1993-10-01 - Ultimate privacy/security

Header Data

From: doug@netcom.com (Doug Merritt)
To: cypherpunks@toad.com
Message Hash: e789ad2b6d68d366e83407ac7236abf918a46273dafa09ca015e4ed9e74923f7
Message ID: <9310010151.AA25664@netcom5.netcom.com>
Reply To: N/A
UTC Datetime: 1993-10-01 01:52:29 UTC
Raw Date: Thu, 30 Sep 93 18:52:29 PDT

Raw message

From: doug@netcom.com (Doug Merritt)
Date: Thu, 30 Sep 93 18:52:29 PDT
To: cypherpunks@toad.com
Subject: Ultimate privacy/security
Message-ID: <9310010151.AA25664@netcom5.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


The following starts out in a very philosophical way, but that's only to
explain the thinking behind an algorithm I've been developing. The algorithm
is nonetheless extremely unorthodox, so if you've no taste for that sort
of thing, skip this.

On the other hand, the following long term thinking is what lead me to
join cypherpunks, so it's not just a passing fancy.

* 1. Pitfalls of every previous scheme:

It would be nice to find ultimate measures of security and privacy,
but there always seems to be a hole somewhere. The point of passwords
and encryption keys is to verify identity, but of course they can be
stolen/intercepted/etc. If you have a highly secure 10K bit password,
preferably generated by an analog hardware random number generator,
you'll have to store it somewhere, e.g. in your wristwatch, and *that*
could be stolen or taken by search warrant.

Similar comments apply to favorite science fictional devices that are
now becoming possible or even commercially available, such as retinal
pattern checkers and prompted voice signatures...e.g. it's quite possible
to record someone's voice print (a staple of movies by now), or in
principle even synthesize their voice uttering a brand new sentence
in response to a challenge.  DNA authentication is *almost* possible in
real time (give it a few years), but pretty much the same problem there:
someone could easily steal a few of your skin cells.

So is there any ultimate method of identity authentication? I thought of
one, but it is philosophically unsettling, not to mention problematic
in implementation.

* 2. Getting to the roots of the issue:

Why do we care about authenticating identity? It comes down to a matter
of trust. Different people have different goals. We can't trust everyone
else to share our goals; they may be malevolent from our point of view.
We trust ourselves, in the sense of security issues, but to be on the
safe side, we trust no one else. Therefore our identity is the issue.

The problem is that passwords, voice prints, retinal prints, handwriting
signatures, DNA signatures...none of these things actually guarantee
identity. All of those can potentially be usurped by those who do not
share our personal goals.

And that points to a solution:

* 3. Goals as the definition of identity:

If we had a method of authentication that assured that the person in
question shared our personal goals, then we would have the ultimate
security/privacy scheme. If we cloned our mental selves, then that
second occurrence of our own minds would be as trustworthy to us
as *we* are to ourselves. So a hypothetical authentication scheme that
managed to somehow authenticate the (relevant) goals of the person being
tested as being identical to our own would assure us that the person
may or may not be us, but is nonetheless trustworthy.

In fact, such a scheme would have the unusual safety factor that it
would protect against we ourselves having a change of heart and "going
over to the enemy."

Sounds good. Also sounds impossible. Maybe. However, I do have an
algorithm in mind that *partially* satisfies the above criteria. In its
current form, it is susceptible to forgery...what's to prevent bad guys
from pretending to philosophies and goals that they don't truly believe
in?

This is essentially the same weakness as all previous schemes, so there
would be no advancement in that sense (without some further strengthening
of the scheme, if possible). But at least now we're operating on the
absolute fundamentally direct level, where other schemes are indirect.
Is this a strength or a weakness? (And what if the forgery-hole were
plugged somehow?)

I don't have an answer for that yet. I'm working on it, but it may be
an insoluble problem...or maybe not, we shall see. Meanwhile, aside
from the details of the algorithm, I'm interested in hearing people's
thoughts about the strengths and weaknesses of this general approach
as opposed to other authentication philosophies.

Getting feedback about this is why I joined this list, but I've been
a bit shy about bringing up such an unorthodox approach...not to mention
learning what people here are like, and learning from the example of
Tim, who consistently teaches me by being simultaneously insightful
and supportive of people here. That is an approach that I long to emulate...
thank you for the example.
	Doug
P.S. Some of you high powered people out there will shoot the above full
of holes, which is fine, that is helpful in itself; others *might* find
some material to use in their professional research. Also fine, if that
happens, but please mention my name if it leads to anything. I rarely
manage to take things to the point of publication, so an acknowledgement
here and there is gratifying. Thanks. :-)






Thread