Monday, January 5, 2009

Chain of distrust

Communication is built on trust between the parties involved. Unfortunately, that trust is eroding on the Internet, and in society itself; what I see emerging instead are chains of distrust.

An idea called the chain of trust is a practical implementation of authentication. Put simply: when Alice trusts Bob and Bob trusts Carol, Alice assumes Carol is trustworthy. In this way, Alice does not have to authenticate Carol directly. The Internet is another good example of a chain of trust; each router assumes its peer routers will forward the packets it originates.

But in the real world the chain of trust should not be taken at face value. In the Alice-Bob-Carol case above, no peer-to-peer trust relationship between Alice and Carol is necessarily established; distrust between Alice and Carol is entirely possible, and they may not want to talk to each other at all. Communication through a proxy is in fact quite common between two distrusting parties. Should I call this a chain of trust? I would rather call it a chain of distrust.

The current Internet is full of chains of distrust. Perhaps, for accuracy, I should call them chains of limited trust. For example, your employer will not unconditionally trust you to protect the employer's privacy, so you have to communicate outside the employer's network through a firewall, usually made of packet filters and proxy servers. Your employer grants you limited trust for external communication. This limitation may breed your distrust of your employer, while the employer usually considers it a security feature that protects its relationship with you. The two sides' differing interpretations of a situation of limited trust can themselves be a source of distrust.

In a set of trusted parties of limited size, the parties do not have to spend time authenticating each other for every packet they exchange. The trust is established by the physical connection and by the perimeter. The Internet's packet-forwarding system extends this idea of physical connection into chains of trust by providing reliable communication through discrete packet deliveries, and the idea has worked well in a limited community whose members are trustworthy to each other. The end-to-end principle [1] has worked so effectively that the engineers of the Internet firmly believe in it.

The reality we face, however, is that people are no longer trustworthy to each other and instead distrust one another. People seek a safe haven by creating a chain of distrust, which is a false sense of security: the chain of distrust is easily broken if the proxy between the two distrusting parties has malicious intent.

We are heading into very difficult times, in which security engineers must secure the chains of distrust as well as the chains of trust.

[1] Blumenthal, M. S. and Clark, D. D. 2001. Rethinking the design of the Internet: the end-to-end arguments vs. the brave new world. ACM Trans. Internet Technol. 1, 1 (Aug. 2001), 70-109. DOI=