Hong Kong Gets Smart ID Cards
darnellmc writes: "This AP article is about Hong Kong's new smart ID cards (mandatory) with "embedded computer chips that hold names, pictures and birthdates -- as well as a digital template of both thumbprints". The picture in the article shows a man holding them and smiling. The article also mentions "Hong Kong's government backed down on proposals to have the cards carry health and bank records". The Hong Kong government hopes to add optional features like using them as driving licenses and library cards. This government learned nothing from the USA's abuse of the Social Security number; this is much worse. Hoping one card will do it all. These cards are also in the works in other countries like Finland, Malaysia and Japan, where they are to be optional. Thailand is working on a mandatory card."
Hong Kong already HAS mandatory ID cards (Score:5, Informative)
So this change is limited to putting a smart chip in a card people already carry.
Not that it's not dangerous -- there are a whole load of risks associated with people not knowing what information they are giving up whenever they show it (though there are laws about who is allowed to request it), as opposed to a print-only card where it's obvious what you are showing.
indecision
Re:What kind of crack are they on (Score:2, Informative)
Regarding the Hackability of these cards (Score:2, Informative)
Tamperproofing of Chip Card(s) [infowar.com] - abstract: There are two ways of attacking smartcards - destructive reverse engineering of the silicon circuit (including the contents of ROM), and discovering the memory contents by other means; a well equipped laboratory can do both. Persistent amateurs have often managed the latter, and may shortly be able to do the former as well.
Tamper Resistance - a Cautionary Note [cam.ac.uk] - abstract: An increasing number of systems, from pay-TV to electronic purses, rely on the tamper resistance of smartcards and other security processors. We describe a number of attacks on such systems - some old, some new and some that are simply little known outside the chip testing community. We conclude that trusting tamper resistance is problematic; smartcards are broken routinely, and even a device that was described by a government signals agency as `the most secure processor generally available' turns out to be vulnerable. Designers of secure systems should consider the consequences with care.
With any cryptographic system, it all comes down to one concept: time. With enough time and resources, these cards CAN be broken, overwritten, you name it. We have seen ubiquitous evidence [distributed.net] that even the strongest cryptography can be broken in time. HK is planning on using these SmartCards as digital passports. "Smart card holders will speed through Hong Kong immigration, using self-service kiosks that match digital biometric data on the card against the cardholder's fingerprint image read by a scanner."
The scariest part, for me, is that HK is setting a precedent. And it won't take long for other countries to jump on the bandwagon.
Re:ID Card Threat? (Score:0, Informative)
Even with all those things, facial recognition is an imperfect art. Even humans are unable to do so 100% accurately. How many times have you seen someone on the street and thought "Hey, that's Bill, or is it?" only to find out it's not Bill? Oh, and humans are trained from birth to recognize faces. The Smart Card National ID system just makes it easier. Instead of reading a face, you read a signal from the card saying "Hi, I'm Bob Patterson. I'm O+, my fingerprint signature is X41AW8NV...33R47, I live at 123 Park Place, New Orleans, LA 41127."
Lots easier than reading a face and figuring out who it matches.
Already in use, actually (Score:2, Informative)
Anyway, more information can be found on the Population Register Centre's electronic ID card pages:
http://www.fineid.fi/default.asp?todo=set
Re:ID Card Threat? (Score:4, Informative)
This is a nonsequitur/slippery slope fallacy. The US government already has reasonably easy access to pictures of most of its citizens, but hasn't performed the abuses you described. Just because a government theoretically can do a thing doesn't mean that it does.
> Fingerprints. The government doesn't have my fingerprints and I hope never will. Imagine you were at the scene of a crime, if the state already has your fingerprints they can match anyone who was there against their database, not just against known criminals.
If fingerprints were put in such a card, I'd want some safeguards put in place so that identities would be protected during police proceedings such as you mentioned. Still, the technology side isn't necessarily evil -- why is it so wrong if your fingerprint identifies you as being at the scene of a crime? An eye-witness could do that as well. Maybe we should eliminate eye-witnesses as a matter of course to protect privacy?
> Genetic finger print. Think of Gattaca and the eye lash being found by the police. Immediate identification with very small probability of error. Now tie this in to: Banking - going for a loan? Any genetic defects and they'll increase the interest rate you're paying and demand cover in case you die before it's repaid.
What if that genetic defect showed guaranteed sociopathic behavior that made it a 99.9% certainty that the loan would not be repaid? Why should a bank pay someone they know is a bad risk? They evaluate income, past repayment of loans, age, and other factors. Why not go to something closer to the source?
Btw: It should always raise a red flag in any discussion when someone starts citing a movie plot as a likely outcome of real life events.
> Insurance - any genetic abnormalities and then try getting insurance. Even worse if diseases such as HIV/AIDs were included in your information.
Why should I, as a healthy non-AIDS getter, be punished for living a healthy lifestyle? Smokers often have to pay higher insurance premiums because they're a greater risk. Why is AIDS any different?
As to the genetic identification, I have high hopes that by the time that we get sophisticated to easily sequence everyone's DNA, we'll also have good methods for fixing problems in our DNA.
> Finally, the worst part: identity theft. Government ID card is supposed to prove beyond all reasonable doubt that you are who you say you are. If you have a card with your photo on it, with your fingerprints and genetic fingerprint all matching then obviously you must be the person named on it with access to all your bank accounts, property deeds etc.
But right now, things are worse. Those bozos at my bank give people access to my bank accounts if they can recite my social security number and mother's maiden name! It's all about raising the bar, and putting my secret information encrypted with my PIN on a hard-to-compromise smart card would be a step in the right direction.
Re:Hong Kong already HAS mandatory ID cards (Score:4, Informative)
The reason smart cards can be good for privacy is that they allow data to be kept out of central databases. If you must use your fingerprint to authenticate yourself, it's much less intrusive if, at least, the government has no record of your fingerprint other than the one you carry in your pocket. The card can be designed such that it performs all of the fingerprint validation and never under any circumstances reveals the template (of course, the reader that scans your finger could store it in addition to giving it to the card, so privacy needs to be a goal throughout the process). Further, smart card systems can be (and all of mine are, by default) designed so that while you store a wide variety of different kinds of information on one card, the data are still separated and one agency does not have the ability to read data written by another agency. Even if your driver's license, medical record, credit card and passport are all on one card, that doesn't mean that the police and immigration officials can read your medical history or that the doctor can see how many tickets you've received or how much money you have.
The technological protections that can be put in place are quite strong, whereas any semblance of privacy in a central database system is (must) be provided by policy, which is entirely too easy to change, or for an unscrupulous individual to simply ignore.
I don't know whether or not the Hong Kong system has put these protections in effect. I worked a little bit with them (Hong Kong) as part of IBM's (failed) bid to be their technology supplier for this system, and IIRC, there was some concern among the different departments in the government that the other departments should not have access to their information. I think that if IBM had won, we would have implemented appropriate firewalls between the data elements, but I have no idea what the winner has chosen to do or what direction they've been given by the Hong Kong Immigration department (which is the entity issuing the cards -- I suspect they're mainly trying to combat forgery of IDs by people from the PRC who want to work in HK).
BTW, I don't speak for IBM and they don't speak for me, etc., etc., #include <disclaimer>.
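The card design sketched in the post above (separate compartments that only the issuing agency can read, and fingerprint matching done on the card so the template never leaves it) can be modelled in a few dozen lines. This is an added example written for this page, not code from the poster, IBM or the Hong Kong scheme; the agency keys, compartment names, the bit-similarity "matcher" and the retry limit are all assumptions chosen to illustrate the idea.

```python
"""Toy model of a multi-application ID card: per-compartment access keys
and match-on-card fingerprint verification.  Constructed example; keys,
file names and the similarity metric are assumptions."""
import hashlib
import hmac
import os


class AccessDenied(Exception):
    pass


def similarity(a, b):
    """Fraction of matching bits between two equal-length 'templates'.
    Real minutiae matching is far more involved; this stands in for it."""
    assert len(a) == len(b)
    same = sum(8 - bin(x ^ y).count("1") for x, y in zip(a, b))
    return same / (8 * len(a))


class IDCard:
    MAX_FAILED_MATCHES = 3      # block the card after repeated bad fingers
    MATCH_THRESHOLD = 0.9

    def __init__(self, compartments, template):
        # compartments: {name: (agency_key, data)}; each has its own key
        self._files = compartments
        self._template = template   # stored on-card only; no getter exists
        self._open = set()          # compartments unlocked this session
        self._challenge = None
        self._failed = 0

    def get_challenge(self):
        self._challenge = os.urandom(16)
        return self._challenge

    def external_authenticate(self, name, response):
        """Reader proves it holds the key for compartment `name` by MACing
        the last challenge; the comparison is constant-time."""
        if self._challenge is None or name not in self._files:
            return False
        key, _ = self._files[name]
        expected = hmac.new(key, self._challenge, hashlib.sha256).digest()
        self._challenge = None                   # one challenge, one try
        if hmac.compare_digest(expected, response):
            self._open.add(name)
            return True
        return False

    def read_binary(self, name):
        if name not in self._open:
            raise AccessDenied(name)
        return self._files[name][1]

    def verify_fingerprint(self, probe):
        """Match-on-card: only a yes/no crosses the interface, never the
        template (the reader still saw the live scan, so it must be
        trusted not to keep it)."""
        if self.is_blocked():
            raise AccessDenied("card blocked")
        if similarity(self._template, probe) >= self.MATCH_THRESHOLD:
            self._failed = 0
            return True
        self._failed += 1
        return False

    def is_blocked(self):
        return self._failed >= self.MAX_FAILED_MATCHES

    def power_off(self):
        self._open.clear()
        self._challenge = None


# Constructed card: hypothetical agency keys and data.
LICENCE_KEY = b"transport-dept-key"
MEDICAL_KEY = b"health-dept-key"
TEMPLATE = bytes(range(32))


def make_card():
    return IDCard(
        {"licence": (LICENCE_KEY, b"class A; expires 2005"),
         "medical": (MEDICAL_KEY, b"blood O+")},
        TEMPLATE,
    )


def reader_unlock(card, name, agency_key):
    """What an agency terminal does: answer the card's challenge with its key."""
    ch = card.get_challenge()
    return card.external_authenticate(name, hmac.new(agency_key, ch, hashlib.sha256).digest())


def police_check(card):
    """Police hold the licence key only: licence readable, medical not."""
    reader_unlock(card, "licence", LICENCE_KEY)
    licence = card.read_binary("licence")
    try:
        card.read_binary("medical")
        medical_leaked = True
    except AccessDenied:
        medical_leaked = False
    return licence, medical_leaked


if __name__ == "__main__":
    c = make_card()
    print(police_check(c))                  # (b'class A; expires 2005', False)
    print(c.verify_fingerprint(TEMPLATE))   # live scan matches -> True
    print(c.verify_fingerprint(bytes(32)))  # someone else's finger -> False
```

The point the post makes about the reader is visible in `verify_fingerprint`: the card decides, but the terminal that captured the live scan already has the image, so the "never reveals the template" property only holds if the reader is also trusted or the scan is not retained.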
Re:What kind of crack are they on (Score:3, Informative)
I don't know if this has actually been done in the Cyberworks solution for HK, but it's not rocket science and it's standard practice in the smart card industry.
Here's a suggestion: If you're clueless, don't post.
Please mod the parent as WRONG (Score:4, Informative)
Have you ever worked with smart cards? Do you know what a smart card reader is? It is simply an interface between the smart card and another system. It has no, I repeat NO intelligence. There is NOTHING TO CRACK in the reader.
What do you mean by reverse engineering a chip? In a properly designed smart card system the bad guys can get ahold of all the cards (initialized or uninitialized) they want and they will not be able to "compromise the whole system".
Even if you somehow managed to extract the keys from one card, that is all you would have: one card. You would have to go through the process again for another card. BTW, extracting the keys from a single card is estimated to cost $300,000 or more. It is not something that can be mass-produced.
A remote reader is only useful for contactless cards and only in certain situations.
I work with smart cards every day. I work for one of the teams that bid on this project. Not the winning team :( . I am only flaming the parent post because it is spreading lies and for some reason has been modded up.
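The property claimed above (keys pulled out of one card are good for that card only) and the precaution the later post declines to describe are normally achieved by key diversification: the issuer keeps a master key and each card gets a key derived from the master and the card's unique ID. This is an added illustration, not the poster's code or the HK scheme; the KDF, the identifiers and the toy challenge-response protocol are assumptions (real schemes typically use AES or 3DES based MACs over the UID).

```python
"""Per-card key diversification: each card holds only its own derived key,
so extracting it does not help against any other card.  Constructed
example; master key, UIDs and the KDF are assumptions."""
import hashlib
import hmac
import os


def diversify(master_key, card_uid):
    """Card key = KDF(master, UID). HMAC-SHA256 stands in for the CMAC-style
    derivation real schemes use. One-way: a card key reveals nothing about
    the master or about other cards' keys."""
    return hmac.new(master_key, b"card-auth/" + card_uid, hashlib.sha256).digest()


class Card:
    def __init__(self, uid, card_key):
        self.uid = uid
        self._key = card_key           # the only secret this card ever holds

    def respond(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Terminal:
    """Holds the master key (in practice inside a SAM or HSM, not in the
    dumb reader) and re-derives each card's key at transaction time."""
    def __init__(self, master_key):
        self._master = master_key

    def authenticate(self, card):
        challenge = os.urandom(16)
        expected = hmac.new(diversify(self._master, card.uid),
                            challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, card.respond(challenge))


MASTER = b"issuer-master-key (hypothetical)"


def issue(uid):
    return Card(uid, diversify(MASTER, uid))


def clone_attack(stolen_card, target_uid):
    """Attacker extracted the key from `stolen_card` and programs a blank
    with `target_uid` but the stolen key. Does the terminal accept it?"""
    fake = Card(target_uid, stolen_card._key)
    return Terminal(MASTER).authenticate(fake)


if __name__ == "__main__":
    t = Terminal(MASTER)
    alice, bob = issue(b"UID-0001"), issue(b"UID-0002")
    print(t.authenticate(alice), t.authenticate(bob))  # genuine cards: True True
    print(clone_attack(alice, bob.uid))                # stolen key, other UID: False
    print(clone_attack(alice, alice.uid))              # exact clone of alice: True
```

The last line shows the residual risk: a $300,000 extraction still yields a working clone of that one card, which is why issuers also keep a hot-list of revoked card IDs at the terminal.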
Power Analysis is Dead (at the moment) (Score:4, Informative)
> Techniques specific to cracking a smartcard have undone this work. If one knows the encryption algorithm used by the card and the hardware used to implement it, then because the card reader provides the card with power to do its computations, the power-demand-vs-time information gained by the reader can be used to reconstruct the key stored in the card.
All modern smart cards defeat simple power analysis and most of them defeat differential power analysis and a variety of other side-channel attacks as well.
How? It's not that hard.
Defeating simple power analysis (watching the power consumption for one run through the encryption) is easy, and cards fixed this problem quickly -- just install a capacitor that buffers the power consumption. In theory, enough buffering can completely smooth the power consumption curve and defeat all power analysis, but as Paul Kocher (inventor of power analysis) found, in practice if you run the card through enough cycles and apply some math to the results you can still extract the information. This is differential power analysis.
There are a wide variety of mechanisms for defeating DPA. Some focus on protocol design, ensuring that the same data is never encrypted twice, or limiting the number of times that a particular key is used, by doing most work with session keys established during an authentication protocol, counting the number of failed authentications and refusing to operate after a small number of them. This does enable a DOS attack, but that's less damaging to the system as a whole. Other approaches focus on the cryptographic algorithms, exploiting nuances of their structure. For example, some IBM researchers discovered that they could inject randomness into DES calculations, XORing random numbers with the values in the computations at certain points and then XORing again to remove the effects. The result is randomized power consumption, without compromising the consistency of the results. A 3DES engine built with randomized DES is immune to DPA. The current direction in anti-DPA technology is less technologically sophisticated but just as effective: a hardware encryption engine. Because a hardware 3DES or AES engine performs its computations in such a tiny amount of time, and at such tiny power consumption, a very small capacitor can completely buffer the operation.
Many other side channel attacks have been defeated as well, mostly by shielding the chips with heat and power-conductive sheaths.
It's interesting to note that public key cryptography in smart cards *is* still vulnerable to power analysis, in most cases even to simple power analysis. PK cards use a hardware coprocessor, but the process still takes time, and that makes SPA/DPA possible.
Cards are not 100% secure, but nothing is. Current best estimates are that a modern card that incorporates all of the current security features would cost approximately $300,000 to break. All good designers of smart card systems understand that, and take various precautions (which I won't go into here) to ensure that the compromise of one card does not compromise the entire system.
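The DPA mechanism and the XOR-randomisation countermeasure described in the post above can be reproduced in simulation. The example below is added for this page and is not the poster's or any vendor's code: it models the "power trace" as the Hamming weight of one DES S-box output register plus Gaussian noise (a standard leakage model, but an assumption here), runs a correlation attack over all 64 guesses for the 6 key bits feeding that S-box, and repeats it against a masked S-box where fresh random masks are XORed in before the lookup and XORed out of the result, exactly the trick attributed to the IBM researchers.

```python
"""Toy correlation power analysis (CPA) against one DES S-box, with and
without boolean masking.  Constructed example: the 'traces' are a
simulated Hamming-weight leakage plus noise, not measurements."""
import random

# DES S-box 1 (the standard table, 4 rows x 16 columns).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def sbox(x):
    """DES S1: 6-bit in, 4-bit out. Outer bits select the row, inner four the column."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def hw(v):
    return bin(v).count("1")


def simulate_traces(key, n, masked, rng, noise=0.5):
    """Return (inputs, leakages). Leakage = HW of the S-box output register
    plus noise. With masking the card draws fresh masks per run and uses a
    recomputed table T[i] = S(i ^ m_in) ^ m_out, so the register holds
    S(x ^ key) ^ m_out: the same result, hidden under a random mask."""
    xs, ys = [], []
    for _ in range(n):
        x = rng.randrange(64)
        if masked:
            m_in, m_out = rng.randrange(64), rng.randrange(16)
            table = [sbox(i ^ m_in) ^ m_out for i in range(64)]
            reg = table[(x ^ key) ^ m_in]          # == sbox(x ^ key) ^ m_out
        else:
            reg = sbox(x ^ key)
        xs.append(x)
        ys.append(hw(reg) + rng.gauss(0, noise))
    return xs, ys


def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    va = sum((p - ma) ** 2 for p in a)
    vb = sum((q - mb) ** 2 for q in b)
    return cov / ((va * vb) ** 0.5) if va and vb else 0.0


def cpa(xs, ys):
    """For every 6-bit key guess predict HW(S(x ^ k)) and correlate it with
    the observed leakage. Returns (best_guess, |correlation|)."""
    best = (None, -1.0)
    for k in range(64):
        pred = [hw(sbox(x ^ k)) for x in xs]
        c = abs(pearson(pred, ys))
        if c > best[1]:
            best = (k, c)
    return best


def demo(key=0b101101, n=2000, seed=1):
    """Attack the same key twice: unmasked (recovered) and masked (not)."""
    rng = random.Random(seed)
    plain = cpa(*simulate_traces(key, n, False, rng))
    masked = cpa(*simulate_traces(key, n, True, rng))
    return {"true_key": key, "unmasked": plain, "masked": masked}


if __name__ == "__main__":
    r = demo()
    print("true key  :", bin(r["true_key"]))
    print("unmasked  : guess %s, corr %.2f" % (bin(r["unmasked"][0]), r["unmasked"][1]))
    print("masked    : guess %s, corr %.2f" % (bin(r["masked"][0]), r["masked"][1]))
```

Unmasked, the correct guess stands out with a correlation near 0.9 because the leakage really is HW(S(x ^ key)) up to noise; masked, every guess sits in the noise floor because the register value is XORed with a mask the attacker never sees. This is first-order masking only: a second-order attack that combines the leakage of the masked value with the leakage of the mask (or of the table recomputation) can still work, which is part of why the post describes it as a defence against DPA "at the moment".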