No matter how you try, it’s impossible to protect your identity online. Researchers have found a major gaping security hole.
You enter your code and password. You click OK. But you get nowhere. So you check if you have entered the right information, not once, but several times. You get annoyed because the bank is so useless.
You call the special number, the number that is supposed to be staffed with someone who can tell you what is going on. “No, I’m afraid that account does not exist”, the woman on the other end of the line says.
This is just the first in a series of odd events that leads you to realize that you have been a victim of identity theft.
You are not alone. In the United States roughly 10 million people each year have their identities stolen, according to American consumer organizations. There are no official figures for Norway, but ID theft is now generally considered to be the most profitable of all types of crime, even more profitable than drug trafficking.
Maybe you were careless with your card or code, perhaps someone has been inside your computer – who knows. With the jumble of passwords and codes you have, something had to go wrong sooner or later.
Luckily there will soon a solution to this nightmare – a separate electronic ID that can be used for everything. It should be sufficient to address all problems, and thus will make everything much safer.
A hole in the net
Over the next year, Norwegians who want a new identity can get one – an electronic identity, that is. With an e-identity you can avoid long queues and lost work days if you have to deal with public officials. Everything could be handled safely via the web – everything from the prescription you get from your doctor, to dealing with the Norwegian Labour and Welfare Office, the tax office or the bank.
But what do you do when you’ve followed every data security guideline, and you find that it’s just not good enough?
Researchers at NTNU’s Centre for Quantifiable Quality of Service in Communication Systems, Q2S, have found a major security hole in what is supposed to be a tightly knit network. And the biggest hole is deeply buried at the most fundamental security level.
As a result, the standards for basic encryption must simply be rewritten.
Secure – like a house of cards
Svein Knapskog is a professor of telematics at Q2S, and explains what this digital house of cards is all about.
“Individuals are the greatest security risk. Even if you are meticulously careful, and have virus protection software and a phishing filter, and never do anything stupid with your PC, it’s still not enough. From a security perspective, the Internet is a digital house of cards. There are many gaps in the technical solutions that we use today, and rich opportunities for freeloaders and crooks to exploit them.
We should certainly think things through thoroughly before we launch the large-scale use of national electronic IDs. We have work to do on the security front first. We actually need to rewrite some of the basic international standards for how to securely encrypt data sent over the Internet. When this has been done, then we can relax a little bit.”
Key to safety
“What we’re talking about here are keys: the keys that lock and unlock the information packets we send via the web. The keys that ensure that people who are sniffing around in that sea of incomprehensible ones and zeros are not able to read them the way that you and I can because we have the keys.”
But NTNU researchers have discovered something unusual about these keys: if the same key is used twice, it’s no longer secure. How do you explain that?
“Think back to the old days”, says Knapskog, “and pretend that we want to deliver a letter that contains secret information. Maybe it’s a spy who has found something that could change the outcome of the war. Maybe it’s a secret love letter between two people who aren’t supposed to meet.
Whatever the case, the idea is that no one else should be able to access the contents of the letter, and the parties agree to a secret code that enables them to read the letter. People who don’t know the code will not understand anything, while those who have the code can read the letter with ease. Nowadays we use a separate computer program, called an encryption library, which uses digital keys for digital transmissions that need to be secured and encoded.
What we’ve found is that when we use this kind of encryption library, where people at each end of the message have the same code key and use it more than once, outsiders can read the information without having access to the key. It’s as if we didn’t use an encryption key at all.”
So we need to establish a standard for how this kind of encryption library is created, so that the same code key is never used more than once. That’s not the standard today. Current specifications are such that it’s possible to believe that it’s okay to use the same keys all the time.
Thus, the critical concept is management. Knapskog and his team of researchers have for some time been working to learn more about how keys are handled in different security situations, so they can come up with information that will be important in designing a Norwegian electronic ID. Now things are beginning to get interesting.
Safe – on paper
So you think perhaps we have a government oversight agency that checks and approves how security is handled in companies that will take care of your private information? As a consumer, you expect that there is a regulatory framework that will protect you, at least when it comes to the sharing of personal information – that your password and that little calculator-like thing protects you from digital identity theft, and from having money taken out of your bank account.
