Computer security is important, especially in an age where we do banking online, use Facebook and Twitter and, for some of us, interact over the Internet more than in real life. First, let's define what security is. In the class I took, one definition of security is CIA: Confidentiality, Integrity and Availability. Confidentiality states that only the people who have authority to access the data can access it, preventing any unwanted third party from knowing the secret. Integrity states that the secret data you see is the correct data when you request it, ensuring that it was not tampered with while being transported to you. And availability states that when you request the secure data, it is available to you. While all three are important, let's mostly focus on confidentiality. [1]
So with confidentiality, only the authorized parties can have access to the object in question, but the main problem is how we know whether someone 1) is a member of the authorized parties and 2) is really the person that he/she says he/she is. To do this, we need to both identify and authorize the person: to know the identity being claimed, and to know whether the person really is the identity that he/she put forward. In a simple website example, entering your username would be a form of identification, and entering your password would be authorization, as the password should only be known to the website and the person who registered the given username. Obviously this is easier in real life than over the Internet, since in real life the person doing the authorizing, say Bob, can physically see the other person, say Alice, and can easily use a range of information for authorization (speech, looks, body language), especially if Bob has had prior interactions with Alice. The amount of information that Bob can use to authorize Alice would most likely be a lot less if they had only interacted over the Internet. [2]
So... what does this have to do with anime? Well, in chapter 28 of Sayonara Zetsubou Sensei, Zetsubou-sensei deals with exactly this issue of authorization. In chapter 27 we see the entrance of Majiru, who is brought to Zetsubou-sensei's classroom. Zetsubou, not having seen Majiru since birth, opens chapter 28 by questioning whether the Majiru in front of him is the real Majiru (and not just some kid masquerading as Majiru). He then generalizes the issue and asks each member of the class for their authorization, or proof that they are who they say they are.
On page 6, Zetsubou outlines what is needed for authorization: something that "only the real you would know". Let's see how effective Zetsubou is at getting proper authorization from his students.
First he asked Chiri for authorization, and Usui suggested that she reveal her breast size for it. While breast size is private information and hence wouldn't be known by most people, most of Chiri's health records would contain it, so anyone with access to such a record can know it, and someone who is pro enough can guess Chiri's cup size with a small margin of error. Since there is a small set of people who can know Chiri's cup size without being Chiri, strictly speaking, her breast size is not the best way to prove her identity. Obviously knowing that cup size is not good enough for proof, Chiri showed that her hair is not naturally straight, but really curly, which Zetsubou laughs off as interesting, and he authorizes Chiri. [3] ...Now really, not only is her curly hair arguably not information that only she would know (surely her parents [which she might have killed off already] and her elementary school classmates would know [assuming that any of them are still alive... Harumi is her friend since elementary school, right?... so Harumi could pretend to be Chiri using that information]), but Zetsubou-sensei also has no way to verify that the information is true of the real Chiri. Using the same example with Alice and Bob: Bob requests something that only Alice (not even Bob) would know, but this does not stop Mallory from coming in and telling Bob something that only Mallory would know. Bob cannot know what this information is beforehand, so if he is like Zetsubou-sensei, he would just accept Mallory as Alice (which ends up breaking the whole idea of authorization). By this alone, we see that Zetsubou's method is totally useless for proper authorization, and hence I suggest that the information used to prove one's identity should be shared by both parties (and only the two parties).
After authorizing Chiri, he asks for Abiru's authorization, which she declines to give, and, I dunno, I guess he accepts her identity precisely because she declines (as he guesses the secret has to do with domestic violence). [4] Really now, using the lack of information to authorize someone is something new to me. While I can guess that Zetsubou is relying more on the five senses as data for authorization, the cynic in me is saying that anyone who knows the rumors about Abiru can pretend to be her and be all bandaged up.
Nami passes by giving a normal answer. So normal. Well, I guess it prevents her from being impersonated by un-normal people, which SZS is full of. [5]
As for Maria, we all know she got into the class by buying the identity of Sekiutsu Tarou-kun, and hence has been a fake from the very beginning. Instead of asking for weird secret information as he did with Chiri, Zetsubou asked background questions about Tarou-kun, and Maria was able to answer all of them correctly. The teacher asked for Tarou's permanent residence, middle school, blood type and father's name, all of which are information that can easily be obtained with a bit of research. [6] This shows the lack of security in using publicly accessible information as proof of your identity (and hence the idea of security questions for security is just pure bull).
Finally, coming full circle, the idea of using secret information that is not shared between the two parties for authorization came back to bite Zetsubou when his students asked for his authorization. He first tried to show proof by dying, but the students objected, saying that the information they had stored about the teacher is not what he provided (different look, different personality). [7] Obviously he didn't know that this is what the students had in mind about him (it is secret), similar to how he didn't know that Chiri had curly hair, and so he was not given authorization even though he really was the teacher. The catch is that if the secret is not (partly) shared between the two parties, there is no way that a proper authorization scheme can work (you might end up authorizing the incorrect person or not authorizing the correct person).
Those of you who know a bit about security or cryptography might object that it is possible for a secret not to be shared between the two parties and still have a perfectly working authorization scheme (public key cryptography). Well, yes... but the two parts of the key are created in such a way that makes this possible. Here I'm talking about how Mallory can make up a completely random secret and still be accepted as Alice.
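The two failure modes described above (accepting Mallory as Alice, and rejecting the genuine person), as an added Python example that is not part of the original post. The class names, the sample strings and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os


class UnsharedSecretVerifier:
    """Classroom scheme: nothing was enrolled, so there is nothing to compare."""
    def verify(self, name: str, secret: str) -> bool:
        return bool(secret)  # any non-empty claim passes, whoever makes it


class SharedSecretVerifier:
    """Enrol a secret once (kept as a salted PBKDF2 hash); compare later claims."""
    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def enroll(self, name: str, secret: str) -> None:
        salt = os.urandom(16)
        self._records[name] = (salt, self._derive(secret, salt))

    def verify(self, name: str, secret: str) -> bool:
        record = self._records.get(name)
        if record is None:
            return False  # no shared reference means no basis to accept
        salt, expected = record
        return hmac.compare_digest(expected, self._derive(secret, salt))


def run_demo() -> dict[str, bool]:
    made_up = "a fact Mallory invented"            # constructed sample values
    alice_secret = "phrase Alice registered with Bob"
    shared = SharedSecretVerifier()
    shared.enroll("alice", alice_secret)           # known to both parties
    one_sided = SharedSecretVerifier()             # Bob's reference, never told to Alice
    one_sided.enroll("alice", "impression Bob formed on his own")
    return {
        "unshared_accepts_mallory": UnsharedSecretVerifier().verify("alice", made_up),
        "shared_accepts_alice": shared.verify("alice", alice_secret),
        "shared_accepts_mallory": shared.verify("alice", made_up),
        "one_sided_accepts_alice": one_sided.verify("alice", alice_secret),
    }


if __name__ == "__main__":
    print(run_demo())
```

Only the verifier that enrolled a secret known to both parties accepts Alice and rejects Mallory; the other two reproduce the Chiri case (false accept) and the Zetsubou case (false reject).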
1. University of Waterloo, CS458 Winter 2012 Slide 1-19
2. University of Waterloo, CS458 Winter 2012 Slides 3-29-32
3. Sayonara Zetsubou Sensei, chapter 28, page 6
4. Sayonara Zetsubou Sensei, chapter 28, page 7
5. Sayonara Zetsubou Sensei, chapter 28, page 8
6. Sayonara Zetsubou Sensei, chapter 28, page 9
7. Sayonara Zetsubou Sensei, chapter 28, page 11