Identity Crisis: The Delusion of NSTIC

U.S. Commerce Secretary Gary Locke last week announced the release of the National Strategy for Trusted Identities in Cyberspace (NSTIC) during an event sponsored by the U.S. Chamber of Commerce. The event appears to have been your standard hoopla affair, and comes a couple months after circulation of the initial draft. You can read the NSTIC strategy in its entirety here.

Overall, NSTIC is an interesting effort undertaken by the federal government in recognition of the myriad failures limiting the growth of safe, secure online transactions today. In particular, the report puts a major emphasis on the continued use of passwords, and in the need for individuals to have unique credentials for the dozens of sites they interact with on a regular basis. Most people make use of unsafe computing practices, reusing passwords and/or choosing week, but easily remembered, credentials.

Unfortunately, this initiative appears to be very short-sighted and, at least on face, a bit ludicrous. Yes, passwords are a major problem today, but nothing in the strategy really addresses passwords specifically. Instead, the report targets the lack of a single "trusted" credential and seem to view the solution as being to simply consolidate all credentials into one "strong" credential. They do make mention of smart card technology in the strategy, but they are certainly not mandating any one solution since they want to create room for innovation. I have very low hopes for this approach.

Key Quotes

There's much criticism that can (will) be leveled at this proposal, but let's first look at what it promises.

First up, let's look at the defined "vision" of the plan:

"Individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation."

Note that this vision is very utopian in nature. One trend I noticed throughout the document is a tendency toward focusing on the positives. The threat to online identities is only played upon in the initial problem scenario setup, and then is almost completely set aside, even though the plan itself instantiates new threat exposures under the original problem scenario.

Note here that "FIPPs" are "Fair Information Practice Principles":

"The eight FIPPs are transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing."

"Universal adoption of the FIPPs in the envisioned Identity Ecosystem will enable a variety of transactions, including anonymous, anonymous with validated attributes, pseudonymous, and uniquely identified--while providing robust privacy protections that promote usability and trust."
These two quotes are interesting. Again, NSTIC takes a somewhat idealistic approach, trying to find that win-win scenario. Unfortunately, as we'll discuss below, there are a lot of new (and old) challenges that will, I think, lead to compromising on some of these FIPPs. Either that, or it will be found to be unimplementable. Notice that they describe the attributes, but they don't really weight them, or talk about whether or not they can or should be weighted. I think we'll find that the FIPPs, in implementation, are internally contradictory, and will thus lead to weakening some factors in favor of others.

Last, we'll end with a quote from NSTIC on the "voluntary" nature of these "Identity Ecosystem"...

"Finally, participation in the Identity Ecosystem will be voluntary: the government will neither mandate that individuals obtain an Identity Ecosystem credential nor that companies require Identity Ecosystem credentials from consumers as the only means to interact with them Individuals shall be free to use an Identity Ecosystem credential of their choice, provided the credential meets the minimum risk requirements of the relying party, or to use any non-Identity Ecosystem mechanism provided by the relying party Individuals' participation in the Identity Ecosystem will be a day-to-day--or even a transaction-to-transaction--choice."

The goal of NSTIC will be to create a single credential that will be universally used. I fully expect that the bar will be lowered, and quickly, to allow for solutions to be presented. Once these solutions are deployed, then I fully expect to see "encouragement" from the feds to speed adoption. For instance, life will be made "easier" in many areas of interacting with the feds, if only you adopt use of an approved NSTIC ID. However, in doing so, you'll inevitably be making security and privacy trade-offs.

Reading the CNET article, "Obama moves forward with Internet ID plan," provided some additional quotes of interest:

"During his speech, Locke lashed out at the 'conspiracy theory set' who have criticized the proposal. A column in NetworkWorld.com, for instance, called NSTIC a 'great example of rampant, over-reaching, ignorant, and ill-conceived political foolishness.'"

What you see here is a classic "either you're with us or against us" ploy; one that has been popping up with greater frequency these days. Rather than accept that this idealized plan has weaknesses, they'd rather cast all critics as being "wackos" (note the language "conspiracy theory set") who simply don't get it. Of course, the irony of this all is that we do "get it" and very much so. How many years of infosec experience does Secretary Locke have? I'm guessing it's a lot less than me... in fact, let's look at who Locke is over on Wikipedia. He's a career politician, currently Commerce Secretary, but also standing nominee to become the next US Ambassador to China. So, I take his comments as purely political defensive maneuvering.

