Cybersecurity Pt 5

The Problem of Identity on the Network

Type the query “WHOIS” into a search engine, and you will see at least a half dozen links offering services that will, in theory, help you identify the people behind various domain names on the Internet. This seems like a wonderful service, almost like the Yellow Pages for Internet domain names. But it turns out that verifying a person’s identity on the network is actually very difficult. In this lecture, we’ll try to understand why that is so and what we might do to fix the problem, if it’s even a problem at all.
Obscurity in Domain Names and IP Addresses
 In any web address, the domain name is the portion of the address after http://www. Domain names are familiar ways to identify the webpage you are trying to reach or the e-mail address to which you are sending a message.
 Of course, computers use numbers instead of names to route traffic. The domain name system (DNS) is, in effect, a translation system; it translates a domain name to an IP address, a numerical label assigned to every device on the network. The DNS/IP combination is both an identification system and an address system.
 The DNS link works in a three-stage process. First, an individual registers a domain name, which is hosted on a server somewhere. Second, the server is identified by an IP address. Third, when a user wants to access a website by typing in its domain name, the DNS programming routes the request to the right server and returns the webpage to the user.
 The addressing function of the DNS is critical. If the DNS were corrupted or hijacked, then communications across the Internet would break down. Maintaining a registry of which domain names are in use is also critical. This function is performed by the Internet Corporation for Assigned Names and Numbers (ICANN), a nonprofit organization that sets the rules for creating and distributing domain names.
 In theory, the DNS should be completely transparent. Knowing a domain name (the “cyber persona” of a person or company), you should be able to find out who the real person behind the domain name is. Unfortunately, the system doesn’t work as effectively as it should.
 The obscurity of the DNS makes it fairly easy to hide your identity. For example, for a relatively small amount of money, you can create a shell company registered almost anywhere in the world. You could then buy a domain name from a registry company, such as Go Daddy (which works with ICANN to organize the sale of domain names), and hide behind the shell corporation to conceal your identity.
 Because domain name registry companies accept identification that appears to be lawful and because they make no real attempt to verify the information they receive, the WHOIS registry is littered with errors, both accidental and deliberate.
Other Techniques for Masking Identity
 As we discussed in an earlier lecture, messages that transit the net don’t automatically come with authentication. You may receive a message that purports to be from your friend, but it could be a spoof, that is, a communication intended to fool you. Almost everyone who uses the Internet has received at least one communication that’s a fraud.
 Even worse, many techniques exist to confound efforts to backtrack a message to an original source. It is a relatively easy technical matter to gimmick an IP address so that a message appears to come from one location while actually coming from another.
 Further, in a world where botnets allow malicious actors to control computers other than their own, it is quite possible to originate a message from a computer that doesn’t belong to the originating party.
 As a result, virtually every intrusion or attack on the network is obscured behind a farrago of false e-mail addresses, spoofed IPs, and botnets under the control of a third party.
Addressing the Problem of Attribution
 The difficulty of identification is perhaps the single most profound challenge for cybersecurity today, but it’s not an insurmountable problem. As we saw with the GhostNet intrusion, the Information Warfare Monitor project was able to break into some of the hackers’ own computers to follow the trail and, in the end, traced the origin of the intrusion to servers on Hainan Island.
 Such efforts demonstrate that attribution is a question of resources and permissions. If you are willing to devote enough time, money, and personnel to the issue and if you have permission to perform certain acts that, in other contexts, might be illegal, then attribution can ultimately be achieved. The major problem here is that such efforts tend to take a long time.
 The good news is that we are getting better at identifying malicious actors. In October 2012, Secretary of Defense Leon Panetta said that the DoD was beginning to see returns on its investment in addressing the problem of attribution. For example, the National Security Agency has identified roughly 20 separate Chinese networks of hackers that are causing most of the espionage damage in America today.
 It’s important to note that many of the actors in cyber crime live beyond the reach of American law. They often can’t be extradited and prosecuted. Likewise, though attribution gives us a better sense of when and how cyber espionage occurs, that knowledge doesn’t make a diplomatic response any easier.
Trusted Identities
 If we accept that we can’t achieve attribution by working backwards from the intrusion to the hacker, we need to invert the problem and try to establish identity at the human-computer interface. What this means in practice is finding a way to make access to the Internet available through “trusted identities.” Sometimes, this idea is caricatured as requiring a driver’s license to use the Internet. The idea here is to somehow control identity on the network when you sign on in a way that locks in an identity for tracking.
 In the United States, this trusted identity system would have to be voluntary. It is almost impossible to imagine that any system requiring mandatory identification would be politically acceptable, and such a system would probably be unconstitutional.
 Even a voluntary system, though, would be of some use. If you wanted to be careful, you could refuse to do business with any entity that didn’t have a trusted identity. You could even create your own private networks with only trusted users.
 The trend toward trusted identification on the network can go a long way toward solving the attribution problem but at real cost to Internet freedom. We need to consider whether broader American interests are advanced by the widespread adoption of trusted identity rules. Trusted identity can enhance security, but in authoritarian countries, Internet identification could be a way of suppressing dissent.

[Image caption: Internet identification is a principal means by which China controls its citizens; the Chinese government also regulates access to Internet cafes.]

 Some network engineers are working to keep the Internet free with such tools as Tor, a free software program designed by The Tor Project. Tor is an anonymizing tool used by journalists, human rights activists, hackers, law enforcement officers, and others. It encrypts messages and uses a volunteer network of servers around the globe to “bounce” encrypted traffic in a way that evades detection. Tor protects privacy for individuals and secrecy for governments, but it can also be used by criminals to conceal their actions and identities.
Domain Name System Security Extension (DNSSEC)
 One major effort in trying to make identity on the network more easily verifiable is the domain name system security extension (DNSSEC). Under DNSSEC, a new authentication security feature would allow users to be sure that when they attempt to connect to a domain name, such as whitehouse.gov, they are reaching the true whitehouse.gov website and not a facsimile. Basically, each website (or e-mail address or other device) would come with an authentication certificate.
 One benefit of this type of system is that it would eliminate “man-in-the-middle” attacks. Those are attacks where the malicious actor steps into the middle of a conversation and hijacks it by making independent connections with the victims. From the middle vantage point, the third party can relay messages between the victims, making them believe that they are talking directly to each other over a private connection, when in fact, the entire conversation is under outside control. For example, without DNSSEC, your request to connect to your bank could be redirected to a phony website. There, the malicious actor could record your bank password before passing it on to the real bank. Because you actually make the connection to your real bank, you never know there’s a problem, and the thief can return to the bank website after you log off and access your account. Once DNSSEC is deployed, however, a “security resolver” function will be built into web browsers to check the authentication certificates of websites.
 DNSSEC sounds like an easy answer, but it is difficult to accomplish for a number of reasons.
 First, DNSSEC must be backward compatible; in other words, it has to work even with portions of the Internet that have not deployed the new security protocols. Otherwise, changing over to DNSSEC would disconnect you from the broader web.
 Second, there is a substantial cost for upgrading and deploying DNSSEC across a global range of servers and systems. The process will take years to complete.
 The biggest difficulty is establishing a “chain of trust” for domain name authentication. At some point in the chain of authentication, there must be an original root authentication that serves as a “trust anchor.” Currently, the trust anchor is provided by ICANN, but some people outside the United States don’t trust this American company.
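
The parent-to-child link of the chain of trust described above, as an added example (not from the lecture or from any DNSSEC implementation): each parent zone publishes a DS digest of its child's key, and the validator starts from a trust anchor it was configured with. The key bytes and zone data are constructed placeholders, and the signature (RRSIG) checks that a real validator also performs are omitted.

```python
import hashlib
import hmac

def wire_name(name: str) -> bytes:
    """Canonical DNS wire format: lowercase, length-prefixed labels, 0x00 for root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm | key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum that labels a DNSKEY (not a security check)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(zone: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over the owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(wire_name(zone) + rdata).digest()

def first_broken_link(trust_anchor: bytes, keys, parent_ds):
    """Walk from the root down; return the first zone whose key does not match
    the digest vouching for it, or None if every link holds."""
    for zone, rdata in keys:
        expected = trust_anchor if zone == "." else parent_ds.get(zone, b"")
        if not hmac.compare_digest(ds_digest(zone, rdata), expected):
            return zone
    return None

# Constructed placeholder key bytes (flags 257 = key-signing key, algorithm 13).
ROOT_KEY = dnskey_rdata(257, 13, bytes(range(8)))
GOV_KEY = dnskey_rdata(257, 13, b"constructed-gov-key")
SITE_KEY = dnskey_rdata(257, 13, b"constructed-site-key")
KEYS = [(".", ROOT_KEY), ("gov.", GOV_KEY), ("whitehouse.gov.", SITE_KEY)]

ANCHOR = ds_digest(".", ROOT_KEY)  # configured in the validator out of band
PARENT_DS = {  # digests each parent zone publishes for its child
    "gov.": ds_digest("gov.", GOV_KEY),
    "whitehouse.gov.": ds_digest("whitehouse.gov.", SITE_KEY),
}

if __name__ == "__main__":
    print("genuine chain:", first_broken_link(ANCHOR, KEYS, PARENT_DS))
    swapped = KEYS[:2] + [("whitehouse.gov.", dnskey_rdata(257, 13, b"substituted-key"))]
    print("substituted key:", first_broken_link(ANCHOR, swapped, PARENT_DS))
```

A key that the parent's digest does not vouch for is reported at the zone where the chain breaks; a validator holding a different trust anchor rejects the chain at the root.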
 Of course, if there is a chain of trust to establish identity for domain names, we can also be sure that bad actors will seek to undermine it. That happened in July 2011 when a hacker claiming to be an Iranian student penetrated a certifying authority in Holland and generated false certificates for real companies and government agencies. In the end, the only way to beat this attack was for the web browser manufacturers to revoke all the certificates issued by the certifying authority.
 The promise of robust attribution and identification is a bit of a chimera. Attribution is clearly possible in many cases, but it is also clear that creating a world of trusted and secure identities on the network is a nearly impossible dream. We can make a great deal of progress in some aspects of the effort, but in the long run, we need to understand that anonymity is a feature of our current Internet architecture, not a bug.
Important Terms
domain name system security extension (DNSSEC): A proposed suite of security add-on functionalities that would become part of the accepted Internet protocol. New security features will allow a user to confirm the origin authentication of DNS data, authenticate the denial or existence of a domain name, and ensure the data integrity of the DNS.

Internet Corporation for Assigned Names and Numbers (ICANN): A nonprofit organization that sets the rules for creating and distributing domain names. Originally chartered by the U.S. government, it now operates on a multilateral basis from its headquarters in California.

Questions to Consider

  1. If the United States had a voluntary trusted identity system, would you join?

  2. Most Americans are happy to trust ICANN to run the naming network. Most of the developing world isn’t. Why do you think that’s the case?
