Most of us have seen the infamous “click here if you’re at least 18 years old” button online at some point in our lives— don’t worry, we’re not going to ask you which site you were on.
We can all agree that turning eighteen years old doesn’t bestow us with some adults-only button-clicking ability, so this test doesn’t do much apart from deterring one or two very honest and patient seventeen-year-olds. (Note: Legally speaking, buttons of this variety may or may not provide some risk mitigation value to the site owner, but that topic is outside the scope of this blog post.)
With such an ineffective age verification mechanism in place so often, there is certainly room for an improved solution— you know, for all the ordinary seventeen-year-olds. This blog will focus on the technical challenges and propose two interesting cryptographic solutions that attempt to solve or mitigate many of the technical hurdles.
Defining & Generalizing The Problem
While the first thought that may come to mind for these buttons is adult entertainment sites (e.g. online gambling), there are many more commonplace uses, such as online state services like applying for a driver’s license, ID registration, voting, buying alcohol or tobacco products online, and many more.
An even greater number of use cases becomes apparent once the problem is generalized from “prove you are at least eighteen years old” to “prove that you belong to a particular group,” where the group can be the group of people who are at least eighteen, the group of people who graduated from a particular university, the group of people that reside in a particular geographic region, and so on.
Regardless of the use case, remotely proving an aspect of one’s identity is a challenging but useful problem to solve. So, why do we still use the ineffective “click here” button? Well, like many things in life, the answer is complicated. A variety of factors, including technical, legal, and risk, have made solving this challenge a daunting task.
A Summary of Previously Proposed Solutions
People have attempted to solve this problem before. Three proposed solutions involved using cell phones, bank accounts, and government ID cards to verify one’s age online.
Broadly speaking, the first two methods assumed that a user had to be a particular age in order to have the device needed (cell phone or debit/credit card) or that the remote service could validate the age of the user with the user’s cell phone provider or bank. The government ID card is a bit more straightforward in that the date of birth is typically in the ID card and the card itself has the ability to attest to the remote service via a digital signature authentication (i.e., the government ID card has cryptographic smart card capabilities).
The first two solutions prove problematic in their assumptions alone – it is not correct to assume that all eighteen year olds have a cell phone or bank account, and assuming so may unfairly restrict certain people from accessing your service. However, the bigger problem is that none of these solutions provide any privacy. In order to remotely prove that the user is at least eighteen, these solutions give the user’s entire identity to the remote service! Most users will not be willing to use such a service, especially if it is a service they were previously accustomed to using anonymously and privately.
In order to design a solution that may actually gain widespread adoption, we must amend the problem statement from “how do we remotely prove that a user belongs to a particular group?” to “how do we remotely and anonymously prove that a user belongs to a particular group?”
We propose two solutions to this problem. The first solution is relatively straightforward and uses a concept of anonymous (or blinded) certificates. The second solution is more advanced and makes use of ring signatures.
Solution 1: Anonymous Certificates
In this solution, the government ID has multiple certificates (and corresponding private keys). One of these certificates is an anonymous (or blinded) certificate, without the identity of the user included on the certificate. Instead, only the relevant data needed to validate what group the user belongs to (e.g. age) is provided.
This anonymous certificates solution offers a reasonable level of privacy but it isn’t foolproof. Anyone able to cross-reference the anonymous certificate with the non-anonymous one will be able to identify the user. For example, if the service provider and the ID issuer share information, they can invade users’ privacy.
Additional drawbacks include the fact that each user needs multiple TLS keys and certificates, potentially leading to a user error where a user reveals their identity without intending to do so, and the reality that service providers may still be able to identify a user by their birth date and city of residence, if that information is provided in the ID card. Discovering users’ identities would be even easier with a small pool of users.
Solution 2: Ring Signatures
A ring signature is a type of digital signature that involves a group of users, where each individual has their own public-private key pair. A ring signature proves that one member of the group signed the data, but it is impossible to determine which individual created the signature. In other words, anyone can verify that the signature is valid and was signed by a member of the group, but they cannot discover the identity of the signer.
Knowing this, a remote user can form a ring of users, where every user is at least eighteen years of age. Then, the user can use a ring signature to complete a challenge-response handshake (as opposed to the standard digital signature currently used for challenge-response handshakes) with a remote service that needs to verify the user’s age.
At this point, the remote service can verify that someone in that specific group signed the challenge. Since every member of the group is at least eighteen, the remote service can be satisfied that the user accessing the system is at least eighteen, without knowing the identity of that user.
The ring signatures solution comes with the benefit of stronger security. At the same time, it’s more challenging to setup this type of solution, especially for the service provider that needs to verify the end users. Also, this solution would require a public database of government-issued certificates (potentially anonymous certificates).
It is possible, of course, to advance on the ring signature solution by mixing in anonymous certificates, using anonymizing services that hide IP addresses, and more, but we’ll leave those details for another post.
While Garantir doesn’t build any anonymizing solutions, we do specialize in secure digital signature solutions. GaraSign, Garantir’s flagship product, is a platform for cryptographic operations that keeps private keys secure for all public-private key use cases — enterprise code signing, SSH, security signing, S/MIME, document signing, and more— without slowing down the cryptographic processes. We also offer services related to secure digital signatures, from digital signature deployment and public key infrastructure to secure shell key management and cryptographic architecture.