This is part of a series on Digital Certificates.
Before we get into the details of digital certificates, we need to take a big step back and ask what an ID means in the big picture.
Any ID has several mandatory characteristics:
1. it is tangible. (Yes, computer files are tangible.)
2. it identifies a “subject”. For instance, the citizen of a passport, the driver of a state driver’s license, the employee, the student.
3. it identifies an “issuer”. In the examples above this is the country issuing the passport, the state issuing the driver’s license, the employer, the school.
4. it has some way to bind the document to its subject. At a minimum that is a photograph and/or signature, perhaps with basic biometric information like height and weight.
5. it has some way to bind the document to its issuer. For an employee badge or student ID this might just be a logo. For high-security documents you may add watermarks, holograms or even laminated layers containing fluorescing content.
6. it is reasonably immutable.
An ID may include additional characteristics:
1. a unique serial number.
2. an expiration date, and possibly a ‘not valid before’ date as well.
3. usage restrictions. (E.g., there may be driving hours restrictions on a driver’s license.)
4. alternate names for the subject or issuer.
Vulnerabilities and Attacks
What are the vulnerabilities of IDs? How can they be attacked? Entire books have been written on this subject but we can quickly hit the highlights.
Impersonation
We can check that the person presenting the ID matches the description on the ID… but how can we trust that the person who went to the issuer wasn't impersonating somebody else? The result is a perfectly valid ID issued to the wrong person.
What about the issuer itself? How can we trust the issuer is who it claims to be? Consider the classic student fake ID.
Outdated Information/Revocation
What do you do when the subject dies (if a person) or is acquired by another organization (if a business)? What if the student graduates? Drops out?
A variation on this is when the state suspends a person's driver's license. It is no longer valid as proof of authority to drive, but it is still proof of identity. How do you make sure third parties have the most current information?
Tampering and Forgery
An ID should be immutable but it may still be possible to tamper with it. E.g., paste a picture of one person on top of the picture of a different person on a driver’s license. How easy will it be to detect that if you only look at the ID through a plastic sleeve?
This is a key point to remember: fake IDs don't need to be perfect. They only need to be "good enough" for the intended purpose, and that bar can be shockingly low.
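The characteristics listed earlier map directly onto the fields of an X.509 certificate, and the relying party's verification step is where the impersonation, outdated-information and tampering cases above actually surface. The Go program below is an added example, not code from the original post: it uses only the standard library, and the issuer name "Example Root CA", the subject name "www.example.test" and the one-hour validity window are made up for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example: the issuer and subject names are hypothetical.
const caName, leafName = "Example Root CA", "www.example.test"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed issuer. Its signature is the digital counterpart of the
// hologram that binds a passport to the state that issued it.
func newCA(name string, now time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	must(err)
	ca, err := x509.ParseCertificate(der)
	must(err)
	return ca, key
}

// issueLeaf signs a subject certificate; each field is one of the ID characteristics above.
func issueLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, now time.Time) []byte {
	pub, _, err := ed25519.GenerateKey(rand.Reader) // the subject's key: the "photograph" the CA vouches for
	must(err)
	der, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(2),                                   // unique serial number
		Subject:      pkix.Name{CommonName: leafName},                 // subject
		DNSNames:     []string{leafName, "example.test"},              // alternate names
		NotBefore:    now.Add(-time.Hour),                             // not valid before
		NotAfter:     now.Add(time.Hour),                              // expiration
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // usage restriction
	}, ca, pub, caKey)
	must(err)
	return der
}

// verify is the relying party's check: the issuer's signature against a root it already
// trusts, the validity window, the permitted usage, and the name actually presented.
func verify(leafDER []byte, trusted *x509.Certificate, at time.Time, name string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		DNSName:     name,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// tamper pastes a new "photo" over the old one: it edits the subject name inside the
// encoded certificate but cannot re-sign it, so the issuer's signature no longer matches.
func tamper(der []byte) []byte {
	out := append([]byte(nil), der...)
	i := bytes.Index(out, []byte(leafName)) // first occurrence is the subject CN
	out[i] = 'x'                            // same length, so the DER still parses
	return out
}

func main() {
	now := time.Now()
	ca, caKey := newCA(caName, now)
	leaf := issueLeaf(ca, caKey, now)
	impostor, _ := newCA(caName, now) // same name, different key: an issuer impersonation
	fmt.Println("valid:      ", verify(leaf, ca, now, leafName))
	fmt.Println("alt name:   ", verify(leaf, ca, now, "example.test"))
	fmt.Println("wrong name: ", verify(leaf, ca, now, "other.test"))
	fmt.Println("expired:    ", verify(leaf, ca, now.Add(2*time.Hour), leafName))
	fmt.Println("impostor CA:", verify(leaf, impostor, now, leafName))
	fmt.Println("tampered:   ", verify(tamper(leaf), ca, now, leafName))
}
```

The first two checks return nil; each of the others returns a non-nil error whose type says which check failed (x509.HostnameError for the wrong name, x509.CertificateInvalidError with Reason Expired, x509.UnknownAuthorityError for the impostor and for the tampered certificate, whose signature no longer verifies under any trusted root). Note what Verify does not do: it never consults a CRL or an OCSP responder, so the suspended-license case above, a certificate that is unexpired but withdrawn by its issuer, needs a separate revocation check that the relying party has to add itself.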
Lack of Due Diligence
This vulnerability is the nastiest: how can you trust the issuer to do a good job? In some cases the problem is sloppiness, but there are also structural questions of who pays the cost of investigating the subject and who pays the cost when the issuer is mistaken. An issuer that is expected to pay for the investigation but will pay no penalty for mistakes isn't likely to put much effort into that investigation. Make no mistake, they may not make intentional errors. They just won't be zealous about doing an in-depth investigation.
On the other hand an issuer who faces a serious financial risk if they misidentify the subject will naturally make a much more serious effort to get it right.
Lessons
We can summarize this in two observations:
1. A third-party certificate authority will put its own interests above yours.
2. Your own certificate authority will still need to invest substantial resources to prevent impersonations, tampering, forgery, etc.
The bottom line is that Digital Certificates are a powerful tool but they are only a tool. They are not a silver bullet.
Danger, Danger, Will Robinson!
If you read nothing else in this series, read this!
Everything you Never Wanted to Know about PKI but were Forced to Find Out (Peter Gutmann)