NSTIC – The Right Step, But is the Direction Right?

Monday, May 02, 2011

Eli Talmor


NSTIC = The US National Strategy for Trusted Identities in Cyberspace. Why We Need It: Shopping, banking, social networking, accessing your employer's intranet - these activities and more are all routinely done online.

The increasing availability of these services results in greater opportunities for innovation and economic growth, but the online infrastructure for supporting these services has not evolved at the same pace.

The National Strategy for Trusted Identities in Cyberspace addresses two central problems impeding economic growth online:

  • Passwords are inconvenient and insecure
  • Individuals are unable to prove their true identity online for significant transactions."

The NSTIC Strategy Highlights :

"NSTIC provides a framework for individuals and organizations to utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice and innovation".

"The user-centric Identity Ecosystem described in this Strategy. It is an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities and the digital identities of devices. Identification, authentication, and authorization provide the information and assurances necessary for the parties within a given transaction to trust each other."

"An identity provider (IDP) is responsible for establishing, maintaining, and securing the digital identity associated with that subject. These processes include revoking, suspending, and restoring the subjects digital identity if necessary. The identity provider may also verify the identity of and sign up (enroll) a subject Alternatively, verification and enrollment may be performed by a separate enrolling agent. A relying party (RP) makes transaction decisions based upon its receipt, validation, and acceptance of a subjects authenticated credentials and attributes".

Right step

There is no doubt that there is a need for Government intervention since the market that reportedly runs over $10 trillions annually has the potential of major failure. This is a right step.

And we are proud to be Identity Provider, providing its users strong authentication and data authorization.

Wrong direction

That being said I think that the direction is not adequate to the problem we are facing today. FFIEC issued guidance to the banks in 2005 that passwords are insecure. To repeat that in 2011 is a little bit out-of-date... As prominent researcher Steven Bellovin notes:

"The fundamental premise of the proposed (NSTIC) strategy is that our serious Internet security problems are due to lack of sufficient authentication. That is demonstrably false. The biggest problem was and is buggy code. All the authentication in the world won't stop a bad guy who goes around the authentication system, either by finding bugs exploitable before authentication is performed, finding bugs in the authentication system itself, or by hijacking your system and abusing the authenticated connection set up by the legitimate user. All of these attacks have been known for years".

Buggy code is the fact of life and the result of software complexity. It is being exploited by malware. Surprisingly, the word malware appears only once in this 52 pages document.

But as was already published in the past that "Security measures such as one-time passwords, smart-cards, biometrics and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud", a 2009 report from research firm Gartner Inc. warns.

As a result US FS ISAC alert urged business bank customers in 2010  to "carry out all online banking activity from a stand-alone, hardened, and locked-down computer from which e-mail and Web browsing is not possible."

The passwords are indeed insecure, but other security measures are insecure as well !

So if you are worried about $10 trillion market - you should be worried about malware.

And we cannot wait that long.

The malware problem is an imminent threat and it will not wait 3 to 5 years for Identity Ecosystem to reach its interim benchmark as document says.

Cross-posted from http://www.sentry-com.net/blog/

Possibly Related Articles:
Passwords Authentication malware Login NSTIC Universal Identity
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.