Thursday, August 25, 2005, 12:06 AM

Humans as Smart Cards

Valery pointed to a great quote in the “Network Security – Private Communication in a Public World” by Kaufman, Perlman and Speciener, Prentice Hall 1995 ISBN 0-13-061466-1.
Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)
The way I talk about it is that there is an impedence mismatch between the human brain and digital security requirements.

Tuesday, August 09, 2005, 8:37 PM

Identity and Privacy in Security

As I reread my post on the problems with RFID passports (, it occurred to me that there is a more fundamental observation that needs to be made here...

When designing security systems based on strong authentication and identities, privacy is an important dimension to consider. The US State Department thought we could have better security by introducing strong(er) digital identities in passport via RFID tags. They forgot (or didn't realize) that without privacy considerations, the strong identity could be used, perhaps lethally, against the identity owner.

This reinforces my belief in the importance of privacy (and the works of individuals like Stefan Brands) to ensure the digital identity systems we build are actually usable.