by Tim Heagarty
April 30, 2007
Introduction
Confidentiality can be considered the lost art of keeping a secret. Loss of the confidentiality of information is at the heart of identity theft, phishing, targeted "spear" phishing and a host of other criminal behavior found in online society today. This article focuses on the classic definition of confidentiality and how the purposeful or accidental loss of confidentiality affects the perception and the reality of security in today's online society.
Definition of Confidentiality
The International Organization for Standardization (ISO) defines confidentiality as "ensuring that information is accessible only to those authorized to have access." Confidentiality of personally identifiable information is considered to be one of the modern pillars of information security. Other prime points are the integrity of information and its continuous availability, which we will cover in other articles.
Naturally, the concept of confidentiality is much older than the computer age and is also used in other contexts, such as healthcare and the legal profession. We have often heard of attorney-client privilege relating to the confidentiality of discussions between a lawyer and client. The Health Insurance Portability and Accountability Act (HIPAA) is wide-reaching and partially aimed at assuring the privacy or confidentiality of patient medical information. Confidentiality in personal relationships and in business transactions is intertwined throughout the history of legislation and natural law.
Confidentiality, for the purpose of this article, describes the responsibility of one party to shield the information entrusted to them by another party. In the case of AOL Instant Messenger (AIM), the entrusted information is the AIM ID (screen name) and password of the user who is using the application. When we create and release an application that asks a user to input their ID and password, we set up a trust relationship between the user and ourselves represented by our application. As part of this trust relationship, we are required as AOL developers to include our privacy policy, as well as clearly visible links to AOL's privacy policy, within our applications. There are also a number of restrictions on the kind of traffic to which we may expose our customer/client. For more, see the AIM Developer's License agreement at developer.aim.com/license.
Losing control of the confidentiality of our customer's information will be considered to be a breach of security. That loss of control may result from the exploitation of a vulnerability in the client's operating system or, heaven forbid, a bug in our code. Purposeful disclosure of information and/or the source of the information is also considered a breach of confidentiality and will most assuredly get us in hot water with AOL and with the people whose confidentiality was compromised.
Methods of Maintaining Confidentiality
Let's examine a few basic methods that can be used to maintain confidentiality during an exchange of information. The information exchange may be in the simple form of logging on to our client application or sending messages. Transferring files must also be considered a private exchange, as the files may contain personal information such as medical history, business records, or other data that could be used to compromise our customer's identity.
We will focus on the processes involved in determining that a client is in fact who they say they are.
Identification
Since we decided that confidentiality means that we only disclose information to those with a need to know, we must be able to confidently identify those individuals with one or more factors of identity. Identity is claimed by producing, obviously, some form of identification; this identifier is known as a credential. In the physical world, the credential might be a driver's license, an automated teller machine (ATM) card, a debit/credit card, or a passport document. In most cases one or more anti-counterfeiting devices are used to assure the authenticity of the credential; e.g., holograms, watermarks, embedded metallic threads, etc.
In our world the credential is the AIM screen name. AOL goes to great lengths to guarantee to us that each screen name is unique and can be relied upon to represent a single entity. We determine the authenticity of the credential as soon as we present it to AOL and receive word of its validity.
For example, the IAccSession interface provides the primary means of accessing AIM functionality. Its Identity property specifies the screen name the application signs on with (see the AIM SDK Component Reference):
Listing 1. IAccSession identity example code
HRESULT Init(const char* userName, const char* password)
{
    // 1. create aimcc main object, hook up for events
    // 2. set information to identify this client
    // 3. specify username and password, and sign on
    HRESULT hr;
    if (SUCCEEDED(hr = AccCreateSession(IID_IAccSession, (void**)&m_sp)) &&
        SUCCEEDED(hr = Advise(m_sp)))
    {
        CAccPtr<IAccClientInfo> spClientInfo;
        hr = m_sp->get_ClientInfo(&spClientInfo);
        if (SUCCEEDED(hr))
        {
            // Describe this client to the service (application name plus developer key)
            CAccVariant desc(L"aatlbuddy (key=ju13LC0KMdgmkiO0)");
            spClientInfo->put_Property(AccClientInfoProp_Description, desc);
            // Identification: present the screen name; authentication: sign on with the password
            if (SUCCEEDED(hr = m_sp->put_Identity(CAccBstr(userName))))
                hr = m_sp->SignOn(CAccBstr(password));
        }
    }
    return hr;
}
Here, put_Identity is called to enter the user's screen name into the software, for user identification.
Authentication
Once an identifier has been presented the alleged identification must be authenticated. In the real world, the recipient may look at the photograph or signature on the credential and compare it to the individual presenting the card or to their signature on a sales receipt or other document. If this authentication step is not performed, then an important factor in the proper identification and authentication of the individual has been compromised.
Authentication is why retail store clerks were at one time trained to always compare the signature on a credit card to the card bearer's signature. Many people now tend to rely on the electronic point-of-sale equipment to perform the authentication phase of the transaction. This reliance, though, only confirms that the plastic itself is a valid entity, not that the user has authorization to use the card or whether they are even the owner.
In the case of AIM, the authenticating factor is something that the user knows: the password. An AIM application sends the password to the server using IAccSession's SignOn method (see Listing 1).
Other factors traditionally used in multi-factor authentication are something that a person has, e.g., an ATM card, combined with something that they know, such as the personal identification number (PIN).
Some authenticating systems combine user IDs with software or hardware tokens that produce a one-time sequence of characters used in the log-on process. That one-time value is confirmed valid by a third-party system at the other end of the transaction; with that, our multi-factor identification and authentication is complete, and the user is allowed access to the confidential information or data stream.
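As an added example (not code from the original article or from the AIM SDK), the following Python shows one concrete instance of the token scheme described above: an HMAC-based one-time password (RFC 4226, which the article does not name) generated by the token and checked by the server side, which tracks the last accepted counter per user so a captured code cannot be replayed and allows a small look-ahead window for codes that were generated but never submitted. The user names and the demo secret (the RFC 4226 test-vector key) are constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed demo secret: the RFC 4226 test-vector key, not a real token seed.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HMAC-based one-time password (RFC 4226) for the given counter."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation offset
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side check of the one-time value a token produced.

    Remembers the next expected counter per user so an already-used code is
    rejected, and tolerates a few skipped counters (look-ahead window).
    """

    def __init__(self, secrets: dict, look_ahead: int = 5):
        self._secrets = secrets                        # user -> shared secret
        self._counters = {u: 0 for u in secrets}       # next expected counter
        self._look_ahead = look_ahead

    def verify(self, user: str, submitted: str) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        start = self._counters[user]
        for c in range(start, start + self._look_ahead):
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(hotp(secret, c), submitted):
                self._counters[user] = c + 1           # consume this and skipped counters
                return True
        return False
```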
Biometric Identification
Biometric identification relies on something that the user is. This bio-identifying feature may be a fingerprint, with its unique pattern of ridges and whorls; the shape, color, and textures of an individual's iris (the colored part of the eye around the pupil); or even the distinct pattern of veins on the individual's retina at the back of the eye.
Of course, each of these bio-factors requires increasingly intrusive methods to obtain the original sample, digitize and store it, and later match it against the current scan to determine, once again, whether this person is who they claim to be. The opportunity for misuse of the data, negligence, and plain old screw-ups rises with the complexity of these identification and authentication systems, which leads us into an entirely different topic and article, so I promise to get back to the point, which is confidentiality.
Authorization
Now that we have authenticated the identity of our client, we can determine if they are in fact allowed to perform the function that is being requested. This phase of our process is known as authorization. Is the client authorized to view the materials that they are requesting? Can they make a purchase of the amount requested?
In a previous life, I wrote software for the systems that financial institutions use to keep bank branches secure. We would, in some cases, use the time of day as part of our authorization criteria. An individual may have just successfully identified themselves as a member of the cleaning crew that is allowed access to the branch after hours, and may have entered the correct PIN authenticating themselves, but the authorization rules clearly state that they are not authorized to be in the bank branch at two o'clock in the morning! You can provide the same kinds of security in your client application to restrict when certain classes of users are allowed to use your client, thereby increasing the likelihood of protecting the confidentiality of your, and your client's, information.
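The time-of-day authorization rule described above, as an added example in Python (not code from the original article): an authorization decision that takes the outcome of identification and authentication as input and then checks the requested action against a per-role policy of permitted hour windows, including windows that wrap past midnight. The roles, actions, windows and screen names are a constructed policy for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Session:
    """Result of identification and authentication: who signed on, and as what."""
    screen_name: str
    role: str
    authenticated: bool


# Hypothetical policy table (constructed for this example): role -> action ->
# allowed (start, end) windows. A window whose end precedes its start wraps
# past midnight.
POLICY = {
    "teller": {"open_vault": [(time(8, 0), time(18, 0))],
               "enter_branch": [(time(7, 0), time(19, 0))]},
    "cleaning_crew": {"enter_branch": [(time(18, 0), time(23, 0))]},
}


def in_window(now: time, start: time, end: time) -> bool:
    """True if 'now' lies in [start, end), handling windows that wrap past midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def authorize(session: Session, action: str, when: datetime) -> tuple:
    """Decide whether an authenticated client may perform 'action' at 'when'.

    Returns (allowed, reason); the reason is what an audit log should record.
    """
    if not session.authenticated:
        return False, "not authenticated"
    windows = POLICY.get(session.role, {}).get(action)
    if windows is None:
        return False, f"role {session.role!r} may never {action}"
    if not any(in_window(when.time(), s, e) for s, e in windows):
        return False, f"{action} not permitted at {when:%H:%M}"
    return True, "ok"
```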
Conclusion
We discussed identification, authentication, and authorization as primary checkpoints when maintaining the confidentiality of information. The AIM screen name is our prime identifying credential and is only trusted because of the work that AOL has done in supporting the uniqueness of the credential. In AIM applications, credentials are verified and processed using the IAccSession interface. Proper utilization of the methods and properties in this interface will be a key component in any AIM application that authenticates users while also preserving the confidentiality of their information.
Authentication is done for us by the AOL servers when the client logs onto the service. The authorization of the user to access our resources is now in our hands. If you as a developer keep these points key to your development process, you can keep your information private and deserve the trust and support of the enormous and growing AOL customer base.

OpenId!
Is all : )
Bst Rgds,
Michael B.