Schneier on Security
A blog covering security and security technology.
« Quantum Cryptography |
| Terrorist Fear Mongering Seems to be Working Less Well, Part II »
October 21, 2008
ID Cards for Port Workers
While I am strongly opposed to a national ID, I have consistently said that giving strongly secured ID cards to groups like port workers is a good idea. It's happening in New England:
The scannable card serves as proof that a background check has been performed and it contains features aimed at preventing misuse. In addition to a photograph, the card contains a smart chip that carries a copy of the holder's fingerprint. Port and delivery workers, cargo handlers, and other employees who must venture into sensitive or secure areas will be required to submit to a fingerprint scan before entering those locations. The scanning machine will automatically perform a match analysis with the fingerprint embedded in the smart chip.
This is a great application for these cards.
Posted on October 21, 2008 at 1:28 PM
• 31 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Of course, once again you have to have a very good handle on the process by which such cards are issued. One nice thing in an application like this (access to secure areas of ports) is that the community of people with access is fairly small.
I'm unclear as to what problem these cards solve. I guess that it make smuggling operations a bit harder to run, but those can always be shifted to other ports. It might also make corporate spying marginally harder. I'm not clear that it would have any affect on terrorism, other than plots that involve smuggling into one of those ports.
What threat can ID cards for port workers address?
If you search the article, you'll notice the word terrorism is only found in the first paragraph. The rest of the article refers to this as a way to increase security in general.
My thought? Putting terrorism in the first paragraph is a tag to increase readership.
Otherwise, I operate under the assumption that these guys thought through what security problem the cards solve. I know there are many examples contrary to that notion, but this article doesn't give enough detail to make that determination. I think Bruce's point is that this is a good example using ID cards for authentication.
If it were limited to port workers, or even those with access to critical infrastructure facilities such as rail yards and airports, that would be laudable.
But this is already getting out of control. For example, the coast guard is REQUIRING all OUPV (Operator of Uninspected Passenger Vessels) licensed charter boat captains to obtain a TWIC. Technically, these small business owners are members of the Merchant Marine, and thus fall under the regulations.
This is absurd. Some of these operations are 16 foot, single engine boats that never operate in more than 30 feet of water. They barely make enough to survive (and often have second jobs) and have about as much to do with the national infrastructure as Joe the plumber (less, actually).
These cards are expensive, and take two trips to a regional C.G. center to obtain, which is typically a full day off of work for them.
What's next? Garbage collectors and Taxi drivers?
This is the same process used by the various US stock/options exchanges such as the CBOT, CBOE, NYSE, etc. People who are supposed to have access to the trading floors and systems have their fingerprints taken, id's and fingerprints vetted thru the NCIC (or whatever) before being issued a photo/rfid ID. Then, access to sensitive areas require reading the card and swiping a fingerprint before access is granted. This is not foolproof, but it does provide a reasonable level of access verification, I think.
Doesn't including the fingerprint and other information on a smart chip beg the card be hacked? Unless there is a stored is compared with a copy of the information that is in a centralized database. I just see the cards being a deterrent to the smaller fish, not the bigger ones.
The fingerprint record is digitally signed, so you'd have to crack the TWIC certificate authority to alter the fingerprints on the card in a way that a reader would accept.
Almost all security is really a deterrent in nature. Given enough time and resources all systems can be broken. That being what it is, if the projection is 180 days of work to break system A, and 5 minutes to defeat system B, 99% of the time (number is a guess) attackers go for the low hanging fruit.
If the fingerprint is encrypted with the verification system's private key, I don't see a need for a central database. As long as the scanned print matches the decrpted print, there's assurance that the person with the card is legit. And there's no central database to hack.
Do the requirements state that terrorists working for the port have that fact noted clearly on the ID card? How is this card not trying to use identity as a means of inferring intention?
Fingerprints digitally signed by what CA? If one central one, that wouldn't that make a juicy target? If multiple CA's, wouldn't that lessen their trust level? And if a third party obtained a card, wouldn't they then be able to get a copy of the good guy's fingerprint?
I have just such a TWIC card, as a student who needs access to a "port". I do underwater robotics, which requires access to secured docks occasionally. Unfortunately, the way the screening process has been performed left many students in situations similar to mine without required access to the dock, after being declared a "Security Threat" by DHS (http://www.nytimes.com/2008/05/13/washington/13tsa.html). Foreign student doing defense work on a government grant? Sorry! You're now a security threat!
Also, while this is not an appropriate place for specifics, the TWIC card has been labeled by many as a "Steel Door on a Grass Hut". Safe to say that requiring ID's occasionally will not significantly change access patterns to the dock.
We all know that an ID card is not a perfect system. What Bruce said was that this is a good example where using an ID card system is appropriate. The population is small, the added security will keep most people out. This should allow the other security resourses to be better focused on bigger threats. This all goes back to the economics of security.
If it's a "port" what's to stop a couple of terrorists driving a cigarette boat into it and triggering a suitcase nuclear bomb? Where are the submarine nets?
