunt’s dog before it will let us in to check our balances.
A good identity management system needs to be transparent to the user, just as a good overall security plan can’t sacrifice usability or it will ultimately fail, as Bruce Schneier intimated when he said “The more secure you make something, the less secure it becomes.”
Toward a comprehensive identity management solution
Identity management is about more than just identity authentication, although authentication is an important component. The identity management system must first establish the identities of persons or entities (such as computers) and then use that information to control access to the resources in the system. It sounds simple, but implementing it effectively can be very complex.
In today’s IT world, it’s all about EaaS – Everything as a Service. The identity management system must be integrated to deliver those services to users seamlessly, on demand, while determining who gets access to which services and to what degree. And it goes both ways; users must be able to verify the identities of the service providers, as well.
Even home networks today require some system of identity management. Parental controls rely on identity authentication to give parents the ability to restrict what games their children can play, what web sites they can access, how long they can stay online, and so forth.
In Part 4 of this series, we’ll look more closely at the criteria for choosing a comprehensive identity management solution for an organization, federated identity management, and the effect of the Cloud on identity issues in IT. Then we’ll briefly discuss the future of identity.