Naked Science Forum

Non Life Sciences => Technology => Topic started by: thedoc on 26/09/2015 03:50:01

Title: Why do we still use passwords instead of digital signatures?
Post by: thedoc on 26/09/2015 03:50:01
Carol Small asked the Naked Scientists:
   
Digital signatures have been around for getting on for 20 years now and yet we all still use passwords.  Can you find out why they haven't taken off?

What do you think?
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: Pecos_Bill on 26/09/2015 05:04:39
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm afraid that I haven't a clue. People are so lazy and gullible.

I used Thunderbird email with the enigmail extension to sign this.

Easy peasy, lemon squeezy.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
=OPPA
-----END PGP SIGNATURE-----
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: evan_au on 26/09/2015 11:42:42
Quote from: Carol Small
yet we all still use passwords
Passwords are for identifying an individual to a computer (just as knowing a combination identifies the legitimate owner to the safe). Both of these are based on something you know. The risk in both cases is that someone else might find out what you know, and then they can pretend to be you.

Other security mechanisms include:

Quote
Digital signatures have been around for getting on for 20 years now
Digital signatures (the random characters in the post by Pecos_Bill) use complex mathematical and logical operations that are beyond anything that humans can do reliably. So then you are back to the same problem of "How do I identify myself to the program which calculates the digital signature?". 

...plus, who wants to wait in line behind someone trying to type in a long string of random characters at the ATM?
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: Pecos_Bill on 26/09/2015 18:07:31
An asymmetric ("public key") digital signature system can be easily instituted with the use of a thumb drive. So the supposition that it would not be feasible at point-of-service (like an ATM) is ridiculous.

As I said in the original message (which was conveniently ignored) I wrote this using Thunderbird email with the enigmail extension - both of them are free. It was no more trouble to do than sending an unsigned message from my gmail account. Had I sent it to someone using Thunderbird/enigmail it would have come up in plain text like any other email with an indication on the toolbar that it had been confirmed as an unaltered message from someone with access to my secret key - and I keep that puppy on a personal thumb drive on my keychain.

Had I wished to do so the entire message could have been encrypted and signed (and decrypted and confirmed) just as easily. In the recent movie about Edward Snowden, we saw that is how he communicates privily with his contacts -- and they with him.

Why is this not used more often? The US government sued Philip Zimmermann, its creator, for exporting "war materials", unsuccessfully.

Draw your own conclusions about it - and why the idea was pooh-poohed here - for yourselves.


*****************

Upon reviewing evan_au's post, I am reminded that the break-in at OPM stole the fingerprints of everyone who had worked - or applied to work - for the federal government in the past 20 years.

You would be well-served by watching John Oliver's interview with Edward Snowden about secure passwords.[1.]

But Snowden still uses asymmetric - public key - cryptography for anything serious.

[1.]
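A concrete version of what Pecos_Bill describes, and of the objection evan_au raises above, written for this page as an added example in Go. It is not code from the thread, from Thunderbird/enigmail or from GnuPG. The server holds only the user's public key and issues a one-shot random challenge; the client answers with a signature over that challenge, bound to the server's name so a response phished on one site cannot be forwarded to another. The private key itself sits on the thumb drive encrypted under a passphrase and is unlocked locally, which is exactly where the "something you know" comes back in, except that the passphrase never leaves the user's machine and the server never stores anything a thief could reuse. The server name "bank.example", the user name "carol", the transcript format and the iterated-SHA-256 stand-in for a real password KDF are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server holds only public keys and one-shot challenges: nothing in this table lets a thief log in.
type Server struct {
	name    string // e.g. "bank.example" (assumed name for this example)
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer(name string) *Server {
	return &Server{name, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Challenge issues a fresh random nonce; the reply must sign exactly that nonce.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// transcript binds the signature to the server name, so a response phished on one site cannot be replayed at another.
func transcript(server string, nonce []byte) []byte {
	return append([]byte("login-v1|"+server+"|"), nonce...)
}

// Verify consumes the outstanding challenge (one attempt, pass or fail) and checks the signature.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return fmt.Errorf("unknown user %q", user)
	}
	expected, ok := s.pending[user]
	delete(s.pending, user)
	if !ok || string(expected) != string(nonce) {
		return fmt.Errorf("no outstanding challenge for %q: stale or replayed", user)
	}
	if !ed25519.Verify(pub, transcript(s.name, nonce), sig) {
		return fmt.Errorf("bad signature for %q", user)
	}
	return nil
}

// Respond is the client side: sign the challenge with the unlocked private key.
func Respond(priv ed25519.PrivateKey, server string, nonce []byte) []byte {
	return ed25519.Sign(priv, transcript(server, nonce))
}

// WrappedKey is what sits on the thumb drive: the private key sealed with AES-256-GCM
// under a passphrase-derived key. The passphrase unlocks the key locally and is never sent anywhere.
type WrappedKey struct{ Salt, Nonce, Ciphertext []byte }

// kdf stretches the passphrase into a 32-byte AES-GCM key. Iterated SHA-256 is a
// standard-library stand-in (an assumption of this example); use scrypt or Argon2 in a real system.
func kdf(passphrase string, salt []byte) cipher.AEAD {
	h := sha256.Sum256(append([]byte(passphrase), salt...))
	for i := 0; i < 100000; i++ {
		h = sha256.Sum256(h[:])
	}
	block, _ := aes.NewCipher(h[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func WrapKey(priv ed25519.PrivateKey, passphrase string) (*WrappedKey, error) {
	buf := make([]byte, 16+12) // salt + GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	salt, nonce := buf[:16], buf[16:]
	return &WrappedKey{salt, nonce, kdf(passphrase, salt).Seal(nil, nonce, priv, nil)}, nil
}

func UnwrapKey(w *WrappedKey, passphrase string) (ed25519.PrivateKey, error) {
	pt, err := kdf(passphrase, w.Salt).Open(nil, w.Nonce, w.Ciphertext, nil) // fails on a wrong passphrase
	return ed25519.PrivateKey(pt), err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer("bank.example")
	srv.users["carol"] = pub // enrolment: the user uploads only the public key
	nonce, _ := srv.Challenge("carol")
	sig := Respond(priv, "bank.example", nonce)
	fmt.Println("login:", srv.Verify("carol", nonce, sig), "replay:", srv.Verify("carol", nonce, sig))
}
```

Two design points worth noticing: the challenge is deleted before the signature is checked, so each nonce buys exactly one attempt whether it succeeds or not, and the wrapped key file is useless without the passphrase, which is what makes a lost thumb drive a nuisance rather than a disaster (the public key can simply be revoked at the server).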
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: wolfekeeper on 28/09/2015 04:17:01
Biometrics, including fingerprints, are a bad idea BTW.

The screw-case on them is, you can't revoke them, so if someone finds out your biometric parameters, it's possible for a bad guy to break into all your files.
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: Bored chemist on 28/09/2015 18:00:39
Fundamentally, the key is either something only you have (a card, or key or whatever), or something only you know (like a PIN or a password).

The first can be stolen- so it has relatively low security.
The second can, in principle, be guessed, so it too has low security.

So we use a combination - like the much loved "chip and PIN" system. Knowing that my PIN is my mother's birthday (It isn't really) won't help you unless you have the card.
Stealing the card won't help you unless you know the PIN.


For distant communications like the web or the 'phone, it's more difficult to use a "thing" for identification so we usually rely on a password (or several)
For things perceived as valuable enough to make it worth the hassle, like bank accounts, there are ways of using a physical item to validate your ID, but you have to have it with you.
Stuff like this
http://www.barclays.co.uk/Helpsupport/UpgradetoPINsentry/P1242559314766

or Bill's thumb drive on his keyring.
The biggest problem with this is that if it gets lost or stolen, you can't prove who you are.
Obviously, it's difficult to lose your fingerprints- but not impossible and as Wolfekeeper pointed out, you can't get a replacement if they get compromised.
The idea of a password should be fairly safe: it only takes a dozen or so characters before the chances of guessing correctly become astronomical.
But the reality of the human mind is such that we are not good at remembering strings of random characters- so we use passwords and, all too often, do it badly.

https://xkcd.com/936/
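Worked out as an added example in Go (written for this page; not from the post above, the Barclays page or xkcd): the search space behind "a dozen or so characters", the four-word passphrase of xkcd 936, and the four-digit PIN of chip and PIN, each set against an attacker who is locked out after three tries and one who is grinding a stolen hash file offline. It goes slightly beyond the post by separating the two questions a guessing attack raises, the chance of success within a limited budget and the time to success with an unlimited one, since that distinction is what makes a four-digit PIN acceptable on a card and hopeless on its own. The guess rates are assumed round numbers; a real offline rate depends on how the server hashed the password.

```go
package main

import (
	"fmt"
	"math"
)

// Attacker is a guessing budget. Offline (a stolen hash file) means unlimited
// tries at hardware speed; online means the server counts attempts and may
// lock out, the way a cash card does after three wrong PINs.
type Attacker struct {
	Name          string
	GuessesPerSec float64
	MaxAttempts   float64 // 0 = unlimited
}

// EntropyBits is the search space in bits for a secret of the given length
// drawn uniformly from an alphabet of the given size: length * log2(alphabet).
// A password that is really a word plus a digit is far below this figure.
func EntropyBits(alphabet, length int) float64 {
	return float64(length) * math.Log2(float64(alphabet))
}

// SuccessProbability is the chance the attacker hits within its budget.
func SuccessProbability(bits float64, a Attacker) float64 {
	if a.MaxAttempts == 0 {
		return 1 // unlimited budget: only a matter of time, see ExpectedSeconds
	}
	return math.Min(1, a.MaxAttempts/math.Pow(2, bits))
}

// ExpectedSeconds is the mean time to hit with no lockout: half the space at the guess rate.
func ExpectedSeconds(bits float64, a Attacker) float64 {
	return math.Pow(2, bits-1) / a.GuessesPerSec
}

// Human renders seconds on a scale a reader can compare.
func Human(sec float64) string {
	switch {
	case sec < 1:
		return fmt.Sprintf("%.0e s", sec)
	case sec < 3600:
		return fmt.Sprintf("%.0f s", sec)
	case sec < 86400*365:
		return fmt.Sprintf("%.1f h", sec/3600)
	}
	return fmt.Sprintf("%.1e years", sec/(86400*365))
}

func main() {
	secrets := []struct {
		name string
		bits float64
	}{
		{"4-digit PIN", EntropyBits(10, 4)},                            // 13.3 bits
		{"4 random words from a 2048-word list", EntropyBits(2048, 4)}, // 44 bits (xkcd 936)
		{"12 random printable ASCII characters", EntropyBits(95, 12)},  // 78.8 bits
	}
	// Assumed round-number guess rates for illustration; an offline rate
	// depends entirely on how the server hashed the password.
	attackers := []Attacker{
		{"online, card locks after 3 tries", 1, 3},
		{"online, throttled to 10/s, no lockout", 10, 0},
		{"offline, stolen hashes, 1e10/s", 1e10, 0},
	}
	for _, s := range secrets {
		for _, a := range attackers {
			fmt.Printf("%-38s vs %-38s  p=%.1e  time if unlimited %s\n",
				s.name, a.Name, SuccessProbability(s.bits, a), Human(ExpectedSeconds(s.bits, a)))
		}
	}
}
```

The table the program prints makes the post's two points in numbers: the PIN survives only because the card stops answering after three guesses, and the random twelve-character string is the only one of the three that an offline attacker cannot exhaust in a working lifetime, which is why it is also the one people cannot remember.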

Title: Re: Why do we still use passwords instead of digital signatures?
Post by: wolfekeeper on 29/09/2015 17:16:46
The current buzzword/idea is 'multifactor authentication' so you might have to type in a password, and then they check that it's the same computer you normally log in from and maybe one or two other things.

Checking a biometric as one factor of multifactor authentication isn't a bad idea.
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: MrDooley on 01/10/2015 09:13:00
It is illegal to use asymmetric public key cryptography with a modulus greater than 256 in "free" Britain.

Although that applies to encryption and not secure iron clad digital signatures -- the government propaganda schmucks writing here don't want you commoners to even hear about effective means of securing your privacy -- even its cousin digital signatures.
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: ProjectSailor on 01/10/2015 09:55:23
When securing our privacy means allowing illegal activities to go on unchallenged.. I feel that I'd rather have the government spying on me than my children molested or killed thank you very much..

There are many faults in all security measures on digital media.. the only way left to approach these things is in a multi-layered manner. Password, PIN, AND biometric will soon be the case.. and then what?

btw.. I had a laptop that had facial recognition locking function.. I managed to fool it with a photograph of my face.
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: Bored chemist on 01/10/2015 12:10:12
Quote from: MrDooley
It is illegal to use asymmetric public key cryptography with a modulus greater than 256 in "free" Britain.

Under what legislation?
I could only find a case where a body was fined for not using adequate encryption.
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: wolfekeeper on 01/10/2015 14:21:53
It was more or less illegal to export high-grade encryption from America, because it's counted as a 'munition'/spy stuff.

Since a lot of equipment is American, that's a problem.

However, restrictions have eased since 2009 apparently, but Americans still have to show it to some shadowy body, and there's some places they can't export to:

https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States#Current_status
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: PlainVanilla on 01/10/2015 18:54:58
Quote
United Kingdom

The Regulation of Investigatory Powers Act 2000 (RIPA), Part III, activated by ministerial order in October 2007,[20] requires persons to supply decrypted information and/or keys to government representatives with a court order. Failure to disclose carries a maximum penalty of two years in jail. The provision was first used against animal rights activists in November 2007,[21] and at least three people have been prosecuted and convicted for refusing to surrender their encryption keys,[22] one of whom was sentenced to 13 months' imprisonment.[23]


PGP is freely available on the internet and freely available to everyone
Title: Re: Why do we still use passwords instead of digital signatures?
Post by: evan_au on 01/10/2015 22:43:45
Quote from: PlainVanilla
PGP is freely available on the internet and freely available to everyone
Snowden claims that the US National Security Agency worked through various private (eg RSA (http://www.reuters.com/article/2013/12/21/us-usa-security-rsa-idUSBRE9BJ1C220131221), in USA) and public (eg NIST in USA) organizations to weaken encryption algorithms.

The NSA are not the only ones - the encryption in GSM was intentionally weakened - to the point where ordinary PCs could quickly crack it, 15 years later.

And the UK kept public key encryption a secret, after they invented it.

It's really an ongoing battle between those protecting national security, and those trying to destroy it.
Ordinary citizens are caught in the middle, trying to protect their bank accounts and their home computers from getting trashed.
And while "Moore's Law" continues, the crackers will eventually win.

The only side-benefit is that all of us gain from the development of new techniques in mathematics, computers, and quantum theory (after the techniques are declassified, many years later). In the meantime, billions of dollars have been wasted, across all nations.