politics: May 2007 Archives
Talking to a friend over a pint this weekend, the subject of authentication versus identification came up. I was surprised that he didn't know the difference so here's a brief explanation of how I see it: authentication tells you something (or someone) is what (or who) you have been told it (or they) are; identification tells you what (or who) something (or someone is).
When you apply this to the farcical National ID Card scheme the gubmint is intent on implementing you can start to see why authentication is more secure than identification. Suppose I have one of these ID cards and someone steals it. Assuming they will be able to read the data on the card (and seeing as the gubmint can, they will) they will know my name, address, age, height and so on. What if that someone steals it off me at the airport? They will then have a fair guess that nobody will be home for a week or so. So they cruise around, break in, and take their pick of all my belongings.
Now imagine the card can only authenticate who I say I am. Someone steals it. What will they know? They'd have to guess triliions of names, addresses, ages etc. combinations and keep testing the card to see which one authenticates. In fact, it'd take them so long to ever come up with the right combination they are more likely to be dead from old age than extracting all my possessions from my house.
Authentication instead of Identification is entirely possible: you take all the vital details that form your identity and you encrypt them (one way encryption, of course) and maybe encrypt that several times more. No feasible way to go backwards from an encrypted key to the original data that the key represents, you now have a magic key that only you can turn.
This is one of the many things that is wrong with the National ID Card scheme. We are going to be made to pay hundreds each to have a piece of card that makes your identity less secure. All the substantial benefits touted in favour of the scheme can be achieved with authentication, and some of the major problems can be avoided with authentication instead of identification.
When you apply this to the farcical National ID Card scheme the gubmint is intent on implementing you can start to see why authentication is more secure than identification. Suppose I have one of these ID cards and someone steals it. Assuming they will be able to read the data on the card (and seeing as the gubmint can, they will) they will know my name, address, age, height and so on. What if that someone steals it off me at the airport? They will then have a fair guess that nobody will be home for a week or so. So they cruise around, break in, and take their pick of all my belongings.
Now imagine the card can only authenticate who I say I am. Someone steals it. What will they know? They'd have to guess triliions of names, addresses, ages etc. combinations and keep testing the card to see which one authenticates. In fact, it'd take them so long to ever come up with the right combination they are more likely to be dead from old age than extracting all my possessions from my house.
Authentication instead of Identification is entirely possible: you take all the vital details that form your identity and you encrypt them (one way encryption, of course) and maybe encrypt that several times more. No feasible way to go backwards from an encrypted key to the original data that the key represents, you now have a magic key that only you can turn.
This is one of the many things that is wrong with the National ID Card scheme. We are going to be made to pay hundreds each to have a piece of card that makes your identity less secure. All the substantial benefits touted in favour of the scheme can be achieved with authentication, and some of the major problems can be avoided with authentication instead of identification.
Thanks to The Inquirer for this article which details how the details of passport applications of millions of people can be viewed online by a bit of simple URL tweaking (reminds me of the good old days of online games where session IDs consisted of an incremental number making it easy to hijack someone's session). What's more, it's been known about by the authorities for a year. So even before you receive your insecure RFID chipped passport someone could quite easily have received all your details anyway.
Beggars belief.
Beggars belief.
Road Tax is inefficient. It creates an easy to commit crime. It also penalises you for using your car less than others do. It's also inconvenient: paying a lump sump once or twice a year by filling in a form and queuing in a Post Office during working hours. Abolish it (for private & light goods vehicles) and increase fuel duties to recoup the lost revenue. The more you use fuel the more you use roads and the more you pay, which makes sense, right?
It also reduces Police and court time spent enforcing an archaic, regressive tax. It would also reduce the amount of people facing hefty fines for non-compliance - and these are more typically people who couldn't afford a hefty fine in the first place (hence they didn't buy their road tax). Additionally, people with overseas registered cars would be paying their way better. If you have, say, a car registered in Italy, you pay no road tax. What's the sense of that?
It also reduces Police and court time spent enforcing an archaic, regressive tax. It would also reduce the amount of people facing hefty fines for non-compliance - and these are more typically people who couldn't afford a hefty fine in the first place (hence they didn't buy their road tax). Additionally, people with overseas registered cars would be paying their way better. If you have, say, a car registered in Italy, you pay no road tax. What's the sense of that?
And raise tax allowances. Much simpler, and the most benefit goes to the most needy. In fact, the only thing the gubmint needs to do when it comes to budget day is work out how much less tax it needs and raise tax allowances accordingly. A £1000 tax free is worth a lot more to someone on £15,000 than it is to someone on £60,000.
It's also incredibly more efficient than a 12-page form, separate IT systems, separate rules and procedures. The savings in red tape costs can be passed on as well - by raising tax allowances even more.
And get rid of National Insurance altogether. Add a bit to basic rate income tax to cover the lost revenue, and raise tax allowances a bit to show the savings made in less administration. Currently, National Insurance creates a poverty trap: under a certain amount you pay nothing; over that amount you pay on everything you earn, which can leave you with less take home pay than if you were paid a quid less. National Insurance also represents an easy way to raise income taxation for gubmints by not so stealthy means. Get rid of it.
Imagine a scenario where the basic tax allowance reached £15,000. Anyone on a really low income would see 100% of their pay, and anyone of a really low income would need every penny they had earned. It makes sense, right?
It's also incredibly more efficient than a 12-page form, separate IT systems, separate rules and procedures. The savings in red tape costs can be passed on as well - by raising tax allowances even more.
And get rid of National Insurance altogether. Add a bit to basic rate income tax to cover the lost revenue, and raise tax allowances a bit to show the savings made in less administration. Currently, National Insurance creates a poverty trap: under a certain amount you pay nothing; over that amount you pay on everything you earn, which can leave you with less take home pay than if you were paid a quid less. National Insurance also represents an easy way to raise income taxation for gubmints by not so stealthy means. Get rid of it.
Imagine a scenario where the basic tax allowance reached £15,000. Anyone on a really low income would see 100% of their pay, and anyone of a really low income would need every penny they had earned. It makes sense, right?
