Hidden identities
AxiomaticId empowers people to create digital
identities which can be hidden from other people. For instance,
if the computer (on which AxiomaticId is installed) is stolen or
taken by force, the hidden identities would remain hidden from
the aggressor.
The identities are
hidden using a simple trick: for every visible identity created
by the user, a fixed amount of space is attached to it so that it
could store a hidden identity.
Each hidden identity is protected by its own
passphrase and is so stored that it is impossible for someone who
doesn't have the correct passphrase to see if the identity even
exists.
This technique
provides a very important security feature: spies can't use
snapshots of the database with identities taken at different
times (for example, for backup purposes) in order to positively
see that hidden identities have been used.
Normally, if the
hidden identity would be stored independently (of any other
identity), and the user would change it's content and then make a
backup, a spy could simply make a binary comparison and see that
the hidden identity has changed, and thus has been used (/ is
usable).
However, when the
hidden identity is attached to a visible identity, whenever a
change to the visible identity is made and this is re-encrypted,
the hidden identity is also re-encrypted. This means that even if
a spy has the passphrase for the database and could see the
visible identities, he could still not see if a hidden identity
was used / modified.
The only problem with
this technique is that whenever the user makes changes to the
visible identity, if he has used its attached hidden identity
(and wants to preserve the it), he must provide the passphrase
for it. This isn't a big inconvenient because the passphrase must
be provided only if the user makes changes to the visible
identity, and not during normal use of it.
Plausible deniability
There is one thing
which could break the plausible deniability offered by hidden
identities.
When a user sends a
signed document to an online service provider, he receives back a
confirmation document. If this document would be encrypted with
the public part of the identity he used to sign the document he
sent, and if the document was sent by the user from his home
computer, it's possible for a spy who can intercept the user home
traffic to know exactly what identities were used by the user.
Later, if the spy
could force the user to expose all his identities, he would see
if all the identities which were used by the user are indeed
exposed. If some identities from the documents are not linked to
any of the exposed identities, that means that there are hidden
identities.
But this isn't really
a problem because a response received by a user is symmetrically
encrypted with the session key which was sent together with the
user's document.
It is still
recommended for a user to send documents to online service
providers only from a public computer, after they were generated
in a safe environment.
Still, if the spy
could force the service provider to hand over all the documents
sent by the user, he would see the identities which were used to
sign the documents.
Asymmetric encryption
Here it is explained what asymmetric
encryption is and how it works.
Characters in the story
Alice = Our beloved neighbor who communicates
with Bob, her business partner.
Bob = Alice's business partner. We don't like
him much, but hey, Alice is an independent woman...
Laura = The Law. Eh... [cough] we don't want no
trouble with the law!
Tom = The tomcat, the thief in this story.
George = The lazy programmer who developed
AxiomaticId. He's of no importance in this story, but he's the
nosy type, so he's in.
Needs
Asymmetric encryption is useful when two people,
Alice and Bob, need to exchange documents which are authentic and
private.
By "authentic" we mean to say that Bob
must somehow be sure that Alice is the one sending documents to
him, and that Alice must somehow be sure that Bob is the one
sending documents to her. To authenticate a digital document is
similar to signing a paper document.
By "private" we mean to say that the
documents exchanged by Alice and Bob can't be read. This means
that the documents must be placed in an envelope in which a
thief, Tom, can't look. To make a digital document private is
similar to putting a paper document in a paper envelope.
How it works
In order to fulfill the needs for the exchange
of documents, a mathematical process called "asymmetric
encryption" is used. Both Alice and Bob have an "asymmetric
key pair", that is, two keys, one private and one public,
with which they must be garble their documents before they are
sent to the other and restore them after they are received from
the other.
An asymmetric key pair has a special
mathematical property which allows us to garble a document with
one key and restore it only with the other key.
Before Alice and Bob can exchange documents,
they must each generate a key pair. They have to keep the private
key for themselves and send the public key to the other.
When Alice wants to send a document to Bob, she
garbles the document with her private key in order to
authenticate it, then she garbles the document with Bob's
public key in order to make readable only by Bob.
Since the document was garbled with Bob's
public key and since asymmetric encryption allows a document
to be restored only with the other key, Alice is certain that
only Bob can restore the document with his private key.
When Bob receives the document, he restores it
with his private key and obtains the document which was garbled
with Alice's private key.
Since the document was garbled with Alice's
private key and since asymmetric encryption allows a document
to be restored only with the other key, Bob is certain that only
Alice could have garbled the document with her private key.
At this point, Bob is certain that the document
was sent to him by Alice and that only the two of them saw the
document.
|