CA SSL certificate successfully forged

Researchers in Switzerland and the Netherlands have successfully generated an apparently valid CA certificate, using a ‘collision’ attack on the MD5 hashing algorithm. (A collision is when you find a plaintext of your own choosing which produces the same hash as the genuine plaintext you’re trying to forge…). The report on the ZDNet website also mentions Arjen Lenstra of the EPFL (Ecole Polytechnique Fédérale de Lausanne), who led the research.

I was lucky enough to hear Arjen speak at the recent HP Colloquium, hosted by the Information Security Group at Royal Holloway University of London. He was talking on the theme of ‘factorisation methods for large prime numbers’ – and if I say that he made it both instructive (even to a non-mathematician like me) and entertaining, you’ll get some indication of what an engaging speaker he is.

The researchers laced together a bank of more than 200 games consoles to assemble the requisite computing power, though for the time being they decline to publish the algorithms they used to produce the MD5 collision. There’s a quite detailed description of the experiment here, with background details of how MD5 hashing works, how it can be broken and so on. As you’ll see from the details of the attack, this isn’t something just anyone is going to knock up in their garage over the weekend – but neither does it use anything particularly esoteric.

The bad news, from a user perspective, is that there is not a great deal the average punter can do to mitigate the risk which this attack highlights. They will just have to wait for current MD5-using CAs to upgrade their technology and switch to more collision-resistant hashing algorithms.

The problem with public identifiers

There’s an intriguing story in the Montgomery County Sentinel which neatly illustrates a couple of things about identity systems. It concerns some high school students whose latest game is to spoof the number plate of someone else’s car and then deliberately speed past a speed camera. The first the unwitting owner of the genuine plate knows about it is when a $40 ticket lands on their doormat*.

So what does this tell us about identity systems? Well, first, that a permanent, public identifier (such as a number plate) is not necessarily a sufficient or reliable proof of identity. In this instance it’s clear that, as a credential, it’s not immune from forgery; nor does it, on its own, reliably and uniquely identify the holder.

Second, the creativity of those who set out to break or bend identity systems almost inevitably outstrips the ingenuity of the designers.

Would the same spoof work in the UK? In most cases, I suspect it would. Under UK law, speeding is a “strict liability” offence – meaning that you can’t plead mitigating circumstances, so it’s subject to a summary penalty; currently, UK law in this area reverses the presumption of innocence, so the burden of proof is on the recipient of a speeding ticket to prove that they were not the driver of the vehicle at the time (regardless of whether, as in this case, it wasn’t actually their vehicle); and the majority of UK speed cameras take a still photograph from behind the vehicle after it passes the camera… so the actual driver of the car doesn’t appear in the picture.

Some mobile and ‘face-on’ cameras capture the driver’s face with varying degrees of clarity, but again, the burden would be on the registered owner to prove that it wasn’t them at the wheel. Either way, it would certainly work as a nuisance attack, even if the victim did eventually get the ticket cancelled and any points knocked off their licence [sic].

*Incidentally, it’s funny how this story also illustrates some of the many differences between the US and UK English vernaculars. The US version would be about spoofing license [sic] plates and waiting for a $40 citation to wind up in someone’s mailbox… ;^)

Can Internet content rating work?

The UK’s Culture Secretary, Andy Burnham, has said he wants to introduce some form of content rating system on the Internet – and that he will negotiate with the US to draw up plans which cover English-language websites. Can it work?

Let’s assume, for a moment, that he’s able to persuade his American counterparts to play ball (which is quite an assumption to start off with). He says he wants to protect internauts from “unacceptable” content such as video clips of beheadings; I’m also assuming that he wouldn’t go to all this trouble only to leave internet pornography un-regulated, so presumably that will be included in the plans too. The obvious issue this raises is that predominantly visual content is not language-specific. To be blunt – if someone’s going online to look at boobies, it’s not going to make a material difference whether they are English boobies, Ugandan boobies or Galapagos boobies.

