MicroID

Last updated

MicroID is a decentralized identity protocol. It was originally developed in 2005 by Jeremie Miller . A MicroID is a simple identifier comprising a hashed communication/identity URI (e.g. email, OpenID, and/or Yadis) and claimed URL. Together, the two elements create a hash that can be claimed by third-party services.

Contents

Ben Laurie demonstrated privacy problems with it in 2006 , [1] as did Chris Erway in a Brown CS Technical Report in 2008 [2]

MicroID exchange

Here is an example of a MicroID hash, in pseudocode:

MicroID = sha1( sha1("mailto:user@example.com") + sha1("http://example.net/") );

The computed MicroID would then be placed on a web page to be claimed. A verifier, which would independently generate the MicroID, would then visit the page to see if the generated MicroID is the same as the MicroID on the page. If they are the same, a claim exists.

MicroID is based on a communication URI. Since both the MicroID provider and verifier can verify the communication URI, a proper MicroID implementation allows for trusted identity claims.

Security limitations

A MicroID is essentially a content URI signed with an email address or other attribution. Since the content URI is known for comparison purposes, a MicroID claim can be forged by anybody who knows the communication URI (e.g. email address) associated with the identity.

In particular, since a verifier must generate the MicroID in order to compare it, it follows that any party who is trusted to verify a user's MicroID must also be trusted to generate new authorship claims with it.

So if you can verify - you can forge.

Or in other words anyone (e.g. Alice) who can verify someone (e.g. Bob) their MicroID on a resource 'X' can also generate (spoof) a MicroID on any other document (e.g. Alice can generate a valid MicroID for a document Y, not equal to X, in Bob's name).

Assuming the identity is not known (e.g. 1) the publisher has chosen to remain anonymous and 2) denies others the ability to verify the MicroID claim until a time in the future when the use reveals their identity) then someone with email addresses can perform a trivial dictionary attack to find ownership of resources, someone with a URI can perform a trivial dictionary attack to find an email address.

So the (only) remaining usecase is where an entity generates a strong cryptographic nonce (e.g. a UUID); uses this to publish documents over time—and at some time in the future reveals the UUID as to prove that the use wrote those documents (and accepts that from that point forward anyone can make any claims on his or her behalf).

Privacy limitations

As explained above, a MicroID is a hash made from a public URI and a semi public email. Those who know both can verify the identity claim on a page. The hashing helps to hide the semi public email address to people that should not know it, in particular spammers.

However, research [2] on popular social websites such as Last.fm, Digg and ClaimID show that a brute-force attack can decrypt the email address in 20–25% of the cases.

The brute force attack guesses email addresses derived from the public user name and other information available on the social websites, and thus only checks a dozen or so candidate addresses per MicroID. Despite this, the study showed a simple attack like this one could still be successful one quarter of the time while spending a fraction of a second to check all candidates for each user. The hashing scheme thus does not guarantee the privacy of the email address.

Architecture of a MicroID claim

An example of a successful MicroID claim is as follows:

  1. A user signs up for a web service. That web service verifies the user's email, and creates public web pages for the user that contain a MicroID. That MicroID comprises the hashed email (communication URI) and the URL of the webpage.
  2. The user then signs up for a verifier service. The service also verifies the user's email.
  3. The user inputs the URL of the page she wishes to claim into the verifier service. The verifier service computes the MicroID and attempts to verify the MicroID in the claimed page.
  4. If the MicroID in claimed page is the same as the one in the verifier service, a claim exists. The verifier will then claim ownership of the page.

MicroID and the DOM

MicroID allows for the claiming of semantic HTML elements. For example, a MicroID inserted in a block-level element will constitute an ownership claim of anything in the element. A MicroID inserted in the header of a page will constitute an ownership claim of the page. Claims are only verifiable at the granularity of URIs.

Known MicroID providers

The following web services provide MicroIDs to their users:

Known MicroID verifiers

The following web services verify MicroID claims:

Related Research Articles

Digital signature Mathematical scheme for verifying the authenticity of digital documents

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very strong reason to believe that the message was created by a known sender (authentication), and that the message was not altered in transit (integrity).

Universally unique identifier 128-bit label used to identify information in computer systems

A universally unique identifier (UUID) is a 128-bit label used for information in computer systems. The term globally unique identifier (GUID) is also used, often in software created by Microsoft.

