this post was submitted on 05 Feb 2024
214 points (97.8% liked)
Technology
59438 readers
3154 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Good. This just shows how pointless identity cards are.
ID cards without chip are pointless. I’d like to see them try to fake a chipped document.
Chip cards wouldn't work online unless we had some sort of reader in electronics to insert the chip into like the credit card terminals. But yes, that would help a lot.
Good news then. We do have a reader. Chances are you are looking at one right now.
Almost all passports have chips (with the exception of a few developing countries, but even they are starting include them) and a lot of ID cards do as well (most ID cards in Europe already do and new ones are required to have then).
You might not see them, as they are contactless chips. They can be read by the NFC reader in your phone.
If you want to try it, search in the App Store or Play Store for an app called “ReadID Me” and test it on your passport.
Isn't NFC pretty vulnerable to short-range cloning attacks? Obviously it's better than nothing but it still has issues compared with a chip that requires electrical contact in order to be read.
The chip in a passport or ID card is not a simple data storage device. It's more like a tiny computer that the reader talks to. This is unlike a simple NDEF tag that you can easily clone, there are several layers of protection.
First, you need a key to even access the chip. This key is derived from 3 pieces of information on the document: the document number, the date of birth and the date of expiry. The idea is that to get this data, you already have to be looking at the data page of the passport, that is: to access the privacy-sensitive data inside the chip, you already have to be able to look at that same data printed on the page.
This data then goes into a key derivation function. Some handshake messages are exchanged which I won't bore you with, and both the chip and the reader should at that point be able to derive another key that will then be used to encrypt any communication between chip and reader. There are actually 2 different mechanisms for this, the older BAC mechanism (Basic Access Control) and the newer PACE mechanism (Password Authenticated Connection Establishment). The latter uses newer and even more secure crypto.
This prevents eavesdropping and ensures you cannot remotely read the document.
Once the connection has been established, the reader can request certain chunks of data from the document. This includes everything that is printed on the data page, as well as a higher-quality color version of the photo on you document.
The data that can be read from the document is digitally signed by the government of the issuing country. You can verify this signature against a list of trusted certificates. Only the government that issued the document should have access to the corresponding private key and as such you cannot forge this data (unless you are able to break certain cryptographic standards, but if someone can do that we have bigger problems than fake IDs). This is called 'passive authentication'.
Now, if you get your hands on someone's passport, you could still copy the data, you can't modify it, but you can clone it. To prevent this passports also have a clone detection mechanism. Again there are multiple versions of this, but the most basic form is called Active Authentication. Part of the data read from the passport, is a public key. The chip in the passport has the corresponding private key, but there is no way to read this key. You can confirm it's not a clone by sending a piece of random data to the passport and asking it to sign that data with its private key. You then use the public key to check the signature and confirm the document is in possession of the corresponding private key. You can also confirm the authenticity of the public key, because that is also signed with the private key of the issuing government.
Now, theoretically you could try to extract the private key used in clone detection from the physical document, you would need some extremely advanced tech to do this, and the chips in ID documents have all kinds of physical protections against these kind of attacks. Maybe some intelligence services would have this capability, but it would only allow you to clone a document, not forge one.
After reading about all the trouble they go to for passports, social security numbers are hilariously fucking inadequate by comparison (or even in absolute terms, for that matter).
Thank you so, so much for this explanation! I’ve been wondering for years and years and I finally get it, it’s so cool to see public key cryptography being used for clone detection.
Okay, I was not aware of that and I can't use the Play Store because I have lineage OS on my phone with no Google Play Services so it's likely an app like that would break.
You can just use the Aurora store, and I'm sure there's an NFC reader app that doesn't rely on GPS, maybe even on F-Droid.
$15 for a USB ID card reader on Amazon and many laptops ahead have this built in. It's usually some unremarkable slit on the side.
You use cards for offline authentication (bars/festivals/etc.), and use a different process for online authentication.
Proving someone has the physical card in their possession (which is what a reader does) isn't really useful for proving identity when you can't also check the picture.
Mmm. Good point. Otherwise, somebody could just steal the card from you and insert it into the reader and would therefore be you. My guess is something like that would at least require some sort of OTP 2 factor authentication. If you were going to do it that way, and it would have to be application based and definitely not text based.
Mhm. We need everyone to submit to DNA sampling and iris scans, so our overlords can keep more reliable records of our doings. /s
Or maybe we need to overthrow the overlords and do what we want LOL.
This shows that anything is pointless if the other side believes in kinds of verification which can be manufactured the way you can't distinguish it from the real thing.
Frankly I'm feeling a bit of love now to banks which don't allow you to do anything scary without visiting their office in person.
And I'm on the completely opposite end where the person I trust to have my best interest at heart is me. So I have crypto and manage it myself.
Too bad it's not actual money.
Money is what people say it is. And enough people see crypto as money to make it money. As an example, I have been buying my groceries with it for over a year now. And if it were not money, I would have starved.
I agree that money is what people say money is, but if it's too volatile, it may still be a good asset, but bad currency.
I use Monero, which moves about 15% from its one year simple moving average before reverting. And while that is quite a large move for somebody from the United States, for people from other countries that is not a very bad move, but I do see your point. I base my expenses off of the one-year moving average and save some for when the price is below that and I need to use a little extra.
Pay your taxes in crypto and then we'll talk
I can’t pay my taxes with euros, doesn’t mean they aren’t money
You can, if you're a Euro citizen. Is 'make dumb comparisons' a prerequisite for being a cryptobro?
Ok lolbertarian.
That can't be done since the government goons will only accept the fiat that they provide as taxes. So use crypto for everything else. And then each year convert just a little of it to the currency they want, which you find worthless to pay your "taxes" with. If somebody gave me the choice between Fiat and crypto for a thing that owed me, I would take the crypto immediately because it is worth the same no matter where I go.
Yawn