Security Issues with Names
Carl Ellison
Sr. Security Architect
Network Architecture Lab
Intel Corporation
June 17, 2003
© 2003 Intel Corporation
Ceremony ( = Protocol )
[Diagram: a ceremony between Alice and Bob, with intermediate nodes A, B, C and D between the two human endpoints]
Summary of the problem
- Security depends in part on the accurate human use of the system.
- When humans are objects in the system, they need to be named.
- It is becoming common practice to use common names in these cases.
- Programmers and humans use names in fundamentally different ways.
Programmer’s Use of Names
- Names are unique (file, path, variable, URL)
  - sometimes globally
  - sometimes within some block or directory
- The computer follows a name to the same object every time.
  - sometimes the wrong object, but that’s a bug
- The computer executes immediately.
  - except perhaps with two-phase commit in transaction processing
Human’s Use of Names
What Dave Did
- The confusion over Dave was resolved by the end of the conversation.
- The confusion itself served a useful purpose.
- Natural language tolerates a great deal of ambiguity.
- It also teaches humans to be sloppy in the use of names.
Sources of Failure
- Programmers write code expecting computer-style processing of names.
- They assume the same for human names processed by other humans.
- By using human names in these UIs, they inadvertently invoke millennia of training to be sloppy in the use of names.
- Then, when users exhibit that sloppiness, they blame the users.
Some Samples
- John Wilson e-mail
- John Wilson at the airport
- Carl Carlson
- Ann Harrison
- David Nelson
Lesson: People whose last names end in “son” are in trouble.
Why PGP > S/MIME
- In S/MIME, the certificate is sent with the mail.
  - Some mailers display just the common name of the DN.
  - Humans would ignore everything else anyway.
- PGP practice verifies incoming signatures against the local key ring, and the key ring is filled only with personally verified certificates.
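As an added illustration of the two points above (this is not code from the slides, from Ellison, or from Intel), the following Python contrasts a mailer that shows only the CN of a certificate's DN with PGP-style practice, where an incoming signature is resolved against a local key ring that holds only keys the user has personally verified. The certificates, key bytes, names, e-mail addresses and issuer names are all constructed for the example, and the "fingerprint" is simply a SHA-256 of the stand-in key bytes.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# NOTE: everything below is constructed for illustration; the certificates
# carry no real key material and the fingerprint is a SHA-256 of stand-in bytes.


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an X.509 certificate: an ordered DN, an issuer, a key."""
    subject_dn: Tuple[Tuple[str, str], ...]   # e.g. (("CN", "John Wilson"), ...)
    issuer: str
    public_key: bytes                          # constructed, not a real key

    def fingerprint(self) -> str:
        # PGP users compare fingerprints, not names; derive one from the key bytes.
        return hashlib.sha256(self.public_key).hexdigest()[:16]


def dn_attr(dn: Tuple[Tuple[str, str], ...], attr: str) -> Optional[str]:
    """Return the first value of `attr` in the DN, or None if absent."""
    for key, value in dn:
        if key == attr:
            return value
    return None


def cn_only_display(cert: Certificate) -> str:
    """What a mailer that shows only the common name presents to the user."""
    return dn_attr(cert.subject_dn, "CN") or "<no CN>"


def full_display(cert: Certificate) -> str:
    """A display string that keeps the fields that actually discriminate."""
    email = dn_attr(cert.subject_dn, "emailAddress") or "<no email>"
    return (f"{cn_only_display(cert)} <{email}>, issued by {cert.issuer}, "
            f"key {cert.fingerprint()}")


def cn_collision(a: Certificate, b: Certificate) -> bool:
    """True when two distinct keys would be shown to the user as the same name."""
    return cn_only_display(a) == cn_only_display(b) and a.fingerprint() != b.fingerprint()


class KeyRing:
    """PGP-style local key ring: holds only keys the user personally verified,
    each under a label the user chose, and resolves by key, never by name."""

    def __init__(self) -> None:
        self._labels = {}   # fingerprint -> the user's own label for that key

    def add_verified(self, cert: Certificate, label: str) -> None:
        self._labels[cert.fingerprint()] = label

    def resolve(self, signer: Certificate) -> Optional[str]:
        """The user's label for the signing key, or None if it was never verified."""
        return self._labels.get(signer.fingerprint())


def check_signed_mail(signer: Certificate, ring: KeyRing) -> str:
    """Verdict for an incoming signed message under PGP-style practice: a name
    in an unfamiliar certificate earns nothing; only a key already in the ring
    maps to an identity the user has checked."""
    label = ring.resolve(signer)
    if label is None:
        return f"UNVERIFIED: key {signer.fingerprint()} is not in the local key ring"
    return f"VERIFIED: {label}"


# Two constructed certificates that collide on CN but belong to different keys.
CERT_WILSON_A = Certificate(
    subject_dn=(("CN", "John Wilson"), ("O", "Example Corp"),
                ("emailAddress", "jwilson@example.com")),
    issuer="Example CA 1",
    public_key=b"constructed key material A",
)
CERT_WILSON_B = Certificate(
    subject_dn=(("CN", "John Wilson"), ("O", "Other Org"),
                ("emailAddress", "john.wilson@example.net")),
    issuer="Example CA 2",
    public_key=b"constructed key material B",
)


def build_keyring() -> KeyRing:
    """A ring in which the user has verified only the first John Wilson's key."""
    ring = KeyRing()
    ring.add_verified(CERT_WILSON_A, "John Wilson (Example Corp, key checked in person)")
    return ring


if __name__ == "__main__":
    ring = build_keyring()
    for cert in (CERT_WILSON_A, CERT_WILSON_B):
        print("CN-only display :", cn_only_display(cert))
        print("full display    :", full_display(cert))
        print("key-ring verdict:", check_signed_mail(cert, ring))
        print()
```

Run stand-alone, the script shows both certificates rendering as the bare string "John Wilson" under CN-only display, while the key-ring check accepts only the key the user verified and reports the other as unverified. Note that `full_display` only helps if the user reads past the name, which the slide says humans will not do; the key-ring approach does not depend on that, because the binding from key to identity was made once, deliberately, at verification time rather than at every reading of a message.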
General Problems
- ID PKI
- Matt Blaze:
  “A commercial CA will protect you from anyone whose money it refuses to take.”
- Corporate Authorization Directories
Solutions
1. Drop all names – but then what?
2. SDSI, EUDORA, PINE, …
3. Deferred Binding
4. ???
Conclusion
- Something must change.
- The problem has been with us since at least the 1940’s, probably since the industrial revolution.
- It’s getting worse, with the Internet.
- Modern software techniques make it worse faster.
- We need to find a way to solve this.