Posted on 10/04/2017 8:08:22 AM PDT by Red Badger
My Social Security card says not to be used as identification. When did that change? Why does everybody need your Social Security number? When I applied for a Kroger card they wanted my SSN. I did not give it to them.
I guess somebody must have used my SSN to file their tax return because now the IRS sends me a PIN number every year to use when filing.
Maybe they need to assign everybody an IP address.
Or ketchup.
They’ll get it too, or find a way to steal it.
Congress is not empowered to tax for those purposes which are within the exclusive province of the States. Justice John Marshall, Gibbons v. Ogden, 1824.
From the accepted doctrine that the United States is a government of delegated powers, it follows that those not expressly granted, or reasonably to be implied from such as are conferred, are reserved to the states, or to the people. To forestall any suggestion to the contrary, the Tenth Amendment was adopted. The same proposition, otherwise stated, is that powers not granted are prohibited [emphasis added]. United States v. Butler, 1936.
The states could also kill federal SS and start their own SS programs.
You actually read your Medicare booklet? Now that is awesome.
The SSN is currently being used as a password, when it is actually much more akin to a userid. Unless this basic concept is changed and understood, no changes are going to work.
Well not much of it. Mainly the inside front cover. ;-)
I pay two of my bills by automated systems. Asking for the last 4 of my SS# put me off a bit.
It was bad enough when your # was required on your drivers license.
When Virginia started using alternatives to the SS# on our DL I was delighted.
I went to visit a friend who I hadn’t seen in years.
When we mentioned the new DL numbers his kid laughed at us.
He asked for my DL and sat down at his computer.
Ten minutes later he told me my SS#.
Three hours later he knew everything about me, my wife and our kids.
Nothing is secure in the digital age.
I agree that the private keys should be in the citizen's hands, but then you run into many other issues.
I strongly believe that public key crypto is a real solution to the issue of authentication, but it will never work until they force us all to accept chips in the hand or forehead. Even then, there will be ways to spoof it.
The SSN is really just a nickname for you. It is not a password that authenticates anything. It is only a 'secret' in the imagination of people who do not understand identity. Until you can make it a combination of something you know (i.e., the number) and something you have (a token of some kind, be it another number that is generated cryptographically or something physical), you're not going to be solving the underlying problem.
How will you generate your private key?
How would you revoke it if you lost it? (I'd recommend creating both the revocation cert and the private key at the same time and submitting both, but then you'd have a really interesting way for the government to quickly DOS the person, by sending out their revocation cert when they wanted to cause them really serious issues.)
How do you re-authenticate in case you lose it?
How do you prove that someone has stolen yours? (this is a serious issue)
A phone number would probably work better, and is closer to being possible to do today. It also provides you with a physical token.
MAC Address.....
All of these questions can be answered with a basic understanding of public key infrastructure. (PKI)
Hit it up on Wikipedia.
In short, PKI provides authentication and non-repudiation by way of private keys, public authorities, and one-way hashes.
Can’t one just go down to Walmart and get a new key made?
Look, I don't know if you got confused, but I deal with key pairs as a tools programmer on a daily basis. I know how they work very well. I have written a lot of software that automates aspects of their use, and even some of that recently.
The .ssh/authorized_keys files on servers are full of PUBLIC keys. Only the .ssh/id_rsa or similar files on the clients will have the PRIVATE keys.
The server requires somebody trying to use a service to prove who they are by providing a PRIVATE key which is the solution to the riddle implicit in the PUBLIC key.
PRIVATE keys are PRIVATE. They are like the password. They are NEVER stored on a server unless the server is run by hackers that phish it out of someone. They are called PRIVATE because ONLY you...or at least the .ssh/id_rsa or some other such protected file on your personal computer or other client...are supposed to know them. And any files that have them, at least on linux/unix/mac systems, must have limited permissions so they are only accessible to the user (such as chmod 600). The open source ssh client software enforces this!
Private keys are kind of like passwords, but have an advantage and a disadvantage. The disadvantage is they are too damn long to remember and to type. The advantage is that they do not need to be stored on the server. The server just needs the public key to tell if the private key is right. And yet even if the public key is obtained by a hacker they can't figure out the private key from it. However if the hacker got the passwords from the server...then they could impersonate the individual. So hackers are forced to try to phish individuals into giving their private keys away, and there is no good way for them to hack a central database and get everyone's at once.
Seems to defeat the purpose of having key pairs for validation.
When I think of a design for the problem, I keep thinking that key pairs are only useful as a replacement for passwords. Seems each person in the system would still need an id number or the like associated with the public key. Presuming a relational db, they could have the public key be an index to the id of the user in a separate table or db, that can be updated when someone has to change their key pair, and then the id would reference everything else about the person. So somebody signs in, say, to access their SS benefits, and the server checks what public key their private key solves, and then sees what user is associated with that public key.
They could try to use the public key as the id itself, but that is problematic and could cause transaction/syncing issues with all the other tables and various databases when one tries to change their key pair.
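The two posts above (the one on private keys staying on the client while the server holds only public keys, and the one on indexing a user id by public key so the key pair can be changed) describe one mechanism. The following is an added example, written for this thread and not code from any poster, that shows that mechanism end to end: a server-side registry that, like authorized_keys, stores only public keys keyed by fingerprint and maps each to a user id; a challenge/response login in which the client signs a random nonce and the server verifies it with the stored public key; an attacker who holds the public key (and a captured signature) and still cannot get in; and a key rotation that changes the index row while the user id referenced elsewhere stays the same. It assumes Ed25519 from the Go standard library, a hex SHA-256 of the raw key bytes as the fingerprint, and a made-up user id "user-1001"; none of those choices come from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry is the server side. Like ~/.ssh/authorized_keys it stores only
// PUBLIC keys, indexed by fingerprint, each mapped to the user id that owns it.
type Registry struct {
	owner map[string]string            // fingerprint -> user id (the stable identifier)
	keys  map[string]ed25519.PublicKey // fingerprint -> public key
}

func NewRegistry() *Registry {
	return &Registry{owner: map[string]string{}, keys: map[string]ed25519.PublicKey{}}
}

// Fingerprint is the index value: hex SHA-256 of the raw public key bytes (assumed here).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Register binds a public key to a user id; the private half never arrives here.
func (r *Registry) Register(userID string, pub ed25519.PublicKey) string {
	fp := Fingerprint(pub)
	r.owner[fp], r.keys[fp] = userID, pub
	return fp
}

// Rotate swaps a user's key pair. Only the index row changes; the user id stays.
func (r *Registry) Rotate(userID string, oldPub, newPub ed25519.PublicKey) (string, error) {
	oldFp := Fingerprint(oldPub)
	if r.owner[oldFp] != userID {
		return "", errors.New("old key is not registered to that user")
	}
	delete(r.owner, oldFp)
	delete(r.keys, oldFp)
	return r.Register(userID, newPub), nil
}

// NewChallenge returns a fresh 32-byte nonce; one per attempt is what defeats replay.
func NewChallenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy: nothing sensible to continue with
	}
	return nonce
}

// ClientRespond runs on the client: it proves possession of the private key by
// signing the challenge. The key itself never goes over the wire.
func ClientRespond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Authenticate runs on the server: look up the public key, verify the signature
// over the challenge, and return the owning user id.
func (r *Registry) Authenticate(fp string, challenge, sig []byte) (string, error) {
	pub, ok := r.keys[fp]
	if !ok {
		return "", errors.New("unknown key")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return "", errors.New("signature does not verify")
	}
	return r.owner[fp], nil
}

// RunScenario returns: the user id from a valid login, whether a forgery using
// only the public key was accepted, whether a replayed signature was accepted,
// whether the retired key still works after rotation, and the user id the
// rotated key resolves to.
func RunScenario() (string, bool, bool, bool, string) {
	reg := NewRegistry()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // generated on the client
	fp := reg.Register("user-1001", pub)             // constructed sample user id
	c1 := NewChallenge()
	sig1 := ClientRespond(priv, c1)
	loginUser, _ := reg.Authenticate(fp, c1, sig1)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker knows fp and pub, not priv
	c2 := NewChallenge()
	_, forgeErr := reg.Authenticate(fp, c2, ClientRespond(attackerPriv, c2))
	_, replayErr := reg.Authenticate(fp, NewChallenge(), sig1) // sig1 captured from the wire
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	newFp, _ := reg.Rotate("user-1001", pub, newPub)
	c3 := NewChallenge()
	_, oldKeyErr := reg.Authenticate(fp, c3, ClientRespond(priv, c3))
	c4 := NewChallenge()
	rotatedUser, _ := reg.Authenticate(newFp, c4, ClientRespond(newPriv, c4))
	return loginUser, forgeErr == nil, replayErr == nil, oldKeyErr == nil, rotatedUser
}

func main() {
	fmt.Println(RunScenario())
}
```

Run it with `go run` and it prints `user-1001 false false false user-1001`: the only path to a valid response is the private key, the public key and a captured signature are useless to an attacker, and rotating the key changes nothing about which user the system is talking to.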
A basic knowledge of PKI is all that’s required to understand that once the government’s private key is compromised, and it eventually will be, the system collapses.
I’ve been working in infosec since 1993, when DOD private keys were actually pieces of punched tape. I hold CISSP, CISM, and certified ethical hacker certifications.
“Seems to defeat the purpose of having key pairs for validation.”
Absolutely correct. We’d be better off simply moving to longer alphanumeric SSNs.
Ironically, the “last four” that companies are so fond of logging and tracking are actually the most secure part of current SSNs. The first 3 digits usually designate the state you were born in. It’s only the last 7 that provide any sort of uniqueness.
Even if we had a chip that had a private key assigned at birth, and the chip malfunctioned, I don't think this would remedy the need for sometimes changing a person's key; it would just make it harder to change unless the chip could get a new key without surgery.
For hackers sooner or later would phish the private key of some wealthy people's chips. They would then have their own chips replaced with one that imitates the wealthy person's chip when they need it to, but reverts back to the one they are supposed to have at other times....which would be easier to do if there were a way to change the chip without surgery...they just need to figure out how the changer works or get their hands on one.