Tuesday, March 09, 2010

More on National ID...

Hypnagogue in comments here:
The problem with biometric ID cards is that they can be forged. Without strong encryption, this is folly. With strong encryption this is tyranny.
The problem is that the .gov acts like there was strong encryption on the Constitution and they don't have the right key to read it.

More on the topic from Anothergunchick.

12 comments:

D.W. Drang said...

"The problem is that the .gov acts like there was strong encryption on the Constitution and they don't have the right key to read it."

Tamara wins!

John A said...

ID cards... During WWII the UK had mandatory ID cards. After the War, it was proposed to keep them (hey, the bureaucracy was already in place) - until it was pointed out that the ONLY crime ever solved by use of the ID-card system was, yes, forgery of the cards.

2yellowdogs said...

Ever notice that those in the guvmint love the idea of mandatory ID cards for work, but HATE the idea of requiring the same when those people show up at their neighborhood polling place? They say it's intimidating and on the same order as a poll tax or literacy test.

I'm sure it has nothing to do with the fact that those ID cards they love so much might actually cut down on election fraud (at least until ACORN gets its printing presses up and running).

reflectoscope said...

Just think, the whole program should only cost two or three trillion.

As for the Constitution, why not have it engraved in fine print on a Louisville Slugger, and literally pound it into their thick skulls? (Too much?)

Jim

D.W. Drang said...

"As for the Constitution, why not have it engraved in fine print on a Louisville Slugger, and literally pound it into their thick skulls?"

Reflectoscope wins!

Er, Tamara and Reflectoscope win.

Good thing I'm not specifying prizes...

Hypnagogue said...

I love the snark, but it's misguided. The constitution makes provision for the definition of citizenship. Verification of citizenship is clearly not facially barred -- it would obviously be required. The devil, in this case, is in the details.

Again, the problem is this: it is trivial to forge digital credentials. It is in fact much, much easier than forging a driver's license or a dollar bill or a bus token. Thus to be effective, any digital biometric ID system must use strong cryptography.

The simplest solution would be a biometric document digitally signed by the government. (Currently, the standard would be 2048-bit DSS.) This has advantages and disadvantages. If they include personal credentials in the document with the biometric data, then anyone can easily prove who they are without interaction with any central database. The disadvantage is that sensitive personal information can't legally be stored together in this fashion anymore -- it's an avenue for identity theft.

One solution, easily defeated, is to encrypt the sensitive personal information. If CSS taught us anything, it is that releasing a shared secret into the wild will always result in the shared secret being disclosed.

Thus, we are left with only one viable implementation: the signed document contains anonymous biometric data, and a unique, opaque identifier. Upon authentication of the biometric data, the verification system must query a central system with the identifier. It would have to authenticate itself as an uncompromised client, and would only be able to query specific data.

For example, the authenticator at a gun store might only be able to ask the question "Is this person barred from owning a firearm?" A border crossing might only be able to ask "Is this person a legal resident?" Since the full credentials are never disclosed to untrusted parties, the risk of identity theft is mitigated. Furthermore, the device authentication exchange allows for central distribution of certificate revocation lists. A device being manipulated or abused can be centrally revoked.

This isn't really speculation. I have years of personal experience with implementing this very sort of system with a large federal agency. This is how (and why) it is done. If you choose to implement digital identification for citizenship verification you end up with centralized tracking of everyone everywhere.

It would be nice to think that it wouldn't become ubiquitous, but just like bad money chases good money out of a market, strong authentication will chase out weak authentication. Use of non-digital credentials will quickly be seen as suspect. As it is, a birth certificate without other proof of citizenship is looked at like a worthless piece of paper. For good reason -- it doesn't describe the person bearing it in any detail except for age.

Timmeehh said...

Hypno.

Nice theory, here is why it won't work.

In Kanada we have a firearms REGISTRY and database. It is supposed to be secure. HW and SW precautions etc.

Some low level government clerk was bribed by criminals to provide them with a shopping list. Many unsolved firearms thefts took place. The REGISTRY that was supposed to prevent crime actually facilitated and even encouraged it.

Same thing would happen with your scheme. Some low level government clerk will get bribed and compromise the security of the system. Then organised crime will have bona-fide fake IDs that can be used to buy guns, obtain passports etc.

This scheme is not about crime prevention or prevention of terrorism, it is about controlling the people! I remember when I was a kid, we used to make fun of the Soviets because of their internal passports. They are required for a police state to function.

Hypnagogue said...

Clue check, table 4: it's not my "scheme".

Jake (formerly Riposte3) said...

This hits the same point I did.

Unless there's a central database that the information is checked against every time the card is read, I predict it will take less than six months for criminals to crack the code on the cards and start making fakes that read with biometrics matching whoever they decide to give the card to. Less than a year to spoof it, if there is a database (unless some .gov idiot leaks the whole bloody database on a 'lost' laptop, sooner).

Borepatch said...

Encryption is more or less irrelevant. It's vanishingly unlikely that the backend database can be secured in any meaningful way.

Even ignoring Timmeehh's scenario (absolutely plausible IMHO), the networks are Swiss cheese and there are just too damn many people who need access to the database. The ONLY way we've had even moderate success is by building two entirely separate networks (one for classified info, one for unclassified).

The problem with this is that the database CAN'T live on the classified network, because everyone who needs to check on an ID is on the unclassified network.

Securely joining the two networks is beyond the ability of the technology (Google "Red Black separation" for a 30+ year history lesson).

Net/net, the contents of the database will not be trustworthy, so you can't count on the result of your highly-secure-cuz-it's-uber-encrypted query.

But yeah, the government loves this sort of thing because it needs bushel baskets of cash and buildings filled with headcount.

Not trying to link whore, but I wrote quite a long post a year ago on this: How to hack a classified network.

Jake (formerly Riposte3) said...

"Encryption is more or less irrelevant."

Exactly, though I'd pick a different reason - how long do you think it will be before some .gov ID10T takes the database (or part of it), or the encryption key and password, out of the office on a laptop or USB drive to work on it at home (legitimately or not) and it gets lost/stolen/sold-to-the-highest-bidder? I mean, this IS the same government that's done that with Social Security databases, Medicare/Medicaid databases, classified CIA files, etc. Do we really expect them to keep something that needs to be as frequently accessed as this secure?

Geodkyt said...

Anything strong enough to be secure is probably too strong to be safe.