ID card cannot be hacked, UK Government claims – encryption secrets revealed
UK national ID card cloned in 12 minutes
The Home Office said today it remained confident that the national identity card cannot be hacked, or cloned, or that information it contains can be changed or added to.
The Home Office was responding to reports yesterday that it took a computer expert 12 minutes to hack the card using nothing more than a mobile phone and a laptop.
A Home Office spokesperson said, “This story is rubbish. We are satisfied the personal data on the chip cannot be changed or modified and there is no evidence this has happened.
“The identity card includes a number of design and security features that are extremely difficult to replicate. Furthermore, the card readers we will deploy will undertake chip authentication checks that the card produced will not pass.
“We remain confident that the identity card is one of the most secure of its kind, fully meeting rigorous international standards”.
The Home Office is using a root certificate with a 4096-bit RSA key. A root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the root certificate authority (CA).
According to Wikipedia, as of 2008, the largest (known) number factored by a general-purpose factoring algorithm was 663 bits long. Some experts believe that 1024-bit keys may become breakable in the near term, but few see any way that 4096-bit keys could be broken in the foreseeable future.
To protect the chip, the Home Office uses public and private key encryption based on a 256-bit elliptic curve. Experts believe it takes longer to break codes encrypted using an elliptic curve than an equivalent-length factoring-based code such as RSA. This has made public key cryptosystems based on elliptic curves popular since their invention in the mid-1990s.
The data that describes the fingerprint image is also protected by a 256-bit elliptic curve. Before the chip releases this data, the reader must present to the chip a very recently issued digital certificate from the card issuer. The certificate guarantees the identity of the owner of the public key used to encrypt the data. The digital certificates are valid from one day to one month, it said.
A spokesman said the Identity and Passport Service had adopted the European Union extended access control protocol (EAC) for second generation biometric documents such as passports. “The protocol is being implemented this year by EU member states for their second generation biometric documents,” he said.
The spokesman said that at no stage was the card dependent on SSL (Secure Sockets Layer) technology. At the recent Black Hat conference there were several demonstrations of how SSL, the world’s most widely used encryption system, could be hacked.
The newspaper hired computer expert Adam Laurie to test the security that protects the information embedded in the chip on the card.
Using a Nokia mobile phone and a laptop computer, Laurie was able to copy, in minutes, the data on a card that is being issued to foreign nationals.
He then created a cloned card, and with help from another technology expert, changed all the data on the new card. This included the physical details of the bearer, name, fingerprints and other information.
He then rewrote data on the card, reversing the bearer’s status from “not entitled to benefits” to “entitled to benefits”.
He then added fresh content that would be visible to any police officer or security official who scanned the card, saying, “I am a terrorist – shoot on sight.”
According to the paper, Home Office officials said the foreign nationals card uses the same technology as the UK citizens card that will be issued from 2012.
Guy Herbert, general secretary of privacy lobby group NO2ID, said it was a mistake to assume that the Home Office cared about the card, or identity theft or citizens’ benefit.
He said the Home Office wanted the central database to record citizens’ personal details in one place for official convenience.
“It is that database which will deliver unprecedented power over our lives to Whitehall and make the Home Office king in Whitehall. The card is an excuse to build the database. If the card is cancelled it already intends to use passports as a secondary excuse,” he said.
Home Office officials said they were working on a response to the story, and would issue a statement later today.