June 2007

Letter to Senator Sam Brownback

Greetings Mr. Brownback,

My name is Eric Hill.  I was born and raised in Wichita (technically Garden Plain, but same locale) and currently live in Wichita with my family.  I have worked in the computer field for over a decade, and am the lead technology person for Pioneer Balloon Co, also headquartered in Wichita.

I am writing you today in an effort to give you a possible alternative to the Real ID Act (http://en.wikipedia.org/wiki/REAL_ID_Act) that may have far less thorny side-effects than the current plan.  Much of what people are complaining about (http://www.realnightmare.org) stems from a few simple principles.  First, a centralized database is a prime target for fraud, attack, and denial of service.  Second, just one single wrong entry in a centralized database becomes a massive headache very quickly since it is a single point of failure.  Lastly, it feeds the fire of conspiracy theorists that the government has ultimate control over a citizen’s life, rather than the citizen controlling their own destiny.

I have an idea that may let the US be a shining example to the rest of the world of how a true democracy can work.

The problem with Real ID comes down to trust and authority, and the delicate balance between the two.  Users of the system (citizens) do not have complete trust in the system, and the system is built specifically because it doesn’t trust the users.  We have EXACTLY the same problems in the computer world.  You have servers that must serve client requests, but need to ensure that a rogue client doesn’t gain access to privileged resources.  This problem is ALREADY SOLVED, and has been for many years now.  By the people at MIT no less.

Bear with me, for the next few paragraphs get a little technical.

The solution in the computer world is called Kerberos, named after the Greek mythological three-headed guard dog of Hades.  It is amazingly elegant, and a global standard for security.  Its purpose is not to be an all-knowing master to all other clients on the network, but rather to be a secured coordinator of communication.  The elegance and simplicity of this system is its biggest strength.  Instead of trying to be all things to all clients, it is a clearinghouse for connecting two independent parties together.

Imagine a scenario where you would like to communicate a simple message to the President.  Imagine yourself writing a secret letter and placing it into a lockbox.  To communicate securely, both you and the President would need a key to the lockbox.  This is called a pre-shared key.  Simple, right?  What if you needed to communicate securely with each member of the House of Representatives?  Now you have to maintain pre-shared keys with 435 different people.  Secured communication just became a nightmare.

Enter Kerberos.  Kerberos acts as a secured communication coordinator.  Now, imagine that you have a single pre-shared key with the Kerberos server.  The President has a single pre-shared key with the Kerberos server.  All 435 members of the House have a single pre-shared key each.

We have reached the “magic” of Kerberos.  Let’s go back to the example of you communicating securely with the President.  First, you send a message to the Kerberos system that says “I (Sam Brownback) would like to communicate with George Bush”.  The Kerberos system looks in its system and finds George’s pre-shared key.  It then creates what is called a ticket that says “I, Kerberos, say that this message will come from the real Sam Brownback” along with the current date and time.  It takes this ticket, puts it into a lock-box secured with George’s pre-shared key, then puts that box into a lockbox secured with your pre-shared key and hands the whole thing to you.  You unlock that box to remove the inner box (which you cannot open), and you send it to George saying “I would like to send you a message, and here is proof that I really am who I say I am”.  Only George can open the inner box, and the message contained within proves that you are who you say you are.  We call this a “session” in the computer world.  You have just proven to George that you really are Sam Brownback without sharing any private information with each other.  You accomplished this task through a key-clearinghouse called Kerberos.

Here is my solution.  The problem of identification can be broken into two pieces.  First, you have the trust aspect of whether or not the identification is valid or not.  Secondly, you have the credentials of what the identification provides access to.  Instead of trying to create a single, national identification system that tries to solve both problems, we need a government-run system that is simply a pre-shared key clearinghouse and no more.  This clearinghouse should do NOTHING more than act as a trusted key authority.  It should NOT maintain user names, bank account information, driver’s licenses, or any other identifying piece of information about an individual, only a “user number” and pre-shared key.  It should be a separate section of government (not affiliated with the FBI, NSA, CIA, etc.) and conduct operational affairs in the public forum.  In addition, this body should be open to foreign key servers as well (known in the computer world as a cross-realm trust) so that we can openly share keys with other governments and they can run their own key servers without fear that the US is trying to take control of the system.

Next, other entities (government, business, organization, etc) register with this clearinghouse to get pre-shared keys.  This means that the Kansas State Department of Motor Vehicles (KS DMV) would have a pre-shared key.  Businesses, such as banks, that so choose would also get pre-shared keys.

Lastly, each citizen would get two cards.  The first card would be a pre-shared key with the master key database.  It would be the citizen’s responsibility to keep this card secured, just as they would any other important documents.  The second card would be a global “session card” that has a second pre-shared key bound to the user account, and a validity period just like driver’s licenses have (good for a year or two).  It is this “session card” that would be carried in a wallet and presented as the master form of identification.

With this infrastructure in place, let’s set up an example transaction.  Eric Hill in Wichita would like to buy a car from Joe Self Chevrolet.  Joe Self first needs proof that this “Eric” character is really who he says he is.  Joe Self requires a government identification be present, so Eric presents his session card and Joe Self is able to confirm that the KS DMV has a record on file for Eric, along with a photo.  The brilliance of this scheme is that Eric never has access to Joe Self’s pre-shared key, and Joe Self never has access to Eric’s pre-shared key.  If a session card is lost or stolen, a single call from the victim to the key clearinghouse immediately voids (expires) the session card and a new one is issued.

I can go on for hours about this solution (I am a geek after all), but it lends itself to the next generation of cooperative trust between businesses, the government, and citizens without being overly draconian.  It provides a high level of trusted security, has been available for nearly two decades, and you’re already using the technique without even knowing it as it’s been a part of the Windows operating system since Windows 2000.

I would love to take the time to sit down with you and help you draft a simple and elegant solution to the problematic Real ID system.  Please don’t hesitate to contact me.

My email address is eric [at] ijack [dot] net, and my cell phone number is xxx-xxx-xxxx.

I look forward to your response,
Eric
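
The ticket exchange described in the letter above, as an added Python sketch that is not part of the original letter. It follows the letter's simplified model (real Kerberos tickets also carry a session key); `Clearinghouse`, `seal`, `unseal` and `accept` are hypothetical names, and the "lockbox" is an illustrative encrypt-then-MAC construction built from stdlib HMAC-SHA256, standing in for the real Kerberos ciphers.

```python
import hashlib, hmac, json, os, time

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (illustrative stand-in cipher).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    """Put plaintext in a 'lockbox': encrypt, then MAC under separate subkeys."""
    nonce = os.urandom(16)
    ks = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, ks))
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()

def unseal(key, box):
    """Open a lockbox; raises ValueError on a wrong key or a modified box."""
    body, tag = box[:-32], box[-32:]
    good = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered box")
    nonce, ct = body[:16], body[16:]
    ks = _stream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

class Clearinghouse:
    """Holds one pre-shared key per party and nothing else about them."""
    def __init__(self):
        self.keys = {}
    def register(self, party):
        self.keys[party] = os.urandom(32)
        return self.keys[party]
    def issue(self, client, service, now=None):
        issued = time.time() if now is None else now
        ticket = json.dumps({"client": client, "service": service, "issued": issued})
        inner = seal(self.keys[service], ticket.encode())   # only the service can open
        return seal(self.keys[client], inner)               # only the client can open

def accept(service, service_key, inner, now=None, max_age=300):
    """Service side: open the inner box, check it is addressed here and fresh."""
    ticket = json.loads(unseal(service_key, inner))
    age = (time.time() if now is None else now) - ticket["issued"]
    if ticket["service"] != service or not 0 <= age <= max_age:
        raise ValueError("ticket not for this service or expired")
    return ticket["client"]
```

The requester calls `unseal` with their own key to remove the outer box and forwards the inner box unchanged; the recipient's `accept` rejects it if it was modified, addressed to someone else, or older than `max_age` seconds.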


Poor Experience with LaQuinta Hotel Chain

We took a trip to Marshall, TX over the weekend. Here is a copy of the letter I sent to LaQuinta through their contact-us page. I am not happy.

We arrived at the La Quinta in Marshall around 9:00 on Friday evening. We were assigned hotel rooms 251 and 263. The problems started there…

I stood behind a couple that were given a room key to an already-occupied room. I made sure that I locked my door with both locks that night.

I went to get ice, and there was only a single ice machine in the entire hotel that was working, and it was on the opposite side of the complex. There were obvious locations where the machines could be, but two of them were completely empty (upstairs and downstairs). The upstairs ice machine across the campus was out of order, so the only ice machine working was the one closest to the front desk.

As we were getting ready for bed, a cockroach crawled up the bathroom door, and we found two or three more cockroaches in the bathroom under the sink. Simply disgusting.

On Saturday night, we got back to the hotel around 9:00 to find the parking lot nearly full because the convention center next door was having a huge party. They had a huge stereo as well, and we could hear the bass throughout the hotel until midnight. Once that stopped, we could hear several couples in adjoining rooms coming in drunk from the party, and the couple in the next room over decided it would be a good idea to have sex for the next 30 to 45 minutes. At least the air-conditioner was loud enough to drown that out.

Lastly, I went down to the front desk to complain about the whole ordeal on Sunday while I was checking out, and there were 6 or 8 people waiting at the front desk and the poor guy working the front desk was frazzled because the one printer under the counter wasn’t printing invoices. By this point, I was so frustrated that I just left.

All in all, I had a very poor experience with your hotel, and I doubt that I will stay there again. There are some serious problems that need to be addressed, and I’m not sure the current management staff is up to the job.

Next year, I will most definitely not be staying anywhere near the LaQuinta hotel. That’s ridiculous.

Update 6/15/2007: I received a call from the hotel manager this morning.  He apologised several times for the problems I had with the hotel and reassured me that’s not the way he runs his hotel.  He said he was willing to refund the price of the rooms, however since I had booked my trip through American Express travel services, he was unable to do so since he had not charged me directly.  Instead, he is going to send me two free room gift certificates for the next time I stay there.

I’m glad that he took the time to try and make things right, but it’s going to be a while before I convince myself to stay there again…
