Workshop on Cryptographic Hardware and Embedded Systems 2005 (CHES 2005)

The Roxburghe Hotel
Edinburgh, Scotland
Monday Evening August 29th - Thursday September 1st, 2005

[CHES 05][PROGRAM][Ross Anderson][Thomas Wille][Jim Ward]

Dr. Ross Anderson

University of Cambridge

What Identity Systems Can and Cannot Do

Governments have reacted to recent terrorist scares by investing in identity systems. The USA now photographs and fingerprints many arriving travelers, and the UK government is trying to pass a law enabling a national identity card. These new systems typically involve such measures as biometrics, tamper-resistant tokens and online database checks.

They also raise a number of questions. For example, do identity management systems solve the right problem? The last UK government to consider identity cards, over a decade ago, concluded that they would not be worth the expense: the police knew who the bad guys were but did not have the evidence to convict them, while the security services knew their opponents' names but not their intentions.

For security engineers, interesting questions arise at several other levels. One - how they will affect behavior - spans usability and security economics. Will identity cards be accepted or seen as an imposition? Will they reduce the risk of fraudulent transactions, or will they be used to dump liability on customers thus creating moral hazard and leading to greater losses in the long run? How can such questions by analyzed?

Another is the general issue of naming in distributed systems. Naming is hard, and universal names can buy you a lot less than you think: the name service itself becomes a distributed system of the same scale (and security level) as the system you're trying to simplify. If directories are replicated, you may find yourself unable to read - or to write - depending on whether too many or too few copies are available. Names also imply commitments, and get in the way of organizational change; putting addresses in names harms flexibility while reusing names as access tokens can make revocation difficult. I will discuss a few interesting failure cases of this type.

Further down, we come up against the limitations of the component technologies themselves. Biometrics become more public the more widely they are used, and the world of tamper-resistant tokens has seen several cycles of an arms race between vendors and attackers. This workshop has seen a series of papers on mechanical probing, optical probing, power analysis, fault analysis - and I doubt the technology is stable yet. We may have to place more emphasis on resilience and maintainability. As an example, I will discuss a system (developed with Hao Feng and John Daugman) which combines a token, an iris biometric and a password in such a way that the compromise of one or two of these factors causes only the minimum necessary amount of security degradation.

I think that we are going to learn, over the next few years, that engineering robust identity systems is a much harder problem than these systems' proponents are yet prepared to admit.


Ross Anderson was one of the pioneers of hardware tamper-resistance, with early work on fault induction and on physical and optical probing. He later pioneered API attacks on cryptographic processors. He was also one of the inventors of Serpent, a finalist in the competition to find an Advanced Encryption Standard. More recently he was one of the founders of the study of information security economics, and chairs the Foundation for Information Policy Research, which has been active on issues ranging from surveillance through copyright law to ID cards. He is Professor of Security Engineering at the Computer Laboratory, Cambridge University, and wrote the standard textbook "Security Engineering -- A Guide to Building Dependable Distributed Systems".