Security vs. Privacy—Are IP addresses outdated for authentication?
We recently participated in a pretty interesting webcast from G+ (a community of academics and entrepreneurs sponsored by the Gerson Lehrman Group – not Google+). The webcast was on the topic of security vs. privacy, with Dr. Tim Gibson, assistant director of cyber systems at Draper Labs, talking about the state of authentication on the Internet and how – as an industry – we can improve authentication credentials. So naturally, we wanted to share nuggets from this conversation with all of you. Here are the main topics and what we learned.
IP Addresses can’t identify users
- We use IP addresses to identify the user, the machine, and the routing indicator. The problem is that an IP address only gives you the region and the provider.
- Bottom line: IP addresses are pretty useless when trying to identify people.
Why do we still use IP addresses?
- It’s not feasible to eliminate the IP addressing scheme and start from scratch.
- But providing attribution is not practical with just an IP address.
What has changed since IP was designed?
- Memory and processing power are much cheaper.
- Overhead is manageable with flow-managing devices for high data rates and QoS.
How can we enable attribution and network control?
- Users authenticate themselves to their communications or computing device. For example, Joe Smith, NCP engineering, <digital signature>, <public key>, true machine IP and port, true machine name.
- A local network device is programmed with the organization it represents. For example, NCP engineering, city, state, country, street, <digital signature>, <public key>.
- When a user makes a connection request, a sending device combines all the identity data in the new connection request, and a control device at the receiving end decides whether it wants to accept the connection.
- There should be protected places on the Internet—gated communities—where you have to show credentials to enter.
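The accept-or-reject decision of the receiving control device, as an added example that is not from the webcast or from any product: it shows why the organization's key must be pinned at the gate rather than trusted because it arrives with the request. The record layout, Ed25519, the organization signing over the user's key, and all function names are assumptions; replay protection (a nonce or timestamp) is left out.

```javascript
const crypto = require("node:crypto");

// Canonical bytes to sign: claims with sorted keys, plus optional bound data.
const message = (claims, extra = "") =>
  Buffer.from(JSON.stringify(claims, Object.keys(claims).sort()) + extra);

// A record holds claims, the signer's public key (SPKI DER, base64) and a signature.
// The organization passes the user's key as `extra`, so it vouches for that key.
function signRecord(claims, keyPair, extra = "") {
  const key = keyPair.publicKey.export({ type: "spki", format: "der" }).toString("base64");
  const sig = crypto.sign(null, message(claims, extra), keyPair.privateKey).toString("base64");
  return { claims, key, sig };
}

function verifyRecord(record, keyB64, extra = "") {
  try {
    const der = Buffer.from(keyB64, "base64");
    const pub = crypto.createPublicKey({ key: der, format: "der", type: "spki" });
    return crypto.verify(null, message(record.claims, extra), pub, Buffer.from(record.sig, "base64"));
  } catch {
    return false; // malformed key, claims or signature
  }
}

// Receiving control device of a gated community. `pinned` is a Map of organization
// name -> trusted key; a request without records comes from a user who opted out.
function decide(pinned, { user, org }) {
  if (!user || !org) return "reject: credentials required";
  const name = org.claims?.org;
  // Verify the organization under the pinned key, never the key it presents.
  if (!verifyRecord(org, pinned.get(name), user.key)) return "reject: organization not verified";
  if (!verifyRecord(user, user.key) || user.claims?.org !== name) return "reject: user not verified";
  return `accept: ${user.claims.name} @ ${name}`;
}

// Constructed sample data; keys are generated fresh on each run.
function demo() {
  const [orgKeys, userKeys, rogueKeys] = [1, 2, 3].map(() => crypto.generateKeyPairSync("ed25519"));
  const userClaims = { name: "Joe Smith", org: "NCP engineering", machine: "host-1", addr: "192.0.2.10:50000" };
  const orgClaims = { org: "NCP engineering", city: "Example City" };
  const user = signRecord(userClaims, userKeys);
  const org = signRecord(orgClaims, orgKeys, user.key);
  const pinned = new Map([["NCP engineering", org.key]]);
  const selfSigned = signRecord(orgClaims, rogueKeys, user.key); // same name, unpinned key
  return [{ user, org }, {}, { user, org: selfSigned }].map((req) => decide(pinned, req));
}

console.log(demo());
```

The third request carries a valid signature and a public key of its own, yet is rejected because that key is not the one pinned for the organization name it claims.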
How can we protect privacy?
- Users must be allowed to “opt out” of the authentication scheme.
What do you think of this security vs. privacy debate? Do you agree with rethinking IP addresses, or that in the future there should be protected “gated” communities on the Internet? Weigh in.