UK national ID card cloned in 12 minutes
21 views
Skip to first unread message
fcorneli
Aug 7, 2009, 8:35:43 AM8/7/09
to eID Applet
Hi,
Some interesting article just popped up at:
http://www.computerweekly.com/Articles/2009/08/06/237215/uk-national-id-card-cloned-in-12-minutes.htm
Here they seem to be able to clone a UK eID card issued to foreign
nationals.
As far as the Belgian eID card is concerned, cloning is not possible
as the private keys are generated on the eID card itself during the
personalisation phase of the eID card. The smart card chip is
constructed in such a way that the private keys cannot be retrieved.
So in theory you can clone a Belgian eID card, except for the private
keys. However one has to keep in mind that cloning is actually not
about the ability of creating an exact copy of an eID card, but more
about constructing an as-correct-as-required perception of a real eID
card. Think about it. If the verifying party does not challenge the
eID card actively via some private key usage, you will never be able
to distinguish a so-called cloned eID card from a genuine eID card.
And this is indeed an area where most eID applications, that use eID
for identification purposes only, fail these days.
The eID Applet identification operation foresees in a so-called
authenticated eID identification. Here the "entity authenticated"
National Registration Number is verified against the National
Registration Number as found in the "integrity authenticated" eID
identity file. A mismatch indicates a copied eID card. Depending on
the required security level, we advise you to enable this type of eID
identification.
One big disadvantage of authenticated eID identification is that the
user is required to enter his PIN during entity authentication. This
is some overkill; what we actually want is card-authenticated eID
identification, not entity authenticated eID identification. It would
be some cool if future eID cards would come with a public certificate
for the card private key. That way software could challenge the card
directly when a card-authenticated eID identification is required. To
preserve eID card compatibility and to prevent to run into all kind of
web browser trouble, it would make sense if this card certificate is
not visible via PKCS#15. As for today the National Registry holds all
the public keys corresponding to the private card keys for
administrative card operations.
Let me go some more into detail about how IMHO the future eID card
should be changed. First of all we have the internationalisation
issues of the current eID identity files. This is really funny from a
developer's point of view. So what software does for example is
reading out the internationalised date of birth, then convert it to
some generic date format, and finally (depending on the application
settings) visualize some internationalized version of this generic
date. So a clean-up of the layout of the eID identity and address
files would be welcome. Next we have the required PIN authorization
for an address change. This is causing a lot of blocked eID cards when
people move homes. This PIN authorization for changing the address
file should be dropped. It doesn't bring us anything. From a
cryptographic point-of-view we have the obvious things like the RSA
1024 bit key size and support for the RSA-PSS signature scheme. And
then of course we still have features like fingerprints, face
recognition and such... definitely an interesting area in the years to
come.
Kind Regards,
Frank.
Some interesting article just popped up at:
http://www.computerweekly.com/Articles/2009/08/06/237215/uk-national-id-card-cloned-in-12-minutes.htm
Here they seem to be able to clone a UK eID card issued to foreign
nationals.
As far as the Belgian eID card is concerned, cloning is not possible
as the private keys are generated on the eID card itself during the
personalisation phase of the eID card. The smart card chip is
constructed in such a way that the private keys cannot be retrieved.
So in theory you can clone a Belgian eID card, except for the private
keys. However one has to keep in mind that cloning is actually not
about the ability of creating an exact copy of an eID card, but more
about constructing an as-correct-as-required perception of a real eID
card. Think about it. If the verifying party does not challenge the
eID card actively via some private key usage, you will never be able
to distinguish a so-called cloned eID card from a genuine eID card.
And this is indeed an area where most eID applications, that use eID
for identification purposes only, fail these days.
The eID Applet identification operation foresees in a so-called
authenticated eID identification. Here the "entity authenticated"
National Registration Number is verified against the National
Registration Number as found in the "integrity authenticated" eID
identity file. A mismatch indicates a copied eID card. Depending on
the required security level, we advise you to enable this type of eID
identification.
One big disadvantage of authenticated eID identification is that the
user is required to enter his PIN during entity authentication. This
is some overkill; what we actually want is card-authenticated eID
identification, not entity authenticated eID identification. It would
be some cool if future eID cards would come with a public certificate
for the card private key. That way software could challenge the card
directly when a card-authenticated eID identification is required. To
preserve eID card compatibility and to prevent to run into all kind of
web browser trouble, it would make sense if this card certificate is
not visible via PKCS#15. As for today the National Registry holds all
the public keys corresponding to the private card keys for
administrative card operations.
Let me go some more into detail about how IMHO the future eID card
should be changed. First of all we have the internationalisation
issues of the current eID identity files. This is really funny from a
developer's point of view. So what software does for example is
reading out the internationalised date of birth, then convert it to
some generic date format, and finally (depending on the application
settings) visualize some internationalized version of this generic
date. So a clean-up of the layout of the eID identity and address
files would be welcome. Next we have the required PIN authorization
for an address change. This is causing a lot of blocked eID cards when
people move homes. This PIN authorization for changing the address
file should be dropped. It doesn't bring us anything. From a
cryptographic point-of-view we have the obvious things like the RSA
1024 bit key size and support for the RSA-PSS signature scheme. And
then of course we still have features like fingerprints, face
recognition and such... definitely an interesting area in the years to
come.
Kind Regards,
Frank.
Reply all
Reply to author
Forward
0 new messages