
The Home Office said today it remained confident that
the national identity card cannot be hacked or cloned, and that the
information it contains cannot be changed or added to.
The Home Office was responding to
reports yesterday that it took a computer expert 12 minutes to
hack the card using nothing more than a mobile phone and a
laptop.
A Home Office spokesperson said, "This story is rubbish. We are
satisfied the personal data on the chip cannot be changed or
modified and there is no evidence this has happened.
"The identity card includes a number of design and security
features that are extremely difficult to replicate. Furthermore,
the card readers we will deploy will undertake chip authentication
checks that the card produced will not pass.
"We remain confident that the identity card is one of the most
secure of its kind, fully meeting rigorous international
standards".
The Home Office said that it is using RSA encryption
technologies to protect the sensitive data on the card and elliptic
curve encryption to prevent the card from being cloned.
The Home Office is using a root certificate with a 4096-bit RSA
key. A root certificate is either an unsigned public key
certificate or a self-signed certificate that identifies the root
certificate authority (CA).
According to Wikipedia, as of 2008, the largest (known) number
factored by a general-purpose factoring algorithm was 663 bits
long. Some experts believe that 1024-bit keys may become breakable
in the near term, but few see any way that 4096-bit keys could be
broken in the foreseeable future.

To protect the chip the Home Office uses public and private key
encryption based on a 256-bit elliptic curve. Experts believe it
takes longer to break codes encrypted using an elliptic curve than
an equivalent length factor-based code such as RSA. This has made
public key cryptosystems based on elliptic curves popular since
their invention in the mid-1990s.
The data that describes the fingerprint image is also protected
by a 256-bit elliptic curve. Before the chip releases this data,
the reader must present to the chip a very recently issued digital
certificate issued by the card issuer. The certificate
guarantees the identity of the owner of the public key used to
encrypt the data. The digital certificates are valid from one day
to one month, it said.
A spokesman said the Identity and Passport Service had adopted
the European Union extended access control protocol (EAC) for
second generation
biometric documents such as passports. "The protocol is being
implemented this year by EU member states for their second
generation biometric documents," he said.
The spokesman said that at no stage was the card dependent on
SSL (Secure Sockets Layer) technology. At the recent Black Hat
conference there were several demonstrations of how SSL, the
world's most widely-used encryption system, could be hacked.
