
Massachusetts Institute of Technology
6.805/6.806/STS085 Ethics and Law on the Electronic Frontier
Spring Semester, 2001
April 19

Group topic: Authentication, Identification & Key Management

Topic for today

We will begin by outlining reasons why authentication is necessary and will provide a technical overview of digital signatures, certificates, and public-key infrastructures. We will then discuss some major technical frameworks for authentication and identification (X.509/PKIX, SPKI/SDSI, PGP), as well as some existing or proposed systems that provide authentication. We will pay particular attention to Verisign's (www.verisign.com) role as a Certification Authority, recent problems with Verisign's granting of certificates, Etrue's (www.etrue.com) use of biometric data for authentication, and the proposed Microsoft Hailstorm project (www.microsoft.com/net/hailstorm.asp).

Finally, we will show that many of the authentication services and systems in use right now, like the X.509 PKI standard, are a poor idea. Some are not only insecure, but also a privacy hazard. Stefan Brands, now an employee of Zero Knowledge Systems (www.zks.net), wrote a thesis (http://www.zks.net/media/credsnew.pdf) on anonymous and private credentials. We'll be going over why these 'tokens' are better than identity certificates and some of the technology that makes it all possible.

Readings to do before class

  1. Read Chapters 2-4 of Marc Branchaud's Master's thesis, A Survey of Public-Key Infrastructures. This is a little out of date, but covers most of the basics.

  2. Read the Microsoft Hailstorm whitepaper and browse the Microsoft Passport page.

  3. Browse the Verisign website and download a free trial Digital ID if you trust Verisign with the information they ask for (http://www.verisign.com/client/enrollment/index.html). Note: It is not necessary to provide them your credit card information.

  4. Browse the Etrue website and pay particular attention to the technical features of their products, e.g. the technology used in face recognition (http://www.etrue.com/solutions/face_truetech.htm).

  5. Browse http://www.ecitizen.gov.sg/ and http://services.s-one.net.sg/smartcard/faq.html and read the following excerpt:
    "All cars in Singapore are equipped with these special card readers that are mounted on the dash. You insert a smart card into the device. When you're driving down a road and you pass into a busy area, you'll drive under this sign that hangs over the road (these are called ERP gantries). The sign has a special radio link in it that talks to your card reader when you drive under it, and it automatically takes a dollar off of your smart card. If you do not have a reader installed or if you don't have an ERP card inserted, then there is a camera that takes a picture of your license plate, and they mail you a fine. The ERP card is a debit card, so you have to "top up" your card when it gets close to being empty. You can do this at any 7-eleven or some gas stations. There is another card called a "cash card". Like the ERP card, it is a debit card that uses a smart card chip to keep track of your balance. However, this card can be used to buy things all over town. You can pay the fines for overdue books at the library. You can pay the fees for some government services like taking the drivers license test. I discovered this card when I crossed the border into Malaysia. Apparently, the only way to pay the toll at the border toll booth is with a cash card. I didn't have one, so I had to park my car and walk to the office and pay with cash, and it cost S$12.50 instead of the normal S$2.50."

  6. Read the white paper created by Zero Knowledge Systems based on Stefan Brands' thesis on anonymous and private credentials while at MIT (http://www.zks.net/media/credsnew.pdf).

You might also want to browse the project resource page for this topic.



Send comments about this site to 6805-webmaster@zurich.ai.mit.edu.
Last modified: April 15 2001, 8:44 PM
Hal Abelson (hal@mit.edu)
Mike Fischer (mfischer@mit.edu)
Danny Weitzner (djweitzner@w3.org)
Joe Pato (pato@hpl.hp.com)
Joanne Straggas (joanne@mit.edu)