User talk:Folbert

From Yubico


Leeuwarden, Thursday, February 19, 2009

Hold on to your hats, Stina, Steve, Leo and listeners of Security Now! This is going to be good. This is the one.

First, I'm going to show you how you could improve the yubikey so that it becomes personal. Second, how we might never have to trust anyone anymore because of this improved yubikey. Third, how this improved yubikey could be used to encrypt email. Fourth and last, The Autonomous Open ID-server.

***FIRST*** We people tend to think a lot in terms of either-or. Whereas we should think more in terms of and.

We humans are not just EITHER different OR the same. Instead we're -at the same time- different AND the same. A ray of light is BOTH a particle AND a wave. A Yubikey should have both its existing technology AND the ability to be totally personal to the user, to the point where ONLY he or she can use the yubikey.

The yubikey is a great invention. However, it is just one Step towards the end-goal: TRUE Security. Which means.. YOU have total control over YOUR bits! If you consider that we now still can't take all the steps towards that goal, only the NEXT step, then, what would that next step look like? Well, the one BIG flaw that the yubikey has is... EVERYONE can use it. Exqueeze me? I thought that was the whole point! No, it shouldn't have this feature. Why? Because I'm human, therefore fallible! One day I might stroll off to the toilet unthinkingly and anyone who's in the building with me could then do Lord knows what to my machine with my yubikey. Same applies when you lose it. People tend to lose things, as we all know. <SIGH> Yes, me too. I'll spare you the details. So what would the solution to this problem look like? I think the yubikey should come with either built-in fingerswipetechnology or work together with existing fingerswipetechnology, in such a way, that -only you- are able to use the yubikey. The package Yubico sends should be sealed in a tamper-free fashion. The day you receive it, you are the one who swipes the button on the key, for example. And from then on only you can use it. Your fingerswipe is turned into a one-way hashed thermal template on the key, so you can't derive the information back from it. This is existing technology, by the way. See: www.invenia.es/tech:05_gb_scti_0czc

And it has already been built into a phone: http://bestinfo4u.blogspot.com/2008/11/spice-launches-touchscreen-phone-with.html

And also into a WALLET, already:) Have a look at: https://www.iwalletusa.com/ (It's swipe)


***YOU CAN SKIP THIS INFO FROM www.invenia.es/tech:05_gb_scti_0czc IF YOU -JUST- WANT TO READ MY LETTER***

***START OF ARTICLE***

Fingerswipe System For Managing Secure Access to Buildings and Cash Registers and Staff Time & Attendance in Retail Establishments

A Scottish SME has developed a biometric fingerSwipe system for the retail market to monitor staff time and attendance and secure access to buildings and cash registers / tills for employees, to secure cash payment for customers, and to monitor out of hours delivery access. The system was developed to seamlessly integrate with either an existing backend database or cash register applications. The company seeks partners to integrate the fingerswipe solution into retail management applications.

The Biometric system has been developed so that it can be utilised for all these applications, potentially saving massive costs on infrastructure and system development. The one-system fits all approach allows the retailer to get on with their business and leaves the biometric development and handling to the solution. There is no need for multiple biometric servers as the BioEngine server can be configured to take into account biometric data for all.

The system was developed to seamlessly integrate with either an existing or new back-end till and database application.

The system consists of:

Fingerswipe Unit – based on thermal technology, the unit is more secure than normal fingerprint sensor technology and is safe security-wise as it does not involve passwords or access cards. From a civil liberties point of view there is nothing to fear as fingerprints are not stored – rather templates are produced and encrypted. These templates offer much less personal information than a mobile phone or a credit card or even a store loyalty card.

Bioengine Server - this is the communications and identification core of any Yarg FingerSwipe network. The BioEngine utilizes a simple database containing Record IDs, BioTemplates and archived BioTemplates from previous identifications for use with the Adaptive Re-Enrollment Algorithm. The FingerSwipe Unit transmits thermal BioTemplates to the BioEngine for matching. Once this matching is complete the BioEngine forwards the identified User ID and FingerSwipe Unit ID to the user's application server. This approach offers complete flexibility in the way this information is processed by the user's application. Return communication to the specific FingerSwipe Unit can then be initiated by the user's application containing instructions for specific text to be displayed on the Unit's integrated LCD display. RS232 control commands can also be sent back to the Unit to be relayed to connected third party equipment. Innovative Aspects: The fingerswipe Unit overcomes the problems associated with other biometric technologies and swipe cards.

SECURE - As this biometric product bases itself on thermal templates rather than purely fingerprint recognition it is a much more secure product. The Unit is self-cleaning therefore no fingerprint is left on the sensor, so a latent print cannot be extracted. As the recognition is also based on heat from the finger being swiped, a latex print or fake finger cannot be used to fool the system, nor indeed can a dead finger.

ADAPTABILITY - The fingerswipe unit has been developed as a plug-in product for many applications. The simplicity of the system - together with its ease of integration - makes the fingerswipe unit completely adaptable and configurable for a wide range of markets and customers.

SPEED – the match facility has a recognition factor of less than 1 second from a database of circa 2000 records. Current fingerprint technology can take over 20 seconds. Main Advantages: The thermal imaging technology is set to be one of the main biometric technologies within the commercial marketplace as it is faster, more secure and more ‘politically-correct’ than other biometric and fingerprint applications.

RELIABILITY – the fingerswipe unit cleans itself with every sweep for recognition. Current fingerprint sensors do not and this causes residue build up on the sensor, which can affect recognition.

POLITICAL CORRECTNESS – unlike fingerprint scanners, the fingerswipe unit does not store fingerprint images. A number of civil liberties organisations have expressed their opposition to fingerprint data being stored.

SAFETY – there are no issues with safety. The fingerswipe unit is totally user friendly and quality assured.

***END OF ARTICLE***

***THIS IS WHERE MY LETTER CONTINUES***

Okay, as we've seen, this company Yarg biometrics wants to use a database of thermal templates, as well as a self-cleaning unit QUOTE:"so a latent print cannot be extracted. As the recognition is also based on heat from the finger being swiped, a latex print or fake finger cannot be used to fool the system, nor indeed can a dead finger." END QUOTE.

Maybe all there is to this technology cannot be incorporated yet into the yubikey. But it would be a great leap forward if the yubikey came with either built-in (or worked together with existing) fingerswipe technology, to totally “personalize the yubikey”. How much bigger the yubikey would get I don't know. The reason why Fingerprint-scanning is the lesser option as opposed to Fingerswipescanning, is that a fingerprint is static, it contains less information. Not only that, but it is easier to obtain a fingerprint, for instance from a glass, make a copy of it with some latex and use it to fake someone else's identity. With Fingerswipetechnology there's none of that.

Of course this would require a certain modification of the yubikey in order to get it to work with Fingerswipetechnology AND new microtechnology / nanotechnology to keep it small enough so your laptop doesn't become lopsided.




***SECOND*** How do we get around the following?

Us having to trust yubico's servers, or anybody's servers for that matter, because the same goes for ISPs. Anywhere there's blind trust placed in people, that trust can and will be abused by a malicious employee. And it only takes one employee to do you a lot of damage and leave everybody else alone, so no-one else notices anything odd. Whilst you have just been dealt a blow, that you can't even talk about, that's how big it is. It would be to your detriment to even pursue the matter, since no-one would be able to help you or even believe you. Don't forget that trust already starts the moment traffic leaves your computer, to first hit your ISP's servers. Oh, and it also comes back through your ISP's servers. They're the ultimate Man In The Middle. Isn't trust great? You've not been bitten yet? So far so good, eh? Keep your fingers crossed. But don't forget to uncross them, if you want to use..

Answer: the fingerswipeable yubikey itself. Something unfakeable (like maybe, oh I don't know, a live, freshly generated thermal template from a fingerswipe?) in the (delivery of the) authentication should say to the website or application: This is a genuine yubikey AND a genuine fingerswipe. So you swipe it twice: Once for being able to use your yubikey and the second time to authenticate through the yubikey to the website. Build a comparator into the yubikey which checks for the Thermal Template that was created the first time you used it and the "live" Thermal Template. Think of it as a switch. As soon as the comparator sees that the "live" swipe matches the "stored" swipe, it only sends your ID-tag in the form of for instance a 64 character OTP to the website, or, more preferably, to The Autonomous Open ID-server. This way you don't have to be afraid that your Thermal Templates get stored on servers everywhere. Since only you can use YOUR yubikey, due to the built-in fingerswipetechnology, those two matching swipes would give both parties the reassurance needed that you are you.

To prevent real-time phishing you could have the valid website check the IP-number of the Autonomous Open ID-server of which there would only be let's say a couple of hundred around the world. They might take over the role of Yubico's servers as well as the role of "hub" from existing nodes on the web, and/or co-exist. I will explain more about this below: Fourth: The Autonomous Open ID-server.

A different solution for a different problem would be to have yubikeys that can recognize & talk to each other. Say you want to connect to a real person who also has a yubikey. (What follows is a simplified example. To keep computational cost down you would need to use session keys.) Here we go: Traffic from them coming into your computer is encrypted with the public key belonging to your yubikey and traffic from your computer bound for them is encrypted with their yubikey's public key. At both ends it's being decrypted with the respective private keys. As is also described in THIRD, for email. Now you are more secure, because it takes two authenticated persons to get a connection going. At some point, this might become a network of yubikeyed people, who can really trust each other's traffic. The connection to your ISP would also be encrypted, so even your ISP can't read your traffic anymore. Of course, sometimes you still want anonymity. If the proposed fingerswipeable yubikey came with an anonymity ON/OFF mode, you'd still be able to secure your traffic AND use the TOR service to hide your IP address. You do this by having two different sets of private & public keys on your yubikey, one for normal use and one for anonymous use. Where you could for example be identified with a one time 64 character passphrase, in order to prevent someone from posing as you. Yet you'd still be anonymous.

The whole thing should obviously be made in such a fashion, that when you start tampering with the yubikey you can't use it anymore. It should be made physically impossible to take it apart and use it to pose as someone else. Also: I mentioned the Thermal Template that was created the first time you used it, but one could conceive of a child or a teenager's fingerswipe changing over time. In that case it would be handy to have like 3 to 5 Thermal Templates which lose the oldest one, when a new one is added. That way you would avoid not being able to use the yubikey due to a growth spurt. Of course, this might weaken the yubikey's security. You'd want to experiment with that, I'm sure.


***THIRD*** You could have the thermal template be (the basis for) an AES-key, stored in the yubikey. The owner now has a unique AES-key that is NOT stored on yubico's servers but which ONLY resides within the key itself. You could see that as a private key, like is being used in asymmetric encryption. Make the yubikey generate a public key. Now your email contacts can encrypt the emails they want to send to you with your public key. This email traffic can then only be read by a person who has the private key; which is you! Even if some jealous spouse wanted to use your yubikey to read your emails, it simply wouldn't work, since her fingerswipe would be different from yours. Now, even total noobs can email safely!


In about a decade or so, a whole new Virtual Society has sprung up, on the internet. It needs something we've been taking for granted in the Real Society: A form of identification via your body. Just like in the real world, unless you WANT to be anonymous, you should never have to change your online identity, for the rest of your life. A fingerswipeable ANYkey might be the answer to that call.

In an age where it's getting easier and easier for online companies and governments to track WHAT we do and WHERE we're doing it from, the necessity for anonymity and encryption of your data becomes ever more apparent. The old username and password scheme is also too easily being abused at the moment, by baddies, to stymie and thwart good people, who find themselves unable to log in, because said baddies are blocking them from the server. Which they reside over. With which we entrust them. Which they can do anything they like on, to other people, because no-one can hold them accountable, and they themselves can do that to you..in total secrecy, in total ANONYMITY! As long as one person on the whole planet is still vulnerable to this mistreatment, we are all the worse for it. What if that one person has a lot of potential to do good, for instance a doctor, inventor or a scientist, but is being stymied precisely because of that, by malicious hackers/rogue employees. It's time for a more fair approach, one with which the person who wants to log in is totally protected from this type of hidden online violence.

***Fourth: The Autonomous Open ID-server***

But how do you solve this? We're all dependent upon servers being maintained by people, who can do nasty things to you. Answer: you get the people out of the loop altogether. It should be a self-contained, self-maintained server which is only checking for your ID-tag, released by the comparator built inside the yubikey and therefore could only have come from a yubikey owned by the same person who's logging in. That way, you can get online across the web, because you would only have to check it against the people-less Open ID-server to get access to the hopefully many websites which are connected to it. It (the server) would treat everyone equally good or bad, depending on its design. Who should it be designed by, you might wonder. Well obviously by the open-source community, since this has proven to be an effective way to get things done in a transparent manner.

The autonomous and auto-scalable server(s) should have enough redundancy built in, to be able to keep running for a long time without maintenance. Of course, should that be unavoidable, then it would have to be the open-source community to tinker around with it, rather than a closed-source group. A bit like the astronauts, who go in with a plan, get the job done, and get out of there again. Under the watchful eyes of the OSC. It would have to become "The Thing To Do", for websites, to use these autonomous Open ID-servers as their means of login. The old method [username & password & oh no email too -for every single website-] should become not only a thing of the past, but something suspicious. Those companies who refuse to give up the old method must be enjoying the power they can abuse and exert with it over their users.

Then, it would become much harder for a company's rogue employee to throw you off their login for no reason, because they would have to put in a request on a public list, so that everyone knows who is being thrown off and for what reason. That person would have to have done something bad, like trying to hack into the company's website, or something in the way of rude behaviour. This would then have to be proven by that company. Meanwhile, the person he wants to throw off should at least have the right to keep using the company's website to erase his or her own files, which almost inevitably isn't the case now, when you are being blocked from logging in with today's username and password scheme. You are simply not allowed access to your own bits anymore. We only need to think of our future whistle-blowers to see that the present login-situation is a farce. What if a local admin happens to disagree with a whistle-blower's point of view or is too afraid of repercussions and decides to block the whistleblower from logging in. Now the whistleblower is made to look like a fool, because he or she cannot update his or her own webpage anymore. Do you think such blocking behaviour would happen only once? Instead of again and again on other sites? You wouldn't have such problems with autonomous Open ID-servers. Cloud computing could be a singe or a cinch, depending on the type of authentication you use.

Furthermore, I think electronic voting wouldn't be such a problem anymore, if we were to use the fingerswipeable yubikey. It uniquely identifies you as you, so what you want is to tie your choice to your fingerswipe. To do that, you need a secure connection (https) and an open-source community driven website. Now everyone can vote from the comfort of their own home. It's either that, or pencil and paper, because that's the safest option known so far.

Notice I didn't even mention the kind of threat which has gotten way more attention, and therefore seems more obvious, which is: hackers stealing your personal and financial data. It's much more widely known and therefore "accepted" as a threat. But even that threat would become severely limited if the fingerswipeable yubikey were to take off on a big scale. Banks and most corporations, even online financial ones, cannot be trusted to handle this on their own. All it yields is a patchwork or a plethora of login-schemes all of which fall short of the kind of security a fingerswipeable yubikey and autonomous Open ID-servers would bring.

One day, in the not too distant future, people might all have a yubikey on steroids. They log in without fear, because open-source works. They send and receive data with it over the internet, in a thoroughly encrypted fashion, and they also store this data on their yubikey-encrypted drives, so that only they can read it, with a swipe of their finger. Thus our body has become our passport, because we all have a body, but no-one else has YOUR body.


I hope you've enjoyed my contribution.


Kind regards,

Folbert Schoon

THE NETHERLANDS

P.S: I've sent my address details to jakob at yubico dot com on 19 February 2009.
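
Editor's added example (not part of the letter, and not Yubico code): a Python sketch of the letter's comparator-as-switch with its rolling set of stored templates, showing how re-enrolment follows a drifting fingerswipe and also moves the region the token accepts. Assumptions: 2-D unit vectors stand in for thermal templates, cosine similarity stands in for the matcher, and an HMAC-SHA256 counter value stands in for the 64-character OTP; the class and function names are hypothetical.

```python
import hashlib
import hmac
import math
import struct
from collections import deque


def template_at(degrees):
    """Constructed stand-in for a thermal template: a 2-D unit feature vector."""
    r = math.radians(degrees)
    return (math.cos(r), math.sin(r))


def similarity(a, b):
    """Cosine similarity; biometric matching is fuzzy, never an exact compare."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class SwipeGatedToken:
    """Hypothetical token: the templates and the secret never leave this object."""

    def __init__(self, secret, first_swipe, max_templates=3, threshold=0.95, adapt=True):
        self._secret = secret
        # Bounded window: adding a template beyond max_templates evicts the oldest.
        self._templates = deque([first_swipe], maxlen=max_templates)
        self._threshold = threshold
        self._adapt = adapt
        self._counter = 0

    def swipe(self, live):
        """Return a 64-character OTP if the live swipe matches, else None."""
        best = max(similarity(live, t) for t in self._templates)
        if best < self._threshold:
            return None  # switch stays open: no OTP, no counter change, no enrolment
        if self._adapt:
            self._templates.append(live)  # rolling re-enrolment of the accepted swipe
        self._counter += 1
        msg = struct.pack(">Q", self._counter)
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


def drift_demo(adapt):
    """Swipe at 15, 30, 45 and 60 degrees of drift, then retry the original position."""
    token = SwipeGatedToken(b"constructed-device-secret", template_at(0), adapt=adapt)
    results = [token.swipe(template_at(d)) is not None for d in (15, 30, 45, 60)]
    results.append(token.swipe(template_at(0)) is not None)
    return results


if __name__ == "__main__":
    print("rolling templates:", drift_demo(adapt=True))
    print("single template  :", drift_demo(adapt=False))
```

With the rolling window every drifted swipe is accepted and the original position ends up rejected once its template has been evicted; with a single fixed template only swipes close to the first enrolment pass.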
