VCerf: Need for unforgeable user identification
J Paul Holbrook <ph@cert.sei.cmu.edu> Mon, 13 August 1990 17:36 UTC
Received: from [128.237.253.35] by NRI.NRI.Reston.VA.US id aa12151; 13 Aug 90 13:36 EDT
Received: from localhost by taos.cert.sei.cmu.edu (5.61/2.3) id AA12437; Mon, 13 Aug 90 13:35:40 -0400
Message-Id: <9008131735.AA12437@taos.cert.sei.cmu.edu>
To: spwg@NRI.Reston.VA.US
Subject: VCerf: Need for unforgeable user identification
Reply-To: vcerf@NRI.Reston.VA.US, spwg@NRI.Reston.VA.US
Date: Mon, 13 Aug 1990 13:35:38 -0400
From: J Paul Holbrook <ph@cert.sei.cmu.edu>
Status: O
Security Policy WG folks: The following memo was written by Vint Cerf to address one of policy topics we talked about at the Pittsburgh IETF in May. I transcribed this from Vint's hand-written draft; please blame any typos and the formatting on me. Forwarded with permission from Vint. Paul Holbrook ----------------------------------------- Vint Cerf CNRI July 31, 1990 The Need for Unforgeable User Identification FIRST DRAFT Summary ------- This brief memorandum motivates the need for Internet mechanisms and facilities for authenticating user identification and for assuring that such identification cannot be forged. Introduction ------------ The Internet has reached a point in its evolution where some of the services accessible require compensation from the using parties (or an entity which accepts responsibility for paying for services rendered). At the application level, such compensation is required for use of information services such as bibliographic databases (National Library of Medicine MEDLARS; Research Libraries Information Network, etc.) Commercial electronic messaging providers (e.g. MCI Mail, Compuserve, ATT Mail, Sprint Mail, BT Dialcom, QUIK-COMM, etc.) normally charge for their services. Some, such as Compuserve and MCI Mail provide access to commercial information services (e.g. Dow Jones News & Retrieval). Under the present terms and conditions, commercial email services do not charge Internet users for delivering email sent from Internet sites to commercial email boxes. Even if this provision remains in place, there are other services such as fax and hardcopy delivery, bulletin boards and information services which, at present, are not accessible to Internet users because there is no secure way to identify a billable account to which to charge these special services. Passwords carried in plaintext form across the Internet, whether in a Telnet session or via email, are not sufficiently protected to make the risk of compromise acceptable. Moreover, there is no currently standardized means of authenticating whether the use of a particular billable account is legitimate (once a password is compromised, it can be used at will, for simple, password-based account identification methods.) Example Requirements --------------------- At least two applications need reliable, secure account authentication capability: (1) remote login (2) email store and forward services In the first instance, it is required that the user/account identification provided to the server be protected from capture and re-use by hostile third parties and that the serving site can verify that the identification has not been forged. In the second case, it is required that at an email relay, an arriving message to be passed into the next email system can be reliably and authentically associated with an account in the next email system, if necessary, for purposes of accounting and validation that the message originator is authorized to use the services requested. For example, it should be possible for an Internet user to send email to fax recipients by way of ATT Mail and for ATT Mail to correctly account and bill for this usage. This means that the originator must supply information associated with a message which identifies ---------- account information needed to complete processing of the message at the Internet/commercial email interface. The provision of this account identifying information needs protection from compromise and validation that its use is legitimate. Questions --------- 1. Can the same techniques work for remote login and store-and-forward services? 2. Even if a "password" can be encrypted for confidentiality and signed for authenticity, how can the recipient be sure that the encrypted and signed object has not been hijacked by an abusing third party? (i.e. "stealing and reuse") 3. Given that there must be some kind of authenticated exchange between user and server just to set up an account, can we take advantage of this to carry out any additional exchanges needed to support the confidentiality and authenticity required for these account validation applications?
- VCerf: Need for unforgeable user identification J Paul Holbrook