WeaverMount
Jul 26 2007, 10:41 PM
Lets say you have my real social security number. What can you do that and nothing else? Do you know company I bank with to try to clean me out? Could you give it to a prospective employer without my real name? You sure as hell couldn't get issued a passport.
In shadow run an uncorroborated SIN couldn't get you a pack of smokes at a StufferShack. You would need at least a pin, or a thumb print. Maybe you have to open an account with them when you file a mug shot for facial recognition or at least Authorize them grab it from somewhere. I'm just imagining a scene
AR cleric: "Welcome back to the StufferShack at 19th and MLK, Ms. Fakie McShambert"
Runner: [panting] "The usual and ... hurry"
ARC: " Ok got it. One MetaLink, One All-purpose Body wash, One box of Hair Dye, and a fresh change of closes, and 5 minuets in the Lavatory. Do you have any medium or large objects for incineration mama?"
Runner:"...Not today" [bleeds a little]
ARC: "Total 147.48
, please look at the Camera for validation"
Runner: [Wipes blood from from around eyes and looks]
neko128
Jul 27 2007, 02:39 AM
| QUOTE (DireRadiant) |
| QUOTE (WeaverMount @ Jul 26 2007, 02:57 PM) | | About the SINs though, it stands for System Identification Number. I'm thinking that it is litteraly that simple, you are required to broadcast or automatically provide nothing more than a number. This is then checked against your person. The rating of the reader measures the security of the Databases it checks this number against. If it worked any other way 20 hits or so spread out over some hacking, edit, and forgery tests would give you the data of a perfect SIN. |
Your Commlink is going around announcing "121947214SHDSH17D" whatever.
The Authentications System takes that number, and queries against the <<Insert your favorite corp/national identity system here>> and gets a response.
The higher rating system sends more information.
1. So my handy dandy SIN checker grabs the SIN you claim to have from your commlink broadcast.
2. I send that number, Plus a varying amount of the following
- Picture my drone took
- Your 8 digit simple PIN you entered into my number pad
- Your answer to my question about where you work
- A sample of your blood
- A picture of your retinal patterns
- A fingerprint
- A voice print
- Your answer to the question about your favorite color etc...
- Anything else you can think of
(The higher the rating, the more information collected to verify against.
3. Your broadcast SIN, and all the independently and separately collected verifying information is sent to the also independent system.
4 The authentication service receives all the data, does a check, and returns the result.
5. My SIN Checking device tells me it's 95% confident you are who you say you are.
Note the Commlink only has to have the SIN, no other information on it.
|
If a SIN is a purely passive system, this would work; but there's no reason to believe it's a passive system rather than an active one. There's a concept known as asymmetric key encryption. In its current form, it's based on prime numbers of extremely large size, though that's secure primarily because of the computation infeasibility of factoring extremely large numbers; that particular method is fairly unusable in the Shadowrun world because of the massively improved processing power, but the theory stays valid regardless of implementation.
Anyway. The simplest forms of key-based encryption are "symmetric key"; you have a key K and a message M; encrypting a message M with key K gives you ciphertext C; and then decrypting C with K gives you M again. Decrypting C with any other key (Q, X, or T) gives you absolute garbage. Asymmetric key encryption is different in that you have two keys, K and L; if you encrypt M with K and then decrypt with K, you get garbage. However, if you encrypt with K and decrypt with L, or encrypt with L and decrypt with K, you get the message back.
How is this important? It lets you authenticate a person, and prove that you are who you say you are: and here's an example of how.
When you have a SIN, the two keys (Kg and Kc) are stored separately. One (Kg) is stored in a central location (government DB), and the other (Kc) is stored on the commlink who is broadcasting the SIN. Both are linked to a public ID - your SIN. The SIN is then linked to all your records. So, a policeman comes up to you on the street. You're broadcasting the SIN 5184-VJ24-XQQ1. He sends a query off to the central database, and says "Please give me the encrypted text for 'Are you really John Smith?' using the Kg associated with SIN SIN 5184-VJ24-XQQ1." The central DB sends back "jnf;aasjl;newjl;cjnvj;;fldn;eldj", and encrypted message. The policeman sends that random crap to the person whose commlink he's querying. If, and only if, the Commlink has the correct Kc associated with that SIN, then it will decrypt the garbage and send back the correct message. If it is in fact a bad fake SIN, or just broadcasting a false SIN, he won't have the right key; and the message the policeman gets back will be wrong.
Now, remember, with the amazing speed of SR4 tech toys, this all happens in the blink of an eye; and, more importantly, the identifying message that the policeman sends will be unique - including a timestamp, a date, the last score from the Denver Dragons, and the current ambient temperature in Bora Bora. However, since communications are nigh-instant, he just pushes the virtual button that says "Authenticate this guy's SIN" in his AR view, and it instantly comes back with a green light or red light.
So; now, back to your message. You were watching some guy last week, and you copied his SIN, and copied the response he broadcast to an authentication check. So, you re-broadcast that authentication; unfortunately, the timestamp, date, ambient temperature (they're having a cold snap!), and last score (one of their main players is out sick this week) have all changed drastically, and the query comes back as garbage. Red light goes off, drones start converging, backup is called in, and they ask you politely why you're pretending to be someone you're not.
So no, there's no reason to assume that you can hijack a SIN simply by listening to what's broadcast.
To go further... In theory, there's no reason why you can't have an unhackable SIN. It's pretty easy to create a small electronic device where it has two sets of contacts; one used as an input, one used as an output. Internally, it runs a quick decryption scheme against the inputs, and the outputs then provide an answer. There's no other way to access the device; the key used for that decryption simply isn't available electronically, no matter how much you hack or how hard you try. So you insert that into the decryption/authentication algorithm; and suddenly, you can't steal the SIN by the simple measure of hacking into the commlink and "borrowing" the secure SIN configuration file that the authentication scheme uses. If the authentication scheme is properly designed, you'd actually have to physically steal the chip to get it to work right.
And these are just the schemes in common use today; there's no reason to think they couldn't be massively more intricate 60 years in the future.
This would also explain why creating fake SINs is talked up as such an involved and difficult process; they would have to inject accurate but undiscovered responses into the government's systems.
DireRadiant
Jul 27 2007, 01:08 PM
Regardless of the exact process, it involves the (SIN + Independent Data) validated against a third party system.
You can envision it as SIN + Password, and the commlink has the SIN, and the person has the password.
And as Neko128 has pointed out, you can also include some kind of varying key of some algorithm known to the validator as well.
So the validator receives SIN + (Some generated number) + Password, and just makes sure it all adds up.
So you can capture the SIN broadcast from someone elses commlink, but when it gets sent to be validated, you won't have the password or the generated key.