I saw this tiktok where this guy was talking about how he’d get his hands on real social security numbers… this was a clip from a whole story he told about some criminal shit, I was too distracted by my thoughts on how to fix the exploits he used.
Block chains and cryptographic signatures would solve basically every one of his exploits. But regardless of the myriad of reasons as to why we won’t adopt cryptography into American laws and bureaucracy, imagine if we did do everything involving government and policy in a cryptographically secure environment.
Imagine if everyone who is born gets assigned a gpg secret key signed by the government and that is your government ID for everything from opening a bank account to paying your taxes to claiming benefits. IMPO I think this is a perfect solution (iif you ignore the human element).
So my question is why wouldn’t it be perfect, and what kind of exploits could bad actors use in a cryptographic bureaucracy?
SSNs aren’t tricky by design.
3 digit area number, 2 digit group number, 4 digit serial number.
https://www.ssa.gov/history/ssn/geocard.html
So 1,000 combinations x 99 combinations (00 is not a choice) x 10,000 combinations.
990,000,000 potential SSNs. The only trick would be determining which ones are valid and which are not.
(0… 0… 0… - 0… 0… - 0… 0… 0… 2 - DAMN YOU ROOSEVELT!)
In any given area and group there are only 10,000 SSNs.
Shit you could probably just ask an AI chatbot for one and get a valid one it scrapped off the (dark)web. CC#s, too.
This is no longer the case. Any SSN issued after 2011 is fully randomized
Additionally, the following SSNs are always invalid:
- Any SSN with “000”, “666”, or “900”-“999” in the former area number
- Any SSN with “00” as the former group number
- Any SSN with “0000” in the former serial number.
Yep. The weakest link in the security chain is between chair and keyboard. And you can’t encrypt that.
You already have a cryptographically secure government id: your passport.
Fraud is conducting business under false pretenses.
What you’re referring to with obtaining social security numbers is basically “identity theft”, a term which makes a lot of sense in cybersecurity.
An SSN is basically (terrible) authentication credentials. So it’s credential theft. If you want you can call a bundle of credential factors an “identity” and then real life and computer identity theft become the same thing.
So basically you can go two ways with it.
One is fraud’s still the same and that wasn’t fraud per se that you were referring to before (except technically, in the sense identity theft is a subset of fraud).
The other is that to get your hands on people’s credentials, you’d get a copy of that GPG key. Maybe that means physical access, stealing the key, whatever. If you said biometric then that’ll eventually be spoofable due to biotech.
A gpg key has to be stored on something, and that can be stolen or lost. (Or degraded over time).
You are essentially pushing for 1 factor authentication. Its a strong factor, but still just 1.
True,
There are many ways to do this, for example a person can sign a new key with their old key when their old key is due to expire, we have many rotating government IDs.
As for the human element, social security cards and driving licenses get lost/stolen/worn out too, crypto keys have the potential to be just as durable as existing solutions.
I hope I don’t have to remember all of my kids passcodes until they are old enough to have them themselves.
We’d need a purpose made gpg like system for this level of complexity so I have no doubt that there would be a way to have parents cryptographically prove they’re their children’s parents. It’s just a matter of design
If you provide people with the means to replace lost crypto keys, then you’ve lost the security gained from using them.
You have the same problems we have with passkey today. If the key is compromised, and you don’t have a separate recovery method, how would a third-party know if you rotated the key or the attacker did? Keys are the way to go for these things, yes, but processes and management at a human level are required.
Guys
Guys
Guys
Cryptography doesn’t replace people… Some bureaucrat will probably manually generate keys for new people… If you make new keys you’re probably gonna go get them signed maybe even in person.
It’s just supposed to replace the garbage ass id systems we have today with something more utilitarian
Any system is only as secure as the people operating it.
Giving everyone a gpg is a fair idea (with pros and cons), but I’m not sure what you mean by including blockchain?
Any and all public record keeping would be done on a block chain. For example it’s not a secret who owns a given house, you can look up property and tax records. Smart contracts on a block chain work just as well as paper contracts if they’re given the same respect by the courts.
The smart contracts that are full of bugs and are exploited all the time?
git gud?
Not today, CIA
if you ignore the human element
And that’s you problem right there. The same people that can get tricked into revealing their SN#, mother’s maiden name, etc. are the ones who would reveal their private keys to a scammer.
Fraud is a social problem, technology can assist in managing them, but not solve the issue. In the end, it’s all about the human factor.
I’m the tiktok that guy talked about how he just explained away why he needed an SSN to the bureaucrat. I just thought that better technology would prevent this.
Firstly blockchain will do nothing in this situation so let’s ignore that.
as for gpg the problem is in order to decrypt the data you need to share the private key which is the exact same problem we currently have. You need to share your SSN for checks to be done and the orgs you share your SSN with are terrible at keeping them secure.
While it is a nice thought experiment you aren’t doing anything new just replacing a SSN with a gpg all the same technical problems are there.
That’s kinda backwards, isn’t it? If I want to verify my identity to a company, they would send me something that only I could decrypt. Some government agency provides all the public keys of all citizens, the company takes my public key, encrypts some secret with it, sends it to me, and asks me to decrypt and return it. If I’m able to do so, I must be who I say I am otherwise I would not be able to decrypt the secret.
In an ideal world, the company (or, even better, the employee) would have a similar certificate that I could use to encrypt my response with.
True, but you know orgs are going to want your private key anyway. Remember ssn is not suppose to be an identification system, it was never designed to be and yet it is used as such.
If they are doing shit wrong with a SSN what makes you think they will do shit right with gpg?
In this theoretical system, ideally it’s illegal for anyone other than the person who’s supposed to have the private key to have it - excepting some subset of legal reasons (e.g. parents for their children). So, the only business that would be asking for people’s private keys are the kind that are already operating outside of the law.
Well if they properly embraced it, you wouldn’t get one PGP key implanted at birth. I mean if that private key ever leaks, you’re screwed for the rest of your life. And the blockchain has sever shortcomings, too. It’s not anonymous, everyone can see every transaction and it’s not fast enough for lots of applications.
It’d need to be implemented properly. And most importantly include privacy. You can’t just expose millions of people to every attacker. And please think of the not obvious cases… How someone operate it who’s in the hospital and unconscious… What if you lost your phone… How can you keep secrets from your (abusive) partner… What about separation of state and private companies… How to prevent a scifi dystopia…
I think if like a few hundred millions of people are subject to it, it needs to be done properly. And I think that’d be possible if the government payed some experts to come up with a really good solution.
Keys need to have sub-keys, IDs be randomized, there needs to be some human in the loop in case something goes wrong. Attestation and not just giving out everything to every company…
Not every blockchain is fully transparent, but I agree that most are.