D3.2: A study on PKI and biometrics

Title: SECURITY AND PRIVACY ASPECTS

Security Aspects

The concept of a global Public Key Infrastructure (PKI) has several inherent problems. These problems have been known for years and received extensive discussion in the security community, see for example Peter Gutmann’s X.509 Style Guide, Carl Ellison’s testimony before congress, Bruce Schneier’s 10 Risks of PKI [SCH00] or [LAN02]. Given below are just a few of them.

Hidden assumptions

The hidden assumption underlying public key cryptography, and thus PKI systems, is that secret keys always remain secret. In reality that would necessitate specially designed hardware and software for the exclusive purpose of signing. As long as secret keys are kept in general purpose machines with all their security shortcomings, the non-repudiation of digital signatures cannot be guaranteed.

Hierarchical PKI systems consist of trees of certificate authorities (CAs) with individual keys as leaves (“Subjects” in X.509 terminology). The CAs certify connections between subject names and public keys. The CAs nearer the root of the tree certify compliance to certain policies (Policy CAs) with their signatures. The policies define the strictness of checks to run on individuals who apply for certificates, among other things. When an application checks a subject’s certificate, this means that it has to check along the chain starting at the root CA (which has ultimate “trust”) up to the CA signing the subject’s key. 

The problem with this approach is that all CAs’ policies have to be at least as strict as the root CA’s policy. This monotonously increasing burden of “trustworthiness” does not reflect economic reality, i.e. the root CAs are run in high-security environments and charge highly for their services whereas less central CAs often cannot implement the same precautions. Another problem is the lack of checks on the implementation of policies.  

Certificate revocation

If a certificate holder suspects that someone may have copied her secret key (although knowing that might not be possible), she can issue a certificate revocation request to the CA that signed her key. The CA then puts the certificate’s unique number on a public list of revoked certificates, the Certificate Revocation List (CRL). For this reason, every signature check requires an authenticated query to the CA.  

This concession to the potential non-secrecy of secret keys breaks the elegant design of PKI. One might be tempted to ask, for example, why anyone needs signed certificates at all if one must inquire after the subjects’ keys at a central authority anyway.  

Square pegs in round holes

The established standard for certificates, X.509v3, was designed by committees not involved with the Internet and its inner workings. It is no wonder that the requirements of Internet applications do not map nicely onto the data fields of X.509 certificates. This has led to a multitude of non-interoperable adoptions to the standard, which again has delayed adoption of security protocols such as IPsec. 

Names in cyberspace

In the identity context, another problem with global PKI arises. If one were looking, e.g., for old John Smith’s public key, a PKI would most probably not help. Names which are globally unique (“John E. Smith with passport number 0X456DN34757”) cannot be memorised easily by people, whereas the naming schemes useful for people (“the John Smith from Baltimore, who works for Ann Miller”) are not easily formalised to allow automated processing.  

Longevity of signatures

If digital signatures were to replace handwritten ones, the non-material nature of digital signatures becomes a problem. If a contract’s duration is 30 years, and at the end of this span one of the partners claims never to have signed the contract, it is far from clear how this would be resolved. The CA which signed the certificates and kept the revocation list might be out of business. The signer’s key and the key that the CA used to sign the CRL might be broken by then by new algorithms or faster hardware, such that anyone could fake the signatures.  

Privacy Aspects

Traditional public key certificates contain information about the holder. Each digital certificate can be traced uniquely to the person to whom it has been issued (or to the device in which it has been incorporated) and can be followed around instantaneously and automatically as it moves through the system. In this respect, digital certificates offer no more privacy than social security numbers, credit card numbers, and health registration numbers. Consequently, digital certificates can be misused to deny a certificate holder access to services, and to block his or her communication attempts in real time. For example, certificate blacklists could be built into Internet routers. Also, transaction generated data conducted with target certificates can be filtered out by surveillance tools, and delivered electronically to third parties.

In spite of these threats, the protection of privacy has never been a core issue in the legal and policy discussions about PKI in Europe. Of course every PKI application has to be fully compliant with the provisions of the European Data Protection Directive 1995/46/EC. But the use of identity certificates as such has rarely been put into question since the European regulatory framework for electronic signatures was introduced.

Following the example of the German “Signaturgesetz” (see section ) of 1997 the European Directive 1999/93/EC provides that personal information used in this context should be directly collected from the person concerned and foresees also the possibility to use certificates based on pseudonyms. In practice however, the electronic identity card initiatives in the Member States which adopted PKI as a solution for authentication and electronic signatures do not make use of this possibility. Some of these initiatives even make extensive use of unique identifiers.

In Australia, the Federal Privacy Commissioner, on the invitation of the government, has issued guidelines for Commonwealth Agencies using PKI to transact with individuals. The guidelines include: the principle of choice for individuals to use or not to use a PKI-based government service, the necessity to conduct a “privacy impact assessment” before the introduction of a PKI-based solution, the prohibition to collect or to log unnecessary personal data, the individual’s choice between one or multiple certificates, an opt-out possibility for public directories, the principle of key generation by the subscriber, etc.

From a technological perspective, research has been conducted to find suitable alternatives for PKI based on identity certificates. One of these alternatives is the use of credentials. Following earlier research findings of David Chaum and others, Stefan Brands has described this alternative in his book “Rethinking Public Key Infrastructures and Digital Certificates”. The certificates he proposes function in much the same way as cash, stamps, cinema tickets or subway tokens: anyone can establish the validity of these certificates and the data they overtly specify, but no more than that. A “demographic” certificate, for instance, can specify its holder’s age, income, marital status, and residence, all digitally tied together in an unforgeable manner. Each certificate holder can decide for himself, depending on the circumstances, which part of the data encoded into a digital certificate to disclose. Also, a certificate can be presented in such a manner that no evidence is left at all of the transaction; this is much like waving a passport when passing customs. Alternatively, it can be presented in such a manner that the only information left is self-authenticating evidence of a message or a part of the disclosed property; this is much like presenting a paper-based certificate with crossed-out data fields so that a photocopy can be made. Furthermore, the self-authenticating evidence can be limited to designated parties.