Protecting Online Identity Through Cryptography

ScuttleMonkey posted more than 6 years ago | from the don't-show-me-yours-and-i-wont-show-you-mine dept.

Privacy 87

A new startup, Credentica, hopes to offer the ability for you to perform secure transactions using the smallest amount of personal information possible. Their goal is to both protect privacy and enhance security, which they hope will be a mutually inclusive process. "The technique employs secure multi-party computation, a branch of cryptography that can calculate meaningful answers about secret information by knowing only some non-revealing clues about that secret. The underlying theory was demonstrated in 1982 by Andrew Yao in the so-called Millionaire's Problem [...] U-Prove employs an ID token, a special kind of digital certificate that allows for minimal selective disclosure. The tokens can store all kinds of information, but users can disclose only the minimum amount of data required in any given transaction. They leave no unwanted data trails and permit both anonymity and pseudonymity."

87 comments

Why do we need spy tools? (0, Troll)

ShieldW0lf (601553) | more than 6 years ago | (#22358132)

Why should good, upstanding citizens of the world need espionage tools like this? Whose interests is this supposed to serve? Not anyone good.

Cause we want to fuck you over, that's why !! (0)

Anonymous Coward | more than 6 years ago | (#22358140)



And to steal a few movies while we're at it. Perp a scam on ebay. Stalk children. What else? We are culprits that must hide in plain sight.

Re:Why do we need spy tools? (3, Insightful)

timmarhy (659436) | more than 6 years ago | (#22358208)

I certainly hope that was an attempt at humor

Re:Why do we need spy tools? (0, Flamebait)

ShieldW0lf (601553) | more than 6 years ago | (#22359328)

No, it wasn't. I don't want privacy and anonymity. I don't trust people, so I won't support technology that allows them to operate from the shadows with impunity. As far as I'm concerned, if you use it, you're guilty.

Re:Why do we need spy tools? (1)

bhima (46039) | more than 6 years ago | (#22361000)

Just out of curiosity:

Would you call yourself technically adept?
Would you say you are socially liberal or socially conservative?
Is there a political ideology which resonates with you or your priorities? If you've found one, which is it?
Do you adhere to a religion? If so, which one?

Have you studied many different perspectives in order to acquire these ideologies or are these those you grew up with? (Those of your parents and community)

Re:Why do we need spy tools? (1)

ShieldW0lf (601553) | more than 6 years ago | (#22363204)

Sure, what the hell.

Yes, I'm technically adept.

I don't believe in party politics. Liberal and conservative are equally bad.

The ideologies that resonate most with me are ones such as Anarchist Communism, but I don't think they're realistic as they have been put forward in the past.

I favour mandatory non-discriminatory involvement by all citizens in the infrastructure that supports their lives, and the absence of compulsion at any level beyond that.

Every person should be involved in the various systems that are required to maintain life, like food production, transportation, energy generation, material harvesting, etc.

For achievements beyond the mandatory systems that are necessary to sustain life, there should be leadership instead of compulsion. Contracts should not exist, money should not exist, personal possessions should be respected, but private property should not.

I think religions, despite being the container for much wisdom, are evil in all forms, because they subjugate the intellect and consideration of consequence. If you made the perfect way of life for the world as it exists now, and you convinced everyone God said that was what they should do and they created Utopia, it would still be bad because there is no "This behavior is contraindicated by the following world symptoms" in religion, so it will inevitably lead to catastrophe with the passage of time.

I've studied a number of perspectives in the fields of philosophy, religion and politics in order to be able to speak effectively on my ideology, but I created it by the observation of the world.

I also favour a modified democratic process for the election of leadership, in which every individual can vote on any issue, or they can vote for any person, adding their vote to the decisions that person makes. They should be able to revoke that attribution of political power at any time and reclaim it for themselves or transfer it to someone else.

I'm not interested in compelling people to do what I say, but spend my time working on developing systems that might one day provide the infrastructure to support what I'm describing.

I hate my culture, my parents' culture, my community's culture. They're sick. I've known they were sick and twisted all my life. I mortified my parents telling a 70 year old Nun that I thought she was a bad person for trying to make me believe a bunch of stories were literally real and mess my head up. I was six.

I find it very difficult sometimes not to be angry with the people I live amongst, because they all have such a small, narrow and self-centered focus that, coupled with the sense of entitlement that they have, makes them part of the problem.

I hate the attitude that freedom comes from passing the buck to someone else rather than facing the real needs the world imposes on us all and co-operating to make them less weighty.

At the end of the day, I believe that if there was an infrastructure around that made these ways of life practical, 99.9% of you would just shut the fuck up with your opinions and ideologies and sign on because you're greedy and this way of living will give you more for less. Therefore, I work in my spare time to build such systems, and use places like Slashdot to find challengers to my ideology so I can refine it.

Privacy means ignorance, and ignorance renders people incapable of intelligently running their lives. Therefore, I am utterly opposed to these types of enterprises, because the consequences are dire for anyone who isn't already in a position of power. All these "privacy after the fact" attitudes do is feed into the system where there are the watchers who know everything and the watched who get fucked.

Wow, that was cathartic. Thanks for asking. I'm going to go play with my kid now.

Re:Why do we need spy tools? (0)

Anonymous Coward | more than 6 years ago | (#22364918)

At the end of the day, I believe that if there was an infrastructure around that made these ways of life practical, 99.9% of you would just shut the fuck up with your opinions and ideologies and sign on because you're greedy and this way of living will give you more for less. Therefore, I work in my spare time to build such systems, and use places like Slashdot to find challengers to my ideology so I can refine it.

Privacy means ignorance, and ignorance renders people incapable of intelligently running their lives. Therefore, I am utterly opposed to these types of enterprises, because the consequences are dire for anyone who isn't already in a position of power. All these "privacy after the fact" attitudes do is feed into the system where there are the watchers who know everything and the watched who get fucked.
Ah, another idiot who thinks '1984' [wikipedia.org] is a howto book. The Anarchist communist bit makes him sound like he was in the Revolutionary Communist Party (RCP) in college and then the USSR broke up and its founder got busted for heroin. Sad, really.

Re:Why do we need spy tools? (1)

ShieldW0lf (601553) | more than 6 years ago | (#22365078)

Ah, another idiot who thinks '1984' is a howto book.

Actually, I do think that some of the ideas put forth in 1984 have a lot of potential to liberate people from manipulation if they were employed properly and for higher purposes.

http://slashdot.org/~ShieldW0lf/journal/195726 [slashdot.org]

Re:Why do we need spy tools? (2, Insightful)

kaidadragonfly (993636) | more than 6 years ago | (#22362246)

I don't want privacy and anonymity.
Can we get your:
  • Real name: first and last
  • Credit card numbers
  • Bank account numbers
  • Social Security Number
  • And for good measure, your mother's maiden name
Please, show us how you don't want privacy or anonymity. Or did you mean you want it only for yourself?

Re:Why do we need spy tools? (2, Insightful)

harlows_monkeys (106428) | more than 6 years ago | (#22364674)

You seem very confused. If you don't trust people, you should love this technology. It will allow you to deal with those untrustworthy people without you having to give them your private information.

Re:Why do we need spy tools? (1)

Dan541 (1032000) | more than 6 years ago | (#22366770)

No, it wasn't. I don't want privacy and anonymity. I don't trust people, so I won't support technology that allows them to operate from the shadows with impunity. As far as I'm concerned, if you use it, you're guilty.
Not sure if I read that correctly.

But you don't trust people so you DON'T want privacy or anonymity from them.

I don't trust people so I WANT this technology that allows people to protect themselves.

As far as you're concerned people are guilty until they can prove their innocence?!

~Dan

Re:Why do we need spy tools? (1)

ideatheft (1236288) | more than 6 years ago | (#22361696)

These ideas have been around for over twenty years. They have been demonstrated by at least two major EU funded projects.

Re:Why do we need spy tools? (0)

Anonymous Coward | more than 6 years ago | (#22368646)

I certainly hope that you come to realize that it should not have been.
Did I miss your </irony>?
Now stop already wasting your modpoints on generalised statements on both sides!

Re:Why do we need spy tools? (3, Insightful)

Brad Mitchell (1236086) | more than 6 years ago | (#22358240)

We live in an age where anonymity is almost totally gone. We can hope, now, only for privacy. And the best way to do that is by vigorous demand for encryption methods and other tools that prevent a company or entity from asking a thousand and one personal questions just to pad their database.

Re:Why do we need spy tools? (1)

SpaceLifeForm (228190) | more than 6 years ago | (#22358308)

Years ago, there was a thing called coinage.

Anonymity and privacy were features that were built in.

Re:Why do we need spy tools? (2, Informative)

slashqwerty (1099091) | more than 6 years ago | (#22358496)

Years ago, there was a thing called coinage.

Anonymity and privacy were features that were built in.

We also have electronic cash [wikipedia.org] which uses zero-knowledge [wikipedia.org] systems to protect privacy. Note real implementations are far more sophisticated than the simple example at Wikipedia. The only information you can get from the cash is the information necessary to prove it has been paid to you.

Re:Why do we need spy tools? (1)

Vectronic (1221470) | more than 6 years ago | (#22358642)

"Anonymity and privacy were features that were built in."

I'm a huge fan of coinage, especially really shiny ones, but even paper money too although it's not real... but Anonymity with coinage/physical money? ...what?... yeah, sure, if you leave it in a bag under a bridge at 3:00AM on a Sunday... last time I checked, you had to personally hand it over, and when it comes to cheques, that has your name on it, maybe even the company you work for, if you want to send money in the mail, that has your name on it too, as well as your address, cause sure you could send it with nothing on it, but how the hell would the person you are sending it to know it was you?... unless, you set it up previously, like if an envelope arrives with a picture of a dog eating a cat, it must be John Smith of Oakland California.

Re:Why do we need spy tools? (1)

computer_guy57 (998179) | more than 6 years ago | (#22360342)

As far as cash goes, sure you might have to hand it over personally, but keep in mind that when it's being handed over, the two parties don't necessarily know each other. And, when you're looking at a bag/drawer full of cash, it's pretty much impossible to tell who gave you each individual coin/bill.

Re:Why do we need spy tools? (4, Insightful)

Anonymous Coward | more than 6 years ago | (#22358428)

We live in an age where anonymity is almost totally gone.
No, it's not.

Re:Why do we need spy tools? (0, Flamebait)

ShieldW0lf (601553) | more than 6 years ago | (#22360796)

We live in an age where anonymity is almost totally gone. We can hope, now, only for privacy.

I don't hope for that. I hope for pervasive information, where I am always informed, where I never have a smiling snake oil salesman with no integrity moving from victim to victim, where I never have to deal with the hypocrisies of people because they're not practical to maintain anymore. I'd quite happily go to war with an assault rifle in my hands and kill people to prevent something like what you are describing.

MPC and its uses (5, Interesting)

0ptix (649734) | more than 6 years ago | (#22358816)

This is not the first use of multi-party computation. MPC is probably the most advanced cryptographic tool theoretical crypto has produced in the last 35 years. (The strongest flavour being Universally Composable MPC.) Also, though the intuitive concept of secure MPC was introduced by Yao, the later result of Goldreich, Micali and Wigderson in their 1986 paper How to Play Any Mental Game [purdue.edu] is the one upon which modern MPC is based and the result which is usually cited in cryptographic literature. (My guess is the Wired article author got the bit about Yao from Wikipedia.) It is in this paper that the security requirements of such a protocol are first formally described using what is now called the ideal/real paradigm. Essentially a secure protocol computing some joint functionality of all players' inputs should be as secure as if there were a totally honest trusted third party who would gather their input, compute the function and privately hand the outputs back to all players. (This paradigm is probably at least as important a contribution to modern crypto as the actual MPC protocol they presented in the paper.)

The problem with MPC protocols is that since they are so very general and powerful they tend to also be horribly inefficient (though polynomially bounded, i.e. in P). Nevertheless the constants are often horrible and could require on the order of n^2 rounds of communication. Another hurdle in their wider adoption in the field of security is that they represent a significantly more complicated concept than, say, encryption or a hash function and so tend to be a difficult sell to non-cryptographers.

However at least one company, Cryptomathic [cryptomathic.com] of Aarhus, Denmark, is working on an implementation of MPC. The main client being the Danish government, which wants to use the product to set up an online market through which local farmers can sell their goods. The idea being that by using an MPC protocol to do this rather than some central (government run) server nobody needs to trust anyone else, not even the government; just their own implementation of the software on their computers. As long as that is correct and uncorrupted they are guaranteed all the security they could hope for.

Of course there is always the argument that you might well be better off trusting the government to host the entire show than your own computer, but on the other hand even IF the government runs some online auction server, you still need to connect to that remote system from your own computer. So a secure server is still not going to help you protect yourself from local corruptions. At least now that is the ONLY thing left to worry about.

Re: SIMAP and VIFF (1)

Martin Geisler (1118923) | more than 6 years ago | (#22372622)

You are talking about the SIMAP project which I am part of. SIMAP is short for Secure Information Management and Processing, see http://simap.dk/ [simap.dk] (Danish only). An English article will soon be up on Eprint.

The Danish government was not involved in the auction -- it was an auction where sugar beet farmers traded their production quotas for producing beets for Danisco, the only company producing sugar in Denmark.

The auction finished last month and was a great success for all involved parties. It was possible to run the auction because of modern protocols that require only a logarithmic number of rounds (by "round" I mean a network round-trip). The logarithm is in the bit-length of the input numbers, so for 32-bit inputs you will need ~5 rounds. The auction used the comparison by Tomas Toft, available in his PhD Progress Report: http://www.daimi.au.dk/~tomas/publications/progress.pdf [daimi.au.dk]

The SIMAP code is not (yet) online -- instead I can point you to a library for multi-party computation made by myself: http://viff.dk/ [viff.dk] . VIFF implements the same comparison protocol that was used in the SIMAP auction, as well as other primitives allowing you to do general MPC. VIFF is written in Python and is available under the GPL.
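
The ideal/real comparison and the secret-shared arithmetic discussed in the two comments above, as an added sketch that is not part of either post and is neither VIFF's API nor SIMAP code. It assumes three honest-but-curious parties, Shamir sharing over a prime field and hypothetical function names; the comparison protocol used in the auction is not implemented here.

```python
import secrets

P = 2**61 - 1          # prime field modulus (assumption: larger than any result)
N_PARTIES, T = 3, 1    # three parties; any single party alone learns nothing


def share(secret, n=N_PARTIES, t=T):
    """Shamir sharing: random degree-t polynomial f with f(0) = secret.
    Party i (i = 1..n) receives f(i)."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)]


def lagrange_at_zero(xs):
    """Coefficients l_i such that f(0) = sum(l_i * f(x_i))."""
    xs = list(xs)
    out = []
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        out.append(num * pow(den, -1, P) % P)
    return out


def reconstruct(points):
    """points: list of (party_index, share) pairs, at least degree + 1 of them."""
    lam = lagrange_at_zero(x for x, _ in points)
    return sum(l * s for l, (_, s) in zip(lam, points)) % P


def add(a, b):
    """Addition is local: each party adds the two shares it holds."""
    return [(x + y) % P for x, y in zip(a, b)]


def mul(a, b):
    """Multiplication needs one round of communication.
    Local products lie on a degree-2T polynomial; each party re-shares its
    product with a fresh degree-T polynomial, and everyone recombines the
    received sub-shares with the Lagrange coefficients (degree reduction)."""
    local = [(x * y) % P for x, y in zip(a, b)]
    reshared = [share(v) for v in local]          # reshared[i][j]: party i -> party j
    lam = lagrange_at_zero(range(1, N_PARTIES + 1))
    return [sum(lam[i] * reshared[i][j] for i in range(N_PARTIES)) % P
            for j in range(N_PARTIES)]


def ideal_functionality(price, qty_a, qty_b):
    """Ideal world: a trusted third party sees every input."""
    return price * (qty_a + qty_b) % P


def real_protocol(price, qty_a, qty_b):
    """Real world: each input is shared by its owner, the circuit
    price * (qty_a + qty_b) is evaluated on shares, only the result is opened."""
    s_price, s_a, s_b = share(price), share(qty_a), share(qty_b)
    result = mul(s_price, add(s_a, s_b))
    return reconstruct(list(enumerate(result, start=1)))


if __name__ == "__main__":
    # Constructed inputs: one party holds a price, two hold quantities.
    print(real_protocol(17, 120, 45), ideal_functionality(17, 120, 45))
```
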

Identity theft is still aided by its own victims (2, Insightful)

erick99 (743982) | more than 6 years ago | (#22358138)

Unfortunately it is all too easy to accomplish identity theft via some very uncomplicated and low-tech methods. People still click on links in emails and type their financial information into fake websites or answer questions over the phone to the nice IRS man who wants to send me a tax rebate. However, I do applaud any effort to protect folks' identities.

Re:Identity theft is still aided by it's own victi (1)

gotzero (1177159) | more than 6 years ago | (#22358152)

Tools like these will do more to help consumers. People that really have things to hide are doing just fine with things like PGP and other encryption standards. I hope that products like this, implemented and used well, would go a long way to help the kinds of people that have no idea online-privacy is an issue...

Re:Identity theft is still aided by it's own victi (2, Interesting)

davester666 (731373) | more than 6 years ago | (#22358256)

Tools like these COULD do more to help consumers. [fixed it for you]

Really, do you think Amazon or Google or somesmallretailer.com will settle for asking the minimum amount of information necessary to complete a transaction?

They already ask for more info than they need, presumably for 'security' purposes [ie, so someone isn't using your credit card to buy a bunch of Dells for orphans in Russia], but they just happen to keep using that data for marketing purposes. And now that they are already collecting all this information, they have a vested interest to keep getting this information, because they know it's valuable, both within their own company and to sell to other companies.

Today, businesses, together with Visa/Amex/Mastercard could set up a system so you, Joe Consumer, would just need to authenticate yourself to V/A/M, and the V/A/M web site would generate a one-time code that can be used for a purchase up to X dollars, and you just paste it into, say MacMall's web site, say with your email address, MacMall validates the number with V/A/M for the purchase amount, and then sends you an email with the download link/registration code for some software you just purchased. Do you realistically think MacMall would go for a system like this?

It would take one of two things to get a system like this going:

1) Consumers, en masse, would need to demand the online shops they shop at use systems like this instead of the ones they already have. And stop shopping online until the online stores actually implement these new systems. Likelihood of this happening: 0.00001% There just aren't enough people that are passionate enough about their privacy, relative to the people who shop online just to avoid the lineups at the big box store.

2) Some hacker steals the identity of every member of congress and senator in the US, from some online store they all use, screws their credit and blatantly taunts all of them about doing it. Then does it again to another online store they all use after they fix their identities and get the first store to fix its security, and taunts them again. And then taunts all of them again. They then legislate the Online Privacy Act of 2050. Likelihood of this happening: 1%. Basically, someone who wants improved privacy online would need to do this to get them to do it. Of course, this is a high-risk proposition for that person :-)

Re:Identity theft is still aided by it's own victi (1)

gotzero (1177159) | more than 6 years ago | (#22358352)

Data for financial transactions on most sites is processed separately from the rest of the data provided. I think it would be feasible to make a system beneficial and transparent to both sides. I would like to think that an online merchant does not have any additional utility from having my CC#, as long as they know I paid, and know it was me. I agree that a quick mass adaptation of a system like this would not be the best, and I would absolutely not feel comfortable with a single company running it all, but someone needs to start doing something to protect the average consumer. It will be a cat and mouse game forever, but it does not mean the merchant/consumer/bank side should stop moving.

Identity infringement is still aided (0)

Anonymous Coward | more than 6 years ago | (#22358410)

"1) Consumers, en mass, would need to demand the online shops they shop at use systems like this instead of the ones they already have. And stop shopping online until the online stores actually implement these new systems."

Well considering all the open source stories over the past year, I'd say it's open source's responsibility to step up to the plate.

"They already ask for more info than they need, presumably for 'security' purposes [ie, so someone isn't using your credit card to buy a bunch of Dells for orphans in Russia], but they just happen to keep using that data for marketing purposes. And now that they are already collecting all this information, they have a vested interest to keep getting this information, because they know it's valuable, both within their own company and to sell to other companies."

Yeah, well! Customer service will always be in a balancing act with the information needed to make it a good experience.

Re:Identity infringement is still aided (0)

Anonymous Coward | more than 6 years ago | (#22362428)

I'd say it's open source's responsibility to step up to the plate.

By golly, you're absolutely right! I think I'll start up an open source credit card company from my mommy's basement. I think I can get dad to spot me a $20 or so, how much money does it take to start a bank?

Re:Identity theft is still aided by it's own victi (1)

Vectronic (1221470) | more than 6 years ago | (#22358230)

I also see the potential for even worse identity theft, from what I gather the gist of it is basically instead of asking you exactly what is required, it's now asking you stuff related to what is required?

Sort of like, they need to know that you are 21, so they ask you what your Grad year was, and what school you went to instead of how old are you?

Maybe I don't get it, but it seems like a possibility of "Personality" theft not just Identity theft...

Re:Identity theft is still aided by it's own victi (0)

Anonymous Coward | more than 6 years ago | (#22358624)

Hey, if the identity thief really wants to show up as me at my high school reunion, that's fine by me. And with my credit card details, he'd damn well be renting an expensive car to drive up in. Now I (well, at least the thief posing as me) can finally be the cool, popular kid!

Re:Identity theft is still aided by it's own victi (2, Insightful)

slobarnuts (666254) | more than 6 years ago | (#22358248)

There are so many different avenues by which Identity theft can occur, I'm even wary of giving my information to the customer service people who will turn on my gas and electricity. If you think about it, you give them everything, and who is to say they are trustworthy? The company has no vested interest in doing so, they want the labor at the cheapest price. They may perform background checks to the extent that you never declared bankruptcy and have never been arrested, but that doesn't mean your private information is safe in their hands.

Re:Identity theft is still aided by it's own victi (0)

Anonymous Coward | more than 6 years ago | (#22358474)

REALLY INTERESTING: http://www.spymac.com/details/?2339829 [spymac.com]

Re:Identity theft is still aided by it's own victi (1)

Stanislav_J (947290) | more than 6 years ago | (#22359038)

Unfortunately it is all too easy to accomplish identity theft via some very uncomplicated and low-tech methods. People still click on links in emails and type their financial information into fake websites or answer questions over the phone to the nice IRS man who wants to send me a tax rebate.

Far lower tech than that -- much identity theft is still accomplished through dumpster diving, mailbox theft, over-the-shoulder snooping, and many other techniques that have been around since way before the Internet.

Re:Identity theft is still aided by it's own victi (1)

jacksonj04 (800021) | more than 6 years ago | (#22359354)

Or, say, give all their information to a website which claims it will keep it secure and only send companies the information they need?

</cynical>

Millionaire's Problem (5, Interesting)

Vectronic (1221470) | more than 6 years ago | (#22358170)

Millionaire's Problem: Alice and Bob want to find out who has more money without disclosing the amount of their fortunes to each other, or even to a mutually trusted third party. By applying special functions to their information that disguised it, Yao proved that each could know who was richer without either revealing their true holdings.

No wonder Millionaires are so stupid... if this is what they consider a "Problem"...

Re:Millionaire's Problem (1)

paulthomas (685756) | more than 6 years ago | (#22358384)

Stupid millionaires typically don't remain so for long.

Re:Millionaire's Problem (2, Informative)

britneys 9th husband (741556) | more than 6 years ago | (#22358484)

Counterexample [parishiltonzone.com]
another counterexample [wikipedia.org]

Re:Millionaire's Problem (1)

Dachannien (617929) | more than 6 years ago | (#22358516)

Maybe Paris Hilton and Dubya are just smarter than you think they are.

Hey, it could happen.

Re:Millionaire's Problem (1)

Vectronic (1221470) | more than 6 years ago | (#22358590)

Well, I'd like to pretend like (at least) Paris (specifically) isn't as dumb as she appears, but given that she wasn't exactly "poor" to start with, I can't really find a reason for her not to be as stupid as she appears.

But I will give credit to some "Famous" people that are in similar positions, being a guinea pig/stooge to someone who actually has a brain as far as marketing and management goes, gathering millions and then just vanishing from publicity to live out the rest of their life in luxury... however, I disagree with the morality of that, considering it tends to teach people to act that way in "real" life, not just celebrity life.

Bush is just a victim of inbreeding, and being spoiled. "It's not what you know, it's who you know" that's how he got to where he is.

Nerd's Problem (0)

Anonymous Coward | more than 6 years ago | (#22358606)

"Bush is just a victim of inbreeding, and being spoiled. "Its not what you know, its who you know" thats how he got to where he is."

Damn! All I know are Slashdotters. Boy am I so screwed.

Re:Millionaire's Problem (1)

STrinity (723872) | more than 6 years ago | (#22360404)

Well, I'd like to pretend like (at least) Paris (specifically) isn't as dumb as she appears, but given that she wasn't exactly "poor" to start with, I can't really find a reason for her not to be as stupid as she appears.
She may've started with a nice kaboodle, but she's increased it significantly on her own through fashion-lines, perfumes, TV shows, and getting paid to show up at bars and clubs.

The only evidence of her stupidity that I've seen has been what she's said on those TV shows, which I have no reason to believe are real, and rash public behavior that's pretty much identical to a college freshman.

Re:Millionaire's Problem (1)

britneys 9th husband (741556) | more than 6 years ago | (#22368030)

Yes, because every college freshman gets DUIs and then drives on the suspended license so many times they get thrown in jail for it. Most colleges don't even allow freshmen to have cars on campus, and there's bars/parties/frats within walking distance anyway.

Re:Millionaire's Problem (0, Offtopic)

widman (1107617) | more than 6 years ago | (#22359696)

Paris Hilton at Wikipedia [wikipedia.org]

In December 2007, Hilton's grandfather, hotel magnate Barron Hilton, pledged 97 percent of his estate to a charitable organisation founded by his father, the Conrad N. Hilton Foundation. An immediate pledge of $1.2 billion was made, and a further $1.1 billion after his death. He cited the actions of his father as the motivation for his pledge. According to reports, the potential inheritance of his grandchildren is sharply diminished.
Bush is cheating, he has Darth Vader as second in command running the show. A military-industrial complex [wikipedia.org] lobbyist.

Re:Millionaire's Problem (1)

Dr_Barnowl (709838) | more than 6 years ago | (#22361630)

Stupid millionaires typically don't remain so for long.
George W. Bush.

Re:Millionaire's Problem (3, Funny)

Workaphobia (931620) | more than 6 years ago | (#22358822)

"No wonder Millionaires are so stupid... if this is what they consider a "Problem"..."

If you think that's bad, then I have some dining philosophers that I'd like you to meet...

Re:Millionaire's Problem (0)

Anonymous Coward | more than 6 years ago | (#22359302)

Easy. Just start with the most expensive item and ask if the other could buy it.

Alice: Could you buy Sweden?
Bob: No.
Alice: Neither could I.

Alice: Could you buy Belgium?
Bob: No.
Alice: Neither could I.

Alice: Could you buy Australia?
Bob: No.
Alice: Neither could I.

Alice: Could you buy Iraq?
Bob: No.
Alice: Haha I could! You're poor!
Bob: Who the fuck wants Iraq anyway?
Alice: Well at least it's better than Afghanistan
Bob: You're just saying that because you know I can buy that country. Bitch!

Re:Millionaire's Problem (0)

Anonymous Coward | more than 6 years ago | (#22359562)

I know your post is a joke, but even this kind of questioning reveals partial information (e.g. Bob isn't rich enough to buy Sweden).

The Millionaire's problem is trivial if Bob and Alice have access to a trusted computer with two terminals. By "trusted" I mean they can both examine the computer program they interact with. They each type their net worth on a terminal not visible to the other, and the computer simply compares the two numbers, prints "A < B" or "B < A" on each terminal, and erases the numbers from memory. They each have exactly and only the precise information they agreed to exchange.

Re:Millionaire's Problem (0)

Anonymous Coward | more than 6 years ago | (#22363792)

No that doesn't work. In your solution the computer is the trusted 3rd party.

Meeting the middle. (0)

Anonymous Coward | more than 6 years ago | (#22358204)

Actually something like this could be a good compromise between those who do statistical research and the ever growing collection of data.

Anonymous? (2, Funny)

Anonymous Coward | more than 6 years ago | (#22358232)

Forget about security on any large (sort of large) anything. Look at this site...you are immediately penalized for being anonymous.

What a load of shit.

Nlasdfi Ksdf, lkasdb bmxao iajsdflk (0)

Tablizer (95088) | more than 6 years ago | (#22358234)

Bahsfl bqaaf ba azxmx amvpoax. Taekf alkjoxk sdkg a sfba skl ba sdfd qassbm oqpla vse bmxislke.

And I mean it, too!
     

Nlasdfi Ksdf, lkasdb bmxao iajsdflk-BURP! (0)

Anonymous Coward | more than 6 years ago | (#22358338)

Well that's one way to get the message out without being penalized by the cabal.

Three Words (1)

tobiah (308208) | more than 6 years ago | (#22358272)

Online Drug Trade

What does this mean ? (0)

Anonymous Coward | more than 6 years ago | (#22358288)

Can't the missing information be calculated ?

Minimum Disclosure = Full disclosure (0)

Anonymous Coward | more than 6 years ago | (#22358292)

In order to interact with me, you'll need to disclose all of your private credentials.

Kind of like how facebook lets you have lots of control over applications but only one about what level of data applications can get when you add them: all of your data.

Re:Minimum Disclosure = Full disclosure (1)

Broken scope (973885) | more than 6 years ago | (#22358444)

And that's why all my data is fake.

Some interesting questions here. (1)

Z00L00K (682162) | more than 6 years ago | (#22358442)

This seems to be an idea about not revealing enough of yourself. But there is a risk too and that is if someone steals the ID token and forces you to reveal the key to it then it can be abused with low risk.

Another issue is that such tokens may be forged. What are the safeties in place to verify that it isn't forged?

Forged identities are likely to be abused by those that really don't want to be on the map, like terrorists and major drug dealers. The latter can probably afford a lot to be anonymous - even cracking/theft of the encryption keys in place for the token.

Real security will not be obtained until any instance that makes use of the personal data takes measures to double-verify the person when an actual transaction takes place. You may say that the social security number shall be protected etc. but that is only the key to the information store that can reveal your identity. If that store is used to verify your credentials it's a lot harder for any abusers to gain access to your money or perform illegal transactions using your name.

Of course - some may not trust the government to protect you as a person, and for some governments that may be right. But it's always possible to get under the radar for some time. And by storing the right data on each level it shall still allow for individual protection against abuse. The government already has all records of you that it needs like place of birth etc. It may even have your fingerprints and DNA on file, even if you don't know it yet. The social security number is the key that allows for access to this information store. A national ID will do the same, it's a key that allows anyone to verify your identity to have the correct means to do that. The catch is that in most cases it's never used as a key, it's used as proof itself and that can be abused. For small transactions that's never a problem, and who really cares if X rents a video Y with some fake ID as long as it's returned?

Re:Some interesting questions here. (1)

Paul server guy (1128251) | more than 6 years ago | (#22358482)

"As long as it's returned"

That's the magic statement, And if you can't trust them with your ID, What makes them think you can trust them with (after Blockbuster gets done with it) an $80 copy of midget porn that they demand back with a post card.

But of course, renting "Midget Ladies of Lust" was just what they did to test the stolen ID on the way to the BMW dealership, where they really had fun...

Re:Some interesting questions here. (1)

Z00L00K (682162) | more than 6 years ago | (#22367952)

Which means that you REALLY misunderstood...

In both cases the dealers would have failed to do a sufficient verification of the ID by checking that it was valid and not reported as missing and that the person providing it did match the person holding it. So in both cases the dealers have to take full responsibility by being insufficient.

Book pointer (4, Informative)

Beryllium Sphere(tm) (193358) | more than 6 years ago | (#22358486)

For people who want background or just enjoy math, Brands's book is Rethinking Public Key Infrastructure [barnesandnoble.com] .

Re:Book pointer (3, Informative)

Anonymous Coward | more than 6 years ago | (#22359100)

IBM has developed IDEMIX, a pseudonymous credential system. It works on the same principle and is going to be contributed to the Eclipse project as open source! http://www.zurich.ibm.com/security/idemix/ [ibm.com] There are some white papers for those interested in the techno background.

Re:Book pointer (1, Informative)

Anonymous Coward | more than 6 years ago | (#22360222)

Sounds like that project will be part of Eclipse Higgins? http://eclipse.org/higgins/ [eclipse.org]

Re:Book pointer (1)

pavon (30274) | more than 6 years ago | (#22366346)

Thanks for that link. To be honest, I don't know that I'll get around to reading it due to my other school and work obligations, and the fact that security isn't my strong point (ability or interest wise), but stuff like this is what makes slashdot worth the noise.

This will never fly (2, Insightful)

Nartie (1128613) | more than 6 years ago | (#22358524)

Why would any business want to use it? The bar that scans your driver's license gets some valuable information in the process. The porn site that asks for your credit card information to verify your age gets a credit card that they can use or sell. The bank that you ask for a loan gets all sorts of information, all of which it can sell or use to market itself. The current situation is bad for the customer, but the customer isn't the one who decides what verification system is used. None of this will change until large numbers of people refuse to do business with companies that demand more information than they need. And that's never going to happen.

Re:This will never fly (1)

fastest fascist (1086001) | more than 6 years ago | (#22358926)

it certainly won't happen if there is no alternative available.

Authentication is not considered a problem, (1)

v(*_*)vvvv (233078) | more than 6 years ago | (#22358570)

and neither is privacy. This company is going to have a very hard time selling a solution to a problem they won't admit to. Most companies that gather information consider it a resource, and would rather gather it and promise privacy, than to not gather it and actually provide privacy.

Consumers might adopt a solution like this if it were up to them, but I doubt anyone would pay for it, and no, this does require cooperation of both parties, so it is not up to them, and will not work independently on the consumer side.

Re:Authentication is not considered a problem, (1)

STrinity (723872) | more than 6 years ago | (#22360448)

Authentication is a problem, whether it's considered one or not.

Please explain (1)

Compuser (14899) | more than 6 years ago | (#22358686)

The notion of comparing two integers without knowing both simultaneously (or knowing intermediate results from which original numbers could be derived) sounds impossible. Can someone explain how the problem is solved in plain English (since IANA crypto expert).

Re:Please explain (2, Informative)

Chexum (1498) | more than 6 years ago | (#22359070)

A practical application of this is at http://www.cypherpunks.ca/otr/ [cypherpunks.ca] (with a plugin for a few common AIM applications, most usefully for pidgin née gaim).

This one has an implementation called the "Socialist Millionaires Problem", which sounds the same, although I recall it being used only to tell if two secret values are the same on both sides, thus augmenting the key exchange protocol with man-in-the-middle detection capabilities, provided the parties have shared knowledge about something (and something reasonably private).

Re:Please explain (2, Informative)

Martin Geisler (1118923) | more than 6 years ago | (#22373214)

I cannot explain to you how a comparison is done without leaking information (that is pretty involved), but I can understand the much simpler operation of addition.

Imagine three millionaires in a room who want to compute the sum of their incomes. Let us say that the millionaires can agree in advance that the sum can be represented by an integer in the range 0..100. They just need some upper limit, so the number could denote billions, trillions or whatever. Each millionaire then chooses three numbers at random from the interval 0..100 with the only condition that they sum up to the millionaire's own income. The sum must be calculated modulo 100, which simply means that the numbers wrap around when they reach 100. So 75 + 50 = 25 and so on.

If the three millionaires are worth M1, M2, and M3, respectively, then the first millionaire chooses numbers r11 + r12 + r13 = M1, the second chooses r21 + r22 + r23 = M2, and so on. This is a simple secret sharing which hides M1, M2, M3 perfectly. Seeing any two shares (the random numbers) reveals nothing about the target value because depending on the third share, the target could be anything.

They send their first number to the first millionaire, the second number to the second millionaire and so on. These numbers are sent securely. Each millionaire now has three shares: the first millionaire has r11, r21, and r31, and likewise for the other two millionaires.

If each millionaire adds their shares, they end up with shares of the correct sum! So the first millionaire computes s1 = r11 + r21 + r31, the second computes s2 = r12 + r22 + r32, and so on. They then publish these shares and now they can all compute the correct sum S:

    S = s1 + s2 + s3
        = (r11 + r21 + r31) + (r12 + r22 + r32) + (r13 + r23 + r33)
        = (r11 + r12 + r13) + (r21 + r22 + r23) + (r31 + r32 + r33)
        = M1 + M2 + M3

Voila! :-) In this computation no information was leaked at any point, and yet the three parties were able to correctly calculate the sum.

The secret sharing scheme used here is a simple one that requires the cooperation of all involved parties. There also exist threshold schemes in which only a subset of the parties is needed to open a shared secret. Shamir's scheme is most famous and relies on the simple fact that you need two points on a straight line to determine it. So encode your secret s as the point (0, s) and pick a random straight line that goes through (0, s). Then hand out other points on the line to the other players. As long as each player only knows his own point, he cannot determine the y-axis intersection (the secret), but when any two players get together, then they can easily determine the secret. This scheme generalizes naturally to polynomials of higher degrees, which require more players to get together to reconstruct the secret.

If you can read Python, then you might be interested in my Python code here: http://viff.dk/api/viff.shamir-pysrc.html [viff.dk] . This code is part of a larger project for MPC called VIFF, see http://viff.dk/ [viff.dk]
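The additive sum protocol and the Shamir scheme described in the comment above, written out as an added Python example; it is not part of the original comment and is not VIFF's code. The function names, the sample incomes and the prime 2**61 - 1 are assumptions made here, while the modulus 100 follows the comment.

```python
import secrets

MOD = 100            # the comment's modulus: sums wrap around at 100
PRIME = 2**61 - 1    # assumption: a Mersenne prime as the field for Shamir shares

def additive_shares(value, n, mod=MOD):
    """Split value into n random shares that add up to value modulo mod."""
    shares = [secrets.randbelow(mod) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % mod)
    return shares

def secure_sum(incomes, mod=MOD):
    """Party i sends its j-th share r_ij to party j; each party publishes s_j."""
    n = len(incomes)
    sent = [additive_shares(m, n, mod) for m in incomes]   # sent[i][j] = r_ij
    # Party j only ever sees column j, then publishes the column sum s_j.
    published = [sum(sent[i][j] for i in range(n)) % mod for j in range(n)]
    return sum(published) % mod, published

def shamir_split(secret, n, threshold, prime=PRIME):
    """Hide secret as f(0) of a random polynomial of degree threshold - 1."""
    coeffs = [secret % prime]
    coeffs += [secrets.randbelow(prime) for _ in range(threshold - 1)]

    def f(x):
        y = 0
        for c in reversed(coeffs):      # Horner evaluation modulo prime
            y = (y * x + c) % prime
        return y

    # Player k receives the point (k, f(k)); x = 0 is never handed out.
    return [(x, f(x)) for x in range(1, n + 1)]

def shamir_recover(points, prime=PRIME):
    """Lagrange interpolation at x = 0 from at least `threshold` points."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % prime
                den = (den * (xi - xj)) % prime
        secret = (secret + yi * num * pow(den, -1, prime)) % prime
    return secret

if __name__ == "__main__":
    # Constructed sample incomes; their true sum stays below the modulus.
    total, published = secure_sum([12, 30, 41])
    print("published shares:", published, "sum:", total)

    # Straight line (threshold 2) shared among three players.
    points = shamir_split(42, n=3, threshold=2)
    print("any two points recover:", shamir_recover(points[:2]))
```

The modular inverse via `pow(den, -1, prime)` needs Python 3.8 or later.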

identity theft is not surprising (0)

Anonymous Coward | more than 6 years ago | (#22358700)

I realize the proposed solution covers personal data in general, and not just CCs. However, with regards to CCs, all I want are one-time keys. Every transaction with your CC should require the owner to manually setup a one-time-use key before making the transaction. And I'm talking about ME providing keys, not some stupid system auto-generating them. Or at the very least, PIN numbers like debit cards.

Of course, such a system is guaranteed to be too complicated for non-techies (and the elderly) to use. Whatever the solution, charging $1000 on a credit card MUST BE made more difficult than simply possessing the card (and in some cases, not even that). A CC #, expiration, and CVV code is not sufficient. It's absurd that we still rely on signatures for "security".

My first 2 jobs as a teen were at McDonald's and Wal-Mart. The merchant slip that employees keep contains the full credit card number, and it wouldn't take any brains to be able to memorize the expiration and CVV. I've also worked for Cingular (aka AT&T), and guess what folks? Every Cingular/AT&T employee has access to your full SSN. As someone who simply had to pass a basic criminal record check, I had access to your full name, addresses, full SSN, and when you call to make a payment, your credit card details (including CVV cause you have to give that too).

Imagine that, one phone call to AT&T customer support, and your life can be over.

Identity theft, yes; anonymity, no (0)

Anonymous Coward | more than 6 years ago | (#22358734)

They do not provide anonymity. They have your IP address and other data.

What they provide will thwart some identity theft attacks (you can still steal the passwords and become that person and do whatever they can do on the new startup).

It's a good idea - maybe - it's slashdotted so I can't check out the SDK.

If only it's easy for sites to adopt (1)

xbhatti (262449) | more than 6 years ago | (#22358930)

During the pre-Web 1.0 days, there used to be something called SET (Secure electronic transaction) Protocol for online payments. It worked by securing the credit card information which was only seen by the merchant's bank and not by the merchant himself. Hence, reducing theft of data and other blah. However, it failed to take off as it required additional infrastructure and internet users were daunted with certificates and e-wallets (a browser plugin).

As I see, credentica has some kind of SDK. How would the provisioning of identity work? Not very clear (their website is down with a 403 right now, guess slashdotting is still a bane!).

Re:If only it's easy for sites to adopt (1)

mlts (1038732) | more than 6 years ago | (#22359160)

Maybe a cryptographic token is the answer to this, be it an add-on to the SIM card of a cellphone, a civilian CAC, or a custom Aladdin eToken. When a purchase is done, the user has his cryptographic token (preferably by both a fingerprint swipe and a PIN) sign the order.

For validating an ID, all it takes is a government CA adding certs onto someone's public key stating that they are above 21, not a felon, etc. Of course, all the certs are revocable, and ones that would possibly change (absence of a criminal record) would have a fairly short expiration time (as they are easily renewed). For things that are security sensitive (no felonies), the certificate could have a lifespan of days, to ensure that the records are up to date, and provide a failsafe should the certificate revocation server be downed.

Then, if a bar needs proof someone is 21, they swipe the ID card, and then check if the public key shown has a certification from the county or state stating that the person is over 21 years. It doesn't even have to show the exact age of the person, just the fact that they have been documented to be on the planet 21 years.

bad passwords (1)

robo_mojo (997193) | more than 6 years ago | (#22358970)

I worked at a web shop once, where clients use passwords to access their online accounts.

At the time the database stored passwords in cleartext (guess they haven't heard of hashing then). When doing some work of course I can see everyone's passwords. People choose funny passwords. There's the obvious "password", "<my name>", or whatever.

But there was one that was a strange 9 digit number. Later when I had a chance to talk to that person on the phone I got to learn that his password was his SSN. I didn't have to ask (I didn't even need it), he volunteered it to me when asking for help.

He said "It's a good password because nobody knows what my SSN is!"

Good lord some people are fucking stupid.

companies like that trail (1)

nguy (1207026) | more than 6 years ago | (#22359360)

There are plenty of simple things we could be doing already to make transactions more anonymous and secure, but companies and governments like getting all that information, and they collude to force customers to provide it.

terroristsdream (5, Insightful)

noz (253073) | more than 6 years ago | (#22359706)

To the asshole who tagged the article `terroristsdream': terrorism is not an excuse to erode our right to privacy. Fuck off.

Re:terroristsdream (1)

bushwhacker2000 (992073) | more than 6 years ago | (#22360422)

I second that! I can't understand how people actually believe nonsense like that. Lack of privacy is, by itself, a form of terrorism when taken to an extreme. I can safely say that I fear our own run-away government much more than "a few riled-up Muslims", as Brzezinski once said.

Re:terroristsdream (1)

swillden (191260) | more than 6 years ago | (#22361188)

I can't understand how people actually believe nonsense like that. Lack of privacy is, by itself, a form of terrorism when taken to an extreme.

I don't know about a "form of terrorism", but I'd say that trading privacy for safety, even if it worked, would be a bad trade.

Jefferson's well-known quote is very appropriate: "The tree of liberty must be refreshed from time to time with the blood of patriots". Most people take this to mean that soldiers have to give their lives to preserve liberty, but I think there's another important truth in the statement: In some cases liberty is incompatible with safety, which means that people will die, including civilians.

For example, if we banned personally-operated automobiles we could save tens of thousands of lives per year. It would significantly increase our personal safety, at the expense of dramatically reducing our personal freedom. We don't make that trade because freedom is more important. In the case of terrorism, we might be able to reduce the danger of terrorism by giving up various freedoms, including the freedom to be private people, but it's not a good trade. Freedom is worth the risk, even when the risk may include death.

Privacy hypocrisy (1)

JAlexoi (1085785) | more than 6 years ago | (#22359966)

I think that Americans are hypocrites who value privacy, but basically do nothing to ensure it's protected.

No reason to use it (2, Insightful)

Fnord666 (889225) | more than 6 years ago | (#22359970)

Simply put, this will not take off until businesses and corporations that warehouse our personal data are held financially liable for any losses that occur related to that data. Right now there is way too much positive financial incentive to hold onto as much consumer data as a company can, and almost no incentive not to. This situation will have to be reversed before companies will invest in a technology such as this.

Gas stations already do this.... (2, Interesting)

foniksonik (573572) | more than 6 years ago | (#22360152)

When you pay with a credit card outside they make you verify the billing zip code. That's it. It's enough information to verify that you are either the primary card holder or know the person well enough to know their zip code. It's not cryptography in any sense but it does implement the concept of least necessary information rather well. They could ask for a lot more... your SSN or DOB for instance... but for the purposes of buying gas a zip code is just the right amount of info.

Re:Gas stations already do this.... (1)

Dr_Barnowl (709838) | more than 6 years ago | (#22377644)

That's not smart. You could steal the card from the envelope it's delivered in, and instantly know the zip code. This is why cards and PIN numbers are mailed separately.

Re:Gas stations already do this.... (1)

foniksonik (573572) | more than 6 years ago | (#22379234)

You have to activate cards before you can use them.... which means calling the activation number from the number you designated as your home phone.

that's good (0)

Anonymous Coward | more than 6 years ago | (#22383198)

That's a fairly profound viewpoint. The fact is that people deploying enterprise software are looking for strong Value.