Yes – there are rules, called privacy protection laws and data oversight. But there’s no rule that says that data security will be checked. It just means that a company, bank or government agency must have documents that certify they have good security routines.
It is only when the country’s security is threatened, that safety really must be checked and the National Security Agency (NSM) gets involved. The personal information that you enter on the Norwegian Labour and Welfare Agency’s website, or the Norwegian Tax Authority’s website is not important enough.
Do we dare?
Companies themselves also define the level of security risk that they face, and make certain that they have the appropriate security measures in place. Once a company has determined its security risks, the Data Inspectorate comments on the safeguards in place, and hands out a license. They don’t actually go into the company’s computers and physically check the technical solutions.
«We should certainly think things through thoroughly before we launch the large-scale use of national electronic IDs.»
Professor Svein Johan Knapskog
Then there’s the Post and Telecommunications Authority, which regulates and monitors telecommunications in Norway. They operate what is called oversight by declaration. This means that they ask you to document how your website will ensure that any information on it is secure. This government agency does not conduct a specific check of the security safeguards either, unless it has good reason to suspect there is a problem. They can do a complete ITaudit, if they want to, but it is not something that happens without reason.
And it means that they mostly approve approaches on paper, but they have no approval scheme for IT solutions. This is just something that you don’t find in Norway. But it would probably be a good idea to audit our IT security sometimes. Do we really dare to take a digital leap when there’s no documented security?
Market for security
The bank and the other Internet sites you use say that they are secure. They have done what they can. There is a huge market for security-related products, whether it’s consultants who will help you improve your security, or software to protect your identity online. If you want a technical product to be checked, you can get an IT laboratory to do the evaluation.
Norway has two companies that are approved by Sertit, the certification authority for IT security. Secode is one of them. “When we help a business with security, we use products that have good track records in the market. We obviously check to make sure that the products contain encryption and key management specifications that meet the customer’s demands. But customers very rarely need us to test the vendor’s claims about the encryption method and key management”, says Arne Tjemsland, who works for Secode as a consultant.
“But it is clear that it’s important for researchers to find weaknesses or security functions that have to be improved or included in new products. History shows that this is an important contribution to improved security”, says Tjemsland.
No public key blunders
By now, we are all quite comfortable with online banking and e-shopping. But perhaps you have also filed your tax return online? Then you would have used the Norwegian Tax Authority website. But are these pages secure Buypass AS is the company that provides technical support for the Tax Authority and a number of other public services on the Internet. We presented Knapskog’s findings to John Arild Johansen, security chief at Buypass.
“Knapskog’s article is interesting reading and points out a principle (Key Separation Principle) that is important to be aware of, but easy to overlook. At first glance, we are relatively confident that this does not represent a problem for Buypass”, Johansen commented.
But he asks if he can return to the matter. He would like to check whether Buypass products are actually safe in relation to what Knapskog has found out. After a couple of days, we learn that in fact, Knapskog’s findings are relevant because they address symmetric cryptography, which is frequently used in Buypass products.
“A security hole caused by poor key management actually comes from poor design,” says Johansen. “But since it can happen under the recommendations from the current standards, it’s understandable that it might occur. It is still not an issue for our products. Buypass hasn’t made this kind of mistake, and our products are safe.”
Adequate security or not?
The Norwegian government has set aside NOK 20 million in 2008 for work on electronic IDs (EID), which will include establishing the terms and conditions for security, among other tasks.
Tor Alvik, at the Agency for Public Management and eGovernment, says his agency is still in the early stages of working on security requirements. “The agency will establish the new requirements in cooperation with a number of other government agencies. Cryptographic methods are one of the security challenges we will take up in this work”, he said.
Professor Knapskog is not convinced.
“I hear what they say, but so far we have not received all the answers that we need. We will wait and see if there’s adequate security in place, or whether it is up to online criminals to figure out just how secure your e-identity really is.”
Hege J. Tunstad