Header Ads

A Secure Digital Identity


It’s true – while your greatest accomplishments may barely see the light of day, it’s your most embarrassing moments that will most often reach a wider audience. While we try our best to live our lives in frivolous anonymity, we are on some level aware, that we leave clues to our identity as we move through our lives. We may call up work and say we are sick with a fever while we watch a film, all the while knowing that all it takes is a simple call home to confirm our dishonesty.

A digital identity

As the internet draws inroads deeper into our personal lives, we find ourselves increasingly concerned about our online personality.

Today, a simple Google search can yield all your tweets on Twitter, all your blog posts, your forum interactions, your video posts, the list goes on. All the breadcrumbs Hansel and Gretel need to reach the deepest recesses of your identity.

One rarely worries about the implications of what we leave behind, and often forget who all can see it. The ease and seeming anonymity of the internet are just too lucrative. What many people do online is the equivalent of carving every bench, every tree, every wall we encounter in our lives with our thoughts at that time. It’s all well and good to see proof of your love for your girlfriend carved on a tree years in the future, but it can get embarrassing with your wife standing next to you.

The biggest threat our online identities face is the damage that can be caused by unscrupulous and unauthorized intrusion. Many of us have been through the embarrassment of emails sent with our good name to unsuspecting habitants of our address books, and the sheer horror that follows. The messy explanations, “No, I’m NOT selling ‘enhancement’ products” OR “No, I don’t have any relatives in Nigeria”.

The worry some fact is that this is so very easy in the digital world. Even though new forms of communication have become more popularized, and better secured, a large portion of our online persona lies in our email boxes.

Stories may be spun and rumors may fly, but when it comes right down to it, in the world outside computers, it is your signature that defines the authenticity of the written word. Flawed as it might be it is a system that provides a measure of security to our transactions.

Digitized validity

How would you share a secret? Perhaps by whispering it to a friend, or discreetly slipping a note of the same. However, in most situations neither is an option. We may need to get secretive or sensitive information across, however the party delivering the message cannot be trusted with it. When we look at computers transmitting information over the internet, what we have is a communication being sent over a possibly unsecured channel that could be monitored or even tampered by adversaries. Depending on the content of the message, and its target audience, we relate to different security schemes. In some cases verifiability of a message’s authenticity is all that is required, while in other cases the authenticity of the source is more important.

Here lies the difference between the concepts of digital signatures, message authenticity verification and encryption.

Digital signatures

A digital signature may be taken pretty much in the same terms as a physical signature, it identifies the authorship of a document, thus authenticating the source. It gives security to the author, as he is only liable to accept authorship of documents with his signature.

A signature is something that anyone can read and possible verify, and as such it gives no security to the contents of the documents. Like any form you fill (in quadruplicate) for a government organization, your signature just verifies that you filled the form, the contents of it are still open for perusal by the dozens of people it bounces between before reaching its destination or the Recycle Bin.

Any signature scheme needs to enable anyone to 1) easily and effectively sign their own documents 2) easily verifiable and identifiable as yours (or anyone else’s), and 3) be very difficult if not impossible to forge. We see this in our day-to-day signatures, since they are almost a part of our identity, they are easy to produce. They can be verified by matching with a copy, and it is difficult to produce someone else’s signature. A digital signature by comparison provides much more security than an ink signature as it is practically unforgable.

Authenticity verification

Authenticity verification is more to do with ensuring that the contents of the document are safe from modification, and any modification made by unscrupulous entities can easily be detected. This is similar to laminating a paper document with a plastic sheet, this prevents modifications, and any forced modifications made are liable to be easily detected.

Here, the source of the document is not important, what is important is the validity of the document. Although such is the case with the example of lamination, it is not necessary everyone should be able to detect unauthorized modifications. We can take the example of a document written in special ink which cannot be differentiated from normal ink by most people. In such a case, only people with the ability to differentiate the special ink will be able to detect whether there has been any unauthorized modifications.

Again as in the case of digital signatures, authentication tags need to be easy to produce and verified for the parties involved, but impossible for an outsider to produce.

Encryption

Encryption is the most effective way to keep things away from prying eyes. Unlike authentication tags and digital signatures, encryption garbles the content of the message / document / data in such a way that only the intended parties can decode it.

