[Random-bits] Robert Reese on CPT Statement on E-Sign bill

Sat, 1 Jul 2000 10:11:12 -0400 (EDT)

---------- Forwarded message ----------
Date: Sat, 01 Jul 2000 04:04:38 -0400
From: Robert Reese <robert.reese@mindspring.com>
Subject: Re: [IPN] CPT Statement on E-Sign bill

  [snip]

Dear Jamie and group,

This law deeply concerns many privacy advocates as well as civil
libertarians.  While we believe this took a step in the right
direction by allowing digital signatures, there is a significant and
disturbing difference between an Electronic signature and a Digital
signature.  A digital signature is provable: it provides nearly
iron-clad proof that the signature belongs to the signer.  It also
undeniably proves that the document has not changed since the
signing.  On the other hand, an Electronic signature is simply an
assertion to one's identity; it is not provable.  If I were to email
someone with some type of agreement contained within, the simple fact
my name was on the email is enough proof for this law.  That isn't
good enough for me.  Here's why:

*It's A Security Issue*
Sadly, it is extraordinarily easy to falsify email and even a web
presence by either "spoofing" (faking) an IP address(1) or breaking
into a poorly guarded ISP account.  Take your own ISP account - it is
probably protected only by a PASSWORD; not a passphrase, nor a PKI(2)
system, nor a PASSPHRASE, nor any other secure protocol.  Very few
people have available a Virtual Private Network (a.k.a VPN) for
secure communications to their ISP.  taking your PASSWORD again, how
many ISPs even allow a password longer than eight characters?  There
are only 95 available characters on the standard US keyboard.  There
are actually up to 255 theoretical characters without "unicode", but
those special characters are inputted via special key combinations.
Few people know of the existence of these characters, less know how
to apply them, and almost no one uses them.  As is often the case,
let's say your PASSWORD is uses only the keyboard characters.  Well,
many systems cannot handle the asterisk (*) nor the question mark (?)
as characters, leaving 93 characters left.  Out of those, only 63
characters are most commonly used - the upper- and lower-case
letters, the numbers, and the seldom used space bar.  Very few many
people use all eight available places in the PASSWORD, so let's say
the average length is 7 characters.  Assuming for simplicity that
rare characters are used as often as common characters ('x' as often
as 'e') AND you don't have to make sense, you get the following
formula for the average number of passwords a hacker has to try
before accessing an ISP account: (63^7)/2 or 196,949,032,000.

Quite a big number you say?  How many people do you know that have a
PASSWORD such as this: "x5PqAE2"?  Not very many.  No, the actual
number a hacker has to try is significantly lower because folks use
their spouse's birthday or their child's name, etc.  There are
programs specifically designed to attack PASSWORDS such as these.  In
testing, I have used a dictionary attack on an 8-character
password-protected zip file.  My dictionary contained over 100,000
entries.  The zip file was broken in less than 10 seconds!  The
PASSWORD was all lower case, and was a proper name.  If the PASSWORD
was like the example "x5PqAE2", the dictionary would have been cycled
through, and then a "brute-force" attack would have to be used.
Instead of mere seconds, it now could take hours or even days to
break.

The _only_ protection you have from someone accessing your internet
account and your now legally-binding email account is a crummy little
PASSWORD that probably can be broken in less time than it took for
you to read this post.  Remember, it's now your key to your identity,
not just your internet password!  Do you feel comfortable trusting
your entire life to 8 little bytes?  Digital signatures provide far
more protection, as it is necessary to possess the private key AND
the PassPHRASE.  Yes, the passphrase can be as insecure as a
password, but hopefully someone that is concerned with the importance
of a digital signature will recognize the importance of the
passphrase protecting it.

