By Arthur Lessard and provided by the CIO Leadership Network.
It’s 7:30am on Friday morning. Your PDA wakes you with the latest Bach/Mozart/U2 synth medley it bought for you from the classics server off the web overnight; you’re fairly pleased with the purchase, since you didn’t even know the synthers were playing with that arrangement again. The “housething” system turns up the wall screen and flips on your favorite news channel.
The news follows you into the bathroom as you pad towards the shower, displaying on the smaller wall screen. You start the shower and notice out of the corner of your eye the banner ad, announcing another show added to the Mongoose touring schedule in Europe, available by holo at the local club. You authorize the club ticket purchase with a verbal password, and then authorize the housething to order flowers and have them sent to your spouse at work later that day. You also dictate a memo to your spouse about the concert; since it’s a bit, ahem, racier than your typical memos, you wrap it up with decent encryption using your spouse’s public key and have it delivered to your spouse’s public mail drop.
After getting dressed, you head downstairs for breakfast; the housething called the local warehouse grocer and restocked the fridge the night before. Somehow it even managed to get you those Peruvian shitake mushrooms you’ve had on the list for 2 months. This is going to be a good day.
After breakfast, you head to the den, since on this virtual day you’ll be working from home. You boot up your workstation software on the housething wall screen and use a fingerprint and a scan of your sub-dermal sec-chip to access your credentials and authenticate to your work’s edge system, which provides a seamless connection to all of your servers and data. After a couple of hours of work, you decide you’ve earned a break. You leave the room, which instantly recognizes the absence of the sec-chip and locks the work session behind you.
Most of the activity in the above scenario will seem fairly familiar to a modern technophile. The truth is that scientific “revolutions” are relatively rare; those of us that grew up in the 60’s and 70’s are still waiting for our flying cars. The “revolution” of the last 20 years hasn’t been in space flight or “invisibility cloaks,” but in communication, and that trend is likely to continue. Cell phones, the Internet, PDA’s, all of the biggest changes in our day-to-day lives have been in the field of communication.
This is generally thought of as a good thing, constant dinner interruptions by our “crackberries” notwithstanding, but the ubiquitous nature of our tethers to the rest of humanity has come with a price. Privacy and security have struggled to keep up with our ability to buy items with the click of a button, and the invasion of privacy and identity theft are affecting everyone from little old ladies in Pasadena to infants in India.
The most interesting part of this dilemma is that the technologies to adequately protect us already exist; as with most technology issues, the devil is in the implementation, not the details. Encryption and digital signatures have been around for decades, and the application of public/private key pairs to everything from encrypting data to authorizing payments will continue to be “good enough” with decent key lengths for decades. Today’s 1024-bit keys are adequate, and even with Moore’s Law working against us by doubling processing power every few years, it’s doubtful that 4096-bit keys will be easily breakable 25 years from now.
So what is the problem?
Basically it comes down to transparency and standardization. It’s the same issue preventing us from leveraging the technology transparently today. Application and service providers are still working on integrating it into their products. Even if they do, there is no standard for key management, meaning every vendor still requires you to create and store keys just for their applications. Attempts to provide a standard way of creating and accessing these identity credentials are therefore stalled.
So let’s look at how things should work. Our system will require that every man, woman and child in the system has a randomly generated 4096-bit public/private key pair. These are lengthy keys, which means that users generally will never deal with them directly. Your public key is a matter of public record and will be available to the world; your private key is a different matter.
At some point in the next 25 years, I believe we will see a new service industry spring up around identity management for the public; call it the “credential service.” These companies will offer security for the average user, and their primary function will be the storage and authentication of your lengthy private keys. Shadows of these functions exist today in the form of Certificate Authorities and other mechanisms, but for true transparency and standardization we’ll need a service industry dedicated to the generation and maintenance of these keys.
Of course this is just the start for seamless identity management. You can easily have a highly secure private key that can be used to authenticate you, but how do you use it? The answer depends on what you want to do with it. Not every transaction requires James Bond-like security to authorize. The truth is that the method of access to your credentials should depend primarily on the criticality of what you want to do with them. In the above scenario, we had several activities occur that required some form of authentication, but at different levels. Notice that the “housething” and your PDA are authorized to perform some automated tasks on your behalf, presumably based on prior instructions. For example, your PDA has been told to keep an eye out for certain types of music for sale on the web, based on your personal criteria.
Such purchases are likely very small, on the order of a few dollars, and as such don’t require your personal authentication. However, it is likely that in 2033 all purchases or uses of credit cards or other credit instruments will require the authentication of your digital signature using your private key; vendors have learned the lessons of the “naughty aughties” and prefer to pass the risk of lower forms of authentication onto the consumer. How do we bridge the gap?
This is where the credential service comes in. You’ve chosen a service provider who keeps and protects your private key for transactions. However, you recognize the risk is low in purchasing low-value items, so you take advantage of one of the services of the credential provider. You’ve authorized certain devices, such as your PDA and housething, to perform certain transactions (say, media purchases up to a certain dollar value or grocery purchases to be delivered to your home) on your behalf. These devices have their own authentication credentials, at a lower security level, which they use to connect to the credential service and access your official strong credentials on your behalf. Yes, there is a minor risk that someone who finds or steals your PDA can make purchases on your behalf, but only for small amounts and only on certain types of transactions.
For an impulse purchase such as the tickets to see the Mongoose, this will likely require a form of personal authentication from you. On the other hand, it’s still a one-off purchase of only a few hundred dollars, meaning that providing your full personal credentials, including biometrics or “sec-chip,” is neither necessary nor practical. So an additional risk you’ve assumed is to authorize the credential service to allow use of your full credentials for purchases up to, say, $500 through the use of a personal password, a secret word or phrase you must provide when initiating those types of transactions. Again, a minor risk, but you’re a good consumer and routinely change the pass phrase with the credential service, so the risk is mitigated.
Of course, there are going to be those risks that you can’t or won’t assume, which will require the use of much stronger authentication methods to perform. In the above scenario your work, for example, is likely going to require the full use of your credentials to prove you are who you say you are before allowing full access to your work resources. The problem is that it is a bad idea to have multiple copies of your personal private key floating around; in fact the credential service won’t allow it by their ToS since it prevents them from honoring your warranty with them.
This is where intermediate security mechanisms come into play. The private key at the credential service can be remotely accessed for such transactions, but only through some form of multifactor authentication such as biometrics. In the above scenario, we hypothesize that this is relatively commonplace in 2033; ATMs and other legacy devices for those that still need cash will probably also require some special form of authentication, as will something major such as a car or home purchase. Thus, most adults and teens have a subdermal chip, commonly referred to as a “sec-chip”, installed under the skin of one of their hands. It’s painless and small enough to not interfere, and it has the ability to store multiple smaller public/private key pairs. It can also be accessed using proximity readers, including updating or adding keys.
When you have the need to access your official credentials from the credential service in an environment requiring personal authentication, these areas will be equipped with a basic biometric reader (fingerprint is most common) along with a proximity reader that can pull keys from the chip under your skin. This satisfies the requirement of two forms of authentication – “something you have” and “something you are” – and is a secure way of authenticating yourself to your credential service to provide authentication to services such as the edge device at your work that accepts your house connection. The “sec-chip” keys can also be used to temporarily secure information using the on-board keys in those rare cases in which you don’t have access to your credential service, or recognize when you’ve walked away from your work session.
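The tiered access described above can be written down as a policy check that the credential service runs before it uses the private key on a request. This sketch is an added example, not part of the original article: the category names, the device caps and the function names are assumptions, and only the $500 pass-phrase ceiling and the always-strong cases (work access, car or home purchase) come from the text.

```python
from dataclasses import dataclass
from enum import IntEnum

class Assurance(IntEnum):
    DEVICE = 1       # delegated device credential (PDA, housething)
    PASSWORD = 2     # personal pass phrase given by the user
    MULTIFACTOR = 3  # fingerprint plus sec-chip key

@dataclass(frozen=True)
class Delegation:
    categories: frozenset  # transaction types this device may perform
    cap_cents: int         # per-transaction ceiling for the device

# Categories the article says always need strong authentication.
ALWAYS_MULTIFACTOR = frozenset({"work_access", "car_purchase", "home_purchase"})
PASSWORD_CAP_CENTS = 500_00  # the article's "$500" pass-phrase ceiling

# Constructed delegations; the device caps are assumed values.
DELEGATIONS = {
    "pda": Delegation(frozenset({"media"}), 25_00),
    "housething": Delegation(frozenset({"grocery"}), 150_00),
}

def required_assurance(category, amount_cents, device_id=None):
    """Lowest assurance the service accepts before using the private key."""
    if not isinstance(amount_cents, int) or amount_cents < 0:
        raise ValueError("amount must be a non-negative integer of cents")
    if category in ALWAYS_MULTIFACTOR:
        return Assurance.MULTIFACTOR
    grant = DELEGATIONS.get(device_id)
    # A device credential only counts inside its own scope and cap.
    if grant and category in grant.categories and amount_cents <= grant.cap_cents:
        return Assurance.DEVICE
    if amount_cents <= PASSWORD_CAP_CENTS:
        return Assurance.PASSWORD
    return Assurance.MULTIFACTOR

def authorize(category, amount_cents, presented, device_id=None):
    """Return (allowed, needed); deny unless the presented level suffices."""
    needed = required_assurance(category, amount_cents, device_id)
    return presented >= needed, needed
```

A lost PDA presenting only its device credential is limited to in-scope media purchases under its cap; anything else returns the higher level the user would have to supply.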
There are several extensions that can be postulated to the above scenario – the ability to access government services to examine or change your personal information comes to mind – but the basic premise is that we have a need for the equivalent of “credential services”. The biggest gap and impediment to adequately securing e-commerce and other conveniences is standardization; vendors simply do not have a convenient and transparent way of authenticating users without coming up with their own, requiring users to create and maintain sometimes dozens of passwords and keys, most of which are not very secure in and of themselves. The question is not whether companies will step in to fill this “credential service” gap, but when.
Read The Ghost of Christmas Future, Part II.
• Arthur Lessard
• VP, Worldwide Security, Technicolor Home Entertainment Services, Inc
BIO
Arthur Lessard is VP of Worldwide Security for Technicolor, responsible for protection of customer content and intellectual property throughout the various Technicolor services organizations. His role encompasses managing both physical and information security in the production environments, and interfacing with the IT organization for network and business security. Lessard engages external auditors for site visits, develops and coordinates implementation of security policy and standards for Technicolor business units, and drives development of new security-oriented services. He also works with various law enforcement agencies, the MPAA, FACT and other organizations related to the control of movie piracy activities.



The problem with using fingerprints is that they never change, and once someone has a copy of your fingerprint it will be permanently compromised.