Electronic IDs

Interesting commentary on digital identification cards.

Posted on October 26, 2005 at 8:25 AM • 19 Comments

Comments

AntonyOctober 26, 2005 8:43 AM

Hi Bruce,

Thought you would like the following quote:

I would rather be exposed to the inconveniences attending too much liberty than to those attending too small a degree of it.
- Thomas Jefferson

katreOctober 26, 2005 8:49 AM

Interesting ideas. If some country did set this Root eID, in the way described, with the accompanying risk analysis and proper oversight and safeguards, I'd move there just to use it.

radiantmatrixOctober 26, 2005 9:30 AM

From the article:

"ideally an eID token should only be asked to answer yes or no to (cryptographic) questions, never to give out information stored on the token"

Unless I misunderstand the author, this is a fantastically bad idea. How easy is it to design a "fake" that will answer yes or no, given a known line of questioning?

No, rather, the questions should be of the form "Sign your birthdate, ID#, the current date-time (which is {X}), and this GUID with your key, and send me the result." When it responds correctly, and the machine verifies the information contained in the signed (and ideally encrypted) packet, the auth is approved.

I think what the author is trying to suggest is that the auth token should never send any personal information. I disagree: I think sending that information is key to authenticating strongly, but that measures must be taken to secure that data in transit.

As an example of how that might work, enrolling for a new bank account might work like this:
- Fill out enrollment form
- Insert eID card in reader.
- Reader performs a "pairing" operation where card and reader agree on reasonably strong session keys for encryption purposes. (further messages are encrypted with these keys).
- Reader sends a message containing a transaction ID and an authentication request.
- Card prompts for second-factor data (PIN, biometric, whatever) to use as 'passphrase' for signing key.
- Card signs a mesage containing TID and authentication data (e.g. name and ID#) to Reader, which verifies the signature based on the public key.
- If signature is valid *and* auth data matches enrollment form, authorize enrollment.

Such a system still has flaws. There would need to be a trusted database of public keys, so the whole issue of trust and PKI comes up again.

What I don't understand is this desire to have "infallible" and "universal" human-to-machine authentication. What's wrong with a human checking something and having the machine double-check? This reduces the chances of failure, because you have to compromise both machine and human.

Bruce SchneierOctober 26, 2005 9:33 AM

David Chaum invented some really elegent protocols for this: a device can answer a yes/no question without giving out any other details -- in such a way that cannot be spoofed. You could prove to a policeman that you had a valid licence to drive without him learning your name, for example. Great work.

Roy OwensOctober 26, 2005 10:04 AM

Nice thinking, but it is still wishful thinking.

We are not going to get any government backed strong authentication protocol simply because the government will force fiddling with it to allow their own agents to spoof the system.

Failure modes must be designed in to protect government agents from having their real identities exposed and to enable government agents to impersonate both real and imaginary people.

The government will insist it can be trusted not to misuse the shortcuts, and so the real system, as implemented, will trust any cheater.

That example of a cop able to find out only whether you have a valid license makes a nice illustration of why it will never be implemented. Without extra information, the cop who pulls over a weaving vehicle after dark won't know whether this is an important person needing a police escort home for his own safety or a scumbag needing a field sobriety test, a ride in a cage car to the drunk tank, and his car towed to the impound lot. It's that extra information that tells the government agent how the central bit of information is to be routed through the system.

Bruce SchneierOctober 26, 2005 10:18 AM

"Nice thinking, but it is still wishful thinking.

"We are not going to get any government backed strong authentication protocol simply because the government will force fiddling with it to allow their own agents to spoof the system."

Sadly, I agree.

It'll happen eventually, but eventually is many years away -- maybe decades.

ZwackOctober 26, 2005 10:54 AM

Roy >
"the cop who pulls [you] over a won't know whether this is an important person needing a police escort home or a scumbag needing a a ride to the drunk tank."

Which is the way it should be. In either case the Cop should need to know...

Do you have a valid licence and insurance?
Are you safe to drive? Are you legally allowed to drive?

In the UK you can refuse a breathalyser test but it is a criminal offence to do so. The cop should do the right thing regardless of whether you are a "scumbag" who is drunk, or a member of parliament who is drunk. In either case you shouldn't be driving.

However, while the protocols to allow the questioner to ask specific questions and get valid yes/no answers back exist, they won't be implemented. We'll be lucky if any real security is implemented.

My guess is that the system will cost an absolute fortune to implement. Will not work worth a damn, and will willingly give up all of the personal information it contains to anyone who asks for it. Identity theft will either stay the same, or rise because the information is now much more easily accessed.

The idea that the card should return any of the data contained is (imho) a bad idea. While not aware of the work of David Chaum, I would have thought that a simple protocol along the lines of...

Does parameter W match criteria X, encrypt your answer with public key Y and include hash Z to make it "unique". Where there are only certain criteria X that can be asked for each parameter. e.g. Is age greater than 16, 18, 21 or 60? (Are they a legal adult, or do they get senior citizen discounts?)

That avoids people needing to know date of birth, but still answers the important questions. I don't care if someone is 20 or 25 if I am selling them alcohol in the UK (legal drinking age is 18, except for certain alcoholic drinks purchased with a meal in Scotland where it is 16), I just care that they are over 18.

This would be good... But what will happen is the card will contain a small dossier unencrypted* which will be given in its entirety to anyone who has access to the card.

*By Unencrypted I mean in plain text or similar. It might be rot 13, or some similarly hard to decrypt mechanism.

Z.

