3

Imagine a scenario where you have a person p online who has a very good profile. For example, you want to hire them. This person is identified by a public key and has some information I about him signed with this public key. However, there is no way of contacting this person.

Now somebody p' shows up and wants to prove that he is p. He does not have his computer with him, so he can't sign anything with his private key.

What would "I" have to be so that it is possible to identify him and make sure the person who is in front of you is not a swindler?

I thought maybe biometric photos could be something? I guess a human would easily see when you would try to wear a mask to pretend you are p? I think I've seen that one can put something on the finger to get another fingerprint, so I guess fingerprints are not a good identifier? Are there other identifiers of a person which are hard / impossible to forge, without having to create a shared secret? (Note that in this scenario, the biometric data is public.)

One identifier which cannot be forged is DNA. But getting the DNA data is also quite expensive / time consuming, I guess?

Martin Thoma
  • I wouldn't be so sure about the ability to see if someone is wearing a mask - there are some really realistic silicone masks available now. Similar techniques can result in very inconspicuous fake fingerprints too. I'd suggest taking a photo, giving them a copy on a USB stick/CD, and getting them to sign it with their private key and send it to you. Not perfect, but hard to fake! – Matthew Mar 08 '16 at 13:14

2 Answers

1

Even a DNA sample can be forced to be inaccurate: it's dangerous, expensive - but it's possible, believe me. The way you're 100% sure that p and p' are the same person is to sign something with your key, not giving any of the keys to him, give this signed piece to him and ask him to sign it with his key and bring the result with him. You will be able to verify it in two ways: his signature, and you can check the integrity of your initial crypto-message: the person "p" is not aware of what's inside, so he can't forge this. It should be fine and inexpensive, IMHO.

Alexey Vesnin
  • That alone is susceptible to MITM. The real p could attend an interview at t+1 where the hiring manager gives him _your_ paper asking him to bring back the decoded content. Which is then given back to you by p'. If you **have** to avoid these threats (e.g. you are the NSA) you shall make it in such a way you can't be fooled even if the real p is interviewed by someone impersonating you. – Ángel May 07 '16 at 19:05
  • You could end up with p "working" for NSA' and the insider p' at the real NSA. The piece may contain «This text along with nonce j5n9p62QSzwsyQ… is to be used as proof that p was interviewed by Martin Thoma at 2016-05-07 16:28:56 UTC on X Street Nº 5, 2nd floor, and has to be returned signed by your key 0x12345678 and encrypted to 0x87654321 and including…» And even then, you are relying on the real p to notice that something in the text doesn't match should a MITM happen, instead of plainly following the instructions. – Ángel May 07 '16 at 19:07
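
The signed-challenge exchange from the answer above, with the context binding that Ángel's comments call for, as an added Go example that is not part of the original thread. The `Interviewer` field, the function names and the generated key pair are assumptions for illustration; instead of signing the challenge, the interviewer here verifies the response against the copy he kept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Challenge is handed to the candidate; p signs every field (field names are assumptions).
type Challenge struct {
	Nonce       []byte            // fresh randomness, so an old response cannot be replayed
	Interviewer string            // who issued the challenge
	SubjectKey  ed25519.PublicKey // the published key the response must verify under
}

func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

func NewChallenge(interviewer string, subject ed25519.PublicKey) Challenge {
	c := Challenge{make([]byte, 16), interviewer, subject}
	rand.Read(c.Nonce)
	return c
}

// Respond is run by the key holder at home; he signs only if the challenge names the party he met.
func Respond(priv ed25519.PrivateKey, c Challenge, metWho string) ([]byte, error) {
	if c.Interviewer != metWho {
		return nil, fmt.Errorf("challenge issued by %q, but I met %q", c.Interviewer, metWho)
	}
	msg, _ := json.Marshal(c)
	return ed25519.Sign(priv, msg), nil
}

// Verify is run by the interviewer against the challenge he kept, not a copy brought back.
func Verify(issued Challenge, pub ed25519.PublicKey, sig []byte) bool {
	msg, _ := json.Marshal(issued)
	return issued.SubjectKey.Equal(pub) && ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv := NewKey() // constructed key pair standing in for p's published key
	c := NewChallenge("Real Employer", pub)
	sig, _ := Respond(priv, c, "Real Employer")
	_, err := Respond(priv, c, "Other Employer") // challenge relayed through someone else
	fmt.Println("accepted:", Verify(c, pub, sig), "relay refused:", err != nil)
}
```

As the second comment notes, the relay check only helps if the real p actually compares the challenge text with the meeting he attended before signing.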
-1

The only way you can ensure someone is who they are pretending to be is by DNA.

You didn't mention retina scan or voice recognition, but those systems can be spoofable as well. There are other patterns that are less likely to be forged, for instance, handwriting or typing on a keyboard.

As you can't analyze everybody's DNA, your option is to implement a "multi pattern" system, building a profile based on different metrics. For example, Coursera uses a picture and your typing pattern for identifying you.

The Illusive Man
  • How can retina scans / voice recognition be fooled when a human is standing next to the machine / tested person and making sure no speakers / images are used? – Martin Thoma Mar 08 '16 at 15:03
  • Do you have a resource (paper / repository / blog article, ...) which explains how typing patterns can be used? – Martin Thoma Mar 08 '16 at 15:03
  • @MartinThoma using lenses and voice modulators you can fool them. It's not easy, but it can be done. Back in college I had a Pattern Recognition course and remember reading about it, especially about the retina scan. About the typing, https://en.wikipedia.org/wiki/Keystroke_dynamics – The Illusive Man Mar 08 '16 at 15:53