zlacker

[return to "Opening up ‘Zero-Knowledge Proof’ technology"]
1. csense+0D 2025-07-03 22:57:55
>>doomro+(OP)
How do you defend against someone who:

- Buys or borrows a laptop / phone / whatever from somebody with an authorized private key

- Downloads an authorized private key file from a sketchy forum (maybe hacked from an unwilling target, maybe willingly shared by a free-speech advocate)

- Uses a VPN over HTTPS to visit websites in countries where age checks aren't legally mandated (and non-compliance is implicitly or explicitly encouraged for economic or ideological reasons)

2. Matteo+0E 2025-07-03 23:10:44
>>csense+0D
The credential ("driver's license") contains a public key whose secret key is stored securely in a hardware secure element. The standard assumption is that the SE is in the phone, but it could be a YubiKey or similar device. In order to use the credential, you need the SE. So you cannot buy a phone from somebody and download a credential from somebody else. You can however buy a phone and the credential from somebody. As a mitigation, the SE only generates the signature when unlocked via a fingerprint or similar biometric input which must match the one that was provided at the time the credential was issued. Whether or not your attack works in this scenario depends on the details. For example, if you only obtain the credential in person at a local government office and provide a fingerprint at that time, it's not that easy to sell the phone and the credential afterwards.
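
Added example, not part of the thread and not code from any real wallet: a minimal Node.js model of the device binding described in the reply above, with the zero-knowledge layer left out. The names `makeSecureElement`, `issueCredential` and `present`, the string-compare "biometric" and the fingerprint values are constructed assumptions.

```javascript
// Illustrative model only; every name here is hypothetical.
const nodeCrypto = require('node:crypto');

const newKey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Models a secure element: the private key stays inside this closure,
// and signing requires the biometric enrolled at issuance.
function makeSecureElement(enrolledBiometric) {
  const { publicKey, privateKey } = newKey();
  return {
    publicKey,
    sign(nonce, biometric) {
      if (biometric !== enrolledBiometric) return null; // SE stays locked
      return nodeCrypto.sign('sha256', nonce, privateKey);
    },
  };
}

// The issuer signs the SE public key; this signed blob is the copyable part.
const issuer = newKey();
function issueCredential(se) {
  const sePub = se.publicKey.export({ type: 'spki', format: 'der' });
  return { sePub, issuerSig: nodeCrypto.sign('sha256', sePub, issuer.privateKey) };
}

// Verifier: the credential must be issuer-signed AND the presenting device
// must sign a fresh nonce with the key named inside the credential.
function present(credential, se, biometric) {
  const nonce = nodeCrypto.randomBytes(32);
  const sig = se.sign(nonce, biometric);
  if (!sig) return false;
  const issued = nodeCrypto.verify('sha256', credential.sePub, issuer.publicKey, credential.issuerSig);
  if (!issued) return false;
  const sePub = nodeCrypto.createPublicKey({ key: credential.sePub, format: 'der', type: 'spki' });
  return nodeCrypto.verify('sha256', nonce, sePub, sig);
}

const aliceSE = makeSecureElement('alice-fingerprint'); // constructed sample values
const aliceCred = issueCredential(aliceSE);
const otherSE = makeSecureElement('bob-fingerprint');

const results = {
  holder: present(aliceCred, aliceSE, 'alice-fingerprint'),       // original owner
  copiedCredential: present(aliceCred, otherSE, 'bob-fingerprint'), // file copied to another device
  soldPhone: present(aliceCred, aliceSE, 'bob-fingerprint'),      // phone + credential, wrong finger
};
console.log(results);
```

Only the first case verifies. The model does not cover the case the reply leaves open, where the outcome depends on how the biometric was enrolled at issuance.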