Encryption gives security to the content by making it impossible for anyone to access it unless they specifically know how. If digital signatures are similar to putting a name tag on your lunch, and authentication tags are like wrapping it in plastic, then encrypting is analogous to locking it in a 10-tonne stainless steel safe.

Encryption relies on algorithms for which the coding is far simpler than the decoding. The encoding operates on two things, the data, and the key. The algorithm is designed such that without the key it is nearly impossible (or unfeasible) to get the data back from the cypher. However unless combined with a digital signature mechanism, you have no way of knowing if the encrypted data is from right source.

Data encryption solutions will help any business secure sensitive data in any database they are currently using. Not only will it protect information circulating around the company, but it will also include their applications, storage systems, virtualized platforms and cloud solutions. Companies have a direct access to control and key management capabilities they need to effectively and efficiently secure any kind of information circulating around the organization.

Encryption schemes also present another conundrum. How do you transfer the encryption “secret”? Whether it is an algorithm or a key, transferring it through an insecure medium is as good as not encrypting at all.

Private-Key encryption

The private key encryption method is one that most people are aware of. Two parties agree on a secret key which will be used to encrypting any further communication. This initial communication where the key is exchanged can be done in person or via a secure channel. Much like whispering or passing a note.

The obvious disadvantage here is the need for a secure way of communication, and if that is available, the whole need for encryption becomes a little moot.

In simple cases, we may share a password over telephone with our friend for files we are about to share. When it is your job to be paranoid about your companies security however, that doesn’t cut it, and a security enabled channel will be used. If having a secure communication channel is expensive, we can use the channel merely to exchange the key. After which the internet can be host to further communications which have been encrypted with the private key.

Public-Key encryption

Unlike the public key system, which is symmetric, i.e. the encrypting key and decrypting key are the same; public-key encryption uses different keys for encrypting and decrypting data. This may seem counter-intuitive, but is incredibly useful. In a Public-Key encryption, the encryption key is openly published for anyone to see, while the decryption key is kept secret. What this essentially means is that while everyone is capable of encrypting messages that you can decrypt, however they are unable to decrypt any messages encrypted by the public-key even the ones they encrypted themselves! In this case, a secure line of communication can be obtained by having the participants exchange public keys, and use them for any secure communication. A secure channel is not required for sending the keys in this case, since the key is only capable of encrypting and not decrypting, furthermore, it is impractical to determine the decrypting key given the encrypting key. Even if your adversaries were to gain access to you public key, it would only enable them to encrypt data with your key, they would still be helpless to decrypt any data that they intercept. In this kind of system, the sending party encrypts confidential data with the public-key of the party which is to receive said data. The recipient of the data is then able to decrypt the message since they have a decryption key (their private-key).

When we use digital signatures practically, a software generates a signature for our given message. The signature is such that if any part of the message / document is changes, the signature would no longer match and we would know immediately that someone has tampered with the message.

Digital signatures aren’t limited to email messages or documents, they are not used in almost every field where the source of the data is important. Microsoft uses digitally signed certificates for drivers it has tested, and warns the user if an unsigned driver is being installed. Digitally signed files, if modified by a virus, will invalidate the signature, which can serve a warning to the user.

A signature is only as good as the one who signed it. A million dollar cheque will do you little good if the signature is of a pauper. Likewise, a digital signature by its nature needs to be easy to produce and as such by itself shouldn’t inspire any confidence. A digitally signed virus which deletes all your files, will only do its job if it’s signature is intact.

For simple cases of authenticating your emails and files for personal purposes, digital signatures are almost free to use. There are many tools capable of generating signature for your messages and documents. Software that work with documents have some support for digital signatures. Microsoft Office products, for example, allow you to generate and attach a digital signature to your documents.

Conclusion

As we see our digital identities take a increasingly important role in our lives, we need to protect it as much as we can. With digital signatures and encryption we can ensure that our message gets across unhindered and without misrepresentation. The need for security is thus becoming more apparent. The measures of security and privacy are becoming a more integral part of every online service.

The internet is no longer just for communicating with people far away. We use it daily to communicate with people in our schools, offices, with our neighbors or even the people in our own homes. This makes what we do online even more important and relevant to our daily lives. There is no longer a Neo and Mr. Anderson, we now have one personality of which the internet is a part.

The ease with which we can create online identities for ourselves only exacerbates the fact that it is as easy for someone else to assume our identity online as it is for us.