Interestingly, not all in attendance were completely supportive

"Sen. Barbara Mikulski, a Maryland Democrat who also spoke today at the Chamber event, seemed to veer a bit off-message--and instead of touting anonymity, she stressed the importance of aiding law enforcement.

Protecting civil liberties is important, Mikulski said. 'But the first civil liberty is to be able to have a job, lead a life, and be able to buy what you want in the way we now buy it, which is through credit cards.'"


These comments highlight one of the many inherent contradictions that will be faced by NSTIC, and that are implicit in the FIPPs. Given the current direction of the political leadership in this country, I do not for one nanosecond believe that there will not be interference from government or law enforcement in these implementations. Moreover, I am extremely concerned that we're seeing the feds start pushing toward a single high-value credential as they stand to gain a lot more than they would lose, even though the average US citizen would be in just he opposite position.

Lastly, I found this insight to be on the verge of being prophetic:

"Another concern: Although the White House is describing the NSTIC plan as 'voluntary,' federal agencies could begin to require it for IRS e-filing, applying for Social Security or veterans' benefits, renewing passports online, requesting federal licenses (including ham radio and pilot's licenses), and so on. Then obtaining one of these ID would become all but mandatory for most Americans."

Criticism of the Plan

Network World already produced criticism of NSTIC when the draft first came out in January (see: "NSTIC and the feds HUA problem"). This criticism earned them the bane of Secretary Locke in his "conspiracy theory set" comments. However, I think there are several problems with this proposal.

1) NSTIC Solves the Wrong Problem

Much of the focus in NSTIC is on creating this so-called "Identity Ecosystem." Unfortunately, it does not generally speak to the core problem, which is ongoing reliance on password-based authentication. Reading between the lines in the report, it seems that their unstated believe is that, if they can reduce the number of accounts people use, then that will trigger peoples' willingness to then adopt use of stronger authentication mechanisms, such as smart card technology.

On the one hand, this seems like a nice idea, but on the other hand, how sure are we that we have truly good, viable, scalable alternatives to passwords? Smart cards have been deployed within the federal space, but we have to bear in mind that deploying to an "enterprise" environment is very different from deploying to the public at large. Moreover, even with the deployment of a smart card, we will STILL have passwords (or PINs) present, which means that we've not really solved the problem, but merely shifted it a bit.

More than anything else, I would love to see major research investments around how to rid the world of passwords altogether. That is the problem that needs to be solved. ID Ecosystem is secondary.

2) NSTIC is Anti-Anonymous

The notion that NSTIC will protect anonymity is a bit of a joke. In fact, as Sen. Mikulski's comments reflect, there absolutely will be a drive toward providing law enforcement with access. Despite the hand-waving and positivity in the report, I do not for one nanosecond believe in the "good will" of our government. We've been betrayed far too many times, especially since 9/11, and I think that we will only see more of this behavior.

The bottom line is that these credentials will have to have a home somewhere on the Internet, which means that whomever hosts that credential will have the ability to de-anonymize the ID and link it definitively to a person. Moreover, this is the whole point of a "trusted Identity Ecosystem" - to get rid of true anonymity.

Some could (have/will) argue that anonymity doesn't truly exist any more, and to a degree I would agree, but there's still somewhat of an ability to cover most tracks if one were really interested in doing so. This proposal is nothing short than a "cure" to anonymity, which means it is, in fact, anti-democratic, since anonymous speech is a tenant of our (allegedly) free society.

3) NSTIC is Anti-Privacy

Despite all the talk about FIPPs and protecting privacy, the simple fact is that - as already noted - a single "trusted" credential like this will, by definition, be de-anonymized. Sure, you may be able to control information disclosure in a given authenticated situation, and yes they definitely have put some thought into this topic, but the fact still remains that the ID will be authenticated by a service provider who has fully vetted you and who can tie a credential to a person.