For that matter, the front door may be secure, but what about the rest of the perimeter? Even a small port may have a perimeter miles long.
"Badges?... We don't need no... stinkin' badges!"
Don't miss this line...
"proof that a background check has been performed"
This is a key difference between this application and a national ID card. There is likely a robust process to ensure that background checks are done properly. This simply builds on that check.
Most national ID cards suffer from the problem that doing the background check on a national scale would be prohibitively expensive, and so it doesn't get done. The card can't be any stronger than its issuance process, no matter what technology is used.
These cards cost $132.50 for 5 years - a significant sum, and one that most people would find objectionable for a drivers license. They also will likely take a while to issue, due to the background check - also something objectionable for a drivers license. (By comparison, it appears that a New York drivers licence costs $50 for 8 years.)
Of course, the rest of the security system (not just the issuance of the card) also has to measure up. But there would be little point in doing physical port security if you're not doing port worker security to the same level.
The only thing I found that would concern me is that apparently you don't actually need the card to get into some secured areas - you only need to be *with* someone who is allowed into those areas. This moves the problem from one of "getting a security card" (hard, takes a while) to "knowing who to threaten" (easier, faster).
Makes sense to me too but not sure I would call it a "great" application without any explanation. It seem very comparable to ID cards used in other private/commercial work spaces, except that it's managed directly by the TSA instead of a local authority or organization.
Here in the UK the government is trying to get national ID cards bootstrapped by issuing them to airport workers first. This is despite the fact that these workers are already highly vetted. So they are using airport security as a cover for a political agenda. They have calculated that no-one is going to complain about "more security" for airport workers even though it will make no difference.
But, fingerprint identification can be defeated using silly putty or play-doh.
Hopefully the cards have a good digital signature of the fingerprint data in the chip printed on the card via barcode or some other less-than-delible means to ensure a way to confirm that the data in the chip has not been tampered with.
Though, until Arisia provides the "Lens", what man can synthesize, man can analyze... and defeat.
The only thing you can do it increase the expense enough so it isn't worth bypassing.
This is an interesting post -- both the subject material and the fact that the comments are generally positive.
Also interesting that many commenters "assume" a positive spin on the unknowns ("I operate under the assumption that these guys thought through what security problem the cards solve", "there would be little point in doing physical port security if you're not doing port worker security to the same level" - true, but can we safely assume those things without verifying?)
TWIC is opposed by the same folks whose "I am not afraid" campaign Bruce liked in a previous post. http://www.downsizedc.org/etp/campaigns/77
TWIC is viewed as a backdoor for DHS to get their RealID, even when RealID has been soundly rejected by the states, primarily because TWIC is being applied to "brown water" shipping (inland/domestic) as opposed to "blue water" shipping (ocean-going). If this is really about securing our ports, why does it need to apply to inland shipping? (Sure terrorists can attack anywhere, but is that a credible threat? And just how does credentialing lower that threat? The 9-11 hijackers had legitimate credentials.)
The Coast Guard already issues a credential -- "The Merchant Mariner's Document (MMD) has worked fine for a very long time. And the Coast Guard recently revised the program to make the MMD tamper-resistant. Oh, and it also requires a fingerprint, and a background check, and it has a machine readable stripe on the back. So why, exactly, do these workers need TWIC cards? (Qui bono)" http://www.downsizedc.org/etp/campaigns/102
Would somebody put up $5 as the prize for the first news failure report of failure of this security effort? For example, it turns out that employees take their cards with them when they leave, lots of cards are lost and not accounted for, the crucial identifying information was left on a CD or USB drive or a laptop and has gone missing? Or of people bypassing the checkpoint by tailgating or by entering through unsecured doors?
Something like this can be made to work, yes. But if the people using it and operating it don't take it seriously enough, it will soon be found to leak like a sieve. The TSA itself is treats their own security as a make-work for-show-only joke.
Unfortunately these cards are only currently being used as flash passes. There currently does not exist any access control systems that leverage either the PKI or biometric components of these credentials. You should know better than to conflate the security token with the application and the infrastructure to support it.
Large scale ID programs go through a number of phases registration, issuance, infrastructure, use. At this point TWIC is really only at step 2.
I think you've pointed to the most significant portion of this issue. The scope of this project (TWIC) is NOT small. It is just a precursor to creating Federal ID cards for the next industry later. Eventually, you'll hear more arguments to continue with REAL ID because everyone with a Passport already has a Federal ID, and we have TWIC, TRWIC*, AWIC*, and all the other industrial ID cards too. We'd save money if we just made everyone have a federal ID card and it would work for all these other applications.
If this really was about security, and not just casting a net of control, then I might agree with Mr. Schneier. However I'm part of DownsizeDC.org, and they specifically argue against the TWIC, in a dedicated campaign --
*I made these names up to make a point TRWIC might be Trucking and Railroad Workers Identification Card, and AWIC might be Airways Worker Identification Card
@Jeremy D. Young
You don't need to make up cards. There are several efforts ongoing at the Federal level.
