Re: National Identity Card

From: S Moonesamy <sm+mu_at_elandsys.com>
Date: Tue, 22 Sep 2015 12:54:41 -0700

Dear Dr Naicken,
At 08:43 22-09-2015, Stephen Naicken wrote:
>One of the disadvantages of an offline reader is the assumption of
>implicit trustworthiness. If a device is no longer considered
>trustworthy, for example, it is stolen, then there is no means for its
>permissions to be revoked and it can continue to decrypt card data.

Yes.

>Assuming that the intention has always been to use offline readers,
>this raises an important question as to why fingerprint templates were
>stored in a database. If the reader is offline then it cannot use the
>database in the matching process. Typically such a system would
>operate by either: submitting the fingerprint minutiae from a
>fingerprint scan to the server that performs the matching; or the
>relevant template being pulled by the reader so that match-on-reader
>or match-on-card can be executed. Hopefully there will be some
>clarification on this.

In 1998, the solution to the problems was to have a system based on a
Central Population Database. There were very few people outside
Mauritius talking about privacy in those days. Nowadays, we can do
things which were not possible in the past as the technology is
available. The usage of fingerprints for "identification" depends on
the culture of the country, i.e. in some countries people would
oppose it while in other countries people might accept it.

In "match-on-card" the data is sent from the fingerprint scanner to
the card. It reduces some security (and other) issues. However,
requiring a fingerprint match raises the question about the practical
uses of the National Identity Card. For example, should it be
required for senior citizens when they travel by bus?

>Having one decryption key is a weakness, so I would hope (and expect)
>that the system operates using a form of key derivation [1] to derive
>a unique key for each card. Each and every SAM would contain the same
>master key. At a high-level, this could work as follows: the smart
>card presents its identity to the reader, this could be a public-key
>or the NIC number or some combination of unique identity data; the
>SAM implements a function, such as a cryptographic hash function [2]
>using the master key and the smart card identity; the result of the
>function is a key unique to that card to decrypt its data. This
>eliminates the need to update the reader.

The decryption key is not really one; it is a public key [1]. There
is a need to update the reader at some point as a public key is not used forever.

>This approach increases the complexity of an attack. Knowing a given
>smart card's key will compromise neither the master key, nor any other
>smart card. Additionally, if the master key is leaked, as long as the
>key derivation algorithm is unknown, an attacker can not derive the
>key for a given individual's identity card.

Having a key derivation algorithm which is unknown sounds like
security by obscurity. In practice, a person would not be able to
derive the key even if he/she knows the algorithm.

Regards,
S. Moonesamy

1. http://www.elandsys.com/~sm/mu-mnis-ca.html
Received on Tue Sep 22 2015 - 19:55:15 PST
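
The per-card key derivation discussed in this message, as an added example that is not part of the original e-mail or of the card system itself. It assumes HMAC-SHA256 as the public derivation function with only the master key kept secret; the master key, card identities and records are constructed, and a MAC tag stands in for encryption of the card data.

```python
import hashlib
import hmac

# Constructed values for illustration only.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
CARD_A = "CARD-0001"  # stands in for the card's unique identity data
CARD_B = "CARD-0002"


def derive_card_key(master_key: bytes, card_id: str) -> bytes:
    """Key unique to one card: HMAC-SHA256(master key, label || card identity)."""
    if len(master_key) < 16:
        raise ValueError("master key too short")
    if not card_id:
        raise ValueError("card identity must not be empty")
    label = b"card-data-key\x00"  # separates this use of the master key from others
    return hmac.new(master_key, label + card_id.encode("utf-8"), hashlib.sha256).digest()


def tag_record(card_key: bytes, record: bytes) -> bytes:
    """Protect a record under one card's key (MAC used in place of encryption)."""
    return hmac.new(card_key, record, hashlib.sha256).digest()


def personalise(master_key: bytes, card_id: str, record: bytes) -> bytes:
    """Issuer side: derive the card's key and protect its record with it."""
    return tag_record(derive_card_key(master_key, card_id), record)


def reader_accepts(master_key: bytes, presented_id: str, record: bytes, tag: bytes) -> bool:
    """Reader (SAM) side: re-derive the key from the presented identity, then check."""
    expected = tag_record(derive_card_key(master_key, presented_id), record)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    rec_a, rec_b = b"record for card A", b"record for card B"
    tag_a = personalise(MASTER_KEY, CARD_A, rec_a)
    tag_b = personalise(MASTER_KEY, CARD_B, rec_b)
    # The reader needs no per-card update: it derives the key on demand.
    print("card A accepted:", reader_accepts(MASTER_KEY, CARD_A, rec_a, tag_a))
    # A record presented under the wrong identity fails the check.
    print("A's record as card B:", reader_accepts(MASTER_KEY, CARD_B, rec_a, tag_a))
    # Holding card A's key alone does not reproduce card B's protection.
    key_a = derive_card_key(MASTER_KEY, CARD_A)
    print("A's key works on B:", hmac.compare_digest(tag_record(key_a, rec_b), tag_b))
```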
