Some More Topics on Digital Identity #2
Today’s theme is “Cryptography for Digital Identity” — Protection by cryptography can’t be above protection by login credential
Consider a very typical case: a message is encrypted by a cryptographic module that can withstand the fiercest brute-force attacks for trillions of years, while the digital identity of the recipient who is to decrypt the message is protected by a password that a PC can break in a matter of hours or even minutes.
Protection by cryptography can’t be above protection by the login credential, which in most cases is a password. The lower of the two decides the overall protection level.
This observation urges us to make the secret credentials the most solid and reliable where the data to protect is to be classified and encrypted. Here we propose that we can make use of operators’ episodic memory that is firmly inscribed deep in their brains for their secret credentials.
By the way, Prof. Hideki Imai, who encouraged me to move ahead confidently in 2001 when he was chair of Japan’s CRYPTREC, used to emphasize repeatedly how critical it is to get the credential data hashed, whether online or offline. It is from him that I learnt about Diffie-Hellman Key Exchange, Elliptic Curve Cryptography, etc.
We jointly tried the methodology of using the high-entropy credential data generated by Expanded Password System (EPS) as the seed of an RSA key pair; the user’s private key does not physically exist anywhere in the universe, but it can be re-generated on the fly out of the images that the user picks for authentication at each login. It proved to work on the internet.
Thereafter, we took up the experiment of incorporating EPS into PAKE (password-authenticated key exchange). We were able to demonstrate that it worked with no friction in the lab environment. These projects, sponsored by government agencies, were completed in 2003–2004. In retrospect, we seem to have started these forward-looking projects a bit too early.
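As an added illustration of the two points above (the weakest-link rule, and a private key that is regenerated from the user’s image picks at each login rather than stored), here is a small Python sketch. It is not the EPS code or the original RSA experiment: deterministic RSA key generation is not available in Python’s standard library, so an scrypt-derived seed and an HMAC tag stand in for the RSA key pair and signature. The image catalogue, the salt, the scrypt parameters and the function names are all assumptions made for this example.

```python
import hashlib
import hmac
import math

# Constructed stand-in for an EPS picture grid: each picture is represented by a
# stable identifier string (assumption; a real deployment would use image IDs).
IMAGE_CATALOGUE = [f"img-{i:02d}" for i in range(36)]


def entropy_bits(n_images: int, n_picks: int, ordered: bool = True) -> float:
    """Entropy of picking n_picks distinct images out of n_images.

    Ordered picks (sequence matters) give more entropy than an unordered set.
    """
    space = math.perm(n_images, n_picks) if ordered else math.comb(n_images, n_picks)
    return math.log2(space)


def effective_strength_bits(key_bits: float, credential_bits: float) -> float:
    """The weakest-link rule: the lower of the two bounds the whole system."""
    return min(key_bits, credential_bits)


def derive_seed(picks, salt: bytes) -> bytes:
    """Regenerate 32 bytes of key material from the ordered image picks.

    Nothing is stored between logins: the same picks in the same order always
    yield the same seed, and a different order yields an unrelated seed.
    The scrypt parameters below are example values (assumption).
    """
    if len(set(picks)) != len(picks) or any(p not in IMAGE_CATALOGUE for p in picks):
        raise ValueError("picks must be distinct images from the catalogue")
    credential = "\x1f".join(picks).encode()  # unambiguous join of the pick sequence
    return hashlib.scrypt(credential, salt=salt, n=2**14, r=8, p=1, dklen=32)


def sign(seed: bytes, message: bytes) -> bytes:
    """Stand-in for signing with the regenerated private key (HMAC-SHA256)."""
    return hmac.new(seed, message, hashlib.sha256).digest()


def verify(seed: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a tag produced by sign()."""
    return hmac.compare_digest(sign(seed, message), tag)


if __name__ == "__main__":
    picks = ["img-03", "img-17", "img-22", "img-09"]   # constructed login selection
    salt = b"constructed-per-user-salt"
    seed_login_1 = derive_seed(picks, salt)
    seed_login_2 = derive_seed(picks, salt)            # second login, same picks
    tag = sign(seed_login_1, b"message to protect")
    print("same seed across logins:", seed_login_1 == seed_login_2)
    print("tag verifies on re-derived seed:", verify(seed_login_2, b"message to protect", tag))
    cred_bits = entropy_bits(len(IMAGE_CATALOGUE), len(picks))
    print(f"credential entropy: {cred_bits:.1f} bits, RSA-2048 security ~112 bits")
    print(f"effective strength: {effective_strength_bits(112, cred_bits):.1f} bits")
```

Run as a script, the output shows that four ordered picks from 36 pictures give only about 20 bits, so the 112-bit strength usually credited to RSA-2048 is irrelevant until the credential itself is made hard to guess, which is exactly the motivation for drawing on episodic memory: more pictures, more picks, and picks the user can actually remember.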
Cryptography helps our EPS identity solution, and our EPS identity solution helps Cryptography.
As an appendix to the series ‘Identity Assurance by Citizens’ Non-Volatile Autobiographic Memory #1 — #19’, I am discussing some more topics on digital identity. It may well tell much more about the very broad scope of our activity.
*P25 of “Fend Off Cybercrime with Episodic Memory”