The Home Office said today it remained confident that the national identity card cannot be hacked, or cloned, or that information it contains can be changed or added to.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
The Home Office was responding to reports yesterday that it took a computer expert 12 minutes to hack the card using nothing more than a mobile phone and a laptop.
A Home Office spokesperson said, "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened.
"The identity card includes a number of design and security features that are extremely difficult to replicate. Furthermore, the card readers we will deploy will undertake chip authentication checks that the card produced will not pass.
"We remain confident that the identity card is one of the most secure of its kind, fully meeting rigorous international standards".
The Home Office is using root certificate with a RSA 4096-bit strength key. A root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the root certificate authority (CA).
According to Wikipedia, as of 2008, the largest (known) number factored by a general-purpose factoring algorithm was 663 bits long. Some experts believe that 1024-bit keys may become breakable in the near term, but few see any way that 4096-bit keys could be broken in the foreseeable future.
To protect the chip the Home Office uses public and private key encryption based on a 256-bit elliptic curve. Experts believe it takes longer to break codes encrypted using an elliptic curve than an equivalent length factor-based code such as RSA. This has made public key cryptosystems based on elliptic curves popular since their invention in the mid-1990s.
The data that describes the fingerprint image is also protected by a 256-bit elliptic curve. Before the chip releases this data, the reader must present to the chip a very recently issued digital certificate issued by the card issuer. The certificate guarantees the identity of the owner of the public key used to encrypt the data. The digital certificates are valid from one day to one month, it said.
A spokesman said the Identity and Passport Service had adopted the European Union extended access control protocol (EAC) for second generation biometric documents such as passports. "The protocol is being implemented this year by EU member states for their second generation biometric documents," he said.
The spokesman said that at no stage was the card dependent on SSL (Secure Socket Layer) technology. At the recent Black Hat conference there were several demonstrations of how SSL, the world's most widely-used encryption system, could be hacked.