More importantly, this vetting process will necessarily require an individual to disclose even more information than they already do today just to get the "trusted" ID. I would imagine this will require providing Social Security numbers, addresses, possibly submitting to background checks, etc. Where does the line get drawn? And, more importantly, how do we keep the line from continuing to move toward more up-front disclosure of information, all in the name of pseudo-trust on the Internet?

The very existence of a "trusted" ID that has been reasonably linked to an individual means that it will be de-anonymized. Thinking about this from a legal perspective, you're going to have to go to great lengths to tie the ID to a person so that you can then extend how you'll be able to use it in legally-binding transactions. The farther we go down that road, the less private everything will be. Mark my words.

4) It Will Be Tracked

In the report, there is hand-waving about how you, the individual, will be able to control what is disclosed to the other part in a transaction. A model not too dissimilar from the Kerberos protocol is described. However, what is glossed over is that there is, out of necessity, a trusted 3rd party brokering the transaction. What is to stop this 3rd party from then tracking all the touchpoints between consumer and end-party? It seems to me very likely that this is where law enforcement will first focus their efforts. We'll now have mutual authentication, and the consumer will have a strong credential to boot that is tied to them through some sort of rigorous registration process (after all, how else would you ensure that someone is who they claim during registration?). The trusted 3rd party need only keep a record of authentication transactions succeeding with ID X and Site Y and the rest proceeds from there.

Secretary Locke would have us believe that this won't happen, but I see nothing in the plan that would prohibit a provider from tracking basic transactions. Moreover, having experience in these types of systems, I cannot see how the provider wouldn't track this information. At best the authors are being naive, and at worse their actively trying to mislead.

5) It Will Be Broken

In consolidating to a single "trusted" credential, no matter how strongly authenticated, NSTIC is absolutely creating a high-value target. What happens when it's compromised/broken? It will happen at some point in time. Maybe not today. Maybe not tomorrow. But, at some point in the near future, whatever credentials are released as part of this "Identity Ecosystem," they will become compromised. How do you address that event? How do you now a) suspend the ID, b) validate that the actual consumer is who they claim to be, c) prevent the attacker from blocking revocation through impersonation, and d) limit the costs to the consumer for cleaning up the resulting mess? I have very low expectations in this area, and I think it will take one class break of a NSTIC credential system to cause the whole thing to fall apart. That is, unless resilience and recoverability are somehow built into the system, which seems somewhat unlikely given the current draft.

Ironically, this problem ends up coming back to the original problem: How do you prove that someone online is who they claim? You don't. You have to fall back to out-of-band methods. And, as we've seen with account security questions, some of those out-of-band methods are worse than the solutions themselves. Much needs to be done in this area to improve things before NSTIC will be viable.

Bonus: It's going to take a generation!!!

My last quip here is not so much a criticism of NSTIC as it is a general comment. Whatever we do today to "fix" problems such as the one targeted by NSTIC, it will take at least a generation for it to roll into play and take full effect. There's no way my grandparents - both in their 90s - are going to make use of NSTIC credentials. I'm also somewhat doubtful that the Boomers (my parents included) will be adopting these new approaches. There's simply not much incentive to do so. However, I fully expect that they'll continue to tinker online and undertake a certain percentage of online transactions.

What this all means is that it's going to take another 25 years for any solution to become fully mainstream. Let's now think about where we would all like to see things go in the next 25 years. In the grand scheme of things, I think addressing passwords themselves should be priority #1. I don't think NSTIC ends up being all that important once the password problem is solved. A degree of consolidation is likely inevitable, but we're already seeing that as Twitter, Facebook, and Google credentials are used elsewhere. Perhaps NSTIC provides a mechanism to informally regulate these authentication credentials, but without any legislative teeth, it seems unlikely to go anywhere.

It seems the biggest benefit from NSTIC will be the availability of additional research funding for tackling some of these authentication-related challenges. Out of the whole program, that's probably the biggest benefit. It's too bad we have to deal with all the delusional hoopla and political posturing along the way.

About this Entry

This page contains a single entry by Ben Tomhave published on April 18, 2011 12:05 PM.

GRC and Cloud Security was the previous entry in this blog.

Thoughts on Secure360 and RMISC (2011) is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Monthly Archives

Pages

  • about
Powered by Movable Type 6.3.7