rising_moon ([personal profile] rising_moon) wrote 2008-12-04 05:33 pm

Systems of Magic, and a request

Recently I've read a few excellent fantasy novels which were written around believable, consistent, and reasonable systems of magic. Believable magic is one of the elements that will sell me on a writer. I've enjoyed The Abhorsen Trilogy, by Garth Nix, and, most recently, The Name of the Wind, by Patrick Rothfuss.

I've learned that Brandon Sanderson, who wrote this essay on systems of magic, is going to finish Robert Jordan's 12th and final novel of the Wheel of Time series. Depending on my Lady's response to his work, I might take up the first one. :)

Unrelatedly (maybe): can any of you recommend a good history (articles, blogs, anything) of technical approaches to affixing Identity? That is, assuring that individuals are who they say they are? I'm making a study of transaction psychology -- financial services inclined but not fixed -- and would love some background data on approaches to identity assurance. Thanks!

[identity profile] goldsquare.livejournal.com 2008-12-05 10:30 pm (UTC)(link)
To brief the topic briefly, one authenticates in one of two ways. One other proffers evidence of a shared secret, or each party proffers secrets.

The secrets are broken down into "what I have, what I am, what I know". An example of each is: a token that generates large numbers over a period of time -or- a fingerprint -or- a password. Highly secure systems use two or even three of those, and often use rotating systems of information, or variable challenges.

When passing the secrets back and forth, every single step of the way must be secure, or in the end the security is worthless. That means not just careful transmission, but careful handling. For example, some old software used to accept a password, and store it clearly, in memory. Users that wanted to break into the system could search used memory, or unauthorized memory or disks for patterns that contained those passwords.

Some of the more sophisticated systems use leased access concepts - where access is temporary, and must be periodically renewed automatically. (Kerberos was one such system, developed at MIT. The Jini software project used leases for everything, including access, and was developed at SUN Microsystems.)

One can proxy authentication to another system - meaning that the two systems can authenticate each other in a complex way, and then the proxying system will trust the other to do the work.

There are two major threats to authentication, although there are countless more. One is compromise of a secret, and the other is to play a "man in the middle" and somehow capture all traffic. Means of losing secrets are legion.

I hope this lecture is helpful. If not, please chalk it up to good intentions. :-)

[identity profile] rising-moon.livejournal.com 2008-12-08 08:05 pm (UTC)(link)
Now, I really enjoyed Last Call, particularly for stunts like the lead's imaginative approach to attending the title event. :) The hero/maiden/mother myth scene at the lake, though, kind of felt shoehorned in to fill out the rest of the archetype.

I'll return it with cookies. :)

[identity profile] rising-moon.livejournal.com 2008-12-08 08:07 pm (UTC)(link)
Oh, duh. Thank you. I'm sorry to say that I started Jonathan Strange and then The Ladies, feeling like I should enjoy them, since all my friends did, but I didn't quite gel with either one. I never really liked Mr. Norrell enough to get over his being painted as unlikeable... or something. Maybe you can convince me to pick up Strange again.

[identity profile] rising-moon.livejournal.com 2008-12-08 08:08 pm (UTC)(link)
*kiss*

[identity profile] rising-moon.livejournal.com 2008-12-08 08:13 pm (UTC)(link)
This end of user authentication is really what I'm interested in. The field of "what you know (data)" is pretty much set: very few people know your SSN, your DOB, and your parents' alternate names, but fewer know the color of your first car, the street you lived on two moves ago, etc. All good. "What you are" is simple biometrics, with their several technical challenges and ROI equations.

But "how you do what you do" is interesting! I explored "user fist" algorithms at my previous employer's, and for several reasons the system proved unreliable. That is, unreliable for the purposes of securing the information we were securing. But something like the "user fist" (or "user facility" in some other arena, like juggling) must be unique enough...

We need an individuated Turing Test.

[identity profile] rising-moon.livejournal.com 2008-12-08 08:23 pm (UTC)(link)
This is all familiar, but more detailed than I'd read before. Thank you! Most of my background on this topic was gleaned through working on the authentication application through my previous employer. I really don't know the history of systems security.

dilettante, below, proffers a fourth kind of secret that compasses unique physical skills/motions/behaviors (like the WWII "fist"). It wasn't cost-friendly, nor certain, to use the "fist" to authenticate the apps I was working on, but our research did make me wonder. Some day maybe we'll add "what I do" to the list. :)

Even a unique, individuated Personal Turing Test wouldn't solve for the "man in the middle" scenario, though. Hm.

[identity profile] goldsquare.livejournal.com 2008-12-09 03:01 am (UTC)(link)
I think those are simply combinations of "what you know" (juggling) and who you are (motions). Gait analysis is another possible example.

A variant of that might be the "anti-drunk driving" tools that you can install on cars now. In addition to the car key (what you have), one is presented with a random number that must be pressed into a keypad within a time frame. Fail, and the car will not start. Fail enough times swiftly, and the car locks down for a while.

There are defenses against man-in-the-middle attacks, as well as "replay" attacks.

I find this stuff amazingly geeky and fascinating.

PS The asymmetric problem solving of primes is the core of what is now known as Public Key Encryption. It is a fascinating variant of "what you know". Do you know much about it?

[identity profile] kyttle.livejournal.com 2008-12-09 05:38 am (UTC)(link)
Exactly, the factoring problem reduces to a secret that only you know. The awesome part is you can actually prove to the world that you know the secret without actually revealing the secret!

I only know of two generally accepted forms of authentication: knowledge of a secret (in many variations) and possession of an object (which may be your body). The idea of authenticating someone based on how they do something is really cool, but I've never seen it actually used. If you've heard of something similar used in practice, I would love to hear about it.

I wonder how consistent people really are and how quickly their skills change. It's like voice recognition: it seems like a great idea, but what if I have a cold?

[identity profile] kyttle.livejournal.com 2008-12-09 06:01 am (UTC)(link)
I find this stuff really fascinating, too, and spent part of high school trying to get a teacher to support me in an attempt to write a program that could identify an author by their style (no luck, sadly).

This problem reminds me a lot of determining whether or not a sequence of numbers is random. Please pardon the obligatory Dilbert comic: [image]

Any attempt to read a sequence of actions and determine if it was generated by a specific person is going to have to be probabilistic, just like a test for randomness. It seems to me like the trick is accurately calculating that probability. Take identifying someone by their typing style, for instance. We can ask someone to type some passage of text and measure the accuracy and time between keystrokes to try to identify a user. But users will vary, and it is almost certain that in a large enough pool of people there will be two whose variations overlap somewhat. The users won't be identical, but there will exist certain output sequences that will be plausible for either user. Then the trick is determining which user is more likely.

I feel that this is a problem that humans may be a lot better than computers at.

Another point of interest: people change over time, so the authentication will have to change as well. Skills improve or deteriorate. If you ask a user to type a specific passage to identify themselves a lot, they will get better at typing that passage, and maybe at typing in general. When I was researching identifying authors by their writing styles, I found out that authors change style a lot over the course of a lifetime, to the point that an author's early work and later work may be less similar than some different authors are.

On a practical level, how would you maintain the authentication scheme in the face of changing skills? On a philosophical level, if a person's skill changes so much so that they no longer authenticate, is the authentication test right? Are they a different person?

This would make a great discussion over a bottle of wine some day
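
The "which user is more likely" comparison from the comment above, as an added example that is not part of the thread: each timing profile is modelled as independent Gaussians (an assumption), the enrollment numbers are constructed, and `build_profile`, `identify` and `adapt` are illustrative names. It declines to decide when two profiles explain a sample about equally well, and it moves a profile toward accepted samples to follow changing skill.

```python
import math
from statistics import mean, stdev

# Constructed enrollment data: inter-key intervals in milliseconds for the
# same short passage, three sessions per user (made-up values).
ENROLL = {
    "alice": [[110, 95, 140, 120], [105, 100, 150, 115], [115, 90, 145, 125]],
    "bob":   [[130, 100, 135, 160], [125, 110, 140, 150], [135, 105, 130, 155]],
}

def build_profile(sessions):
    """Per-position (mean, std) of each interval across enrollment sessions."""
    columns = zip(*sessions)
    # Floor the std at 5 ms so a very consistent typist is not over-trusted.
    return [(mean(c), max(stdev(c), 5.0)) for c in columns]

def log_likelihood(profile, sample):
    """Log-probability of the sample under independent Gaussian intervals."""
    total = 0.0
    for (mu, sd), x in zip(profile, sample):
        total += -0.5 * math.log(2 * math.pi * sd * sd)
        total -= (x - mu) ** 2 / (2 * sd * sd)
    return total

def identify(profiles, sample, margin=3.0):
    """Return (user, gap). user is None when the best and second-best
    profiles are within `margin` log-likelihood units (overlapping users)."""
    ranked = sorted(
        ((log_likelihood(p, sample), u) for u, p in profiles.items()),
        reverse=True,
    )
    gap = ranked[0][0] - ranked[1][0]
    return (ranked[0][1] if gap >= margin else None), gap

def adapt(profile, sample, rate=0.2):
    """Follow skill drift: move each mean toward an accepted sample."""
    return [((1 - rate) * mu + rate * x, sd) for (mu, sd), x in zip(profile, sample)]

PROFILES = {user: build_profile(s) for user, s in ENROLL.items()}

if __name__ == "__main__":
    print(identify(PROFILES, [112, 96, 143, 118]))   # clearly one user
    print(identify(PROFILES, [120, 100, 140, 138]))  # plausible for either
```
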

[identity profile] kyttle.livejournal.com 2008-12-09 06:35 am (UTC)(link)
Apparently, part of an O'Reilly book is on identifying users based on their typing: http://safari.informit.com/0596008279/securityusability-CHP-11-SECT-1

It looks like the book has good references in it based on the preview that they put on the web. Maybe it'd be worth checking out. Or at least finding someone with a subscription to their books...

[identity profile] dilletante.livejournal.com 2008-12-09 02:41 pm (UTC)(link)
yeah, i think "user fist" (great phrase, btw) can be considered biometrics-- like gait analysis, as you say. user skills, like juggling... hm. probably fall into the same category as making two people turn keys on opposite sides of the room at the same time, which probably falls into the same category as having a key with bits that are placed to turn a bolt without being blocked by wards, which is classically considered a "what you know" thing. but it keeps seeming like there's a difference, to me; maybe because for humans, procedural and declarative knowledge are distinct. hm.

[identity profile] rising-moon.livejournal.com 2008-12-09 03:21 pm (UTC)(link)
This is the first place I've heard about a "what you can do" authentication method. It sounds intriguing. I wonder if I might be able to register a bunch of unique identifiers with some agency or other, in the event that my ID gets challenged and I some day have to prove what data belongs to me.

That's the next challenge, I suppose: Linking ME to MINE.

but what if I have a cold?

Ah, right. Or a broken finger, or a sore knee, or a momentary bout of forgetting how to play "Danny Boy". (It happens.) This is a good point.

[identity profile] rising-moon.livejournal.com 2008-12-09 03:23 pm (UTC)(link)
(note to self)

Refer to the Media Lab "Amulet" project, i.e. the Wireless Universal Key.

While the professor rummaged in his pockets I hopefully imagined a tidy little lozenge like the old SecureIDs. Seeing the actual artifact, it occurred to me that cultural resistance to inelegant visual/physical design might trump other constraints to a system's adoption. (The Amulet is kinda big. I don't want to wear one around my neck -- which is where my magical mind expects to put an amulet.)

[identity profile] goldsquare.livejournal.com 2008-12-09 04:21 pm (UTC)(link)
I think your final point is key, because I am finding the three-fold ontology (what you have, know or are) to be sufficient. You seem to be trying to create a fourth ontological distinction out of the intersection of "know AND are".

My rule of thumb is that if an idea can be expressed in terms of an existing ontology, it is refinement (perhaps) to expand it, but the expressive power of the enclosing ontology is sufficient.

But I like set theory, and unions and intersections, and saying "ontology" a lot. :-)

[identity profile] goldsquare.livejournal.com 2008-12-09 04:26 pm (UTC)(link)
You are having a great deal of fun at the intersection of probability and statistics. :-)

There are great books on issues of identity, from a non-rigorous standpoint. There is a famous medical case of a man who took an iron bar through his skull. Upon removal, he was "himself", but had a different (and far more irascible) personality.

The old man is the infant, in terms of identity. Because of continuity. The weakness of security (as I said above, what you have, are or know) is that all of them can be disrupted. You can lose your key, lose a hand or fingerprint, or forget a rarely used password.

(People know my father-in-law for his incredible roller-blading abilities. But thanks to Parkinson's, he hasn't strapped on skates for a decade. Is he still the same identity?)

[identity profile] goldsquare.livejournal.com 2008-12-09 04:28 pm (UTC)(link)
Consider, for example, the subcutaneous RFID chip. Something which is, apparently, quite common at some of the Euro-trash bars in the Caribbean. Apparently some of the attendees wear swim suits so skimpy that carrying a credit card is impossible, and they don't want to carry a bag or purse.

[identity profile] rising-moon.livejournal.com 2008-12-10 03:15 pm (UTC)(link)
From the point of view of his banking institution, yes, your father-in-law and the Iron Bar Man are their self-same identities -- but I see what you're getting at: for the purposes of proving he is who he is, a man's store of proof is impaired or changed over time.

That is true of any identity measure. I would argue that those cases illustrate the importance of improving the accuracy and affordability of biometric identity measures, but also, by extension to other kinds of accident or mishap, the importance of layering the modes of measure. I'm all for stacking the modes if it means decreasing the likelihood that someone can pretend to be me.

People know my father-in-law for..

Hmm. This starter might actually be the only real measure: who you know. :)

[identity profile] rising-moon.livejournal.com 2008-12-10 03:18 pm (UTC)(link)
Hey, cool! I mean, ghastly but cool. I wondered who would start using that type of ID first.

I don't want a chip, myself, for any reason, but the subject has been my standing joke for years: "Wait 'til we all have chips in our heads." I suppose we've arrived.

Where does the chip go? The wrist?

[identity profile] goldsquare.livejournal.com 2008-12-10 03:20 pm (UTC)(link)
The wrist end of the forearm. Easy to wave over a scanner, but not interfering with all them little bones. :-)

[identity profile] goldsquare.livejournal.com 2008-12-10 03:29 pm (UTC)(link)
Hmm. This starter might actually be the only real measure: who you know. :)

Which is a nice entry point into your learning about the notion of "web of trust" and web-based certificates. :-)

As a Software QA professional, let me dazzle you with math. Let us say that we have something we want to secure, and so we secure it with 3 methods: what you have (H), what you know (K) and who you are (U).

Let me make the math easy: the false-positive rate (how often a person can fake a method) is 10%, meaning 1 time out of 10 you can fake your way in past any single method. The probability you can fake your way past all three methods is H-fail * K-fail * U-fail = .10*.10*.10 = .001 or 1 failure in a thousand. That's GREAT.

Now, let's pretend that the false-negative rate is half that. Half the time you should be able to log in, you can't. What's the rate of that? It turns out it is H-not + K-not + U-not = .05 + .05 + .05 = .15

You've spiked the lockout rate, hugely. Whatever you're guarding had better be worth it, because a lot of legitimate access is going to be denied. This is the crime of probability, for when unlikely things have to happen together, you multiply the probabilities, but when they happen separately you add them.

Now: let's say you want to fix the false negatives, by having some way to replace "what you have, are or know". You've moved the problem because all the Black Hat has to do, is force the replacement process to fail and give him access, 3 times. Perhaps as few as twice. (If you'll replace what I had and lost for me, using only who I am or what I know, you've essentially removed the what I have requirement.)

How many repetitions of fixing false negatives will you allow? If they are infinite, the odds of a determined attacker winning are very good. If they are not, you are starting to help yourself more.

There is a reason why most systems are secured by only one layer of security.
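
The trade-off in the comment above worked as a small model, an added example that is not part of the thread; it assumes the three factors fail independently, and the function names are illustrative. Under that assumption the lockout rate is 1 minus the chance that every factor passes, for which the sum of the per-factor rates is an upper bound, and the recovery and retry questions become numbers too.

```python
def all_factors_far(far_rates):
    """Attacker must fake every factor: multiply per-factor false-accept rates."""
    p = 1.0
    for rate in far_rates:
        p *= rate
    return p

def all_factors_frr(frr_rates):
    """Legitimate user is locked out if any one factor fails."""
    all_pass = 1.0
    for rate in frr_rates:
        all_pass *= (1.0 - rate)
    return 1.0 - all_pass

def far_with_recovery(far_rates, recoverable):
    """If factor i can be reissued on the strength of the remaining factors,
    an attacker may skip it. Model: the attacker takes the easiest path."""
    paths = [all_factors_far(far_rates)]
    for i in recoverable:
        remaining = far_rates[:i] + far_rates[i + 1:]
        paths.append(all_factors_far(remaining))
    return max(paths)

def success_within(p, attempts):
    """Chance that at least one of `attempts` independent tries succeeds."""
    return 1.0 - (1.0 - p) ** attempts

if __name__ == "__main__":
    FAR = [0.10, 0.10, 0.10]   # figures from the comment: H, K, U
    FRR = [0.05, 0.05, 0.05]
    print("fake all three:      ", all_factors_far(FAR))
    print("legitimate lockout:  ", all_factors_frr(FRR))
    weakened = far_with_recovery(FAR, recoverable=[0])  # "what you have" replaceable
    print("with token recovery: ", weakened)
    for n in (3, 100):
        print(f"attacker wins within {n} tries:", success_within(weakened, n))
```
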

[identity profile] rising-moon.livejournal.com 2008-12-10 03:56 pm (UTC)(link)
Eeuch. Well, I suppose we were getting there with the rise in sub-cute bodymod. :)

[identity profile] goldsquare.livejournal.com 2008-12-10 04:02 pm (UTC)(link)
What bugs me about it, is the lack of controls. Now, any place these people go, they can be traced whether they will it or not. Provided only that the people who have the mapping from RFID to person, share it.

Like they won't....

Part of privacy is the ability to stop asserting your identity, or even obscure it. These kids lost it forever.

[identity profile] rising-moon.livejournal.com 2008-12-10 04:38 pm (UTC)(link)
Part of privacy is the ability to stop asserting your identity, or even obscure it. These kids lost it forever.

This is exactly the thought that sparked my pursuit of Identity Assurance methodologies in the first place. Whither personal data?

[identity profile] goldsquare.livejournal.com 2008-12-10 05:28 pm (UTC)(link)
If I can recommend - although it is old, consider "Database Nation", as well as looking at the European Union's data privacy regulations and rules.

In America, we are the Wild Wild West. We have limited rights to our data, and no real rights to correction, amplification, modification or destruction. HIPAA isn't doing much, and the old Consumer Credit laws are showing lots of age. The various incarnations of Patriot Act style laws have not helped, and the simple fact that the Bush Administration wouldn't observe those is also concerning.

[identity profile] dilletante.livejournal.com 2008-12-11 05:00 am (UTC)(link)
hah! i figured out what's different about user-capability: faking the credential has a known cost.

here's an early example of user-capability security: penelope saying she'll marry whoever can string her missing husband odysseus's bow. she was able to know not only that none of the men likely to vie for her hand could string it, but that none of them could become strong enough to string it within a short time-frame (hopefully long enough for odysseus to return).

one could as well simply ask users to pay a fixed fee to be authenticated. in fact, i bet casinos do some version of this somewhere... and atm enclosures have locks that open if you produce any card with a mag stripe, thereby proving that you have a card with a mag stripe and so might be a customer.

cryptographers do make calculations based on the cost of breaking their systems by brute force. but that assumes there's no flaw in the algorithm. with user-capability authentication, there is no flaw in the algorithm: what you see is what you get. so calculations of how difficult it is to duplicate the authentication ought to be straightforward.
