Identification done securely
-
The key is the ability to brute-force the PIN that encrypts the data. Since it’s only four digits long, there are only 10,000 possible combinations. Using publicly available scripts and a commodity computer, someone can learn the correct combination in a matter of a few minutes,
-
Well, that reminds me of car registration plates. Sometime in the 1990s, Germany got a new style of number plates. And they came with a new (ugly) font. That font was said to make forging the number plates near impossible...
-
@BernieTheBernie I suspect that is the same change that happened here at some point - it does not make forgery easier per se, but it prevents altering an existing plate with paint only by doing something like changing a P to a B.
-
@BernieTheBernie The old typeface was DIN 1451, and if you look closely at that, it’s clear that it’s very easy to change certain letters and numbers into others with a bit of paint and/or tape. Sure, the back of the plate might have been reflective (not sure) so it will stand out if you look closely or shine a light on it, but from a distance if the plate is a little dirty, it should not be hard to make an F into an E, for example, or a C into a G.
The current typeface makes that a fair bit harder. Of course you still can, if you overpaint bits of letters in white as well as use black paint, but it’ll be harder to do it well and is probably easier to spot.
-
“Tough to forge” digital driver’s license is… easy to forge
the government of New South Wales in Australia
They must have gotten it the other way round
-
Oh for fuck's sake...
Seems they never heard of Public-Key Cryptography, or to never trust whatever device the person you're asking the identity of shows you.
Ideally the app should have asked the user "what data do you want to share", generate a QR and then let the police decode, verify, and display whatever data was in the QR.
EDIT: With this system the QR codes could even be generated ahead of time, they only need to be protected against identity theft. The only big problem is that a QR likely can't contain enough data to make this scheme work - you would need some NFC or Bluetooth connections to pipe data through and that introduces additional risks.
-
@Gurth Meanwhile, over here you can go to a shop where they make license plates and they probably won't even ask for your registration.
-
@Zecc In the Netherlands, plates can only be made by companies licensed to do so, which I suppose means there is some oversight that they’re not selling any off the record. OTOH, if you look at where these are (choose “Kentekenplaten laten maken” on the left and type any Netherlands place name you like in the field above that), I spot half a dozen of those in most medium-sized towns I tried, so it’s not like there is only a handful of manufacturers that cover all of the country …
-
@Gurth see https://www.rdw.nl/particulier/voertuigen/auto/de-kentekenplaat/kentekenplaat-verloren-of-gestolen (in Dutch). You need to provide id and proof of ownership, and you will get new plates marked with a sequence nr. The certified license plate maker will report to RDW that they created the plates, which will invalidate the unmarked (or with previous sequence) plates.
-
@BernieTheBernie said in Identification done securely:
Well, that reminds me of car registration plates. Sometime in the 1990s, Germany got a new style of number plates. And they came with a new (ugly) font. That font was said to make forging the number plates near impossible...
I don't think so, they changed the font to make OCR easier. Which makes sense, if you're into that kind of thing. Although with the series of morons Germany has had for transport ministers I wouldn't put it past them to have advertised it as something something forgery.
Edith: yeah, and what @Gurth said
-
A hologram implemented in an app using the accelerometer, as a security feature, that's really a kind of stupid that only police can come up with.
-
@robo2 said in Identification done securely:
The certified license plate maker will report to RDW that they created the plates
And that’s the weak point right there: it assumes everyone working in one of these places, is honest and can’t be bribed.
What you’d need to (mostly) prevent plates being made illicitly, is something like putting a serial number on the actual aluminium plates and keeping a close eye on which ones are issued, destroyed, stolen etc. Coupled to some way to quickly check that number on any given vehicle, whether stationary or in traffic, I suppose.
-
@JBert said in Identification done securely:
The only big problem is that a QR likely can't contain enough data to make this scheme work - you would need some NFC or Bluetooth connections to pipe data through and that introduces additional risks.
It technically can, just that the code density is really difficult for some off-the-shelf readers to parse in less-than-optimal conditions. See SmartHealth QR codes for an example...
-
@Tsaukpaetra said in Identification done securely:
See SmartHealth
With a name like that, it's almost certainly neither smart nor healthy.
-
@HardwareGeek said in Identification done securely:
@Tsaukpaetra said in Identification done securely:
See SmartHealth
With a name like that, it's almost certainly neither smart nor healthy.
'tis not.
-
@Tsaukpaetra 'Tis also not useful (to me, at least). The only thing my phone does with that is copy it to the clipboard.
-
@HardwareGeek If it's anything like some other big number encoded QRcodes, you could theoretically decode it into some json containing some spicy personal info
-
@hungrier said in Identification done securely:
@HardwareGeek If it's anything like some other big number encoded QRcodes, you could theoretically decode it into some json containing some spicy personal info
It might well be encrypted inside there. There's a whole spec for that sort of thing. (I stumbled across it while studying how OpenID works; it reminds me of the same thing for XML.)
I've not checked if that is really there, of course.
-
@HardwareGeek I get shc:/, no second slash, followed by a long string of decimal digits. to investigate further.
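What such an shc:/ string holds, as an added example that is not part of the original posts: under the SMART Health Cards numeric encoding each pair of digits is a character code minus 45, giving a compact JWS whose payload is DEFLATE-compressed and signed rather than encrypted, so reading it needs no key. The holder data, issuer URL and key id below are constructed placeholders.

```python
import base64
import json
import zlib

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def shc_encode(jws: str) -> str:
    """Numeric mode: each JWS character becomes two digits, ord(c) - 45."""
    return "shc:/" + "".join(f"{ord(c) - 45:02d}" for c in jws)

def shc_decode(uri: str) -> dict:
    """Recover header and payload from an shc:/ URI; no key is involved."""
    if not uri.startswith("shc:/"):
        raise ValueError("not an shc:/ URI")
    digits = uri[len("shc:/"):]
    if not (digits.isascii() and digits.isdigit()) or len(digits) % 2:
        raise ValueError("expected an even number of decimal digits")
    jws = "".join(chr(int(digits[i:i + 2]) + 45) for i in range(0, len(digits), 2))
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    body = b64url_decode(parts[1])
    if header.get("zip") == "DEF":
        body = zlib.decompress(body, -15)  # raw DEFLATE, no zlib header
    # The signature is only measured here: checking it needs the issuer's public key.
    return {"header": header, "payload": json.loads(body),
            "signature_bytes": len(b64url_decode(parts[2]))}

def build_sample() -> str:
    """Constructed sample: made-up holder data and an all-zero placeholder signature."""
    header = {"alg": "ES256", "zip": "DEF", "kid": "constructed-key-id"}
    payload = {"iss": "https://issuer.example", "name": "Jane Example",
               "birthDate": "1990-01-01"}
    deflater = zlib.compressobj(wbits=-15)
    body = deflater.compress(json.dumps(payload).encode()) + deflater.flush()
    parts = [json.dumps(header).encode(), body, bytes(64)]
    return shc_encode(".".join(b64url(p) for p in parts))

if __name__ == "__main__":
    uri = build_sample()
    print(uri[:60] + "...")
    print(json.dumps(shc_decode(uri), indent=2))
```

A verifier that skips the signature check learns the same fields as one that performs it, which is why the scanning app and the phone it runs on are the places to audit for data retention.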
-
@dkf said in Identification done securely:
It might well be encrypted inside there. There's a whole spec for that sort of thing.
Or it might not. The European COVID vaccination QR code included a proper digital signature, but the personal data was in the clear (it was just compressed and encoded using a weird scheme).
-
@Zerosquare said in Identification done securely:
@dkf said in Identification done securely:
It might well be encrypted inside there. There's a whole spec for that sort of thing.
Or it might not. The European COVID vaccination QR code included a proper digital signature, but the personal data was in the clear (it was just compressed and encoded using a weird scheme).
Why does this matter? It was written in clear text on the paper version as well. It's on ANY ID type in clear letters.
Let's just switch to randomly assigned GUIDs at birth instead of names. That would solve so many problems.
-
@Luhmann perhaps a hierarchical naming convention, a la “Seven of Nine, Tertiary Adjunct of Unimatrix 01”?
-
@Arantor said in Identification done securely:
@Luhmann perhaps a hierarchical naming convention, a la “Seven of Nine, Tertiary Adjunct of Unimatrix 01”?
But will we get the great bazookas to go with the name?
-
@izzion said in Identification done securely:
@Arantor said in Identification done securely:
@Luhmann perhaps a hierarchical naming convention, a la “Seven of Nine, Tertiary Adjunct of Unimatrix 01”?
But will we get the great bazookas to go with the name?
That will depend on your chosen options from the gender matrix
-
@Arantor said in Identification done securely:
Unimatrix 01
-
@Luhmann said in Identification done securely:
Why does this matter? It was written in clear text on the paper version as well. It's on ANY ID type in clear letters.
The clear text on paper is read by a human, who's not going to remember (or even attempt to) the personal data of everyone he's checking.
On the other hand, the QR code is checked with an app on a phone. You have zero guarantee of what happens to your personal data at this point. And even if the app itself is trustworthy, the phone may be compromised by malware.
-
@Zerosquare
So ... as safe as that piece of paper being abused. Got it.
-
On paper, yes.
In practice, no. You only show the paper to a person for a few seconds, and they don't make a copy of it, or show it to a camera. Massively collecting data from this would be difficult.
Meanwhile, recording every scanned code along with the time and the location is trivial.