Last week the Daily Mail published a feature piece in which it claimed that security expert Adam Laurie had managed to hack an ID Card in 12 minutes. The Home Office rubbished the article and claims that no hack has taken place. Which version of events should we believe?
The Mail's somewhat sensationalist article on the ID Cards hack describes how Laurie used a standard smartcard toolkit to clone a Foreign National ID Card (which incidentally isn't an ID card - it's a biometric visa document issued under the UK Borders Act). He then modified the cloned card to change the details of the holder and add another message.
In its rebuttal, the Home Office pointed out that the card is subject to cryptographic controls that prevent modification or cloning, and that the Mail's hack is therefore not valid since the cloned card would be rejected by any reader. In his blog, Robin reflects upon the challenge of reprogramming a card, and a key point is that without valid signatures the card can't be cloned or modified: that is, unless the attacker has copies of the private keys, or has managed to subvert the cryptographic algorithm, the integrity of the card remains absolute. It would, for practical purposes, be impossible to create a modified or cloned National ID Card - far simpler to try to create a false identity during the enrolment process, or subvert an official to tamper with the National Identity Register.
So all's well and good with the ID Card's security then? Not so. The 'hack' highlights a fundamental flaw in the architecture of the National Identity Service: the fact that for any 'high assurance' authentication to take place, the relying party must be able to verify not only the content of the ID Card, but its signatures as well. To do so requires a card reader that has access to the National Identity Register and associated databases so that the validity of the card and its data can be checked. But the Home Office has yet to discuss plans for putting in readers in any environment outside of border and immigration controls and law enforcement - in other words, the only time a high assurance check will be achievable in the near future will be at an immigration desk or a police station. That suits the Home Office's needs, but leaves the bit of plastic worthless for the rest of us, since creating a clone that looks like an ID Card and even scans like an ID Card will be trivially simple. 'Flash and dash' will become commonplace - individuals using fake cards to establish a false identity or false entitlements in the absence of any way to confirm the validity of the card. The only way to avoid that problem will be to build a huge and expensive network of card readers in every location where the card might be needed.
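To make that distinction concrete, here is an added example in Go (not code from the original post or from the Home Office scheme): a constructed, simplified signed card record, a 'flash and dash' reader that can only parse the content, and a reader that holds the issuer's public key and verifies the signature. The card fields, the use of Ed25519 and the function names are assumptions for illustration; the post does not describe the real card's data formats or algorithms.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Card is a constructed, simplified stand-in for the signed record held on an ID card.
type Card struct {
	Holder, Nationality, Expiry string
	Signature                   []byte // issuer's signature over the three fields above
}

// payload is the byte string the issuer signs and a verifying reader re-computes.
func (c Card) payload() []byte {
	b, _ := json.Marshal([]string{c.Holder, c.Nationality, c.Expiry})
	return b
}

// NewIssuer creates the issuer's key pair; only the public half is handed to readers.
func NewIssuer() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error only if the OS entropy source fails
	return pub, priv
}

// Issue signs the card data with the issuer's private key.
func Issue(priv ed25519.PrivateKey, holder, nationality, expiry string) Card {
	c := Card{Holder: holder, Nationality: nationality, Expiry: expiry}
	c.Signature = ed25519.Sign(priv, c.payload())
	return c
}

// FlashAndDashReader has no issuer key, so it can only parse the content.
func FlashAndDashReader(c Card) bool {
	return c.Holder != "" && c.Expiry != "" && len(c.Signature) == ed25519.SignatureSize
}

// VerifyingReader re-computes the payload and checks the signature with the issuer's public key.
func VerifyingReader(pub ed25519.PublicKey, c Card) bool {
	return ed25519.Verify(pub, c.payload(), c.Signature)
}

func main() {
	pub, priv := NewIssuer()
	fake := Issue(priv, "A. Holder", "GBR", "2019-12-31")
	fake.Holder = "B. Impostor" // cloned card with altered details, signature left unchanged
	fmt.Println(FlashAndDashReader(fake), VerifyingReader(pub, fake)) // true false
}
```

The altered clone passes the content-only reader and fails the verifying one; the verifying reader needs nothing more than the issuer's public key, which is the piece of infrastructure the post says has not been rolled out beyond border and law-enforcement desks.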
A better approach would be to make the card itself 'unimportant' in the authentication process: to issue digital certificates that can be embedded in mobile phones and computers so that individuals can assert their identity without having to produce a piece of plastic. This would open up online use of the scheme, and create a secondary market for ID, whereby commercial providers that have verified the individual's ID against the NIR can then issue further digital credentials: for example, underwriting m-commerce transactions using bank certificates to confirm the account-holder's ID and credit status. Furthermore, if certificates complied with relevant open standards then they could be embedded into OpenID, SAML etc. to nurture the growth of a peer-to-peer ID infrastructure that would build trust between individuals, industry and the public sector without the need to issue card readers at all. It worked in Sweden, where very few people actually have a plastic ID card, but most of the population use the associated digital certificates - so why can't it happen here?