ID card cannot be hacked, UK Government claims - encryption secrets revealed

The Home Office said today it remained confident that the national identity card cannot be hacked, or cloned, or that information it contains can be changed or added to.

The Home Office was responding to reports yesterday that it took a computer expert 12 minutes to hack the card using nothing more than a mobile phone and a laptop.

A Home Office spokesperson said, "This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened.

"The identity card includes a number of design and security features that are extremely difficult to replicate. Furthermore, the card readers we will deploy will undertake chip authentication checks that the card produced will not pass.

"We remain confident that the identity card is one of the most secure of its kind, fully meeting rigorous international standards".

The Home Office said that it is using RSA encryption technologies to protect the sensitive data on the card and elliptic curve encryption to prevent the card from being cloned.

The Home Office is using a root certificate with a 4096-bit RSA key. A root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the root certificate authority (CA).

According to Wikipedia, as of 2008, the largest (known) number factored by a general-purpose factoring algorithm was 663 bits long. Some experts believe that 1024-bit keys may become breakable in the near term, but few see any way that 4096-bit keys could be broken in the foreseeable future.

To protect the chip the Home Office uses public and private key encryption based on a 256-bit elliptic curve. Experts believe it takes longer to break codes encrypted using an elliptic curve than an equivalent length factor-based code such as RSA. This has made public key cryptosystems based on elliptic curves popular since their invention in the mid-1990s.
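To put the key sizes quoted above on one scale, the following added example (not part of the original article or of any Home Office material) estimates attack cost in bits for 663-, 1024- and 4096-bit RSA moduli and for a 256-bit curve. It assumes the heuristic general number field sieve running time with its o(1) term dropped, and a generic square-root attack on the curve, so the figures are rough comparisons only; all function names are illustrative.

```python
import math

# Constant in the heuristic GNFS running time L_n[1/3, (64/9)^(1/3)].
GNFS_C = (64 / 9) ** (1 / 3)


def rsa_strength_bits(modulus_bits: int) -> float:
    """Approximate log2 of the GNFS work to factor a modulus of this size.

    Assumption: the o(1) term of the asymptotic formula is dropped, so this
    is a rough comparison figure, not a precise cost.
    """
    ln_n = modulus_bits * math.log(2)
    work_ln = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return work_ln / math.log(2)


def ec_strength_bits(curve_bits: int) -> float:
    """Generic square-root attacks (Pollard rho) on a well-chosen curve
    cost about 2^(bits/2) group operations."""
    return curve_bits / 2


def rsa_bits_matching(target_bits: float) -> int:
    """Smallest RSA modulus size whose estimate reaches target_bits."""
    lo, hi = 256, 65536
    while lo < hi:  # binary search; the estimate grows with modulus size
        mid = (lo + hi) // 2
        if rsa_strength_bits(mid) >= target_bits:
            hi = mid
        else:
            lo = mid + 1
    return lo


def compare() -> dict:
    """Estimated strength, in bits, for the key sizes named in the article."""
    sizes = {f"RSA-{b}": rsa_strength_bits(b) for b in (663, 1024, 4096)}
    sizes["EC-256"] = ec_strength_bits(256)
    return {name: round(bits, 1) for name, bits in sizes.items()}


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:9s} ~2^{bits} operations")
    match = rsa_bits_matching(ec_strength_bits(256))
    print(f"RSA modulus matching a 256-bit curve: about {match} bits")
```

On these estimates the 256-bit curve sits well above 1024-bit RSA and somewhat below the 4096-bit root key.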

The data that describes the fingerprint image is also protected by a 256-bit elliptic curve. Before the chip releases this data, the reader must present to the chip a very recently issued digital certificate issued by the card issuer. The certificate guarantees the identity of the owner of the public key used to encrypt the data. The digital certificates are valid from one day to one month, it said.

A spokesman said the Identity and Passport Service had adopted the European Union extended access control protocol (EAC) for second generation biometric documents such as passports. "The protocol is being implemented this year by EU member states for their second generation biometric documents," he said.

The spokesman said that at no stage was the card dependent on SSL (Secure Sockets Layer) technology. At the recent Black Hat conference there were several demonstrations of how SSL, the world's most widely-used encryption system, could be hacked.