upvote

points

by ulrikrasmussen7 hours ago |
comments
upvoteby whazor6 hours ago|
next
[-]
I'm ok with enforcing hardware security. Both for banks and governments.

But it must not limit the ability of running custom software on a phone. And especially not enforcing every person to get a Google/Apple signed phone.

Like if I get GrapheneOS on my phone. Banking/gov apps should work. But I believe this could be possible with enforcing hardware security as well.

reply
upvoteby TingPing6 hours ago|
parent|
next
[-]
The chain of trust always has a software layer. I don’t believe what you want is possible.

I find the bank talking point strange, why are they special, are they even targeted more. It just feels like a boogeyman “think of your money!”

reply
upvoteby microtonal5 hours ago|
parent|
next
[-]
For all practical purposes it's possible to do this. The boot ROM only boots a vendor-signed bootloader, the bootloader verifies the OS kernel, etc., until you have a fully verified boot chain. A secure enclave, which is completely separated from the main CPU and OS performs the attestation using a private key in its tamper-resistant storage and embeds the results of verification by the bootloader. There may be some vulnerabilities, but most of them can be fixed in updates, with exception of the boot ROM.

The reason why the system gets broken in Android occasionally is that most Android phones have terrible security and do not use a secure enclave/processor, etc. (which the iPhone had since 5s + Google/Samsung for quite some years through Titan M/Knox Vault). Instead they use TrustZone, which set up a TEE on the same CPU/RAM as the main OS. Of course, it uses memory protection for separation, but is often vulnerable to side-channel attacks. This is also the reason many Android phones will be cracked by Cellebrite in seconds (recently such a Mediatek TEE vulnerability was made public [1]).

[1] https://www.malwarebytes.com/blog/news/2026/03/this-android-...

reply
upvoteby summm1 hours ago|
parent|
[-]
Nope. It is still not possible to give someone else (the government, or the bank) control over your phone while at the same time run software that you alone control with higher privileges. Please don't mix that up with "is practically hard to implement because of sloppy code. Also your attacker model is still "occasional evil government agency or evil private corporation wants to crack and read your messages", while what is discussed here is more fundamental "evil government or abusive corporation controls your phone in the first place, and can just remote control it you can't use really secure apps"
reply
upvoteby ulrikrasmussen5 hours ago|
parent|
prev|
next
[-]
The software layer in age verification is not necessary to trust though. The worst that could happen is that a compromised software layer steals your age credential, but it is by design anonymous so you don't risk getting your money or account stolen or anything. This makes it a different threat model from the banking case.
reply
upvoteby Retr0id6 hours ago|
parent|
prev|
[-]
You can store key material in hardware-backed enclaves without involving remote attestation. If someone has a modified device/client that stores the keys elsewhere, that's on them - they're only weakening their own security.
reply
upvoteby Meneth5 hours ago|
parent|
prev|
[-]
You can't have both. "Hardware security" means the manufacturer decides which OS can run and you can't override it.
reply
upvoteby ralferoo7 hours ago|
prev|
next
[-]
Exactly, I'm not sure what benefits hardware attestation offers to the government. Sure, it's potentially useful for the customer that they can trust their keys are secure on their device, but it kind of misses the point.

It should really be an open-source specification that defines a standard protocol, but where the device just signs a request that it knows has come from a trusted source (so maybe signed by the government's key) with a key that the government's API knows that represents you.

So, I'd envisage something like government portal lets you add a bunch of public keys, one for each device, and shares a public key of its own that can be used to verify any requests. Something that wants to verify your identity can request your public key, and ask the government API for a challenge token which it passed back to you. You can verify the challenge token is signed by the key you trust, you can sign the challenge and return it to the app, which can pass it back to the government API which can then grant access to whatever subset of information they requested (and the challenge key can include enough information for the signing app to present a meaningful request).

Very simple in terms of protocol. Only the government needs to store any of your private data. If an application just needs to know if you are of a sufficient age or not, that's all the information it gets. If you lose your device you can easily revoke your keys and add new ones.

Sure, a specific implementation on a phone might want to use hardware attestation in order to keep its keys safe, but there's no reason that it has to be mandated. A well designed public key system should be sufficient leaving the implementation to safeguard its keys, while providing a simple way to replace keys if needed.

reply
upvoteby ulrikrasmussen6 hours ago|
parent|
[-]
I think the reason these systems require device bound keys is because the government is concerned with easily mass-produced forged age certificates. With software keys you can get an age certificate which can be copied instantly to a large number of devices, with hardware keys the government knows that the certificate is tied to a single physical unit.
reply
upvoteby KoolKat236 hours ago|
parent|
next
[-]
Again, at this point, they're taking things too far,age gates shouldn't need to be an impenetrable fortress (notwithstanding the question of whether they should exist in the first place).

It should simply be the adult account on the device is notified if the device is rooted, effectively no longer in child mode. Go crazy with the warnings on both devices if you want as they've opted in at that point.

reply
upvoteby tomega21343 hours ago|
parent|
prev|
[-]
Is this EU protocol so weak that it cannot withstand this attack, i.e. is duplicate age certificate use not detected or prevented?
reply
upvoteby ulrikrasmussen1 hours ago|
parent|
[-]
You can't really prevent that unless you design a system which is inherently designed to track people, e.g. by phoning home to the issuer on each credential verification. The system being deployed right now is based on the issuer issuing batches of single-use credential tokens to device-bound single-use keys, which on the plus side means that colluding verifiers cannot use age credentials as cookies to track people. It is still vulnerable to colluding verifiers and issuers though, because the issuer can de-anonymize the tokens (it knows them and their linking to the identity of the user). This scheme also means that if the keys that the tokens are issued to are not device bound, then it is trivial to copy the age credentials to someone else.

To my knowledge, even more sophisticated ZKP schemes still rely on device bound keys to protect against duplication.

reply
upvoteby Borealid4 hours ago|
prev|
[-]
> it just requires a few cryptographic primitives and a set of device-bound keys

Question: how do you make sure the keys are device-bound if you have no attestation about the hardware or operating environment?

reply