[Oh, all right, then… in the spirit of it: you can follow any of those links without running the risk of seeing a bare mammary, I promise]

Another problem is that Mr Burnham’s language does not make any distinction between web sites and web content. Enforcing content rating for websites is going to be hard enough; enforcing it at a sensibly granular level is very likely to be impractical – as the recent row over Wikipedia’s 1976 “Scorpions” album cover amply illustrates.

But the fatal problem is perhaps this one: Mr Burnham is unsurprisingly keen to portray his proposals as “controlled consumption” rather than “censored publication”. But of course, if that control over consumption is to be seen as anything other than censorship it has to be discretionary (for instance, the ability of a parent to decide what their children may or may not see).

So, what would the enforcement of such a law entail, in practical terms? Well, ignoring any technical niceties for the time being, it suggests that the law enforcement authorities could get a clear enough view of what’s happening inside your household to prove to a court that one of the following offences had been committed:

1 – someone under-age had accessed ‘unacceptable’ content despite the parental controls applied by the diligent householder;

2 – the householder had negligently or willingly left the controls on a setting which failed to prevent the viewing of ‘unacceptable’ content.

I applaud Mr Burnham’s concern for the cultural well-being of the country, but I think he has yet to show that that level of law enforcement access would be any less damaging than the content he wishes to block.

New paper accepted for publication

Earlier this year, I was able to work with a couple of very bright colleagues – Susan Landau and Hubert Le Van Gong – on a paper setting out some of our ideas for “privacy in depth” in federated identity systems.

I’m delighted to say that we’ve just heard the paper was accepted to be part of the proceedings of the Financial Cryptography and Data Security 2009 conference. The honour of presenting it (in Barbados in February – dirty work, but someone has to do it…) rightly goes to Susan Landau, who was not only the creative force behind the work but also undertook all of the most tiresome editing tasks.

Speaking of Susan (and she will probably send me a mail bomb when she reads this) reminds me of something I have been meaning to blog for a while.

A couple of years ago I visited a customer with some of my sales colleagues; I was there to talk to the customer about federated identity, set out where we thought it was going, and see what we could come up with in terms of possible application to their business. As we headed back across the car park after the meeting, one of my colleagues said to me: “You know, there are some times when I see one of my colleagues at work and it makes me proud to work for Sun. That was one of them.”

I can honestly say that that was the nicest professional compliment I have ever been paid. However – and in keeping with the ingrained English tendency to beat compliments away with a stick – that isn’t the point.

A year ago at the HP Colloquium I heard Susan give her talk on technology and privacy, and in particular on the privacy-hostile effect of much recent public policy (both US and UK), and was struck by the three core qualities Susan brought to the presentation:

– the technical competence to know what she was talking about;
– the clarity of vision to see how the technology and policy interacted to produce the outcomes;
– the ethical integrity to stand up and speak out.

All of a sudden, I knew what my colleague had meant – I felt proud to work for a company which would have someone do what Susan did. You often hear management gurus and self-help pundits imply that the road to self-fulfilment as a human being is to be a great employee; actually, I think Susan’s example shows that the best way to be a great employee is to be a great human being.

The difficulty of defining "personal information"

One of the pressing problems of the times, in the digital identity and privacy world, is that of defining what counts as personal information.

It’s important from the individual’s point of view, of course, because the individual is the one with most at stake should that information be abused.

It’s important from the legislator’s point of view, because without a clear definition of what is ‘in’ and what is ‘out’, they can’t frame meaningful and enforceable legislation.

It’s important from the data custodian’s point of view too, because they are the entities stuck with the twin problems of demonstrating compliance to the applicable law and of keeping their data subjects happy.

This recent example from the Commonwealth of Massachusetts neatly illustrates some of the difficulties. It will come into force on Jan 1st, 2009. As you will see, it adopts a simple definition of Personal Information:

“a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”

Interestingly, given the specification of Massachusetts residency and personal names, it precedes this with a broad definition of “person”, to include natural and legal persons but excluding any part of the public bodies of the Commonwealth.

You’ll notice, too, that the Massachusetts definition includes public sector credentials (social security number, driver’s license number, state-issued ID card number) and those commercial sector credentials to do with bank accounts. On the other hand, it does not refer to healthcare or health status information, which might seem to be another class of personal data meriting protection.

