March 29, 2008

Secure ID

Identification card issues have come to my attention lately. The Department of Homeland Security (DHS) is trying to bludgeon states into committing to implementation of Real ID, a yet-to-be-defined system to be implemented sometime in the middle of the next decade, at state expense. State governments in the libertarian mountain West and in the cranky Yankee Northeast have passed legislation rejecting participation in the program. DHS has been scrambling to save face by declaring these rejections to be the equivalent of applying for an extension in committing to the program. Montana Governor Brian Schweitzer dismisses the DHS Sturm und Drang, in particular the threat to declare driver's licenses from non-compliant states invalid for boarding a commercial aircraft, as bureaucratic bluffing. I have a DK diary up about Schweitzer's stand.

At the same time, I received email from someone who wanted to know whether he should participate in a new private sector ID card, called FlyClear. The idea is that you get a secure ID card with embedded biometric information, and that you are pre-cleared when the card is issued. At the airport, a proprietary device transmits your ID to be checked against the current TSA watchlist, confirming that you are not on it. The question from the person sending me the email reminded me that most people don't understand, at all, how a well designed biometrically driven ID system would work.

A good ID card would be unique and universal. It would carry your biometric information, as a template derived from the print or scan rather than a raw image, encoded and encrypted on the card and nowhere else. It should not be stored in a central (or distributed) database. A digital fingerprint or iris scan should never be transmitted anywhere. The whole idea of a biometric identification mechanism is that it is always with you, and never anywhere else.

The way it would work is you'd swipe your card through a reader, and then put your thumb on the reader. If the thumbprint matches the digital thumbprint that is on the card, then a green light goes on ("The person holding this card is the person whose thumbprint is on the card."). If anything further needs to be done, like a lookup of your presence on the TSA watchlist, or a check of your card's available balance, then an opaque unique ID assigned to you, a number that reveals nothing about the print itself, is transmitted to the entity doing the lookup. The key is that the authentication should always be entirely local, between the card, the reader and the physical biometric input.

Storing or transmitting the digitized biometric means a copy of your thumbprint exists. But the whole point of using your thumb is that it doesn't exist anywhere else. Storing or transmitting the digital image creates the possibility that someone else may obtain the digital print, becoming you in the process. Transmission is clearly the greater risk: data in transit crosses networks and intermediaries the cardholder does not control, so it is easier to capture than data held on a card or in a vault. Much more important, though, is that with a transmission system the verifier can no longer be certain that the digital rendition came from the physical, analog thumb rather than from a recording. If you permit a digital image of your thumb to be transmitted, then that transmission can be replayed without your thumb.
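As an added illustration of the local-authentication flow described above and of the replay problem with a transmitting design, here is a small Python model. This is my own code, not anything from the post, from FlyClear or from Real ID. Fingerprints are stood in for by sets of (x, y) minutiae points and matching is a tolerance-based point comparison; the issuer key, card ids, watchlist and scans are all constructed for the demo. The on-card template is integrity-protected with an issuer MAC rather than encrypted, an assumption made to keep the example inside the standard library.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

# Constructed demo key. In the real design this is the issuer's signing key,
# distributed to readers so they can tell a genuine card from a forged one.
ISSUER_KEY = b"demo-issuer-key-not-a-real-secret"

MATCH_TOLERANCE = 1.5   # max distance between an enrolled and a live minutia point
MATCH_THRESHOLD = 0.8   # fraction of enrolled points that must have a live match


@dataclass(frozen=True)
class Card:
    card_id: str     # opaque identifier: the only thing that ever leaves the reader
    template: tuple  # biometric template, stored on the card and nowhere else
    tag: bytes       # issuer MAC over (card_id, template); an edited card fails


def _canonical(card_id: str, template: tuple) -> bytes:
    points = ",".join(f"{x:.3f}:{y:.3f}" for x, y in template)
    return f"{card_id}|{points}".encode()


def issue_card(enrolled: tuple) -> Card:
    card_id = secrets.token_hex(8)
    tag = hmac.new(ISSUER_KEY, _canonical(card_id, enrolled), hashlib.sha256).digest()
    return Card(card_id, enrolled, tag)


def similarity(template: tuple, live: tuple) -> float:
    """Fraction of enrolled points that have a live point within MATCH_TOLERANCE."""
    hits = sum(
        1 for ex, ey in template
        if any(math.dist((ex, ey), (lx, ly)) <= MATCH_TOLERANCE for lx, ly in live)
    )
    return hits / len(template)


def reader_verify(card: Card, live_scan: tuple) -> bool:
    """Everything here happens inside the reader: card integrity, then thumb vs. card."""
    expected = hmac.new(ISSUER_KEY, _canonical(card.card_id, card.template),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, card.tag):
        return False  # forged or tampered card
    return similarity(card.template, live_scan) >= MATCH_THRESHOLD


class LookupService:
    """Stand-in for the watchlist or balance server. It only ever receives card ids."""

    def __init__(self, flagged_ids):
        self.flagged = set(flagged_ids)
        self.received = []  # audit trail of every message the server saw

    def check(self, card_id: str) -> bool:
        self.received.append(card_id)
        return card_id not in self.flagged


def checkpoint(card: Card, live_scan: tuple, service: LookupService) -> str:
    """The good design: local match first, then an id-only lookup."""
    if not reader_verify(card, live_scan):
        return "red: thumb does not match card (nothing sent to server)"
    if not service.check(card.card_id):
        return "red: id is on the list"
    return "green"


class RemoteMatchServer:
    """The anti-pattern: templates live on a server and live scans are sent to it."""

    def __init__(self):
        self.templates = {}

    def enroll(self, card_id: str, template: tuple) -> None:
        self.templates[card_id] = template

    def verify(self, card_id: str, scan: tuple) -> bool:
        return similarity(self.templates[card_id], scan) >= MATCH_THRESHOLD


def replay(server: RemoteMatchServer, card_id: str, captured_scan: tuple) -> bool:
    # An attacker who recorded one transmission resends it. No thumb is involved,
    # and the server has no way to tell the recording from a fresh scan.
    return server.verify(card_id, captured_scan)


# Constructed sample data: one enrolled print, a jittered live scan of the same
# thumb (live scans never reproduce enrolment exactly), and an unrelated print.
ENROLLED = ((10.0, 10.0), (20.0, 15.0), (30.0, 25.0), (12.0, 40.0), (45.0, 5.0))
LIVE_SCAN = tuple((x + 0.4, y - 0.3) for x, y in ENROLLED)
IMPOSTOR_SCAN = ((5.0, 50.0), (50.0, 50.0), (25.0, 0.0), (0.0, 25.0), (40.0, 40.0))

if __name__ == "__main__":
    card = issue_card(ENROLLED)
    service = LookupService(flagged_ids=[])
    print(checkpoint(card, LIVE_SCAN, service), "| server saw:", service.received)
    print(checkpoint(card, IMPOSTOR_SCAN, service))
    remote = RemoteMatchServer()
    remote.enroll(card.card_id, ENROLLED)
    print("replayed recording accepted by remote matcher:", replay(remote, card.card_id, LIVE_SCAN))
```

Running it shows the two properties the post asks for: on a green result the server's audit trail holds the card id and nothing else, and a mismatched thumb is rejected before any message goes out. The remote-match variant accepts a recorded scan as readily as a fresh one, which is the replay weakness of any design that moves the biometric off the card.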

How well do the two ID systems I mentioned above implement these design rules? There's no way to know for sure how the Real ID system will work, because the system isn't designed yet. However, as Schweitzer points out in an NPR interview that's linked in the DK diary above, the reliability of the Real ID will only be as good as the identification documents that are used to obtain it. He notes that half a dozen teenagers in a Kinko's can do a reasonable job of forging the birth certificate that is a primary source document for the planned Real ID. A more important indication of the quality to expect from a Real ID program (if it is ever implemented, which I strongly doubt) is the way the program is proceeding. Good security tools, like encryption methods, are created under a great deal of public scrutiny. Bureaucratic authoritarians do not build systems that way; they prefer to work in secret, which amounts to what is called security by obscurity. Security by obscurity is the design philosophy that led to a Sony CD copy-protection technology that was defeated by drawing on the disc with a magic marker.

There is a host of other reasons to believe that 50 individual state implementations of "standards" set in Washington will fail.

The FlyClear system is actually pretty good. The biometric information is indeed stored on the card. The authentication process at the airport does indeed consist of local authentication against the digital biometric template on the card, followed by the sending of an identification number to a database updated with TSA information. The digital thumbprint is not transmitted, only the ID is. The only problem is that they also store the biometric information in a "secure" database. There is, of course, no such thing, and a biometric that leaks from such a database cannot be revoked and reissued the way a password can. It's possible to conceive of the series of security measures one would have to take to be sure that the information is in fact secure, involving complicated protections against everything from disgruntled employees to off-site backups.

They do it this way because it makes creating the end product easier; they have to do a bunch of pre-processing with the TSA before they issue the card. It's easier to hold the biographical and biometric data in the database and then create the card than to create the card first and then modify it. This also makes it easier to recreate a lost card. (Note that a lost card is of little value to anyone else, and that making a false replacement card request doesn't do a bad guy any good, because the card is only useful to somebody who can present the user's thumbprint to the reader. The caveat is that the reader must actually insist on a live thumb rather than a copy of the print, which is a property of the reader, not of the card.)

I haven't said a word about DNA here. DNA would indeed play a role in a well-defined identification system, but it won't work as a biometric authentication method on an ID card, because, unlike your thumbprint, you leave copies of your DNA everywhere you go. I'll write something up about how you'd work DNA into a national identification system later on. In the meantime, the one-sentence takeaway is "If someone offers you a biometric ID card that does not do its authentication locally, back away slowly."

If you have any further interest in this topic, and you should, because the numbskulls running DHS have no understanding of good security practice, a good source is Bruce Schneier, who wrote the very good book Secrets and Lies and maintains an excellent web site (http://www.schneier.com) where you can sign up for a monthly e-newsletter.