Sunday, March 16, 2008

Rethinking Digital Security

This entry offers an alternative way to think about security. The idea actually originated with Christine Komatsu, a design student who is working on a project to rethink how we perceive the basic notion of locks and keys.

Digital Security today and why it is flawed:

There are 3 components that all computer systems rely on to enforce security:
  1. Authentication - This is usually the first step: a computer needs to know that you are you.
  2. Authorization - OK, I have verified that you are you. Computer systems now need to control which resources a user can or cannot access. Users must also be able to "delegate" access to resources they own to others.
  3. Private communication - in order not to compromise authentication or authorization, computers must have a secure and anonymous mechanism for communicating with users.
However, this model is totally useless for real-world systems like securing your house. A house has no concept of your identity or authorization; it only knows about locks and keys. If you are afraid that you might lose your key, you duplicate it and give the copy to a friend. If you need more security, you buy a bigger and stronger lock. If your house has been compromised, you change your locks and get new keys.

The reasons why we might want to think about security this way are:
  1. People who want to compromise your resource will focus only on stealing your key, not your identity. If your resource is compromised, you don't lose your identity.
  2. Keys can be replicated and distributed; identity cannot. Even if you delegate resource access to someone else, if your identity has been compromised, your friend cannot re-delegate control of the resource back to you.
  3. Many locks of different strengths are much more desirable than one lock that can open all doors.
  4. It's hard for users to think about having multiple identities; it's easier to think in terms of owning multiple keys.
  5. Delegation models are extremely difficult for the average person to think about.
  6. People are leery of single sign-on. If digital security is based on identity, and your identity is compromised, all your resources are open to thieves.
I believe that if we rethink digital security in terms of locks and keys, users can strike a better balance between accessibility, manageability, and security.


How such a system would work:

In this way of thinking about security, there are the following activities:
  1. Creating new keys
  2. Creating new locks
  3. Putting locks on resources
  4. Opening & Closing a lock
Creating new keys

The idea is that every person would have one or more keys. Keys come in many different forms: a password, an RFID tag attached to your shoe, a physical device carrying an encrypted password (e.g. an ID card), or a rotating token. Hence keys can be created on a computer (e.g. a password), bought in a store (e.g. RFID tags), and so on.

Creating new locks

Users should be able to create digital locks. Locks should have the following properties:
  1. They can require 1 or more keys to be opened - To enhance security, a user may want to require more than 1 key to open a lock. E.g. a user may want their front-door lock to require both a key card and the RFID embedded in their shoe. Since most people in North America wear shoes, a thief cannot simply steal your wallet; they would also need your shoe to enter your house.
  2. They can be opened with multiple combinations of keys - To allow recovery from lost keys, a user can specify that a different combination of keys (e.g. 2 different key cards given to two different friends) can also open the lock. This way, if the user loses their own keys, they can retrieve the 2 key cards from their friends to open the door. Neither friend can open the door alone, hence a friend losing a key is not a concern.
  3. Locks can be created anywhere - to improve security, resources should be able to create locks themselves. This requires that the keys be available to the resource at the time the lock is created. Instead of having a central "lock factory" that could be compromised, its keys stolen, its locks duplicated, etc., having the lock created on the resource itself increases security. For example, a user may want the lock to be created on the safe, not on the internet.
  4. Locks know the IDs of the keys that can open them
  5. Locks have a unique, publicly visible ID - All locks should be identifiable so that the user can remember which keys open which lock.
Adding/removing locks from resources

Putting locks on resources is like putting locks on doors. Digital locks are different in that one lock can be put on multiple resources. Resources must abide by the following rules:

1. Resources can require multiple locks for access
2. The number of locks required to access a resource must be set while the resource is open.
3. Resources can copy locks from other resources
4. Resources can have locks added or removed only while the resource is open.
5. Resources can further specify that locks may be added or removed only with a certain key combination.

Opening and closing locks:

At the time that a lock is opened:
  1. The keys and the lock must have a secure mechanism for communicating with each other. This is necessary to prevent possible duplication of keys.
  2. Opening of the lock is user initiated, to prevent accidental opening of the lock.
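The secure key-to-lock exchange in point 1 can be modelled as a challenge-response protocol. The following is an added example, not code from the post; it assumes that each key and the locks it is enrolled in share a per-key secret (in the spirit of the post's "physical device with an encrypted password"), and that the lock issues a fresh random nonce for every user-initiated opening. The secret itself never crosses the channel; only a one-time HMAC over the lock's ID and the nonce does, so an observer of one opening learns nothing that can be replayed at this lock, presented to another lock, or used to duplicate the key.

```python
import hashlib
import hmac
import secrets


class Key:
    """A key device holding a secret it never reveals (assumed design)."""

    def __init__(self, key_id: str, secret: bytes) -> None:
        self.key_id = key_id
        self._secret = secret

    def respond(self, lock_id: str, nonce: bytes) -> bytes:
        # The answer is bound to this lock and this nonce, so it is useless elsewhere.
        return hmac.new(self._secret, lock_id.encode() + nonce, hashlib.sha256).digest()


class Lock:
    """A lock that knows the IDs (and shared secrets) of the keys that may open it."""

    def __init__(self, lock_id: str, key_secrets: dict[str, bytes]) -> None:
        self.lock_id = lock_id
        self._secrets = key_secrets
        self._pending: set[bytes] = set()     # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        """Step 1 of a user-initiated opening: issue a fresh one-time nonce."""
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, key_id: str, nonce: bytes, response: bytes) -> bool:
        """Step 3: accept only an unused nonce of ours plus a matching HMAC."""
        if nonce not in self._pending:
            return False                      # never issued by this lock, or already used
        self._pending.discard(nonce)          # consumed either way: one attempt per nonce
        secret = self._secrets.get(key_id)
        if secret is None:
            return False                      # key ID not enrolled in this lock
        expected = hmac.new(secret, self.lock_id.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def open_lock(lock: Lock, key: Key) -> bool:
    """One complete exchange: lock challenges, key answers, lock verifies."""
    nonce = lock.challenge()
    return lock.verify(key.key_id, nonce, key.respond(lock.lock_id, nonce))


def demo() -> dict[str, bool]:
    """Constructed scenario: which transcripts a lock accepts and which it rejects."""
    secret = secrets.token_bytes(32)
    card = Key("KC_ID 1", secret)
    door = Lock("LOCK-1", {"KC_ID 1": secret})
    back_door = Lock("LOCK-2", {"KC_ID 1": secret})      # same key enrolled in a second lock
    stranger = Key("KC_ID 9", secrets.token_bytes(32))   # a key no lock knows about

    nonce = door.challenge()
    response = card.respond(door.lock_id, nonce)         # this pair is what the channel carries
    return {
        "genuine_exchange": door.verify("KC_ID 1", nonce, response),
        "same_transcript_again": door.verify("KC_ID 1", nonce, response),
        "transcript_at_other_lock": back_door.verify("KC_ID 1", nonce, response),
        "fresh_exchange_other_lock": open_lock(back_door, card),
        "unenrolled_key": open_lock(door, stranger),
    }
```

Only the first line of `demo()`'s result is accepted; the same transcript is rejected a second time at the same lock and at any other lock, while a fresh exchange with the genuine key still succeeds. This is what makes the lock's knowledge of key IDs (property 4 above) safe to rely on: possession of the secret is proven, not the secret itself.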
Some use cases:

1. Securing the house for a family of 4
  • User goes out to purchase 6 key cards and 4 RFIDs, and creates 1 password key
    • 4 of the 6 key cards are identical. (KC_ID 1)
    • 2 of the key cards are unique (KC_ID 2 & 3)
    • 4 RFIDs are identical (RF_ID 1)
    • Password Key (PW_ID 1)
  • Mom creates a lock on her iPhone that can be opened with 3 key combinations
    • KC_ID 1 & RF_ID 1
    • PW_ID 1 & RF_ID 1
    • KC_ID 2 & KC_ID 3
  • Mom hands out the keys
    • Each family member gets a KC_ID 1 card, and places an RFID in their shoe
    • Each family member is told the password and told to not tell anyone else.
    • KC_ID 2 & 3 are handed out to good friends, who are told never to admit to having the key to other friends unless the entire family dies
  • Mom copies the digital lock from her iPhone to all 4 doors of the house
  • Mom removes the digital lock from her iPhone
  • Pros:
    • Family members will be able to get into the house even if they forget their key card. If they are really stupid and forget their shoe or password, they can just wait for another family member
    • Family members can contact friends to get KC_ID 2 & 3 in the event that they cannot wait for their family member.
    • Family members will know very soon if their house is compromised - there is very little chance that a robber will steal both the key cards and the shoes without them noticing.
2. Securing the Internet in public and private places.
  • Sally has a key card (KC_ID 1) and a secret password (PW_ID 1). Sally has an RFID (RF_ID 1) in her shoe. Sally's monitor at home has a key card built in (KC_ID 2).
  • Sally creates a lock that can be opened with 2 key combinations:
    • KC_ID 1 & RF_ID 1 & PW_ID 1 - Public internet access
    • KC_ID 2 & PW_ID 1 - Private internet access (upstairs bedroom)
  • Sally puts the lock on all websites where she has private information
  • In public, Sally usually has her wallet (with KC_ID 1), shoes, and usually remembers her password. Sally is able to access the internet outside.
  • In private, Sally doesn't wear her shoes and frequently leaves her wallet downstairs. Because KC_ID 2 is built right into her monitor, she can still surf the internet at home.
  • Pros:
    • The password isn't the only thing that protects you: even if your password is compromised outside (e.g. by a keyboard logger), the thief also needs Sally's shoes and wallet
    • Sally's home computer is protected by a door. Even if a thief breaks into the house, they need to know Sally's password to access her internet account.
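To make the lock properties, the resource rules, and use case 1 (the family house) concrete, here is an added example in Python; it is not code from the post. Keys are reduced to their IDs, using the post's own labels (KC_ID 1, RF_ID 1, PW_ID 1, ...), and how a key proves itself to a lock is out of scope for this block. A lock opens when any one of its key combinations is fully presented (every key in that combination is required); a resource opens when enough of its attached locks open; and locks can be attached, removed or copied only while the resource is open. The lock IDs and the `Resource` class are this example's own assumptions.

```python
from __future__ import annotations

import itertools
from dataclasses import dataclass, field

_lock_ids = itertools.count(1)   # property 5: every lock gets a unique public ID


@dataclass
class Lock:
    """Opens when ANY one combination is fully presented; within a
    combination ALL listed key IDs are required (properties 1 and 2)."""
    combinations: list[frozenset[str]]
    lock_id: int = field(default_factory=lambda: next(_lock_ids))

    def can_open(self, presented: set[str]) -> bool:
        return any(combo <= presented for combo in self.combinations)

    def key_ids(self) -> frozenset[str]:
        """Property 4: the lock knows the IDs of the keys that can open it."""
        return frozenset().union(*self.combinations)


class Resource:
    """A door, a safe or a website account guarded by one or more locks."""

    def __init__(self, name: str, locks_required: int = 1) -> None:
        self.name = name
        self.locks_required = locks_required   # rule 2: fixed while the resource is open
        self.locks: list[Lock] = []
        self.is_open = True                    # a new resource starts open, so locks can be fitted

    def _require_open(self) -> None:
        if not self.is_open:                   # rule 4
            raise PermissionError(f"{self.name}: locks change only while open")

    def add_lock(self, lock: Lock) -> None:
        self._require_open()
        self.locks.append(lock)

    def remove_lock(self, lock: Lock) -> None:
        self._require_open()
        self.locks.remove(lock)

    def copy_locks_from(self, other: Resource) -> None:
        """Rule 3: the same digital lock can be copied onto many resources."""
        for lock in other.locks:
            self.add_lock(lock)

    def close(self) -> None:
        self.is_open = False

    def try_open(self, presented: set[str]) -> bool:
        """Rule 1: at least `locks_required` of the attached locks must open."""
        ok = sum(1 for lock in self.locks if lock.can_open(presented)) >= self.locks_required
        if ok:
            self.is_open = True
        return ok


def attempt(resource: Resource, keys: set[str]) -> bool:
    """Close the resource, then try to open it with exactly these keys."""
    resource.close()
    return resource.try_open(keys)


def family_house() -> dict[str, bool]:
    """Use case 1 from the post, with the post's own key labels."""
    house_lock = Lock([
        frozenset({"KC_ID 1", "RF_ID 1"}),   # everyday: family key card + shoe RFID
        frozenset({"PW_ID 1", "RF_ID 1"}),   # forgot the card: password + shoe
        frozenset({"KC_ID 2", "KC_ID 3"}),   # recovery: both friends' cards together
    ])
    phone = Resource("Mom's phone")
    phone.add_lock(house_lock)
    doors = [Resource(f"door {n}") for n in range(1, 5)]
    for door in doors:                       # copy the lock to all 4 doors, then lock them
        door.copy_locks_from(phone)
        door.close()
    phone.remove_lock(house_lock)            # the phone no longer carries the lock
    front = doors[0]
    try:                                     # rule 4: a closed door cannot be re-keyed
        front.add_lock(Lock([frozenset({"PW_ID 1"})]))
        rekeyed_closed_door = True
    except PermissionError:
        rekeyed_closed_door = False
    return {
        "member_card_and_shoe": attempt(front, {"KC_ID 1", "RF_ID 1"}),
        "member_forgot_card": attempt(front, {"PW_ID 1", "RF_ID 1"}),
        "member_forgot_card_and_shoe": attempt(front, {"PW_ID 1"}),
        "lost_card_alone": attempt(front, {"KC_ID 1"}),
        "one_friend_alone": attempt(front, {"KC_ID 2"}),
        "both_friends_together": attempt(front, {"KC_ID 2", "KC_ID 3"}),
        "same_lock_on_every_door": all(d.locks == [house_lock] for d in doors),
        "phone_holds_no_lock": phone.locks == [],
        "rekeyed_closed_door": rekeyed_closed_door,
    }


def safe_with_two_locks() -> tuple[bool, bool]:
    """Rule 1: a resource may demand that more than one lock opens."""
    safe = Resource("safe", locks_required=2)
    safe.add_lock(Lock([frozenset({"KC_ID 1", "RF_ID 1"})]))   # the family lock
    safe.add_lock(Lock([frozenset({"PW_ID 1"})]))              # a second, password-only lock
    return (attempt(safe, {"KC_ID 1", "RF_ID 1"}),
            attempt(safe, {"KC_ID 1", "RF_ID 1", "PW_ID 1"}))
```

Running `family_house()` shows the post's three outcomes side by side: a family member with card and shoe gets in, one who forgot the card gets in with password and shoe, and neither friend can open a door alone although both together can; a lost card by itself opens nothing, and once a door is closed its locks cannot be changed. `safe_with_two_locks()` shows the same keys failing against a resource that demands two locks until the second lock's key is also presented.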
Conclusion:

By rethinking digital security using locks and keys, I believe that we can simultaneously improve usability, manageability, and security in this digital age.