Public key certificate Electronic document used to prove the ownership of a public key

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

Unix security refers to the means of securing a Unix or Unix-like operating system. A secure environment is achieved not only by the design concepts of these operating systems, but also through vigilant user and administrative practices.

X.509 Standard defining the format of public key certificates

In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.

Cryptographic hash function Hash function that is suitable for use in cryptography

A cryptographic hash function (CHF) is a mathematical algorithm that maps data of an arbitrary size to a bit array of a fixed size. It is a one-way function, that is, a function for which it is practically infeasible to invert or reverse the computation. Ideally, the only way to find a message that produces a given hash is to attempt a brute-force search of possible inputs to see if they produce a match, or use a rainbow table of matched hashes. Cryptographic hash functions are a basic tool of modern cryptography.

Hashcash is a proof-of-work system used to limit email spam and denial-of-service attacks, and more recently has become known for its use in bitcoin as part of the mining algorithm. Hashcash was proposed in 1997 by Adam Back and described more formally in Back's 2002 paper "Hashcash - A Denial of Service Counter-Measure".

One-time password

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.

Email authentication, or validation, is a collection of techniques aimed at providing verifiable information about the origin of email messages by validating the domain ownership of any message transfer agents (MTA) who participated in transferring and possibly modifying a message.

A digital identity is information on an entity used by computer systems to represent an external agent. That agent may be a person, organization, application, or device. ISO/IEC 24760-1 defines identity as "set of attributes related to an entity".

OpenID Open and decentralized authentication protocol standard

OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by cooperating sites using a third-party identity provider (IDP) service, eliminating the need for webmasters to provide their own ad hoc login systems, and allowing users to log into multiple unrelated websites without having to have a separate identity and password for each. Users create accounts by selecting an OpenID identity provider, and then use those accounts to sign onto any website that accepts OpenID authentication. Several large organizations either issue or accept OpenIDs on their websites.

In public-key cryptography, a public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks. In Microsoft software, "thumbprint" is used instead of "fingerprint."

Skype is a Voice over Internet Protocol (VoIP) system developed by Skype Technologies S.A. It is a peer-to-peer network in which voice calls pass over the Internet rather than through a special-purpose network. Skype users can search for other users and send them messages.

Privacy-enhancing technologies (PET) are technologies that embody fundamental data protection principles by minimizing personal data use, maximizing data security, and empowering individuals. PETs allow online users to protect the privacy of their personally identifiable information (PII) provided to and handled by services or applications. PETs use techniques to minimize possession of personal data without losing the functionality of an information system. Generally speaking, PETs can be categorized as hard and soft privacy technologies.

Information card

Information cards are personal digital identities that people can use online, and the key component of an identity metasystem. Visually, each i-card has a card-shaped picture and a card name associated with it that enable people to organize their digital identities and to easily select one they want to use for any given interaction. The information card metaphor is implemented by identity selectors like Windows CardSpace, DigitalMe or Higgins Identity Selector.

ClaimID was a website that allowed users to create unique profiles that showed personal websites, profiles at other sites, and other biographical information. The goal of ClaimID was to help users collect and screen information created about them and by them on the web, to help them manage their online identity.

Microsoft account User account required for Microsoft-owned services

A Microsoft account or MSA is a single sign-on Microsoft user account for Microsoft customers to log in to Microsoft services, devices running on one of Microsoft's current operating systems, and Microsoft application software.

Mozilla Persona was a decentralized authentication system for the web, based on the open BrowserID protocol prototyped by Mozilla and standardized by IETF. It was launched in July 2011, but after failing to achieve traction, Mozilla announced in January 2016 plans to decommission the service by the end of the year.

Account verification is the process of verifying that a new or existing account is owned and operated by a specified real individual or organization. A number of websites, for example social media websites, offer account verification services. Verified accounts are often visually distinguished by check mark icons or badges next to the names of individuals or organizations.

References

  1. Laurie, Ben (2006-03-28). "MicroID" . Retrieved 2009-05-08.
  2. 1 2 Erway, Chris (2008-08-22). MicroID considered harmful (to privacy). Brown University Computer Science. Retrieved 2009-05-08.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.