Security vs. Privacy—Are IP addresses outdated for authentication?

Posted: August 4, 2011 in 2 Factor Authentication, Expert Q&A, Rethink Remote Access

We recently participated in a pretty interesting webcast from G+ (a community of academics and entrepreneurs sponsored by the Gerson Lehrman Group – not Google +). The webcast was on the topic of security vs. privacy, with Dr. Tim Gibson, assistant director of cyber systems at Draper Labs, talking about the state of authentication on the Internet and how – as an industry – we can improve authentication credentials. So naturally, we wanted to share nuggets from this conversation with all of you. Here are the main topics and what we learned.

IP Addresses can’t identify users

  • We use IP addresses to identify the user, the machine, and the routing indicator. The problem is that an IP address only gives you the region and the provider.
  • Bottom line: IP addresses are pretty useless when trying to identify people.

Why do we still use IP addresses?

  • It’s not feasible to eliminate the IP addressing scheme and start from scratch.
  • But providing attribution is not practical with just an IP address.

What has changed since IP was designed?

  • Memory and processing power are much cheaper.
  • Overhead is manageable with flow-managing devices for high data rates and QoS.

How can we enable attribution and network control?

  • Users authenticate themselves to their communications or computing device. For example, Joe Smith, NCP engineering, <digital signature>, <public key>, true machine IP and port, true machine name.
  • A local network device is programmed with the organization it represents. For example, NCP engineering, city, state, country, street, <digital signature>, <public key>.
  • When a user makes a connection request, a sending device combines all the identity data in the new connection request, and a control device at the receiving end decides whether it wants to accept the connection.
  • There should be protected places on the Internet—gated communities—where you have to show credentials to enter.

How can we protect privacy?

  • Users must be allowed to “opt out” of the authentication scheme.
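
The attribution scheme and the opt-out rule above, sketched as an added example (not code from the webcast or this post). It assumes the organization signs over the user's signature, and it uses toy textbook RSA with constructed keys as a stand-in for a real signature scheme; all function and field names are hypothetical.

```python
import hashlib
import json

E = 65537  # RSA public exponent

def keypair(p, q):
    """Toy textbook RSA key: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(fields, n):
    """Hash a canonical JSON encoding of the identity fields into [0, n)."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(fields, n, d):
    return pow(digest(fields, n), d, n)

def verify(fields, sig, n):
    return isinstance(sig, int) and pow(sig, E, n) == digest(fields, n)

# Constructed demo keys built from Mersenne primes: far too small for real use.
USER_N, USER_D = keypair(2**127 - 1, 2**89 - 1)
ORG_N, ORG_D = keypair(2**107 - 1, 2**61 - 1)

def build_request(user, org):
    """Sending device: combine user and organization identity in one request."""
    user = dict(user, public_key=USER_N)
    user_sig = sign(user, USER_N, USER_D)
    org = dict(org, public_key=ORG_N, user_sig=user_sig)  # org vouches for user
    return {"user": user, "user_sig": user_sig,
            "org": org, "org_sig": sign(org, ORG_N, ORG_D)}

def control_device(req, trusted_orgs, gated=True):
    """Receiving end: decide whether to accept the connection request."""
    if req is None:  # the user opted out and sent no identity data
        return "deny: credentials required" if gated else "accept: anonymous"
    user, org = req["user"], req["org"]
    if org["public_key"] not in trusted_orgs:
        return "deny: unknown organization"
    if not verify(org, req["org_sig"], org["public_key"]):
        return "deny: bad organization signature"
    if org["user_sig"] != req["user_sig"] or not verify(
            user, req["user_sig"], user["public_key"]):
        return "deny: bad user signature"
    return "accept: %s via %s" % (user["name"], org["name"])

JOE = {"name": "Joe Smith", "machine_ip": "192.0.2.10", "port": 443,
       "machine_name": "joe-laptop"}  # constructed sample values
NCP = {"name": "NCP engineering", "city": "ExampleCity", "country": "XX"}
```

The control device trusts organizations by public key, so a request whose claimed machine IP or name is altered after signing is rejected, while an opted-out user is only turned away from gated destinations.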

What do you think of this security vs. privacy debate? Do you agree with rethinking IP addresses or that in the future, there should be protected “gated” communities on the Internet? Weigh in.
