On my walk to work this morning I had some time to reflect on authentication technologies and my work on PKI solutions in the Norwegian public sector. This article should be considered just general musings on the topic; I haven't concluded on the matter, but feel I have to admit that I've been a smart card fetishist.
Smart cards in PKI-based solutions are normally used to carry your private key. For authentication purposes they thereby provide two-factor authentication because, unlike a password, you can carry the card away, and mere knowledge won't gain an intruder access. For signature purposes they give the owner a higher degree of control over his signature key by never exposing it directly, only indirectly through cryptographic operations performed by the card.
Nice as they are, smart cards have some annoying problems. The primary one is the need for a physical interface to the computer, with associated drivers and the risk of physical damage and wear. Software is also needed to interface with the cryptographic operations performed in the card, and it is often not available for multiple platforms. Interfacing with the cards from a web site leads to more problems, especially if special applications are needed to perform functions like signatures.
Even so, passwords are not a good authentication solution, and smart cards seem to be making inroads, albeit slowly, as the following quote from Bill Gates implies:
"A major problem for identity systems is the weakness of passwords. Unfortunately, with the type of critical information (protected by) these systems, we aren't going to be able to rely on passwords. Moving to biometrics and smart cards is a wave that is coming, and we see our leading customers doing this."
I won't go into the problems with biometrics, but in general I wouldn't like to use it for authentication for anything but my local system. So smart cards seem to be the way to go for authentication on the network level in critical information systems (like the ones in the health care sector, I'd say). This being the trend, there might be hope for the technology in the end.
Long dissertations have been written on the nature, effects and attributes of signatures, what they convey on a written document and their applications in the electronic world. I won't go into this deeply here, but I think their main use can be summed up in that they are (typically) a statement of intent, the semantics defined by their context, and identifying a certain individual.
In the digital world, signatures have often been associated with the enigmatic property of "non-repudiation", a function that in some way links the content (and presumably, the semantics) of a document uniquely with a specific individual in such a way that the individual should not be able to say that the document was not created by him. In a digital world, where bits can be modified, created and destroyed at will, this property can be useful, but might perhaps not be necessary to give an adequate electronic signature.
The use of smart cards for home users is fraught with problems, some mentioned above. Working on a help desk for general, non-techy home users with smart cards does not seem like fun. The chain from web application to user and smart card is too long and too uncertain in types of software, hardware and interfaces.
But what's the alternative? Well, for complete control over the signature key material, the alternatives are few. But compromising on this aspect might lead to better solutions for many applications. Seldom, if ever, is the signature a deciding aspect of disputes in relation to contracts. While the risk of false signatures might increase, security breaches not prevented might instead be detected and reacted upon. False electronic signatures might be detected by checking IP logs and verifying them against the physical location of the person signing, and in other ways.
Conclusion - so what to make of this? Smart cards might not be the way to go for authentication and signature solutions for web applications directed at the home user. In professional settings, in enterprises where authentication needs are high, smart cards are a coming thing. To exploit their value thoroughly, they should also be used for inter-domain authentication and for integrated signature applications when needed.