Hopefully soon ISPs will now offer the ability to secure your acount
via one or a combination of the following options.  Bear in mind this
is only a partial list of different methods and protocols - many more
exist, and many more are being developed:

	PASSPHRASE:  A good passphrase not only takes a large number of
characters, but also replaces characters with less-used characters.
Additional precautions may include misspellings, munging, character
replacement with a phonetic or symbolic/iconically similar character
or string of characters, random strings, and nonsensical
combinations.  An example may be: "#mArEE h@d & -L1ddL3 7@mB!* xJC24"
  You need to only remember that Mary Had A Little Lamb followed by
xJC24, plus how you changed it.  Thankfully, once you type the
passphrase a few times it is surprisingly easy to remember the key
sequence as you think of the phrase.  Of course, a passphrase need
not be a phrase at all.  Any combination is fine, but the longer and
chaotic the better.

	USER ENTROPY: Answer a few questions only the user would know.  More
advanced than a simple "City of Birth" or "Mother's Maiden Name".
Can be compromised, but is pretty good for most applications.

	BIOMETRICS: Fingerprints, voice-print analysis, facial recognition,
handwriting recognition

	(2) PKI  aka PUBLIC KEY INFRASTRUCTURE :  Pretty Good Privacy (PGP),
RSA Security, Etc.  Uses a private/public key scheme whereby the user
presents a private key protected by a strong passphrase, or
biometrics, or etc. to the host containing the user's public key.
The user in turn verifies the host's private key with the host's
public key which the user already has in his or her possession.

	KERBEROS:  Been around for a long time, somewhat obscure, but is
making a resurgence.  When done properly it is highly reliable and
secure.

	VPN aka VIRTUAL PRIVATE NETWORKS:  Not so much as a protocol but a
type of connection.  The user and host authenticated each other and
then the pathway is encrypted / secured for the duration of the
connection.  Someday all connections will be VPN or a variant
thereof.  Similar to SSL used of secure online purchases.

	SMART CARDS:  Typically secured like PKIs, with strong passphrases,
biometrics, etc., but not always and  therein lies their danger.
Personally, I feel there are too many problems with these.  However,
they are better than just a password.

The two above best, in my opinion, are the passphrase and biometrics.
  These protect other methods and protocols such as the VPN or the
smart card.  They are required for the private key; otherwise it is
worthless if a copy gets loose.  Just like any other serious security
project, the more layers on your system the better.  A good scenario
would be to use a passphrase to verify the smart card that opens the
biometric database containing the pattern to unlock the PKI private
key (in lieu of it's own passphrase) that verifies the VPN.  In fact,
with a properly configured secure communications system, it is far
safer and more secure than physical mail.

*A RECOMMENDATION*
PGP is an excellent PKI program, and is freely available for
non-commercial use.  In addition to the well-known encryption
properties, the true power of PGP is the DIGITAL SIGNATURE
capability.  To give folks an example of what a PGP Digital Signature
looks like, I have signed this post using my private key.  Anyone can
obtain my public key off the public key server at
http://pgpkeys.mit.edu:11371 or ldap://certserver.pgp.com.  I could
have used an x.509 certificate had I chosen; it is another method to
provide digital signatures.  Also, added benefits of the later and
purchased versions of PGP are an included VPN plus something called
PGPdisk, a utility that creates a secure "container" on your
harddrive or removable media.  The free versions can be found at
http://web.mit.edu/network/pgp-form.html.  PGPdisk is only available
in the licensed versions.

"Security is a process, not a product." - Bruce Schneier, Counterpane
Internet Security (http://www.counterpane.com)

Sincerely,
Robert Reese~
Owner - RE6 Computer Services
Cedartown GA

My PGP Key ID# is 0x2F644E48 and the "Fingerprint" is ED06 4800 FAE3
1739 3D4D  F5EA AA5D C3C5 2F64 4E48

NOTE (1): An IP (Internet Protocol) address is the unique address to
which you are known to the internet world.  Each address cannot be
duplicated, and therefor serve to identify computers/devices
connected to a network and the internet.  A computer or device may
have more than one IP address.  Most dial-up accounts use a method
where a customer is assigned a dynamic IP address that has a limited
life for that particular user before expiring.  This actually
promotes security and privacy on the internet, but significantly
prohibits many current and future applications.