“Aha”, some of you may object… “but there’s no need to legislate here for healthcare data, because that’s covered by HIPAA…”. Good point – but in that case, why legislate for banking data, which is covered by Gramm Leach Bliley?

I’m not saying either approach is right or wrong, mind you – I’m just using this as an example of why the apparently simple question of “what is personal information?” can rapidly spiral into complexity.

Corporations dealing with the personal information of Massachusetts residents will probably be fairly happy with this Commonwealth statute: its relatively narrow definition of Personal Information means that their regulatory compliance burden should be comparatively light. Contrast that, for instance, with the current European debate over whether anonymous or pseudonymous identifiers (such as IP addresses or Liberty-style ‘opaque handles’) should, in their own right, be classed as personal data.

In parts of Europe (for instance, at the Independent Data Protection Centre of Schleswig Holstein and on the Primelife project) they are considering an alternative approach, based on the principle of “linkability”. Their argument is that, whatever the scope of your definition of ‘personal information’, what’s at issue is the extent to which the individual’s privacy can be compromised if the right (or wrong) links can be made between one piece of data and another. To take a simple example: your blood type might not, on its own, be personal information (in the sense that it doesn’t uniquely identify you) – but if and when it can be linked with your name (or with other factors which allow you to be uniquely identified) then it almost certainly should benefit from protection as personal information.

It’s not a simple approach, I grant you – but given the huge disparity between different legislations’ definitions of personal information, it may turn out to be the only workable way of achieving any useful level of consistency in our frontierless digital world.

Liberty Alliance webcast on ArisID

The Liberty Alliance will be hosting a webcast next Thursday (Dec. 11th) at 4pm GMT. Registration is through this URL.

ArisID has grown out of Liberty’s existing IGF (Identity Governance Framework) programme, and was set up to work on two aspects of IGF:

– to produce a simple, web-services based implementation of Declarative Identity Services (in which applications state how they expect identity services to be provided, and assume that servers are intelligent enough to cater for that);

– to put Client Attribute Requirements Markup Language (CARML) into practice… so that there are effective ways for data subjects and data controllers to express their expectations.

(For more information, visit the wiki and FAQ here)

This is a really practical step towards simple but effective management of identity data and the associated relationships in which it is exchanged; if you’re interested not just in where web-based identity management is heading, but how to get there, this is definitely a webcast to catch.

Illegal p*rn sharing, and digital ID

The BBC News site has an article today about “hundreds” of UK internet users who have recently received letters from a law firm in Frankfurt, alleging violation of copyright and demanding £500 or so in compensation. The allegation is that they have inappropriately shared “adult titles” (though I assume the implication is that they have shared more than the title…).

According to the report, many of the recipients of these letters deny having done anything of the sort. In some cases (particularly among the more elderly pensioners), it’s a pretty plausible denial…

So what’s going on here, and what are the wider implications?

Well, let’s assume first that the German company is genuine, and is sending the letters in good faith. That’s an assumption which bears checking, because I should imagine there are those who, mortified by the mere fact of the accusation, may have sent in their £500 just to make the whole thing go away. They would be unlikely to complain, or discuss it with anyone, because of the embarrassment factor. All in all, that would make for quite a neat phishing scam – playing rather more subtly on human weakness than the “Nigerian 401’s” appeal to raw greed.

The company apparently bases a lot of its forensics on IP addresses; identifying addresses which appear to be associated with illegal file-sharing, and then approaching the ISPs in question for disclosure of the user’s details. And that raises a number of issues:

– first, it’s possible that the IP addresses in question are indeed associated with illegal downloads, but that it’s not the fault of the registered user: exploitation of unprotected wireless hubs, bot-nets and IP address spoofing are all plausible alternative explanations.

– second, one has to ask where this leaves the European proposals for IP addresses to be included within the scope of Personally Identifiable Information (PII) and regulated as such.

To my mind, that step would be both premature and dangerous, while these practical means of exploiting IP addresses remain technically available and, as this news item clearly illustrates, commercially valuable.