Proving your age with IRMA (without revealing you're a dog)

November 12, 2012

In the IRMA (I Reveal My Attributes) project we are working to make attribute based credentials practical. IRMA provides very efficient implementations of such credentials on (contactless) smart cards. This allows us to use the smart card as a secure and portable container for these credentials. One of the things we have been looking at is possible use cases. Last week I discussed how the IRMA card can be used to stop the resale of event tickets. In this blog post I will discuss an almost trivial application: proving age bounds.

Proving your age, without revealing anything else, is the prototypical application of privacy friendly credentials. In this application, a credential could for instance contain the following attributes: your age in years, and whether you are at least 16, at most 16, at least 18, or at least 65 years of age. Typically, the government would issue such a credential to all its citizens on request. This credential allows you to prove a certain property about your age without revealing anything else.

Which attribute you choose to reveal depends on the application. To buy cigarettes or beer in the Netherlands, you need to prove you are at least 16 years old. To buy strong liquor, you need to prove you are at least 18 years old, and to get reduced fares in public transport you need to prove you are at least 65 years old. The fact that an IRMA card carries the picture of the holder allows the use of the IRMA card for such use cases offline.

Sometimes you need to prove you are below a certain age. For example to join an on-line chat forum for children. Absence of an "at least 16" attribute is no proof of being at most 15, as people may choose not to disclose that attribute. So you need a positive attribute that proves you are below 16. (This is a general principle: attributes that are disqualifying in a certain context may not be revealed by their owners. The negation of that attribute is then a qualifying attribute that must be explicitly verified to achieve the same effect.)

An infrastructure to prove age bounds on-line would also be very useful for other applications. For example, brick-and-mortar shops have to verify the age of people buying age restricted material (booze, but also video games and movies). On-line shops should have to do so too (for fair competition reasons), but are in practice unable to reliably verify the age of their customers. Government has only two options: either outlaw the sale of age restricted material on-line, or provide an infrastructure where people can prove they are a certain age. (In the latter case, it is sufficient if government stimulates the development by such infrastructure by the private sector, provided the necessary privacy safeguards are preserved.)Lack of such possibilities in one of the reasons why offering online gambling services is still not permitted in the Netherlands.

A few details have to be taken care of though. Clearly, the "age-in-years" attribute expires on your birthday. But including your exact birthday as expiry date in the credential is not good idea, because it is revealed whenever the credential is used, and exact birthdays are quite identifying pieces of information. The same holds for the "at most 16" attribute. We deal with this problem by only allowing expiry dates in month and year format (for any type of credential actually). It is up to the issuer to decide whether to be conservative (credential expires before the attribute becomes false) or liberal (credential is valid for at most one month after the attribute becomes false) in setting the expiry date. But even this strategy reveals your month of birth if applied strictly by an issuer that only issues such a credential once with the maximum expiry date. To destroy this correlation, age bounds credentials should have short validity periods, so that they are issued frequently. Unless the age of the bearer is close to the limit implied by the age bound, the expiry date can be chosen to be a random month in the next year.

In case you spot any errors on this page, please notify me!
Or, leave a comment.
Rob Dirksen
, 2013-02-26 20:02:00
(reply)

The only challenge is the infrastructure to issue IRMA card with photo in a secure way. You need to see and verify at least 3 items: the cardholder, some document to prove the identity of the cardholder and the IRMA card with photo. There are many ways to do this but it requires human intervention of a trusted party.

Rob Dirksen
, 2013-02-27 09:48:46
(reply)

In the years 2001/2002 we developed the “agekey” for the tobacco industry. One needed the agekey to buy cigarettes from a vending machine. We used the Dutch bankcards in casu the Chipknip as the carrier for the Agekey token. Also here the challenge was the infra structure to securely issue the Agekey. We chose to cooperate with the Dutch postal Service (Postkantoren b.v.) where personnel was accustomed to work with identification papers. The customer went to the postoffice with his bankcard and his passport or other id paper. He identified himself to the clerk who put the Agekey on the customers Chipknip by means of a adapted PIN machine. The PIN machine registered various customer details into a central database for tracking an tracing purposes.

The IRMA card is another card in the customers wallet. The same functions could be implemented on the bankcard, the OV chipcard (well, not with the current technology) or on any other secure and widespread card.

Jaap-Henk
, 2013-02-27 10:11:14
(reply)

To bad the Dutch postal service are closing down post offices. Instead, they now license postal service points in shops. Those are less ideal for securely distributing such tokens…

The future of IRMA: ideas to improve Attribute Based Credentials. // Jaap-Henk Hoepman
, 2014-07-03 07:53:07
(reply)

[…] Attribute based credentials (ABCs) allow users to prove properties about themselves without disclosing any additional information, and without being traceable. ABCs therefore implement privacy friendly identity management. Within the IRMA project of the Privacy & Identity Lab we are busy making ABCs practical by implementing them on a smart card. This allows them to be used, for instance, in national electronic identity card schemes. We are currently studying how to implement some recent ideas on how to improve ABCs in terms of functionality, securty and privacy. […]

The ABC of ABC – An Analysis of Attribute-Based Credentials in the Light of Data Protection, Privacy and Identity // Jaap-Henk Hoepman
, 2015-03-27 09:27:34
(reply)

[…] research group at the Radboud University has been working on efficient implementations of so-called attribute based credentials (ABCs) on smart cards for several years now. The resulting IRMA card is ready for pilot deployment […]