Discussion: Means of guaranteeing one identity per individual? #22
Comments
cc: @bitcoinsSG as I noticed your field was Computational Genetics & Proteomics :)
Mostly just a lurker here, but I wanted to say I really like your idea of using DNA encoding. The "double spend/identity" issue seems very difficult to address using facial recognition and, in terms of both reliability and processing cost to the network, this seems like a much more effective solution. Though my understanding of genetics is relatively elementary, your banding solution seems to solve both the issue of health information privacy and the potential of generating the same key twice in special cases such as identical twins, if we were to use the entirety of the raw genome sequence. Correct me if I've misunderstood somewhere, but this solution seems very elegant and has great potential. If I'm not mistaken, the primary obstacle now becomes implementing a simple, user-friendly process for genomic analysis and key generation?
** Some people have two DNA profiles. Will try to find link. Woman nearly lost her kids - accused of benefit fraud. Eventually they took samples from different parts of body... she had 2 DNA profiles. Kept her kids. Can't recall all details but may have been connected with twin birth. DNA is not infallible.
@dharmocracy I think you are talking about human chimera and this case
@patcon @dharmocracy @jgsn If the keygen protocol specifies a specific area of the body to retrieve a sample from, a finger prick or cheek swab for example, then it shouldn't actually matter if we encounter a chimera type of scenario, should it? If an identity comes under scrutiny such that it has to be confirmed, say for a court case, a new sample could be retrieved to confirm a person's ID. Perhaps this is a simplistic view, but after reading the wiki on that woman, it seems that the only time the DNA retrieved differs is when samples are taken from different areas of the body.
Agreed @ZeroCool2u. I suppose passport/ID issuance would probably need to be a two-part event if it were actually to use genetic fingerprinting. One for collecting, and another for generating the ID. If we want any hope of even proof-of-concepting this in the near future, then we'd need a very, very reproducible fingerprint. I guess I can't imagine that happening in some sort of DIYbio protocol in the near future :) Speaking of DIYbio, there's a fairly active DIYbio community in Toronto. I've cc'd one of the organizers on Twitter and hopefully he can bring this up with the right people if he thinks it's of interest:
Interesting thoughts from @jpahara:
Still thinking on it. Definitely a surprising analysis, but not sure it changes anything as far as we're operating.
@MrChrisJ I was listening to your Let's Talk Bitcoin episode on "Philosophy of Identity" today. (Awesome stuff, btw.) Anyhow, I've realized that the premise of this thread, provably unique decentralized identity, may be counter to your goals. The whole episode is obviously worth a listen, but I'll post the deeplinks to the relevant bits once the episode is up on YouTube (where deeplinks are possible :) Before I personally comment any further, in case I misunderstood, I'd love to hear where you stand on this discussion, Chris! Also, I'm on IRC if that's simpler. If I'm online, you can find what rooms I'm in on freenode with the command
Hey @patcon, yes I have some ideas on how I want the biometric stuff to be handled. Your idea of breaking up the DNA sequence will be useful. I just don't want biometrics being stored in public databases, as it could provide incentives to take control of people's bodies. I would rather the biometric was used as a nonce or some kind of salt to a key. I like ideas around voice sampling and ECG heart rhythms, brain wave patterns. Things that are more voluntary. Stuff like face recognition and DNA not so much, because you leave your DNA everywhere and it's hard to stop someone from looking at your face without covering it. I will sort out the IRC. Any OSX client you can recommend? Might be good to do a voice chat on GTalk actually.
OK, good to know. Does it make sense when I draw the comparison between Bitcoin's public ledger (required to prevent double spending between unique addresses), and this project's public portion including some universal unique identifier (required to prevent double-identity)? I don't think I see the potential in the project if it's not trying to prove singular personhood in a decentralized way. This requires making some UUID (photo or genetic) available in a ledger. Anyhow, I have some counterpoints to some of the thoughtful things Andreas and yourself brought up in the podcast, and would love to speak about them via video chat if you have time :) And LimeChat is an amazing, simple IRC client on OSX: http://limechat.net/mac/
I am not sure my thoughts will come across well - I will try.
My analogy would be a train track junction. The junction points where trains cross tracks and travel on different lines is how I see the card/passport. (Maybe you tech guys can find a better analogy, i.e. camera lens as crossover point for external and internal image.) The human can use the card to verify his online identities / work / authenticity. Unique Verification Identity Card - Human / Digital Interface -- I am not sure of the tech terminology but I am sure an acronym can be made to suit the needs of the card. In future the card could be used in many different ways, as another track is added to the junction point. There is only ever one starting point - HUMAN birth (like the rail yard where the train was created). This is important, for me anyway, as the card would entitle everyone to Human Rights, something often denied to stateless people. This card would allow every human to have a unique "engine serial number". I think that is the card hash key, but please correct if I have misunderstood. I hope I am not derailing the intended use of card or project. I just think the starting point is very important. Multiple identities are not a concern if we look at it from a logical point of view: one human acting in different capacity, or wearing different hats. Some people have more than others. I myself have 3 different identities with official documents in different names (even birth certs!). But I am only ever one human being, and I should have one key that reflects this. I am sorry if my explanation is not very well explained, not good at thinking and typing, lol. I really want this tech to be used by the individual. Using Human Verification will stop companies and corps etc. Moolah will not be issued a card. It would also help in suing people who hide behind a corp or a state, because we could locate the human behind those actions.
This would also make it very dangerous for people like Manning/Snowden etc., so double-edged tech. Using the inet digital info to identify the human and the human to identify or claim his digital work and identity is a good thing. It's almost like 2D and 3D worlds meeting point, like a mirror that you can walk through. Now if I was the only person who could walk through my mirror that would be great. How to stop others using mine instead of their own is something I have no idea; I will leave that to Chris and others who understand hashes & Merkles etc. Apologies for long-winded post.
Maybe I'm misunderstanding, but this seems where we differ. I was hoping this project was solving the basic problem of finding (voting) consensus in a digital arena. Consensus is a fundamental social concern, as it's how communities make collective decisions. As soon as someone can create 2+ identities and get 2+ votes, then unfortunately everything breaks, as far as I'm concerned. I can't imagine how this project could work without exposing something unique about the physical person that prevents a second digital identity from being created elsewhere. I understand that in some countries, there might be punishment for subscribing to an alternative system. That unfortunately seems incompatible with a system that is trying to create a path to digital consensus :(
I am one human - I have one vote. I can vote in USA under one name and in UK under another. I have two identities online, dharmocracy (Acharn) and Citta Dhammo; sometimes these identities cross over. My family use both to contact me, but I could put all this info on the card. Back to the train engine -- I can haul coal or passengers, I could travel as an engine on its own or bring carriages with me, but my capacity, i.e. train cars, cannot go anywhere without the engine, and I only have one engine. This is what I was trying to get across -- the human birth is unique. Everything that happens is done through that. I could put on many uniforms but I am still the person I was at birth, and can only ever be identified as such. All other identities are impossible to create without that birth. THIS is the problem for many people who don't have a birth cert: proving you exist and who you are.
Thank you, but it's not that I don't understand what you desire this to be. To be honest, I even think that's fair and wish you could have it both ways :) I just can't imagine how the system could work that way for you (preserving anonymity) and also work for what I was aspiring (consensus). And I mean that on purely technical merit. The reason the examples you gave allow multiple identities, is because each has internal consistency, but you are unique within each. And that uniqueness is provided either:
And we don't have those options if we want to use the project for finding consensus, when the system is audited by an ad-hoc network of trusted ID issuers. Genetic fingerprinting, to be clear, can prove birth and personhood while allowing you anonymity today, but as @jpahara alluded to, that is a temporary advantage that will disappear. And even if we went with that, a genetic test today would mean a very expensive ID into the foreseeable future. Assuming high price is a deal-breaker, that's not something that can act as part of the UUID portion of the ID for at least a few years. I was hoping to work on this immediately. I don't know how I can explain it any other way, but I'm confident our desires are in conflict, which is a total bummer. For what it's worth, I get the impression @MrChrisJ would rather develop the project aligned with your considerations :)
You explained it very well. I apologise for interfering in the thread issue. I am not really interested in voting rights and have nothing to add on that topic. The anonymity is an issue that is very important. I am here to learn from you tech guys and try to implement your tech in my own projects or concepts. Thanks for taking the time to give a fully detailed answer (in language I understand). The time stamping and hash keys are important tools but my tech level is too low at present to fully understand the system. I think Chris wants a system / method that can be used (forked?) by others. It has certainly created discussion and interest, which is great. (I will be lifting some of your terminology used here, I am sure you won't mind.) Perhaps this is where the card carrier decides which info he/she wishes to include. PS monastery checks gov ID also. It seems all ID is based on gov issue and if Chris can change that then I will be 100% behind that in whatever form or direction the project goes.
Oh hey, no problem at all! I guess we just wait for others to chime in at this point (if we haven't scared everyone away :)
I most certainly do see a role for biometrics and the value for a single UID is clear and worth striving for. I just don't know what form it will take yet. Remember that I am treating this as a gradual learning exercise; I just want to try and do one thing really well, one step at a time. I think this needs more pacing up and down with coffee and lots of these chats :) I am on Skype btw. Sorting out LimeChat too.
👍
Just how I like it. I DM'd you on Twitter.
I have to go to bed soon but this is what I am looking at re biometric: Then there is this CheapID by Vinay Gupta (whom I know by complete coincidence). It's a long read so skim through it, but I like this idea of hashing and salting the biometric data and hiding it in a giant database so that it can only be retrieved under certain conditions. I will sleep on this and talk more tomorrow.
Oh hey, missed that question @ZeroCool2u, but yep, although I worry that cheap genetic fingerprinting won't happen for a few years, even if we concede to doing it off-site. And thanks @MrChrisJ -- I'll read up on CheapID. Came across it after seeing one of Vinay's interviews, but the length forced it onto the backburner :) I remain uncertain how Nymi helps us, given its apparently poor reputation for authentication. Especially considering its cost. But hey, a public database is the only difference between a protocol that would satisfy you and one that would satisfy me. So it still totally makes sense to work together :)
Just saw the notification for this in my e-mail, thanks @patcon for the inclusion. Yes, this does fall into my specialty. Will give a detailed response later after I read the entire thread, but so far I can provide a preliminary response. Canonical DNA fingerprinting is a fairly trivial exercise that segments the entire genome into smaller pieces, which, as a collection (permutation), provide enough uniqueness for a person. @dharmocracy I wouldn't worry about the scenario you proposed, as @jgsn correctly pointed out that this is an extreme case. @MrChrisJ DNA fingerprinting allows for a special case where an attacker wouldn't need to "take control" of one's body in a violent manner, as it is readily available in any part of the human body, including hair, skin etc. Whole genome sequences, unlike DNA fingerprinting, reveal deep private clinical information about the person and probably should be avoided at this point. I think someone also mentioned acquiring DNA from specific parts of the body; this is a non-issue, as DNA from any part of the body will result in the same DNA fingerprinting regardless of origin. Interestingly enough, DNA does differ in different parts of the body, specifically in the telomeric regions that specify the age and damage to the tissue/organ etc. Yes, parts of your body age differently. Biologically speaking, the correct age of a person is the median age of all the vital organs of the body. However, DNA fingerprinting accommodates for this. Of course, as most of you can imagine, unlike a photograph, verification of a DNA fingerprint does take longer and may not be as feasible from a pragmatic standpoint if real-time verification is desired. What would be interesting is if telomeric regions, including flanking regions of a certain tissue type, could be sequenced for a person. This would be an indication of biological age that encompasses uniqueness, not unlike a Bitcoin blockchain Merkle root.
At any point in time in the future one could take another sample from the same person and tissue, such that one could verify whether it is the same person and how much biological time has passed. The telomeric region varies in a semi-predictable manner, and can serve as a good indication of delta time. Changes in these regions would also incorporate lifestyle habits, including, for example, how much a person smoked etc. There is something here and I will get back to it, but I am very busy at the moment and will be for the next 3 weeks. ttyl.
Ah this may be of value to us: Private Biometrics
Please read the references at the bottom. I found out that the new UK passports use face recognition, though apparently it is still possible to fake a UK passport if you are able to get hold of the original, because they don't use a blockchain and the data is not encrypted on the chip! I think to get around the violent takeover of someone's body you're going to have to include other factors into the signing process. So we don't just allow something you are, but we also need something you know (password) and someone who knows you (nominated people from your social network) before we let you perform any important tasks like the creation of a new key. I also met with a friend last night (before I spoke with you @patcon) who told me that it is standard practice in his company to boot a Virtual Machine (VM), create a certificate on it and generate a handful of subkeys, all with different rights for different tasks. Then to encrypt the VM and put it in cold storage like a safe or something. Having done some DuckDuckGo (it means 'to google') today, I found out that many of the issues we are facing are also being faced by the industry at large. Except we have something they don't, which is open source affordable tools and a strong self-motivated community willing to educate anyone who is willing to learn. I am going to talk to Vinay Gupta and get his thoughts on it because he came up with the CheapID project back in 2007. Thanks so much for everyone's enthusiasm and commitment to this project. I am going to be doing a talk on it next week in Rennes, France! Keep the ideas coming.
@bitcoinsSG this has to be an area worth exploring, it sounds like a Lamport signature for the human body (a one time password).
@MrChrisJ Very true, there are parallels here with Lamport sigs. What's also interesting is that we may be able to use this for invalidating an old BlockchainID (stolen/lost etc.) and issuance of a new one that may not require all of the original parties to be present or even participate. I think I would need to gather my thoughts in a more organized fashion, possibly a whitepaper or just a separate enhancement proposal here, as I have a feeling it may resolve errors in canonical DNA fingerprinting associated with identical twins & genetically close relatives as well.
This is very promising, but I fear that while fruitful in the long run it won't meet our criteria of being affordable now. I have however just spoken with Vinay, who has told me to get in touch with someone about iris scans (note: not retina) that can create a cryptographic digest using a mobile phone! I have sent him a link to this thread. So let's see what that yields. Thanks for the energy everyone.
Ding dong!
But the tech didn't make it onto the Galaxy S5 by the looks of it.
My proposed methodology, which is an augmentation of DNA fingerprinting, is not pragmatic; I think I made the point that even DNA fingerprinting is not pragmatic for real-time verification. Hence the intention to separate it out as a white paper or a new enhancement proposal that can be filed at some later point in the future. Although the implications of my methodology may even surpass those of this project, I agree that we should use something readily available & affordable; this tech needs to mature from alpha to production soon if not now. Iris scans may actually be a better fit: ease of verification, biological uniqueness, affordability, and deployable.
Thanks for chiming in @bitcoinsSG! Reassuring to know someone else with background is vetting the ideas :)
In our Skype conversation the other day @patcon you said that one of the benefits to using single signup with biometric was to enable fair voting systems for democracy. I hadn't thought about that use case but you're right, that would be powerful. Also it could help with ideas like Universal Basic Income and other 'air drop' like scenarios where you need to guarantee that each participant is one person and not subjected to Sybil attacks. If you can get the error rate down to <1% then I would say that is a massive departure from what we have at the moment.
YES! I clearly did a poor job of explaining how badass it would be, but an airdrop or any crypto-asset bootstrap is the exact sort of relevant articulation I was lacking :)
I'm eyeing this project with particular interest, since a one-to-one mapping of a meatspace identity to a cryptographic identity is very relevant to a cryptocurrency I'd like to begin work on someday soon. Any biometric solutions we use will, of course, have to be simple and quick enough to do on site and in the presence of all gathered. Shipping samples off to a lab introduces too many potential points of failure, in my opinion. Iris recognition comes close, but contact lenses and glass eyes could easily thwart it. Thumbprint scans might be viable. Even several pieces of government ID combined with a background check could work as a point of verification in these early days. All of that to say this: maybe there ought to be a grading system involved with the issuance of these passports. The more identification points given during the passport's issuance, the higher the passport's grade. It adds more nuance to these IDs, but it also allows for the easy incorporation of whatever higher-security biometric schemes we might devise going forward, and it also opens the possibility of getting started with lower-graded passports using the weaker schemes available to us now.
+1 for graded verification of human GUID :)
(I meant to send this ages ago, sorry!) Hey @ryepdx, thanks very much for coming over and taking part. I think you're right to jump on this issue and I appreciate your insights on the flaws with iris scans. The other day when I was coming back to the UK I had to go through a face scanning machine that matched my face to my passport photo. I didn't realise how much further governments had come along. There are concerns with it too. We don't have control over who sees our face without covering up, and there is now a large government database which could consolidate all our other data with face patterns on file compared to potentially thousands of hours of CCTV footage. Perhaps the iris scan technique deserves a little bit more time just to elucidate the technology. Here is an old open source project in Java: bernii/IrisRecognition. Perhaps we could test a range of options including thumbprint etc. to see what problems arise in a real world test? We might be surprised to find that simply asking people to remove contact lenses etc. isn't as much hassle as it seems. I wonder how difficult it is to detect. Also remember that another touch point to offline identity is the social networking sites like Keybase: https://keybase.io/chrisellis That works well for people like me who are quite public but obviously a problem if you prefer a quiet life, but as we start to see the new age of social networking that doesn't have so much emphasis on advertising that might change. Sorry again this was so late. Thanks for coming in with suggestions, I would like to get some real world testing done in the new year.
Oh hey, this thread never got cross-referenced, but @MrChrisJ posted about a relevant session at a conference he attended: Seems @gcollet created a small genome assembly computer with a Raspberry Pi, which can assemble a 100M bp genome in a day. (Humans have 3.3B bp.) As far as I can tell from skimming, the actual data collection happened previously -- this just does the data work-up.
@MrChrisJ, thanks for putting this together and for the link to the iris scanning project.
I'm more concerned with intentional subterfuge of the system. Asking a bad actor to remove any contact lenses they might be wearing wouldn't be very effective. And I'm not very hopeful about being able to automatically detect contact lenses either, to be honest. Where biometrics are concerned, I have a feeling that we'll need to find standardized hardware for taking measurements as well as prescribe standardized methods. For example, if taking the right thumbprint is standard, what do we do when someone is missing their right thumb? Do we default to the left thumb, or to the right index finger? Do we just take all of their fingerprints and treat each one as a separate factor in an n-of-m identity proof? (We will most certainly need an n-of-m system if we are going to allow lifelong, continuous mappings of physical identities to digital identities, since there is no such thing as a stable biometric. Even DNA can be changed with gene therapy.)
@patcon That's pretty awesome! Went StartPaging and found some relevant links which I'm sharing here for anyone who's interested. This appears to be related, but I'm not sure: https://gatb.inria.fr/assembling-raspberry-on-raspberry-pi/ These are definitely related: Twitter and personal homepage of the guy who appears to be behind the Picontigotron project:
@ryepdx thank you for thinking so hard about this. To begin with, it's important that we explain clearly what the ID card represents and what it doesn't. This early on, people need to understand that it is not a hard proof that relates categorically to someone's biology, but that it can be used as good enough proof in conjunction with social networking, assuming the owner is sufficiently public. E.g. it would be difficult for me to fake an identity given how active I am online. However, not everyone is so active and we don't want to push for social norms where needing to be public is a requisite for having an ID. So by the sounds of it we need to shortlist a series of methods, each a separate factor, with a list of recommended hardware and resources. So the protocol has these n-of-m proofs and this could be displayed on the ID itself, almost as a rating system? This way someone seeing the card can decide for themselves how much they wish to trust it. For example, I can see that governments could create their own published keys and sign citizens' ID cards with them, and that would add further weight to its trust. Combine that with the point-of-presence (proof of a physical meeting) and you have something pretty powerful. Thinking about it from the point of view of social psychology, I think we should remember that with all these reputation systems people are just looking for a reason to enter an interaction. If I see you have some endorsements on LinkedIn and I hire you as an employer, I am using LinkedIn as a "Cover Your Ass" process so that in the event I am wrong I can say to someone else "It's not my fault, someone said they had great inter-personal communication skills on LinkedIn" :)
In regards to one vote, one person, it seems like a reproducible, unique ID would be possible using a key hashed from the data of any two of one human's fingerprints, with further grading for iris, DNA, et al. Apple's Touch ID system seems like one possible capture device already in use by millions, along with the plethora of similarly accessible scanning technology available to convert a set of fingerprints into a unique hashable dataset that would reproduce the same private key with every scan. Apologies for any diversion or sophomoric input here. I've been led here by an idealist train of thought regarding the inevitable and necessary contrivance of unique IDs on an Earth in need of a reliable global-level to local-level consensus apparatus in order to better reflect the reality of our collective consciousness in any given matter, whether political, geographical, economical, resources, emotional or commonly practical. Where or how can I learn what's happening now and how I can facilitate?
That's a great idea. Say, use multi-signature technology to use multiple biological markers. If they change (i.e. finger gets cut off etc.) any 2 out of 5 might still work to prove your identity....
A multi-sig type format for each biomarker or unique identifier is also a great idea. This could correspond to the suggested 'grade' of authenticity of the whole ID. Likewise, one iris scan is good, but two are better! In regards to the fingerprint bio-marker, why not have all 10 fingers available with a minimum of two prints to validate the bio-marker? Alternate methods would also have to be included, as discussed above, in order to accommodate the finger- and eyeball-challenged. There seem to be six or seven unique identifiers and bio-markers mentioned here so far. Maybe 5 of 7 unique identifiers is the highest grade, considering all are not able to access the required technology (i.e. DNA scan) or otherwise have eyes or fingers.
Would one method of doing it be having selected Oracles who you can choose to trust or not, and they identify you by more traditional means? For example BitStamp could sign off my existence post-verification and publicly disclose a common element from the ID to match against (for example DoB, names, etc.)
The Oracles might be useful to verify biomarker data against an existing ID for authentication, i.e. this ECG matches this ID. If I'm thinking right, oracles are a good idea for storing larger amounts of encrypted biometrics for this purpose and preventing data bloat in the blockchain. Storing human readable data like legal name, DoB, SSN and other sensitive info should be left up to third parties and their own applications as well as at the individual's discretion, like printing an ID card or attaching his legal name in a public database like the county recorder. One person, one vote only needs to require Proof of Life.
Also, the traditional means @mrdunne refers to do not address bad actors attempting multiple UIDs. Digitizing biomarkers is the only way to begin authenticating proof of life.
Just want to add that I use multiple UIDs depending on which capacity I am in. Citta Dhammo I try to keep for monastic only. My intention is to use dharmocracy / Acharn for all other content. I may also in future use btcbhikkhu to create content. There is no secret about my multiple UIDs, I simply want to act in different In life many people may want to do this. A school teacher just wants to be On Monday, March 23, 2015, relabit [email protected] wrote:
@dharmocracy Of course many people wear different hats with a variety of capacities. However, they are still one sentient, living individual. You could potentially attach your various non-universal identifications to the one UID/Proof of Life that I understand is the topic here. One person, one UID, as it were. |
@dharmocracy I feel that point has been discussed exhaustively in this issue, so unless there are separate concerns, it would be great to keep this conversion focused :) |
Here's an interesting ECG device for smartphones that might be useful. http://www.alivecor.com/home |
@dharmocracy Unique ID joined with non-unique aliases seems to serve your purposes of different hats effectively and is well documented (e.g., Steam UIDs), so I would have to agree with @patcon that our focus should be the proof of concept for a true provably unique ID. @relabit ECG is both reasonable and significantly more cost-effective than DNA-based methods, though viewing this technique from the point of view of an adversary attempting to impersonate a given identity immediately suggests the most viable attack vector would be capturing multiple periods of cardiac cycle data. Because the most accurate forms of ECG recording are based on metal contacts attached to leads recording direct electrical impulses, capturing this data using a MIM attack, or even potentially recording this data from a short distance while the victim is unaware, is not out of the question. Imagine a nation-state adversary with trained HUMINT actors; how hard would it be for one of these actors to 1. establish social contact with an acquaintance, 2. squeeze their shoulders or pat their back casually while recording multiple periods of cardiac cycles from hidden contacts on their hands? Even easier, an actor lets the victim borrow their phone. The phone has a metal body modified to passively record ECG data. Honestly, this wouldn't be hard for anyone moderately trained in social engineering. I don't mean to rag on your idea specifically, @relabit; my point is only that while all of the methods of authentication we've discussed here are somewhat viable, each has its own non-trivial weakness. Ultimately, it seems that multi-sig is the best option in terms of security, but this is not necessarily practical from a real-world perspective, because no one WANTS to use 2-factor auth; it's a pain in the ass, but it's magnitudes more secure than a single password, so we deal with it.
It seems to me that a combination of these authentication methods implemented in a passive manner would be the best balance of both security and convenience. Just off the top of my head, perhaps a wearable like a watch could passively record ECG data with electrical contacts on the wrist. To prevent battery drain, the recording could be limited to timed intervals. Smaller intervals imply greater security, but this must be balanced with battery drain. To solve the multi-sig convenience issue, we would ideally develop a second method of passive authentication. EEG would be another obvious choice; though recording this data on a mobile device would be somewhat more challenging at present, it's not hard to imagine something like the Moto Hint or even a small earring-style sensor recording this data at a similar interval. Keep in mind this is just off the top of my head, but I think it's fairly easy to extrapolate from this example that a passive bio-based authentication solution could be an elegant solution as the availability of cheap electronics and sensors increases. This does pose an issue for 3rd-world countries and those stricken by poverty, but maybe combining this passive method with a one-time DNA-based key generation could mitigate these issues to an extent while sacrificing some security. |
@ZeroCool2u @MrChrisJ mentioned the Nymi band, which has a developer kit, SDK and an emulator. It directly addresses some of your security issues. There's active and relevant conversation going on in the forum there too about ECG as identity. I am with you that each biometric method has its own non-trivial weakness. But when you include more than one method as an authenticating factor, they collectively become much less trivial. Impersonation becomes exponentially less likely. But when UID impersonation, loss, theft or coercion happens, it should also be necessary to reprovision an entirely new UID. Regardless, why not use the various biometric data as a nonce or salt to hash a single, original set of keys with? Wouldn't it be better if the biometric data was referenced as minimally as possible? The first time would be for the key provisioning process. The only other time it's directly referenced is as a private key recovery mechanism, as a biometric mnemonic paired with Something You Know and Something You Have. The biometric data may also be referenced later to verify the UID by at least one biometric and Something You Know. The biometric mnemonic would have to include some sort of fuzzy logic or error tolerance to accommodate readings from the varied biometric apps and devices for later comparison. The biometric data itself for this comparison/verification would need to be encrypted across a network of nodes or oracles. The various biometric data like iris, ECG and two or more fingers, collectively, should be able to accommodate a margin of error sufficient to verify the biometric mnemonic. I might add that which two or more fingers might be an added Something You Know. All this, along with Something (else) You Know and Something You Have, could be used to recover the lost UID private key. Then what happens in this scenario when a UID private key is stolen?
It should be cancelable and then of course dissociated from all other IDs, licenses, permissions, properties, etc. Maybe a type of re-provisioning process using the biometric data again could be part of the solution, whereby the old keys are destroyed and new keys are created. Now what about forgery? What about the instance where a bad actor manages to get his hands on a hi-res image of your iris, a recording of your ECG and your fingerprints in order to continually forge his UID as you continually attempt to reprovision your own? The simplest solution might be in coupling the biometric data (which is really a Something You Have) with your own sequence or pairing for submitting each metric (Something You Know), like submitting certain fingers in a certain order. By using biometrics and Something You Know to create, recover and reprovision UID keys themselves, each individual is always guaranteed a UID. Ok, I'm a total amateur at this type of logic, so please excuse any gaping holes in it and also point them out. All this aside, there's still the problem of bad actors when it comes to creating a UID with someone else's biometrics or a combination of people's biometrics for extra votes and consensus in general. What do you think? |
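As an added example (not code from this thread or from any participant), here is the "fuzzy commitment" construction of Juels and Wattenberg, which gives the "fuzzy logic or error tolerance" idea above a concrete form: the biometric template is XORed against an error-correction-coded key, so the server stores only helper data plus a hash of the key and a Something You Know secret, never the template. The 16-bit key, the template bits, the repetition code and the passphrase are constructed for illustration; real deployments use 128-bit keys and stronger codes such as BCH.

```python
import hashlib

REPEAT = 7  # repetition code: each key bit stored 7 times, so up to 3 flips per group are corrected

def encode(key_bits):
    """Expand every key bit into REPEAT copies (a minimal error-correcting code)."""
    return [b for b in key_bits for _ in range(REPEAT)]

def decode(codeword):
    """Majority vote over each group of REPEAT noisy copies recovers the key bit."""
    return [int(sum(codeword[i:i + REPEAT]) > REPEAT // 2)
            for i in range(0, len(codeword), REPEAT)]

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def commit(key_bits, secret):
    # Something You Know is mixed in, so helper data alone cannot be used to test guesses offline
    return hashlib.sha256(bytes(key_bits) + secret.encode()).hexdigest()

def enroll(template_bits, key_bits, secret):
    """Enrollment stores only (helper, commitment); the biometric template is discarded.
    Caveat: helper = codeword XOR template, so a low-entropy template still leaks through it."""
    helper = xor(encode(key_bits), template_bits)
    return helper, commit(key_bits, secret)

def recover(reading_bits, helper, commitment, secret):
    """Reopen the commitment from a fresh, noisy reading; None means no match."""
    key_bits = decode(xor(helper, reading_bits))
    return key_bits if commit(key_bits, secret) == commitment else None

def flip(bits, positions):
    """Simulate sensor noise by flipping the given bit positions of a reading."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

# Constructed sample data: a 16-bit key and a 112-bit "template" (hypothetical, not real biometrics)
KEY = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
TEMPLATE = [(i * i + 3 * i) // 2 % 2 for i in range(len(KEY) * REPEAT)]
SECRET = "left-index-then-thumb"  # the finger-order Something You Know from the comment above
HELPER, COMMITMENT = enroll(TEMPLATE, KEY, SECRET)

if __name__ == "__main__":
    noisy = flip(TEMPLATE, [0, 8, 15])  # one flipped bit in each of three groups
    print("recovered with noise:", recover(noisy, HELPER, COMMITMENT, SECRET) == KEY)
    print("too noisy:", recover(flip(TEMPLATE, [0, 1, 2, 3]), HELPER, COMMITMENT, SECRET))
```

Note that this scheme tolerates sensor noise but not forgery: a reading captured from the victim reopens the commitment just as well, which is why the comment above pairs it with a secret ordering.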
@relabit Sounds like you and I are thinking about the exact same thing; I like where you're going with this. Your salt & hashing methodology is exactly what I had in mind, but I wrote up my last post during my bio lecture and couldn't communicate it as precisely as I would have liked. That being said, I agree with all your assertions. The only serious issue I can foresee would be the new ID generation. It seems like it would be necessary to link the old/compromised ID with the new one, so we don't have random users that "slip through the cracks", if you will. My reasoning is that it seems pertinent to be able to follow every user's history back to the inception of their original ID; perhaps it would be more effective to somehow link the IDs normally, but be able to tag a given ID as compromised and mark it as invalid? I suppose ultimately what I'm getting at is that while our system is designed to be foolproof in terms of security, we really should try to imagine a built-in protocol for an event in which an ID is compromised and a new one needs to be generated, such that the system can keep track of both the compromised ID and the new ID, as well as allow a user to report an ID as compromised while generating their new ID instantaneously. I know our goal is to create a system in which it is physically impossible to impersonate a user, but not having a set plan and protocol in place for a compromised ID seems rather foolhardy. Seems like that would be similar to how CC companies handled ID theft back in the day and just tried to hold customers responsible for all charges.
I like the Nymi band and it's a solid ID, but it seems like there might be at least a couple of flaws in terms of their security model based on what's happening here: http://forums.nymi.com/t/nymi-trust-model-stronger-security-scenario/253/4 Another thing to consider is that if our goal is a global ID, the hardware used will more than likely need to be open source; a proprietary model simply does not suit our purposes considering we can't verify the hardware designs, etc. |
http://33bits.org/2009/12/02/the-entropy-of-a-dna-profile/ |
This post builds on #21 in particular.
This might be out of line with how some imagine this system working, but my hope is that it's a step toward creating a non-governmental system that can effectively guarantee one unique identity per person, and no more.
Most obvious safeguard: Photos
If the goal is making sure that this passport confers one identity per person, then in the future, I can imagine part of the protocol of issuance should involve a search of passport photos for possible duplicates.
This cannot be done unless the system and its photos are open, just as bitcoin can't be a ledger and avoid "double-spends" unless all the important data is open. A double identity strikes me as a failure analog of bitcoin's double-spend.
Alternative: DNA fingerprinting
Note: My background, although a bit rusty, is in biochemistry.
It's understandable that people would be uncomfortable with their faces in a public database, so perhaps we can eventually find a better solution. I can imagine a future where photos might not be necessary. This could arrive once simple and cheap genetic fingerprinting can be carried out at one of these events. If we know to a high degree of certainty that each fingerprint will be unique in the world, then we can carry that out as part of the process, and store that as the record to prevent double identities.
To make it clear, a genetic test does not necessarily give away any relevant health information. Nor does it give more information away (in bits) than it is strictly designed to for purposes of unique identification. So in other words, we can design something that only reveals enough bits of info about your DNA to uniquely identify you in the world, which is a surprisingly infinitesimal amount compared to your whole genome. A set of tests can be designed to cut DNA at random places where a short genetic sequence takes place. Since everyone has different genetic code, the snips happen at different places, and so the fragments are different sizes for different people. Running these DNA fragments through a gel separates them out by size, and creates a characteristic banding pattern. Use several different DNA-cutting enzymes that recognize and cut at different short sequences of DNA, and you can get different banding patterns from the same person. Put a few of these "banding patterns" together for each person, and you get a unique fingerprint that, when digitized (unlike photos), won't reveal something as personal as a face.
Phewf. That was a brain dump. Sorry, been thinking about a non-governmental ID system for awhile, so this project was perfectly timed :)
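As an added illustration (not code from this issue or its author), the following simulates the digest-and-gel idea above: each enzyme's recognition site is cut, the sorted fragment sizes stand in for the digitized banding pattern, and only those sizes are hashed into the fingerprint, so the sequence itself is never stored. The EcoRI and HindIII sites and cut offsets are real; the two 94 bp sequences, which differ by a single base inside one EcoRI site, are constructed and are not real human DNA.

```python
import hashlib

# Real recognition sites and cut offsets: EcoRI cuts G^AATTC, HindIII cuts A^AGCTT
ENZYMES = {"EcoRI": ("GAATTC", 1), "HindIII": ("AAGCTT", 1)}

def digest(sequence, site, offset):
    """Simulate a restriction digest: return the sorted fragment sizes a gel would separate."""
    cuts, start = [], 0
    while (idx := sequence.find(site, start)) != -1:
        cuts.append(idx + offset)
        start = idx + 1
    bounds = [0] + cuts + [len(sequence)]
    return sorted(b - a for a, b in zip(bounds, bounds[1:]))

def banding_patterns(sequence):
    """One digitized banding pattern (list of band sizes) per enzyme."""
    return {name: digest(sequence, site, off) for name, (site, off) in ENZYMES.items()}

def fingerprint(sequence):
    """Hash of the band sizes only: this is the record a registry would keep, not the sequence."""
    patterns = banding_patterns(sequence)
    canonical = ";".join(f"{name}:{','.join(map(str, patterns[name]))}" for name in sorted(patterns))
    return hashlib.sha256(canonical.encode()).hexdigest()

# Constructed 94 bp sequences (not real DNA). SEQ_B differs from SEQ_A by one base (A->C)
# inside the second EcoRI site, which removes that cut and changes the EcoRI banding pattern.
SEQ_A = "ACGT" * 5 + "GAATTC" + "TTGCA" * 4 + "AAGCTT" + "GGCC" * 3 + "GAATTC" + "TATA" * 6
SEQ_B = SEQ_A[:64] + "GACTTC" + SEQ_A[70:]

if __name__ == "__main__":
    for label, seq in (("A", SEQ_A), ("B", SEQ_B)):
        print(label, banding_patterns(seq), fingerprint(seq)[:16])
```

Real gel measurements carry size error, so a production scheme would bin band sizes (or use an error-tolerant matching step like the one discussed earlier in this thread) before hashing, otherwise two runs of the same sample would not produce the same record.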