* CAC - The Dept of Defence's Common Access Card
* TWIC - TSA and the Coast Guard's Transportation Worker Identification Credential
* PIV - The fed's Personal Identity Verification card, originally ordered under Homeland Security Presidential Directive 12, and NIST's FIPS 201 standard. Required for federal employees and contractors who require routine access to government sites.
* FRAC - The FEMA National Capitol Region-sponsored First Responder Authentication Credential program to equip state and local first responders with FIPS 201 compliant IDs.
* REAL ID - Federal standard for state issued drivers licenses
* US Passports
There are substantial ongoing efforts in the area of digital credentials at FEMA, National Incident Management System (NIMS), Emergency Management Assistance Compact (EMAC), NIST and ANSI's Homeland Security Standards Panel (HSSP) among others.
Estimates of the size of the critical workers needing ID in the Crititical Infrastructure and Key Resources (CI/KR) sectors run to the 12-18,000,000 levels. Disaster planning efforts suggest that at least that many people should be issued IDs of the TWIC/FIPS-201 type.
How good a thing this is depends on how important you think ID is in terrorist prevention and disaster response, and how interrelated you see those two realms.
Tell me about it.
My mother was declared deceased because a voluntary account was marked 'terminated' in a government data base,
and her benefits were stopped.
In order to get the necessary statement to prove her alive,
she had to access a certain kind of Federal Judicial Officer
in a Federal Office only reachable with a NEW REAL ID card -
which she couldn't get because she didn't have the written proof of still being alive.
(The assistant magistrate laughed and laughed, and my mom thought it ironic funny. - Yes, there are back doors.)
This isn't a small program and just keeps getting bigger. A TWIC is required for anyone who requires unescorted access to port facilities. This includes Merchant Mariners, longshoremen, truck drivers, port officials, researchers, customs and immigration officials, janitors, shipping co. employees, etc. I read recently where they had discovered they needed to provide TWICs to train crews that entered the port.
This causes some issues with foreign nationals who might need access, i.e., students in research projects, foreign employees of port operators, etc, since the background check requires at least a 2 year history in the US for adjudication can be done. I assume they provide escorts for foreign vessel crews. I wonder how they handle foreign owners of port facilities?
As usual, and ID card effort destined to fail.
As others here have mentioned:
1. The obvious failure is use as a flash ID - the biometric is never checked because it is too much hassle, not implemented, out of service, etc. The physical card and photo will be easily forged.
2. Attack the biometric device: force it out of service, cut your thumb, have grease on your hands, etc. A suitable false negative will force a fall-back to using photo ID, which is easily forged.
3. Steal a valid ID card and lift the owner's fingerprint, modify the photo, and construct a gummy fingerprint to fool the biometric scanner.
4. Attach the process: get a valid ID card issued to you illegitimately.
ANY card that looks like an ID (it has a name and photo) is insecure, PERIOD. Irrespective of the fantastic digital technology and security, it will ALWAYS fail because attackers will force the process into a mode that relies solely on the face of the card.
Various new ID card proposals in Europe and Africa fail for exactly this reason: details on the chip are cryptographically signed and hard to forge, but in almost all situations the card reader to be used will simply indicate a valid card (green LED) or invalid card (red LED) - the association of chip to card-holder is based on the easily-modifiable photo on the face of the card.
An approach that doesn't fail so easily requires that you have only an issuer logo on the face of the card, and the card-owner's name + photo + biometric signed and on the chip only. The reader must be able to display the photo on a screen for verification.
Sadly, nearly all terrorist attacks are simpler than the 9/11 plot. The US doesn't see any of these simple attacks: bombs, fires, snipers, but pretends that securing airports and shipping ports is the key to our security.
Why do people expect terrorists in the US to only do the really big attacks, but do none of the small attacks?
IDs only work if the person is a known terrorist, yet many are first-timers, or at least haven't been caught yet, just like all other criminals.
If we can't catch bank robbers before they rob a bank, why do we think we can do these other things just because they are terrorists?
The idea of a TWIC is truly amazing. Why would anyone already inside the country want to plant an explosive device in a port container to be shipped outside the country? Then there's the whole question of TWIC or a hazmat endorsement on your driver's license and the security check you must go thru. Is the United States the only place on earth where people know how to drive a truck? All loads of hazardous material are required by law to stop at all railroad crossings. All anyone need do is wait at some railroad crossing for a load of gasoline, etc., to stop and then hijack to\he whole truck and drive it to some destination and blow it up. All of this can be done without any security check what-so-ever. Remember, these are stone cold terrorist that have already decided that they're going to die. What have they to lose? I simply don't understand.
The problem is that it is not a small number of persons who must have this card. Everyone trucker in the us will need the card, every construction worker will need the card, every boat owner will need the card this is just the beginning. truckers already pay for a back ground check when they do there license for haz mat. Now they pay again its a form of Tax which has gone on to long in this country. License plates, property tax, school tax, inspection stickers for autos, and the list go on and on. The only person who should need the card is the dock worker. vistors should have limited access without a card to pick up or deliver to the port.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.