
Identity Theft and Derived Credentials


Avoid the Cavalcade

The recent cavalcade of identity theft attacks making front-page news reminds us of two disturbing trends:
  • Our electronic and physical identities are becoming increasingly intertwined.
  • We lack adequate control over the data that is shared on our behalf in order to access services.
The most obvious example of these trends in the United States is the electronic storage of large numbers of Social Security numbers and banking access codes, which attract criminal attacks from any country with a computer science school. For any service that is regulated by the government, like healthcare, banking, and enterprise payroll systems, the SSN is the unique key that the service provider uses to identify each customer and employee. The end user is given no authority over how the SSN is protected and shared.

Security and Murphy's Law

It's not Murphy's Law that dictates the inevitability that such data eventually becomes compromised. Indeed, data loss happens all the time: confidential files are inadvertently shared on the Internet or saved to a smart phone and then left in the back of a taxi. We rarely hear about it.

The opportunity for the IT industry is to ensure that loss and theft of electronic storage media, such as smart phones and laptops, does not imply data compromise. We can do this by ensuring that the data are always encrypted and that decryption always requires strong authentication.

The Importance of Disclosure

Government regulation plays an important role in consumer disclosure. When Social Security numbers or credit card numbers are exposed, the citizen has a right to be notified. But government regulation moves too slowly to stay current with the latest threats. For example, regulation tends to focus on data encryption requirements without wading into the complex interaction between authentication, authorization, and access to electronic data storage. This approach leads to "check box security," which is easy for compliance checking but ineffective at improving the real security of users on the Internet.

Humans are Bad at Passwords

What is needed is a user identifier and credential that is of no value to an attacker. With current systems, users share sensitive personal information and passwords across a broad swath of online services. This is done for two reasons: first, human memory is not designed to keep track of information that is sufficiently random to compose even a single strong password, let alone a different strong password for every website. Second, regulated markets, lacking competitive pressure, are only accountable for user privacy to the extent that the government says they must be.

Nevertheless, there are two positive trends. First, while human brains are bad at creating computer passwords, computers excel at it. And a critical mass of consumers now carries a computer in their pocket everywhere they go. Second, while online privacy controls continue to lag, there is a shared desire among firms to avoid fines, lawsuits, and bad PR. In other words, these firms have an interest in protecting privacy so long as the cost in lost sales does not overwhelm their profits.

What are Derived Credentials?

Derived credentials are a solution proposed by the National Institute of Standards and Technology for use in government agencies. An example is the link that can be created between the Common Access Card (CAC, aka PIV), a combined identity badge and smartcard issued to every DOD employee, and that employee's smart phone.

The smart chip on the CAC stores a strong cryptographic credential. A picture of the user's face can be printed on the plastic, and ownership is clear: the CAC belongs to the government, not the user. To be useful, the card just needs a nice user interface, an Internet connection, and a widely supported app model. All of those needs are met by the great user experience available with any modern smart phone. As shipped, the smart phone app model does not have the capability of storing secrets securely, nor does it easily allow the CAC to be read by the smart phone. Yet the hardware that powers the smart phone does have the capability to store secrets securely and act in every way just like the CAC. All that is needed is an innovative solution to bridge the gap between the CAC and the smart phone's capability.

The solution is to use the primary credential (protected on the CAC) as a means to bootstrap a secondary credential derived from that onto the smart phone. New hires and recruits are issued a CAC only after nationality and tax identity have been verified. That has been a common pattern for employer and bank issued identities for many years. Birth certificates and national identities are verified, usually in person, and then a credential on a CAC is issued to signify employment or some other organization-specific identity. In fact, employer and bank credentials frequently come in two parts, a physical identity (ATM) card plus an online logon account.

Find the Weakest Link

The pattern, or chain, of identity credentials is therefore typically: national birth or naturalization identity, followed sometimes by state-issued identity such as the driver's license, followed by one or more employer-issued identities, followed now by a derived credential that enables secured credentials to be carried around in a mobile device that is already in the hands of most users. But now we need to address the long certificate chain from the government to the employer to the smart phone that is owned by the user. The weak link is the security of the smart phone in the user's control. That weak link is where an innovative solution must be found, so that the derived credential can be trusted by the employer, and in some cases by the government itself, to maintain the security of the credential it was derived from.

Phone Based Authentication

Generally, since typing a complex password into a mobile phone keyboard is painful, phone-based authentication systems achieve an acceptable balance of security and usability by storing a portion of the user credential in a browser cookie or password vault. Then, each time the cell number must be verified, an automated system calls the user and prompts for a short PIN. It is more convenient to type in the PIN than to reenter the complex password, and the average user is vastly more vigilant about not losing their phone than about picking and remembering strong passwords. More information about how phone-based authentication systems work can be found in our previous articles, Protect Your Online Identity Using Your Phone and Use Two-Factor Authentication to Mitigate Fraud.

Phone-based authentication systems are good from the perspective of helping to mitigate the threat of online password guessing attacks, but there are vulnerabilities in the registration process. For example, if an attacker guesses your password, then that's all he needs to protect your account with his cell phone number. Of course, you'll notice next time you use the account that you can no longer sign in, and you'll contact technical support in order to get the problem fixed.

As stated previously, phone-based authentication is a bit of a special case, since even though the original account password is only rarely manually typed by the user, the password is still being presented automatically on behalf of the user by the web browser (or similar client software). The phone number is therefore additive. In contrast, when you present your employer ID badge in order to access a secured building, you don't also present your birth certificate. In order to get your employer badge in the first place, you only had to present your government ID once. Thereafter, you just use the former, and that's usually the way derived credentials work.

Bootstrapping Challenges

It's instructive that the bootstrapping procedure of the derived credential is subject to the same vulnerabilities as the initial credential. In the case of phone-based authentication for online accounts, the net result is better protection against password guessing and account hijacking. However, in the case of other identity theft scenarios, a forged government ID, or even just a convincing liar, is enough to obtain a derived or replacement credential that is very difficult for its rightful owner to discover and undo.

Proper care must be taken to assess the security of the issuance procedure for the derived credential. The integrity of the identity conferred by a derived credential is based on assumptions made about two separate vetting processes. If the original identity is bogus due to weak vetting, then a successfully obtained derived identity has essentially laundered it. Future newsletters will focus on these challenges.

Vetting is Hard

In an enterprise setting, this is a reason that derived identities — a smart card, say, or a phone-based credential — based purely on knowledge of a static password should be avoided. Most likely, the user account was originally created after the new employee signed some papers and submitted a W9. In many industries, no government ID is required for employment; you just have to show up and do the work. Thereafter, the user might reuse the same password in five different online accounts, tell it to his girlfriend, and save it in a file named passwords.txt on his desktop. If the vetting process for the derived credential is based solely on knowledge of the user password, even if the user has to show up at an official administrative office to type it in, how do you even know it's the right guy?

User identity vetting procedures present the usual challenges and trade-offs one expects when the real world intersects the electronic one. On one hand, in-person verification is important when deriving a credential from a government photo ID. On the other hand, such manual steps are vulnerable to social engineering. Likewise, electronic identities can be attacked anonymously by hackers on the other side of the world. But, unlike a desk clerk, strong digital credentials cannot be tricked or bribed.

This again is the type of conundrum that entities such as the DOD face in attempting to derive a relatively more convenient mobile credential from a relatively more secure physical one. In fact, these days, smart phones are capable of hosting strong credentials including cryptographic keys and biometrics. However, a virtual chasm exists between a DOD employee's smart card badge and cell phone, even if both items happen to be in the same pocket.

Physical to Digital

Technical solutions do exist for crossing the chasm from a smart card badge to a new digital credential on a smart phone. For example, since phone-compatible smart card readers are not widely used, one approach is to introduce an intermediate hop. That is, use the badge to derive a credential on a PC, where USB smart card readers are relatively inexpensive and convenient to use. Then use the PC credential, together with some second factor of authentication, to derive the digital credential on the phone. This is another example of a chain of credentials that can be linked to enable the user to strongly authenticate from the personal device that is carried everywhere. The JW Secure StrongNet Secure Admin solution demonstrates the way to make the user's PC a secure source of credentials. We do this using the Trusted Platform Module (TPM) security chip (or secure firmware) that is installed on every modern computer. Please explore some of the related information below from JW Secure and other sources.
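The bootstrapping step described above (the primary credential signing a secondary one onto the phone), the assurance concern from the Vetting section (a derived identity must never claim more vetting than the credential it came from), and the relying party's check of the resulting chain, shown as an added example that is not part of this newsletter or of any JW Secure or NIST product. The assertion format, field names, and the assurance levels are assumptions for illustration; SP 800-157 deployments use X.509 certificates instead.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Derived is the assertion the primary (CAC) key signs to bootstrap a phone key.
// Hypothetical format: a real deployment would issue an X.509 certificate instead.
type Derived struct {
	Subject   string `json:"sub"`       // user identifier carried over from the primary
	PhoneKey  []byte `json:"phone_key"` // public half of a key generated on the phone
	Assurance int    `json:"assurance"` // may never exceed the primary credential's level
	Expires   int64  `json:"exp"`
}

// Issue runs on the issuer after the CAC has authenticated. The CAC private key signs
// the phone's public key; assurance is capped so a weakly vetted primary identity
// cannot be "laundered" into a stronger derived one.
func Issue(cacPriv ed25519.PrivateKey, subject string, phonePub ed25519.PublicKey,
	primaryAssurance, requested int, now time.Time, ttl time.Duration) ([]byte, []byte, error) {
	if requested > primaryAssurance {
		return nil, nil, errors.New("requested assurance exceeds the primary credential's")
	}
	body, err := json.Marshal(Derived{subject, []byte(phonePub), requested, now.Add(ttl).Unix()})
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(cacPriv, body), nil
}

// Verify is the relying party's check: the assertion must chain to a trusted CAC public
// key and be unexpired, and the phone must prove possession of the derived private key
// by signing a fresh challenge. Returns the authenticated subject.
func Verify(trustedCAC ed25519.PublicKey, body, sig, challenge, challengeSig []byte, now time.Time) (string, error) {
	if !ed25519.Verify(trustedCAC, body, sig) {
		return "", errors.New("assertion not signed by a trusted primary credential")
	}
	var d Derived
	if err := json.Unmarshal(body, &d); err != nil {
		return "", err
	}
	if now.Unix() > d.Expires {
		return "", errors.New("derived credential expired")
	}
	if len(d.PhoneKey) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(d.PhoneKey), challenge, challengeSig) {
		return "", errors.New("phone did not prove possession of the derived key")
	}
	return d.Subject, nil
}
```

Note that only the phone's public key ever crosses the chain; the private half stays on the device (ideally in its secure hardware), which is the distinction between the credential and the certificate drawn in the reading list below.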

Read More about Protecting Identity and Credentials

Network Access and Identity
Endpoint Security: describes the protection provided by a TPM
High-Integrity Internet-Scale Device Authentication
Guidelines for Derived PIV Credentials (NIST SP 800-157): describes an alternate token for mobile devices
Public Key Infrastructure: defines the credential to be the private key and certificate to contain the user identifier linked to the public key. These two concepts are often confused in the technology literature.


Quote of the month

If there is anything that a man can do well, I say let him do it. Give him a chance.
- Abraham Lincoln -

Thank you for reading the JW Secure Informer

The JWSecure Informer is a bimonthly newsletter that can be sent directly to your inbox. Please add to your safe sender list. To subscribe, or contact Customer Care, use the links below.
This information has been organized and published by:
JW Secure, Inc.
1752 NW Market St. • Suite 227 • Seattle, WA 98107
© 2015 JW Secure, Inc. All Rights Reserved.