Security and privacy: Can the two coexist?
By Dan Arico
web
posted March 18, 2002
There are a lot of proposals flying around these days about National ID cards, biometric databases, the need for more security and the like. Oracle has offered free use of its software to set up such a national system. Smart card manufacturers are prowling the halls of Congress, trying to make whatever product they're pushing the panacea for any perceived security holes.
Meanwhile, privacy advocates are fighting to keep camera lenses out of our daily lives and retain the ability to go about our business without having to walk through scanners at every street corner.
The question no one seems to be asking in all the debate is whether such hi-tech systems will make us more secure or just more controlled. Is it possible to gain some measure of security while still preserving privacy?
Modular vs. Centralized
Most of the proposals being floated call for a centralized system to make it more difficult to forge IDs. The reasoning goes like this: A simple ID card is just as easy to forge as those in current use. Even those employing such things as holograms, special material and UV ink run up against the iron rule that nature keeps no secrets. What one person can devise, another can copy. The answer that is most often proposed is the inclusion of biometric data such as a thumb print or a retinal scan.
This ties the individual to the card, but the question still remains - can such a card be forged? Unfortunately, a standalone card of this type can. A further step is required - the establishment of a centralized database against which these cards can be checked.
There are a number of problems that arise, not the least of which is the potential for invasion of privacy in a system that amounts to an internal passport. There are, in addition, severe technical problems that suggest such a system would result in less, not more, security.
The logistical nightmare involved in setting up the system is formidable. The cards would have to be issued in a secure manner otherwise the integrity of the system would be compromised from day one. Every man, woman and child in the US would have to be positively IDed and issued a card. In addition, that data would have to be accurately entered into the national database. Moreover, this would have to be done from tens of thousands of locations all over the country on a continual basis. There is simply no way to accomplish a task of this magnitude and insure the integrity of the data throughout. Falsified ID cards could be issued through official channels through bribery, extortion or just sloppiness.
Nor is this the only vulnerability. A single database means that there is a single point to be attacked. Continual updating as people die, are born and move will create ample opportunity.
It is an ironclad rule of security that a database is secure in inverse proportion to the number of access points and this one will need hundreds of thousands of access points in order for it to be used. Every location that needs to check an ID card will have to have access in real time.
It is possible that sites with authority to update could be used to falsify data either by direct access or by intercepting the data stream in what is known as a man-in-the-middle attack. Data can be altered between the updating site and the database site.
There is also the problem of access time. Picture what would happen at a busy airport when the data connections are overloaded and it takes five or six minutes per passenger to verify identity. Such databases have a history of slow response time and periodic loss of access.
Opposed to this centralized, single ID model, we have a modular, multiple ID model that offers some significant advantages.
First, multiple IDs offer the ability to cross check IDs and to scale the confidence level that is required. Cashing a check? A single driver's license is sufficient. Access to nuclear materials? Now we go all out.
Secure installations already use such a model. They have local IDs tied to databases that are not accessible from the outside. They are already far more secure than a National ID would make them. Anything from an airport to the local library can institute whatever level of identification is necessary. The question is what is necessary.
A New Security Model
I would like to propose an ID card system that I think would offer both enhanced security and enhanced privacy. This system employs smart card technology and encryption technology to produce an ID card that can be used anonymously and yet provide positive ID.
Smart cards are ID cards that employ computer components to enable an interactive data system on the card. They can store medical information, financial data, pictures or whatever is needed in a computer accessible format.
Encryption can take many forms. This application uses a dual key system similar to PGP. One encryption key is used to encrypt the data and the other is used to decrypt it. Decryption cannot be accomplished by simply reversing the encryption step.
Let's suppose you are running an airline and you want to create a "Trusted Flyer" pass to allow business travelers, the bread and butter of your airline, to pass through security in an expedited manner. First you need to determine that a given traveler is, in fact, who he says he is and that he poses no terrorist risk. This will require multiple documents and something of a background check, but it only needs to be done once and none of the information needs to be stored.
Now a smart card is prepared in a secure facility at the airport. His thumbprint is scanned and stored in an encrypted format on the smart card. Again, the thumbprint does not need to be stored anywhere but on the smart card. More importantly, because a key pair is being used, the stored thumbprint can only be accessed by a computer device using the decryption key matching the key that encrypted it. Only a single encryption machine in a secure location has that particular key.
When the card needs to be used, an ID on the card will indicate which decryption key needs to be used. A decryption device will have all the valid keys stored on it and will use the appropriate key. The card is inserted and the flyer puts his thumb on the scanner. If the digitized image on the card matches the thumbprint, he passes through security. Again, there is no need to store the thumbprint.
The decryption devices do not need to be in secure locations. All the keys on them are public keys and cannot be used to produce a false ID card. The security only needs to be maintained at the encryption point. If an encryption machine is compromised, the corresponding public key is deleted from the database and any travelers using that key will have to get new cards.
Stealing a card will gain nothing. The thumbprint won't match. Forging a card will only work if a matching public key can be inserted into the decryption machine. This can be avoided by constantly updating the decryption machines using the same dual key system with the update being sent to a secure location at the airport. The private key on the encrypted update will identify it as coming from a trusted source. The update can be transferred to some physical medium and then inserted into the decryption machines.
This system will ID travelers as belonging to a trusted group without identifying who they are and without storing information that will allow their movements to be tracked. It can be used for anything from the airline example to building access to provide a high degree of security without a loss of privacy.
There's one other thing that should accompany the implementation of this
plan. There should be legislation passed to provide strong criminal penalties
for anyone, whether private or in government, to use this system to capture
information on any individual using such a card. Without such penalties,
such a system could be modified to a National ID system with a resulting
loss of both security and privacy. 
Dan Arico is a computer programmer and president of Arico Systems.
Other related stories: (Open in a new window)
- Too late to stop national ID
by Roger F. Gay (December 3, 2001)
Roger F. Gay wonders why people are so up in arms over the concept of a national ID card. A central system to track you has already been set up and few people complained at the time
 Printer friendly version |
|