Cogito Ergo Sum

I think, therefore I am. But who am I–really?

Paul Rolich

Last week I decided to use my new Clear card. Clear cards are issued by a private firm and are supposed to make the process of passing through airport security less painful. To obtain a Clear card, you need to submit two forms of identification and allow the issuer to conduct a background investigation. The card itself has a chip that apparently contains information that will allow you to authenticate yourself as the rightful holder of the card through fingerprint or retinal scans. It also has a postage-stamp-size picture of the holder.

At the airport I headed for the "Clear" lane and quickly was confirmed as myself. My home airport is Atlanta, and once I was authenticated as me, I was dumped into the general security maze where I had to show my boarding pass and Clear card identification picture to the TSA agent. Since the picture on the card was so small and washed out, it took the agent almost a minute to let me through. In fact, the picture is so bad it could be that of any white male over 25. Nevertheless, I made it through the first checkpoint and passed into the great unwashed masses. Had I gone through the "elite" security line, I would have skipped the step where I had to scan my thumbprint and just used my driver's license or passport to prove my identity. I also would have been in an area with experienced travelers who know they can't take a 64-ounce Big Gulp through security.

As it was, I now found myself in the casual traveler security area. A young lady pushed me aside and actually forced her way past me so that she could get in line ahead of me. Normally I would have stopped her, but I already had placed my portable taser (disguised as a laser pointer) in my carry-on. She had four bags, 10 pounds of necklaces, five pounds of earrings, and thigh-high boots and could not understand why she kept setting off the alarm in the body scan. Oh, yeah–she also had her boarding pass in one of her carry-ons that now was stuck in the middle of the baggage scan.

So What?

So, what advantage did my Clear card provide me? No advantage. In fact, I had to go through an additional step (inserting my card in a machine and scanning my thumbprint) before I approached a TSA agent and showed him my boarding pass and a photo ID. OK, using the Clear card did dump me into the front of the security maze, and on a Monday morning, if you were not a frequent traveler, the process could get you through security faster. But that benefit was only because the issuers of the Clear card have cut a deal with the airport (or maybe TSA)–not because I could prove who I was using a retinal scan. This seems like a good idea gone totally wrong. Using Clear technology I can pretty well prove I am the person who was issued the card and the Clear folks have done some kind of background investigation on me, but those two bits of information are not being used to identify me as a trustworthy traveler. I still must submit to all the scans of my person and my luggage, and I must still submit a photo ID to prove I am the person listed on my boarding pass.

I work at a lot of different places. I have domain accounts at dozens of organizations. I have VPN access tokens for about half that number. I have photo IDs with embedded chips. I have VPN accounts with user name and password access. If you are doing any work for the Department of Defense, you need a Computer Access Card (CAC), which is a multipurpose card that can be used for identification purposes and to log on to DoD networks, systems, and Web sites. It supports public key infrastructure encryption and can electronically sign e-mails and documents. To obtain any of the above-mentioned accounts or cards, you need to start with some basic form of authentication that says I am who I am.

A Better Idea?

Maybe it is time to get real about some common, secure form of authentication that can be used across various organizations and for various purposes. Some of the features of the Clear card could be used as a basis for such an authentication system.

There is a real qualitative difference in the level of sophistication we need to secure IT systems. Business always has needed to ensure sensitive and critical business information is easy to access by those who need access and difficult or impossible to access by those who should not have access. Before the Internet and before the PC revolution, most of that security could be provided by purely physical means: locked doors, keypad access to data centers, etc. Physical security is no longer sufficient. I never may gain access to the data center, but I am able to log on to servers in that data center.

Maintaining security through remote electronic access is more difficult than locking and guarding a door. The very nature and complexity of remote network connections provide many more points of access or points of attack. In addition, there are many more intelligent minds working to try to circumvent or defeat existing security systems. The hacker community continuously and constantly is working to exploit weaknesses in data systems and thus gain access to or hack those systems. The motivation may not be sinister; it may be nothing more than to prove it can be done. Nevertheless, it doesn't matter whether hackers ever use any secure data they access–the access itself is sufficient cause for alarm. Both physical and electronic security start with one basic premise: the individual. Once that individual is identified, then the rights that individual has to access secure resources must be controlled.

Human Frailty

Identifying the user as a specific individual is so obviously the first point of failure it often is overlooked. We become so engaged with transport layers and security layers and encryption we forget most data breaches are caused by human weakness. People leave their passwords unsecured on sticky notes; they fail to lock their machines when they leave their desks; their passwords and access accounts are readily available on text files on their laptops; they share their passwords with others; and so on and so forth. If we only could be sure the users on this machine at this IP are really the people we think them to be, a large part of our security concerns would disappear and we could concentrate on the interesting technical aspects of security.

Most computers on a corporate network are accessed using a simple user name and password response that is authenticated against a directory service. Once the user name and password are validated, the logged-on system is granted all privileges associated with the authenticated account. My laptop allows me to log on to the machine (and thus the network) by scanning my index finger. That apparently provides an additional layer of security. Or does it? If someone has access to my password (user names are virtually always available and known), that someone then can log on to my machine using that password and change my fingerprint authentication to match that individual's prints instead of mine. In point of fact, all the fingerprint scanner does is allow me an easier way to log on to my machine–it really does not provide any additional security.

A Simple Proposal

What we really need is a device of some sort–a card–that can do the following:

o Verify the holder of the card actually is the individual associated with that card.

o Allow that user to log on to a computer or network using that card.

o Provide a reasonable assurance another individual cannot spoof the individual who is associated with that card.

The Clear card satisfies the first criterion. A government CAC satisfies the second. The third criterion could be enforced using regularly scheduled reauthentication sessions on a secure system. What we need is a universal security card that satisfies the first and second criteria.

I am not advocating a universal ID card sponsored or provided by the government. Time and time again, government organizations have proven themselves to be inefficient and prone to lapses of security. My fear of allowing the government to administer universal access cards is not a fear of "Big Brother" having access to my information as much as it is a fear of the government botching things up so as to make them worthless. Besides, Google is the real Big Brother. I suspect it has more information on me than our federal government does.

Standards

Imagine an international agency staffed with representatives from the major security, software, and hardware vendors, organized along the lines of the W3C. The organization would create standards for a universal access card that would provide the ability to satisfy the first two criteria above. The card would include a tamper-proof embedded chip that would contain biometric data sufficient to identify the card owner. It would be designed in such a way that it could contain proprietary, encoded data that could be used to interact with other security systems.

Most of the corporate identification cards I now have contain scannable data that permits access to secure areas. This easily could be replicated using standard data fields. The card could be designed to interact with existing and future biometric systems for proper authentication. Pluggable USB devices could interact with a computer-friendly card or use an interface such as those provided for the current CAC systems. Users would be required to authenticate using the card, a fingerprint scan, and perhaps an additional user name and password system.

Software security systems would require regular reauthentication to alleviate the problems caused by users walking away from their machines. Lost or stolen cards would not pose a security threat as biometric authentication would be required for their use. A stolen card may get unauthorized people into the building (as long as the card wasn't reported stolen), but it would not allow them access to any computing resources. The cards could be used for PKI systems and digital signatures.
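The policy described above (card, biometric, and password together, regular reauthentication, and lost-card reporting) can be sketched as follows, together with a fix for the laptop weakness noted earlier, where a password alone could replace the enrolled fingerprint. This is an added example, not code from the article or from any card vendor; the class and method names are hypothetical, the 15-minute interval is an assumed value, and an exact string comparison stands in for real biometric matching.

```python
import hashlib, hmac, os
from dataclasses import dataclass

REAUTH_SECONDS = 15 * 60  # assumed interval; the article does not give one

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Card:
    owner: str
    template: str        # stand-in for the biometric template on the chip
    salt: bytes
    pw_hash: bytes
    revoked: bool = False

class CardAuth:
    def __init__(self):
        self.cards, self.sessions = {}, {}  # card_id -> Card, owner -> last auth time
    def issue(self, card_id, owner, template, password):
        salt = os.urandom(16)
        self.cards[card_id] = Card(owner, template, salt, _kdf(password, salt))

    def _verify(self, card_id, scan, password):
        # Every factor must pass: known unrevoked card, matching scan, password.
        card = self.cards.get(card_id)
        if card is None or card.revoked:
            return None
        scan_ok = hmac.compare_digest(scan.encode(), card.template.encode())
        pw_ok = hmac.compare_digest(_kdf(password, card.salt), card.pw_hash)
        return card if scan_ok and pw_ok else None

    def login(self, card_id, scan, password, now):
        card = self._verify(card_id, scan, password)
        if card is not None:
            self.sessions[card.owner] = now
        return card is not None
    def session_valid(self, owner, now):
        # A session goes stale once the reauthentication interval has elapsed.
        last = self.sessions.get(owner)
        return last is not None and now - last < REAUTH_SECONDS

    def replace_template(self, card_id, current_scan, password, new_template):
        # Password alone is not enough: the currently enrolled print must match too.
        card = self._verify(card_id, current_scan, password)
        if card is not None:
            card.template = new_template
        return card is not None

    def revoke(self, card_id):  # card reported lost or stolen
        self.cards[card_id].revoked = True
        self.sessions.pop(self.cards[card_id].owner, None)
```
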

The weakest spot in a secure card system is at the point of origin. If I were able to create a "false" identity, I could use that identity to obtain a bogus security card, although the value of such a false identity is questionable. If I were predisposed to commit data theft, I just as easily could do it with a real card as a false one. The real value to a criminal is to obtain or create a card that spoofs that of a real individual who does have access to secure systems. Using a combination of unique identifiers, PKI encryption, biometrics, and one-time ciphers to create the original card, it should be possible to create unique cards that cannot be spoofed.

The benefits obtained from using a spoof-proof universal security card will outweigh the costs of such a system. The use of a universal security card could and may be extended into other realms such as airport security or banking. It is not too far a leap to imagine inserting your card into a PDA, authenticating via retinal scan, and paying for your groceries. Airlines already are providing scannable boarding passes for portable electronic devices. Adding a security card to that device is the next logical step. Heck, my Clear card might even prove useful to me someday.

Please address comments, complaints, and suggestions to the author at prolich@yahoo.com.

© Touchpoint Markets, All Rights Reserved.