Glauber RibeiroOctober 26, 2005 11:10 AM

From the article: "It concludes - like earlier editorials in ISB - that the proposed project is not feasible, saying that the proposals are too complex, technically unsafe, overly prescriptive and lack a foundation of public trust and confidence. LSE's report also concludes that the risk of failure in the current proposal is therefore magnified to the point where the scheme should be regarded as a potential danger to the public interest and to the legal rights of individuals."

Doesn't this pretty much guarantee it's going to be implemented?

MaryOctober 26, 2005 12:07 PM

One problem with the terribly intelligent idea of requiring differing levels of identity proof for different transactions is, who will accept that they don't really need the highest level of security. Reminds me of the folks in the govt. suing when they were declared "non-essential personnel" who didn't have to come in on snow days. Or the problem with the death penalty - no DA wants to tell a family that their loved one's death wasn't heinous enough for the death penalty to kick in.

albert bOctober 26, 2005 12:43 PM

Bruce, thanks for pointing this out.

It sometimes seems to me that most comments on identity cards/identification systems I see on the web are knee jerk criticisms of the very *concept*. But this paragraph in the editorial stands out because it highlights the concept's potential for positive benefits:

"These goals seem to be missing: 'enabling and facilitating a society based on e-commerce', 'increasing individual freedom by enhancing anonymity and privacy', 'enabling irrefutable authentication of humans to machines' and 'providing individuals with transactional security'. These are some of the positive drivers of an eID system ... "

Of course, like many others, I am skeptical that the U.S. government will ever honestly implement such a useful system.

albert bOctober 26, 2005 12:55 PM

@Zwack:

"My guess is that the system will cost an absolute fortune to implement. Will not work worth a damn, and will willingly give up all of the personal information it contains to anyone who asks for it. Identity theft will either stay the same, or rise because the information is now much more easily accessed."

Please elaborate on this. I'm not saying I disagree, but I'm not so sure one way or the other. I mean, I can see the case for ID theft staying about the same, but rising?

My (albeit rough,imperfect) understanding of the current situation is that our data is already 'out there' in commercial databases, which have been hemorrhaging our data to hackers and anyone with enough cash to buy it for mailing list or marketing purposes.

If I had to guess, I'd expect the government to do about as poor a job of safeguarding my data as the private/commercial sector already does.

LogiOctober 26, 2005 1:06 PM

I am involved in implementing an electronic identification scheme for my very small European country. I would very much like to implement something like David Chaum's scheme which Bruce mentioned above, but it will never happen for a couple of resons:

1) It's not the sort of thing governments really worry about,

2) It's much more complex than the systems which simply hand over the data and

3) There are no useful standards for interoperability.

Getting x.509 certificates to interoperate is painful. Getting smart cards to interoperate is incredibly painful.

Interestingly and rather surprisingly, given his previous work, I met David Chaum at relatively small and closed meeting of people involved in e-ID programmes. I'm curious what his take on the proceedings is and, in fact, what he was doing there at all.

David, are you there? :^)

Davi OttenheimerOctober 26, 2005 1:44 PM

@ Logi

Which country? :)

The Register just posted a somewhat related article:

http://www.theregister.co.uk/2005/10/26/...

"The South African government is planning to speed up the introduction of electronic ID cards and passports, according to reports, in an effort to crack down on identity fraud. The switchover is expected to cost the government around R1.5bn (around £127m)."

MithrandirOctober 26, 2005 4:02 PM

"We are not going to get any government backed strong authentication protocol simply because the government will force fiddling with it to allow their own agents to spoof the system."

"Failure modes must be designed in to protect government agents from having their real identities exposed and to enable government agents to impersonate both real and imaginary people."

My assumtion is that since the government is issuing the ID, they will hold the trusted root keys. They can therefore issue fake ID to personel at will.

Impersonation is harder, assuming there is no key escrow. But impersonation is hard anyway: people are hard to fool, and if the issue is domestic, a warrant works better anyway.

There would probably be key escrow, however, so impersonation will simply require cooperation of the appropriate combination of escrow agents according to the chosen secret-splitting schedule.

As I see it, the hardest problem remains reliable, trustworthy biometrics. But if Root id authentication is only used to issue secondary ID (passport, driver's licence, etc.), then this is less of an issue, because it can be done carefully.

LogiOctober 26, 2005 5:09 PM

@Mithrandir

There is nothing stopping the government from issuing new credentials for a particular identity, thus allowing impersonation. Not that we're planning anything of the sort of course...

Roy OwensOctober 26, 2005 7:50 PM

@Mithrandir

Your analysis omits the requirement of being able to run identities 'off the books'. Otherwise the audit trail will leave incriminating evidence of misconduct and crime.

Law enforcement -- municipal, county, state, and federal -- has always run espionage projects off the books. A solid implementation of a reliable authentication protocol would put the kibosh on illicit operations, and so there must be ways designed in to gimmick the system without leaving a trail.

So it's a good bet that whatever the government decides on, the details of parts of it will be kept secret. 'Security through secrecy' -- smell a rat yet?

Dr. Akinwande SamsonNovember 12, 2005 11:28 AM

Dear Client,

How are you and how is everything going on with you, hope all is moving on fine, if so, thanks be to God Almighty.

I'll like to have all this items from you;

Sony Laptop (2) or any Laptops
Sony Projector (2) or any Projectors
Motorola Razor 3 Silver (2)
DVD Player (2)

While knowing the working condition of the items before sending down money to you and when i have your full info, i'll go to Western Union Money Order Transfer and send your money to you, so kindly
get back to me with your full info so that your money can get to you
fast, and about the shipment, don't worry, i'll handle it by myself.

Thanks and i look forward to read from you soonest.

Regards,
Dr. Akinwande.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..