
Dematerialised ID

The voluntary alternative to material ID cards

A Proposal by David Moss of Business Consultancy Services Ltd (BCSL)

Section 4

For four years the government advocated biometric passports and ID cards on the confused basis that biometrics make them secure. In fact "security", these days, is synonymous with "PKI", the public key infrastructure, and is quite independent of biometrics. Without PKI, our biometric passports and ID cards would be forgeable, untrusted and an expensive waste of money.

It took a long time but, finally, in December 2006, the government confirmed that they would implement PKI in the ID cards scheme.

Will it be implemented properly? The early signs are not encouraging.

PKI was invented by GCHQ over 30 years ago and they stipulate the criteria for measuring how properly it has been implemented. These criteria include authentication, confidentiality, integrity and availability.

The government's implementation of PKI for biometric passports and the ID cards scheme looks like failing the authentication and confidentiality tests:

  • Tens of thousands of organisations will be accredited to undertake identity checks online to the National Identity Register.
  • Offline identity checks by non-accredited organisations will be allowed.
  • The personal data stored on biometric passports is not encrypted.
  • All of these organisations, in the UK and overseas, would be able to store the personal data read from people's biometric passports and ID cards. That can only exacerbate the problem of ID theft.

The integrity criterion of PKI is undermined by the fact that the ID cards scheme is based on smart cards. It would be more secure to base the scheme on mobile phones.

And the PKI requirement of availability is undermined by the government's track record with computer systems. The national fingerprint database, for example, has in the past been inaccessible to police forces for a week at a time. And there are examples of medical systems failing, of doctors being unable to see your X-rays when they need to treat you. If ID cards become important, what will happen when the computer system is not available?

All of which makes the government's idea of selling our personal data to selected organisations – to insert itself thereby into the nation's payments systems – unattractive.


PKI exists
BCSL have compiled a list of 35 media stories about passports. Examine this evidence, and it becomes clear that our non-biometric passports are worthless. They are not secure documents:
  • The evidence shows three-and-a-half years of newspaper stories about stolen passports and forged passports. Stolen and forged passports should not work. They should not get you into the country. But they do work and that is why there seems to be a thriving trade in them.
  • It shows that passport control procedures are not enforced. How else can a man manage unintentionally to travel on his wife's passport? How else can a woman enter the UK on a stolen passport? Stolen passports are meant to be reported to Interpol and passport control staff are meant to check the Interpol list. She got into the UK anyway.
  • It shows poor procedures. How can a visa application be checked properly in 11 minutes?
  • It shows corruption in the immigration service.
  • It shows the cost of passports, during the period examined, doubling to cover the cost of introducing biometrics. Biometrics are meant to solve the problem and make passports secure.
  • And yet it also shows that security problems with biometric passports are revealed as soon as the new passports are introduced. Do biometric passports solve the problem? Is our money well spent? Is it worth our while to spend time attending registration centres to record our biometrics? Will biometric passports be just as worthless as their predecessors?

According to the Identity and Passport Service (IPS) strategic action plan published in December 2006:

"We will also maintain the high levels of customer service achieved over recent years – for the third year in a row, IPS topped the independent Comparisat Customer Satisfaction survey, ahead of organisations such as Amazon, Asda, eBay, Marks and Spencer, and Tesco" (para.52)

More proof, if it was needed, that popularity does not imply reliability.

What applies to passports applies equally to other secure documents or, to be more precise, to other documents that are meant to be secure. Passports are chosen only as an example. In particular, these problems would apply to ID cards as well.

Biometrics are meant to identify people. The biometrics chosen for our new passports in the UK and for our proposed ID cards will only identify about 80% of people. They are not universal. That is one problem, which has already been covered in the biometrics section of this proposal.

... but the media do not seem to know about it
The point to make in this section is that biometrics have nothing to do with security. The problems of identification and security are independent. You can have biometrics without security and, conversely, you can have security without biometrics. Biometrics cannot make our passports or our proposed ID cards secure.

The way to get secure documents is to use PKI, the public key infrastructure. None of the articles offered as evidence refer to PKI. Where they mention security at all, they all confuse it with biometrics.

The International Civil Aviation Organization (ICAO), the people responsible for the format of passports, are perfectly clear on the matter. They say that there is no point recording biometrics on passports if they can be changed by forgers. They recommend that the established technology of PKI should be used to authenticate the biometrics:

"Unless data recorded, such as biometric and identity ... data on contactless chip media, can be self-authenticating through the use of PKI Digital Signatures, these initiatives are exposed to fraud and counterfeit" (para.2.7).

There it is. You need PKI to protect biometrics from forgery. Security and identification are not the same thing. You need one to protect the other. They are two different things.

So time to learn
PKI is all about authentication.

It was developed by the UK Government Communications Headquarters (GCHQ) between 1969 and 1975 and independently in the US. It is a cocktail of procedures and encryption techniques used every day by governments, the military, the security services, academic institutions, businesses – including the mobile phone network operators – and secure websites (SSL/https), among others, to authenticate whatever needs to be authenticated.

The revolutionary element of PKI is that the key required to encrypt a message can be published: it is a public key. You can use my public key to encrypt a message and send it to me, secure in the knowledge that only I can read it, because only I have the private key needed to decrypt it.

CESG is the PKI bit of GCHQ. They define their rôle in terms of information assurance, which they say has five key principles:

  • Confidentiality – keeping information private
  • Integrity – ensuring information has not been tampered with
  • Authentication – confirming the identity of the individual who undertook the transaction
  • Non-repudiation – the individual who undertook the transaction cannot subsequently deny it
  • Availability – ensuring information is available when required
PKI is needed for authentication
When a message is sent from one person to another using PKI, as long as established procedures are followed, the sender, the recipient and the message itself are all authenticated. The sender can be sure that only the intended recipient will be able to read it, the recipient can be sure that the message comes from the purported sender and he can tell if it has been tampered with en route.

That is what BCSL means by the phrase "secure document". A secure document is one which can be authenticated in this way. The sender is authenticated. The recipient is authenticated. And the message received is the message that was sent.
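The exchange described in the last two paragraphs, as an added example in Go. This is my code, not BCSL's and not anything from GCHQ, the Home Office or IPS. The sender signs the message with a private signing key and then encrypts it under the recipient's public encryption key; the recipient decrypts with the private key only he holds and checks the signature against the sender's published key. The party names, the sample message and the choice of Ed25519 for signatures and RSA-OAEP for encryption are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is a hypothetical PKI participant with two key pairs: an Ed25519
// signing pair (proves who sent a message) and an RSA encryption pair
// (lets others send messages that only this party can read).
type Party struct {
	Name     string
	SignPub  ed25519.PublicKey // published
	EncPub   *rsa.PublicKey    // published
	signPriv ed25519.PrivateKey // never leaves the party
	encPriv  *rsa.PrivateKey    // never leaves the party
}

// NewParty generates fresh keys; the public halves may be handed to anyone.
func NewParty(name string) (*Party, error) {
	signPub, signPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, SignPub: signPub, EncPub: &encPriv.PublicKey,
		signPriv: signPriv, encPriv: encPriv}, nil
}

// Envelope is what travels over the wire: ciphertext readable only by the
// recipient, plus the sender's signature over the plaintext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Send signs the message with the sender's private signing key, then encrypts
// it under the recipient's public encryption key. RSA-OAEP with a 2048-bit key
// carries at most about 190 bytes; longer messages would need a hybrid scheme.
func (s *Party) Send(to *Party, msg []byte) (*Envelope, error) {
	sig := ed25519.Sign(s.signPriv, msg)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to.EncPub, msg, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Receive decrypts with the recipient's private key (confidentiality) and
// checks the signature against the claimed sender's public key (authentication
// of the sender, integrity of the message). Any failure yields no plaintext.
func (r *Party) Receive(from *Party, env *Envelope) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.encPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong recipient key or ciphertext altered")
	}
	if !ed25519.Verify(from.SignPub, msg, env.Signature) {
		return nil, errors.New("signature check failed: not from " + from.Name + " or message altered")
	}
	return msg, nil
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	eve, _ := NewParty("eve")
	msg := []byte("monthly fab report: yield 93.1%") // constructed sample message

	env, _ := alice.Send(bob, msg)
	got, err := bob.Receive(alice, env)
	fmt.Printf("bob reads %q (err=%v)\n", got, err)

	_, err = eve.Receive(alice, env) // confidentiality: eve lacks bob's private key
	fmt.Println("eve reading bob's mail:", err)

	forged, _ := eve.Send(bob, msg) // authentication: eve cannot sign as alice
	_, err = bob.Receive(alice, forged)
	fmt.Println("eve posing as alice:", err)

	env.Ciphertext[0] ^= 0xff // integrity: tampering in transit is detected
	_, err = bob.Receive(alice, env)
	fmt.Println("tampered envelope:", err)
}
```

The three failure paths in main are the three CESG principles the text has just listed: Eve cannot read the envelope (confidentiality), cannot pass herself off as Alice (authentication) and cannot alter the envelope unnoticed (integrity). Note that the signature is over the plaintext, so the recipient must decrypt first and verify second; the order of checks is part of the "established procedures" the text refers to.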

... it is an established technology
There is nothing new about secure documents.

The government sometimes seem to suggest that biometric passports and the ID cards scheme involve secure documents which have never been seen before. The use of digitised biometrics is an innovation. Granted. But biometrics are identifiers, not security devices.

The use of encryption to support secure communications, far from being new, goes back at least to the fifth century BC (see, for example, Simon Singh's The Code Book).

For the past 35 years or so, "security" has become synonymous with "PKI".

The stock in trade of PKI is the digital certificate. There is nothing new about issuing and using digital certificates. Two examples:

  • BT issue digital certificates to registered suppliers who wish to trade on the BT extranet.
  • HM Revenue & Customs support the use of digital certificates for companies making certain tax payments and submitting certain returns on the Government Gateway on the web.
... and it works
According to the National Security Agency (NSA), the US equivalent of GCHQ, commenting in 1997 on PGP, one of many PKI software packages:

“If all the personal computers in the world – 260 million – were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message” (PGP Desktop Security), p.246.

Given that the universe is about 15 billion years old, that implies that it would take about 180 million billion years to decrypt a message.

The mathematics of PKI is hard for most of us to grasp. The attempt may be made to explain it to those who are interested but all that is needed in general is to promote the same attitude to PKI as we already have to DNA. Very few people understand how it works but most people believe that it exists and that it does its job.

... sometimes not so well
There was a case reported in February 2003 of some Swiss cryptographers being able to decipher the password of a secure website in less than an hour. In October 2006 it was reported that Mr Jon Lech Johansen, a "prominent hacker", had cracked the code that protects Apple's iTunes music downloads. Mr Bruce Schneier has some doubts. And Professor Martyn Thomas, giving evidence to the Home Affairs Committee, pointed out that:

"No card based chip has yet proved to be completely unable to be broken open if you are prepared to apply sufficient resources to it. Although you may have to wreck a few chips in the process, once you have actually determined how to break the encryption on the chip and you can understand the workings you can make your own" (Q.394)

As an example of what Professor Thomas has in mind, consider the set-top boxes we attach to our TVs to receive satellite and cable TV programmes. They have a card in them to authenticate the user as a bona fide customer of BSkyB, for example, or NTL. There used to be a grubby market in illegitimate cards, which allowed people to receive these programmes without paying.

Without PKI, or if PKI were not implemented properly, there would be the same market in forged biometric passports and ID cards.

... and sometimes too well
There is considerable interest in the UK at the moment in the question of terrorists using encrypted communications. One of the arguments in favour of allowing terrorist suspects to be detained without charge for 90 days, instead of 28 days, is that it would give investigators longer to try to read any encrypted documents stored on impounded PCs.

The universe is roughly 14bn years old. 260m computers working for 12m times the age of the universe is therefore about 16,000 million million million million computer-days. If that is how long it would take investigators to read one properly encrypted document, then 28 days or 90 days are, clearly, neither here nor there.

As Professor Ross Anderson told the Home Affairs Committee, encryption tools are generally either good or useless and "if they are good, you either guess the password or give up".

The Home Office do not seem to know about PKI either
Consider the following exchange when David Blunkett, then Home Secretary, gave evidence to the Home Affairs Committee on 4 May 2004:

"Q625 Mr Cameron: That is really what I am saying. If you have to have a work permit, is not the problem that we are not checking enough people's work permits? Have you done any analysis of the enormous costs of an ID card system against a modest investment in more people checking whether people have a work permit?

Mr Blunkett: I do not believe we are talking about an enormous cost, I think we are talking about a steady state of around 200 million a year. The accumulated 13 years' roll-up of everything obviously frightens people to death and, in retrospect, perhaps that figure has misled people. In my view, the actual steady state is a very reasonable way, taken alongside biometric passports, because let me make it clear that I would not be advocating this if it were not that we were going to have to engage for international travel with biometric identifiers in passports and visas to ensure that those documents are secure and, therefore, be able to run the ID card and the secure register alongside that aspect which in itself will be the expense that has to be incurred by us whether we go for ID cards or not."

To paraphrase, Mr Blunkett was saying that it is the biometrics in passports and visas which ensure that those documents are secure.

... biometrics do not even in theory provide authentication
That is false.

Which is the ICAO's point. The biometrics in a passport or an ID card are meant to identify people. They are not a security device, they are a (putative) identification device. If they can be changed without detection, then passports and ID cards can be forged, they are not secure documents. In order to make them secure, we need to implement PKI. Only with PKI can we know that the biometrics are authentic.

Biometric uniqueness could not make an ID card secure against forgery. A forger could overwrite Person A’s unique biometric with Person B’s unique biometric. The biometric would still be unique but the ID card would now be a forgery. PKI is needed to protect against this sort of forgery and that is why the ICAO recommend it.
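The forgery described in the paragraph above, and the point made earlier under "So time to learn" that you need PKI to protect biometrics from forgery, worked as an added example in Go. The code is mine, not the proposal's, the ICAO's or IPS's. It models a chip with two data groups, an identity line and a biometric template, whose digest is signed by the issuer, in the spirit of the ICAO recommendation quoted above; the data-group layout, the names and the sample templates are constructed for the demonstration and do not reproduce any real passport encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Chip is a hypothetical model of the data on a biometric passport or ID card.
// The two data groups follow the idea of ICAO's logical data structure (DG1 for
// the identity details, DG2 for a biometric) but the byte layout is made up here.
type Chip struct {
	DG1       []byte // identity details, e.g. a machine-readable name line
	DG2       []byte // biometric template (a constructed placeholder here)
	Signature []byte // issuer's signature over the digest of all data groups
}

// digest binds every data group, in fixed order, into one value to sign. Each
// group is length-prefixed so moving bytes between groups changes the digest.
func digest(c *Chip) []byte {
	h := sha256.New()
	for _, dg := range [][]byte{c.DG1, c.DG2} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(dg)))
		h.Write(n[:])
		h.Write(dg)
	}
	return h.Sum(nil)
}

// Issue is the passport authority's job: write the data groups and sign their
// digest with the issuer's private key, which never leaves the authority.
func Issue(issuerPriv ed25519.PrivateKey, identity, biometric []byte) *Chip {
	c := &Chip{DG1: identity, DG2: biometric}
	c.Signature = ed25519.Sign(issuerPriv, digest(c))
	return c
}

// Authenticate is the reader's job: recompute the digest and check the issuer's
// signature with the published public key. False means a data group was
// altered after issue, or the chip was never signed by this issuer.
func Authenticate(issuerPub ed25519.PublicKey, c *Chip) bool {
	return ed25519.Verify(issuerPub, digest(c), c.Signature)
}

// MatchesBearer stands in for the biometric comparison at the border: does the
// template on the chip match the live sample? Real matchers are probabilistic;
// a byte comparison is enough to show that matching says nothing about forgery.
func MatchesBearer(c *Chip, live []byte) bool {
	return string(c.DG2) == string(live)
}

// Forge does what the forger in the text does: copy the chip and overwrite the
// biometric with someone else's, leaving the identity line and signature as they were.
func Forge(c *Chip, newBiometric []byte) *Chip {
	return &Chip{DG1: append([]byte(nil), c.DG1...), DG2: newBiometric,
		Signature: append([]byte(nil), c.Signature...)}
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	aliceTemplate := []byte("template:alice") // constructed stand-ins for fingerprint data
	bobTemplate := []byte("template:bob")

	chip := Issue(issuerPriv, []byte("P<GBRSMITH<<ALICE<<<<"), aliceTemplate)
	fmt.Println("genuine chip authenticates:", Authenticate(issuerPub, chip)) // true

	forged := Forge(chip, bobTemplate)
	fmt.Println("forged chip matches bob's finger:", MatchesBearer(forged, bobTemplate)) // true
	fmt.Println("forged chip authenticates:", Authenticate(issuerPub, forged))          // false
}
```

The two results on the forged chip are the whole argument in miniature: the biometric check passes, because Person B's template really is unique and really does match Person B's finger, while the signature check fails, because the issuer signed Person A's data and the forger cannot produce a new signature without the issuer's private key. A reader that performs only the first check has identification without security.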

... PKI does, and yet the UK government have not mentioned it
So does every other informed system designer. OSCIE, for example, the open smart card infrastructure for Europe, relies centrally on PKI and is being implemented in many EU countries. There is no controversy about it. PKI is there, it works, it is natural to use it and it is essential for authentication.

The UK is unique in not discussing the central importance of PKI. BCSL raised the issue of PKI with the Home Office in an email dated 31 January 2003. We were told, in a subsequent telephone call to the Home Office, that “the British public is not ready for PKI”. Other countries find it appropriate to mention PKI. eESC, the eEurope Smart Card forum, list 13 EU countries (para.2.2) publicly considering the implementation of PKI. Surely the British public cannot be so exceptionally different.

That was in 2003. A year later the Home Secretary was still confused, as noted, about how to make biometric passports and ID cards secure. The confusion seems to have persisted for at least another two years. The Section 37 cost report on the ID cards project published by the Home Office in October 2006 states:

"Ultimately this will ensure that everyone* who has been given permission to enter the UK, those allowed to remain for more than a specified period (likely to be 3 months [but, as it turns out, six months]), and those claiming asylum can be identified securely using their biometrics" (p.4).

"Each person* registered will have a quick and secure way of proving who they are whenever needed, for example via a quick online match of their ID Card and biometrics" (p.6).

"The great benefit of the biometric card is that it is more resistant to forgery than predecessor technologies. The ID Card will be much more secure than documents currently requested by financial service providers as proof of identity" (p.6).

"Biometric cards will provide a secure means for foreign nationals* to prove their identity to the same level of assurance as UK nationals. This will help, for example, legitimate employers verify a foreign national’s entitlement to work and help prevent abuse of our public services by those not entitled to use them" (p.9).

"Each person’s* identity will be secured by the registering of a number of biometric identifiers, such as fingerprints and facial or iris images" (p.12).

* each of these references should be to 80% of people, of course: the biometrics chosen for the passport and ID card schemes are not reliable enough to verify everyone's identity.

Never mind the British public, it is not obvious that the Home Office themselves are ready for PKI. Perhaps it is their confusion, about the quite different rôles of PKI and biometrics, that explains why we have yet to see a single UK bank say that they will accept a government ID card as proof of identity.

... do the UK government propose to use PKI, yes or no?
The Identity Cards Act makes no mention of PKI. Without PKI, our ID cards would be expensive and worthless and IDNet would itself pose a security threat.

It is not just BCSL who have raised the issue with the Home Office. So have Microsoft: "the proposal to place biometrics ... on a central database could perpetuate the very problem the system was intended to prevent". And so have Cambridge Algorithmica, for example, in their written evidence submitted to the Home Affairs Committee:

"Encryption vulnerabilities It is assumed that data stored on the ID Card would be encrypted, using a trapdoor encryption algorithm ... Otherwise, biometric templates could be substituted easily".

It would not hurt for the Home Office to confirm that they intend to use PKI. That is the whole point. You can make your use of PKI public without impugning its effectiveness. So, are they going to use PKI or aren’t they? Will these cards be secured by PKI? We need to know the answer.

Until 19 December 2006, when the Strategic Action Plan for the National Identity Scheme was published, the best we could do was to say that it is unlikely that the government should be so ignorant as to try to introduce an ID voucher scheme without using PKI. If they are, that would be a major scoop.

Finally we know the answer: yes
The action plan continues to advocate the use of smart cards (passim). According to BCSL, that is a mistake. It would be better to base the ID cards scheme on mobile phones instead.

The length of stay for non-EEA* nationals visiting the UK before they have to apply for an ID card/record their biometrics has been doubled from three months to six months (para.59). There is no explanation for this move, which would make ID cards even less universal and, thus, even less useful.

* EEA = EU + Iceland + Liechtenstein + Norway

The plan continues to advocate the use of facial geometry as a biometric (para.2, fig.2, para.53, para.55). According to the evidence, that is a mistake. Facial geometry is useless.

And it continues to confuse popularity and pervasiveness with reliability. IPS may be popular (para.52). That does not make biometrics reliable. Nor would it make their passports and ID cards secure. Other countries may be deploying biometrics (Foreword, Executive Summary, para.22, para.63). That does not make biometrics reliable. Nor would it make their passports and ID cards secure. Just because they are wasting their money on schemes that cannot work is no reason for the UK to follow suit.

It continues to advocate the use of biometrics as a universal method of identification:

"We are also committed to meeting European and international initiatives to make passports ever more secure, including the use of fingerprint biometrics" (para.63)

"Over time, we will be able to link people to a single identity across our systems using biometrics" (para.92).

According to the evidence, that is false, it is only possible for a maximum of 80% of the population to have their identity verified by reference to their biometrics.

The plan refers to "small percentages of what are known as 'false matches' or 'false non-matches' ..." (para.50):

  • The false match rate for fingercopies in the UKPS biometric trials was small – 0.15% for the able-bodied participants and 0.27% for the disabled (para.3.4.1.1).
  • The false non-match rate on the other hand was, as we know, about 20%. In a population of 50m cardholders, that would be 10m people. To call that a "small percentage" is to be in denial. It gives the action plan the make-believe air of a charade.

The plan continues to confuse identification with security: "We are also committed to meeting European and worldwide initiatives to make passports ever more secure, including the use of fingerprint biometrics" (p.4).

But, in between all these business as usual mistakes, the plan acknowledges, for the first time, the notion of personal details being "electronically signed" (para.11) and it shows PKI as an element of the National Identity Register (fig.2, fig.3, para.15).

So, the UK biometric passport and ID card schemes will use PKI.

... but will they use it properly? And what are the implications?
The original paradigm of PKI was one spy sending a message to another spy, a message which, for reasons of national security, should not be readable by anyone else.

The paradigm works well for other applications, too:

  • If the manager of an overseas microchip fabrication plant needs to send the monthly report back to Intel headquarters, he or she will not want it to be read by anyone else. PKI will be used, for reasons of commercial confidentiality, to protect this message being sent from one person to another.
  • And when you pay for books you have ordered from Amazon, you would not want your credit card details, or any other part of the message, to be read by just anyone. You should be pleased that PKI is used to secure the communications between you, Amazon and your credit card issuer.
The implementation of PKI for biometric passports seems to fall short of CESG's authentication principle. The same would be true for ID cards
When it comes to passports, the paradigm is stretched. The passport is a message from IPS, to whom it may concern, to the effect that "her Britannic Majesty's Secretary of State requests and requires" them, in the Name of Her Majesty, "to allow the bearer to pass freely without let or hindrance, and to afford the bearer such assistance and protection as may be necessary". This is not a message to just one person or organisation but to any passport control operation in the world.

And when it comes to ID cards, the message, that the bearer is who he says he is, and here are his fingercopies to prove it, would be sent not only to passport control people but also to:

  • GPs and hospitals (to make sure that the bearer is entitled to non-emergency National Health Service care)
  • Schools and universities (to make sure that the bearer is entitled to state education)
  • Benefits offices (to make sure that the bearer is entitled to state benefits)
  • Prospective employers (to make sure that the bearer is entitled to work in the UK)
  • Banks (to help to establish the bearer's identity when opening a new account)
  • Pubs, supermarkets, tobacconists and off licences (to make sure that the bearer is old enough to buy tobacco and alcohol)
  • Police stations, courts, prisons
  • Insurance companies ...
  • ... and any number of other organisations.

One spy sending a message to another spy can be confident that the recipient has been vetted.

The microchip plant manager and his or her boss in the example above are both known to Intel.

Banks take a lot of care, through the know-your-customer scheme (KYC), to make sure that they know who they are issuing credit cards to, and which merchants, such as Amazon, they authorise to take credit card payments.

By contrast, and this is where the paradigm is being stretched, IPS can have no idea who might be operating passport control at Catania airport, for example, and they cannot possibly vet every off licence in the country.

... IPS may well authenticate the identity of people undertaking online identity checks
According to the Strategic Action Plan for the National Identity Scheme:

"The Identity Cards Act 2006 allows for certain NIR [National Identity Register] information to be provided, with a person’s consent, to an accredited organisation, for example a bank. This could be to confirm an ID cardholder’s identity when opening a new account. This may include information such as their address, which is not shown on the face of the card. IPS will be responsible for accrediting all such organisations to ensure they and their staff do not misuse these services. IPS will also put in place rigorous security controls so that only accredited organisations can use such services and only in the way intended" (para.42).

The dematerialised ID proposal sent to the Home Office in May 2003 includes a number of examples of how to use PKI with ID cards (para.6.2). These examples have been reviewed by academics both in the UK and abroad. A further example was added in September 2005 and circulated to a number of organisations, including the Home Office. In each case, the right of the person checking your identity to do so has to be established before the check can take place. The person is authenticated. This is how to use PKI properly.

IPS may or may not exert "rigorous security controls" over accredited organisations making identity checks online to the NIR. But what about offline checks? What control do IPS have over a supermarket checking your age by reading your ID card? None.

IPS are promising, in the quotation above, to control access to the NIR. They are not promising to control access to the personal data stored on your biometric passport or your ID card.
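The step described two paragraphs above, that the right of the person checking your identity to do so has to be established before the check can take place, as an added example in Go. The code is mine; it is not one of BCSL's 2003 examples and not anything IPS has published. It models a register that holds IPS's root signing key, issues signed accreditations to vetted organisations, and refuses to answer an identity check until both the accreditation and the individual request have been verified, logging every attempt. The credential format, the organisation name, the one-year validity and the five-minute replay window are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Accreditation is a hypothetical credential IPS would issue to an organisation
// permitted to check identities online against the NIR (far simpler than X.509).
type Accreditation struct {
	Serial  int
	Org     string
	OrgPub  ed25519.PublicKey
	Expires time.Time
	IPSSig  []byte // IPS root signature over the other fields
}

// CheckRequest is one identity check, signed by the accredited organisation.
type CheckRequest struct {
	Serial       int // accreditation the checker relies on
	CardholderID string
	Purpose      string
	Issued       time.Time
	OrgSig       []byte
}

// Register plays the NIR: IPS's root key, revoked accreditations, audit trail of every attempt.
type Register struct {
	rootPub    ed25519.PublicKey
	rootPriv   ed25519.PrivateKey
	revoked    map[int]bool
	nextSerial int
	Audit      []string
}

func NewRegister() *Register {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Register{rootPub: pub, rootPriv: priv, revoked: map[int]bool{}, nextSerial: 1}
}

// Canonical bytes to sign: the struct with its own signature field blanked.
func (a Accreditation) toBeSigned() []byte { a.IPSSig = nil; b, _ := json.Marshal(a); return b }
func (r CheckRequest) toBeSigned() []byte  { r.OrgSig = nil; b, _ := json.Marshal(r); return b }

// Accredit issues a one-year accreditation bound to the organisation's public key
// (the vetting that precedes it is out of scope here).
func (reg *Register) Accredit(org string, orgPub ed25519.PublicKey) Accreditation {
	a := Accreditation{Serial: reg.nextSerial, Org: org, OrgPub: orgPub, Expires: time.Now().Add(365 * 24 * time.Hour)}
	reg.nextSerial++
	a.IPSSig = ed25519.Sign(reg.rootPriv, a.toBeSigned())
	return a
}

func (reg *Register) Revoke(serial int) { reg.revoked[serial] = true }

// SignRequest runs on the checking organisation's side with its private key.
func SignRequest(orgPriv ed25519.PrivateKey, serial int, cardholder, purpose string) CheckRequest {
	r := CheckRequest{Serial: serial, CardholderID: cardholder, Purpose: purpose, Issued: time.Now()}
	r.OrgSig = ed25519.Sign(orgPriv, r.toBeSigned())
	return r
}

// Check authenticates the checker before anything about the cardholder is released
// and logs every attempt, so the register always knows a check took place.
func (reg *Register) Check(a Accreditation, r CheckRequest) error {
	err := reg.validate(a, r)
	outcome := "permitted"
	if err != nil {
		outcome = "refused: " + err.Error()
	}
	reg.Audit = append(reg.Audit, fmt.Sprintf("%s / serial %d / %s / %s", a.Org, r.Serial, r.CardholderID, outcome))
	return err
}

func (reg *Register) validate(a Accreditation, r CheckRequest) error {
	switch {
	case !ed25519.Verify(reg.rootPub, a.toBeSigned(), a.IPSSig):
		return errors.New("accreditation not signed by IPS")
	case time.Now().After(a.Expires):
		return errors.New("accreditation expired")
	case reg.revoked[a.Serial]:
		return errors.New("accreditation revoked")
	case r.Serial != a.Serial:
		return errors.New("request does not cite this accreditation")
	case time.Since(r.Issued) > 5*time.Minute:
		return errors.New("request too old (replay guard)")
	case !ed25519.Verify(a.OrgPub, r.toBeSigned(), r.OrgSig):
		return errors.New("request not signed by the accredited key")
	}
	return nil
}

func main() {
	nir := NewRegister()
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	acc := nir.Accredit("Example Bank plc", bankPub) // constructed organisation
	fmt.Println(nir.Check(acc, SignRequest(bankPriv, acc.Serial, "cardholder-0001", "open account")), nir.Audit)
}
```

Two design points follow the text. First, an organisation that has not been accredited cannot manufacture its own accreditation, because only IPS's root key can sign one, and it cannot borrow someone else's, because the request must be signed with the key named in the accreditation. Second, the audit trail exists for refused attempts as well as permitted ones, which is exactly what an offline read of a card can never provide.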

... but they can't do the same for offline checks
CESG's authentication principle is concerned with "confirming the identity of the individual who undertook the transaction". Using your ID card to check your age is a transaction. If the check is performed offline, the identity of the supermarket and their right to check your identity are not confirmed. Using your biometric passport to check your identity at Catania airport is a transaction. If the check is performed offline, the identity of the checker and their right to check your identity are not confirmed.

Not only have IPS not confirmed the identity of the checker. They do not even know that the check has taken place. This cannot possibly meet the requirements of CESG's authentication principle.

There have been newspaper articles in Wired magazine and in The Guardian newspaper showing that anyone with the right equipment can read the contents of a biometric passport, including a digital photograph of the bearer. The same story has been the subject of a TV documentary. We have all seen with our own eyes that there is no need to be accredited to read this data. No form of authentication takes place.

If fingerprints are added to biometric passports, perhaps they, too, will be accessible to anyone with the right equipment. The same biometrics would be stored on ID cards. Non-accredited people will be able to read these biometrics, which are a sub-set of what is stored on the NIR (para.22, para.65). So, in a way, non-accredited people are reading the NIR.

IPS may say that you have given your permission for the supermarket and the airport to perform these checks. That is not a convincing counter-argument. You have no choice but to give your permission.

It transpires from these media stories that the UK's new biometric passports include an RFID tag. That is one step on the way to making it possible for anyone to read data from your passport without authentication and without you even knowing it, let alone having given your permission. It hasn't happened yet, but we are one step closer. Why take the risk? Why include the RFID tag? No explanation has been given.

... offline identity checks stretch the PKI paradigm too far. The implementation ends up breaking PKI's most basic rule. IPS are not even encrypting the message
It seems at this early stage that the implementation of PKI for biometric passports would not pass CESG's authentication test. That is worrying for ID cards as well. ID cards would be issued by the same organisation – IPS – and they would include the same biometrics – yours.

With a proper implementation of PKI, such as in dematerialised ID, there would be no offline identity checks. All checks would be authenticated. We have the wherewithal, with four mobile phone networks, to undertake all identity checks online to the NIR. That would ensure that only those who are properly authorised to do so could check our identities.

The biometrics in BCSL's PKI examples are all encrypted. Only authorised persons would be able to decrypt them. By contrast, the TV documentary referred to above revealed that the biometrics on our new passports are not encrypted. They can't be if you want to support the use of offline identity checks – where would the non-accredited checkers get the key from to decrypt the biometrics? That is the surprising consequence of this particular implementation of PKI – they're not even encrypting the message.

... which leads inescapably to the conclusion that there should be no offline identity checks
In November 2005, it was announced that about 256 government bodies and 44,000 businesses would be accredited to undertake online identity checks. It was conceded at the same time that these figures were probably a significant underestimate. There are doubts about the advisability of online identity checks. How do you monitor all the people in so many organisations?
  • How good would IPS be at checking whether they should accredit a particular organisation?
  • How good would they be at ensuring that the organisation did not misuse the data they acquire?
  • How diligently would they pursue offenders?
  • And what can they do, anyway? Once your biometrics have been put up for sale on a Russian website, it's too late for IPS to do anything useful.

There are no doubts about the advisability of offline identity checks:

  • The organisations performing offline identity checks are not accredited.
  • IPS cannot pursue them – indeed, IPS do not even know that they are performing identity checks.
  • IPS can have no idea what these organisations do with the data they acquire.
  • In order for offline checks to be performed, IPS have to publish the format of the data on biometric passports and ID cards and they cannot encrypt the data.

There is only one conclusion possible. There should be no offline identity checks.

Offline identity checks make a nonsense of the authentication principle of PKI.

The facility to perform offline identity checks should not be an objective of the biometric passport and ID card schemes.

IPS's objective should rather be to make offline checks impossible.

That applies to IPS and to all the agencies in other countries involved in the deployment of OSCIE-type ID voucher schemes.

... which leads to a further conclusion – there is no need to have ID cards
The great strength claimed for the biometric passport and ID card schemes is the ability of biometrics, particularly fingercopies, to identify each person. The objective is to store each person's biometrics on the NIR.

The design of an appropriate ID voucher scheme follows simply. Set up a national network of fingercopy readers attached online to the NIR and then, whenever someone needs to prove their identity, all they need is their fingers.

There is no need for a card.

So how did cards insinuate themselves into the design? The only reason cards are needed is for offline identity checks, and offline identity checks are heavily contra-indicated.

It is the offline identity checks that we have to blame for the expensive and otherwise unnecessary introduction of ID cards.

The implementation of PKI for biometric passports seems to fall short of CESG's confidentiality principle. The same would be true for ID cards
The original paradigm of passports and ID cards was that you can show your passport or your ID card to a passport control officer or a policeman, say, and then move on, leaving nothing behind. That works as long as the passport control officer or the policeman is just making a visual check. It is stretched to the point of breaking once you introduce digitised data that can only be read by a machine.

CESG's confidentiality principle is concerned with "keeping information private". Your biometrics, stored on a passport or an ID card, cannot be read by a human being. They can only be read by a computer. And once they have been read, there is nothing to stop the computer from storing them, together with your name, your passport number, your ID card number, your PIN, your password and any other data, your date of birth, perhaps your address, and so on.

The effect is that you will be leaving your personal details behind, all neatly parcelled up and formatted according to published, international standards, at your expense, wherever you go, wherever you have your identity checked. These details will be stored all over the country and all over the world.

How many people realise this? It will be a big surprise to most people.

Quite rightly. It seems to contravene CESG's confidentiality principle. And it is a far cry from the respect for confidentiality claimed in the Home Office's July 2002 consultation document:

"To ensure confidentiality the central register check would simply confirm ‘yes’ or ‘no’ whether the details were correct ..." (para.5.29)

"The authentication service would have limited access to the central register. It would not have access to or be able to reveal any of the information stored on the central register, but it could give a ‘yes’ or ‘no’ answer to questions ..." (para.71, Annex 4)

"... the central register would simply confirm whether or not there was a match and the authentication service would merely pass on this ‘yes’ or ‘no’ to the person making the enquiry ..." (para.72, Annex 4, see also para.74 and para.77)

If the NIR responds with "yes", it confirms that something about you is the case. It does not "ensure confidentiality".

Again, IPS may be able to exert some control over what happens with this data in the case of accredited organisations making online identity checks. It would be impolite to suggest otherwise. But they can have no control over offline checks.

Offline checks make just as much of a nonsense of the confidentiality principle of PKI as they do of the authentication principle. IPS are offering confidentiality which they cannot possibly deliver.

... which will prove very useful to ID thieves
This is the sort of data required by fraudsters hoping to impersonate you and run up bills on your credit card, for example. The effect of a scheme designed to protect you from ID theft is, thus, to publish widely all the data needed to perpetrate ID theft.

This data, by the government's own admission (indeed, this is the unique selling point of the biometric passport and ID card schemes), is supposed to be the most fundamental data possible, required to identify you.

For the moment, luckily, while the only biometric on a UK passport is based on facial geometry, no harm is done, apart from taxpayers' money being wasted. Biometrics based on facial geometry are useless.

In future, if fingercopies are added to biometric passports and ID cards, 20% of people will still be lucky. They cannot be identified by their fingercopies. But 80% of people will not be so lucky.

This data is not like a password. You can change a password. It is not like a credit card. You can always get a new credit card. It is your biometrics. You cannot change your biometrics. You only get one chance.

It is hard to see how this could possibly meet CESG's confidentiality requirements.

The two paradigms have crashed into each other. 80% of people will be revealing fundamental data about themselves to all and sundry and leaving perfect copies of it all over the place.

BCSL has compiled a list of 45 media stories about ID theft. Between them, they amount to a useful primer on the subject. It will be clear from the primer that there are genuine and widespread risks involved in leaving your identity data behind you wherever you go. This is not a theoretical problem which may never occur. It occurs all day every day and now, quite unnecessarily, we are being asked to increase the risk.

At the moment, ID thieves have to hope that a bank will leave its records in the street to get information about you. Or they have to go through your rubbish, or go to India, or hack into the JobCentre or Network Rail personnel databases, or go to an underpass in Bradford, or bribe a postman.

In future, in addition to all these sources, they will also be able to get your personal details from crooked members of the Registrar's Dept in hospitals, GP surgeries, schools and universities, or from crooked database managers at airports, pubs, off licences, tobacconists, supermarkets, banks, insurance companies, police stations, law courts, prisons, and so on. The job is being made easier for them by the biometric passport and ID card schemes.

The banks have got the rate of plastic card fraud down from 0.33% of turnover in 1991 to just 0.15% in 2005. The incidence of plastic card fraud is low and getting lower thanks to the hard work done by the banks. If anything, the biometric passport and ID card schemes are likely to reverse that trend and undo all that good work.

What, then, is the government's stance on confidentiality? They are considering whether it might be appropriate to make money by selling the personal data they require us by law to give them in confidence

In view of the points made above, to do with authentication and confidentiality, the question arises why IPS should bother with an accreditation system at all.

Several answers suggest themselves.

One of them is that enquiry information is useful. If a company which operates in the leisure, tourism, hotel and catering sectors makes few identity check enquiries, then they are probably not being very careful to employ only people who are legally entitled to work in the UK.

Another suggested answer is that it makes it possible for IPS to charge for fielding enquiries. Will they charge? They may well do. Accreditation will not help to keep our personal data confidential, as we have seen, but it could make it easier for the government to charge people for performing identity checks.

Will they use people's personal data as a revenue stream? They may do. And not just by charging for enquiries. According to the Home Office's Section 37 cost report:

"... There is scope to look at ways in which a national identity management system could provide services to other organisations on a commercial basis ... The scope for collaboration between public and private sector to ensure secure identity, simpler and better service for customers and harness the best technology is being explored by the Public/Private Forum chaired by Sir James Crosby which was set up by the Chancellor and will report in April 2007" (p.8).

There is an obvious logical discrepancy, given that PKI means keeping data confidential, in even considering selling it. It is an odd way to go about keeping information confidential, to sell it. Once you have sold it, how do you ensure that it remains confidential?

Why would the government consider selling our personal data? It cannot be to "ensure secure identity". Selling it impugns security by spreading our personal identity details around. There must be some other reason

The context of the quotation above is this:

"The fact that people will have a secure way of proving their identity could drive major benefits for the private sector and other organisations too. In other countries the private sector is already exploiting the use of biometric identification. For example, companies in the US and Japan are already using biometric verification systems in retail and banking, allowing their customers to use their biometric identity as a quick way of paying for goods and services. There is scope to look at ways in which a national identity management system could provide services to other organisations on a commercial basis ..." (p.8)

There are some obvious problems with these assertions:

  • The suggestion is that everyone would be able to verify their identity using their biometrics whereas, as we know, only 80% of people would be able to do so, 20% wouldn't.
  • The government's approach to authentication and confidentiality undermines the security they are claiming here.
  • The unconvincing argument is being used once again that it is all right for the UK to do it because other countries do. Iraq has the death penalty. The government do not use that as an argument for the UK to adopt it. In Hungary, they speak Hungarian. That is not a reason for us to start speaking Hungarian in the UK.
  • There is a sleight of hand in the middle. It is the private sector in other countries which is exploiting biometrics, not the government.

There is a bigger problem.

Consider the Section 37 report in its entirety. It is meant to be a cost report. It isn't. It wouldn't pass GCSE Business Studies as an example of a cost report. What it is, is a marketing document, extolling the benefits of the ID card scheme. In particular, the government is trying to insert the ID cards scheme into the UK's payments systems.

The marketing is beginning to work. There are people who believe that the ID card is a payment card, or at least there is one person:

"So the government will know every time I go to the bank, purchase food, take out money, see my doctor etc. One day sometime soon, if you oppose the government or annoy some bureaucrat your card is cancelled and you become a non-person. It's no wonder the government mouthpiece, the BBC, has never repeated '1990' which predicted this nightmare 20 years ago." (Comments on the Prime Minister's Daily Telegraph article, November 6, 2006 6:55 AM)

As things stand, this comment could not be more wrong. The ID card is not a payment card. It is not like a charge card, or a debit card, or a credit card, or a cheque guarantee card, or a cash withdrawal card. The ID card is separate from all these other cards and irrelevant to payments in general.

... there is. The government are trying to give themselves a rôle in the UK payments systems

And that is the problem which faces the government.

As long as this continues to be the situation, the daily irrelevance of the ID cards scheme is embarrassingly clear.

Only if ID cards are inserted somehow into the UK payments systems would they become relevant, only then might the huge expenditure appear to be justified, only then would the government appear to have a rôle.

That is why what was meant to be a cost report was converted into a marketing document instead.

Would it work? No. It is up to the banks to establish the identity of their accountholders. That is what the accountholders and the banks' shareholders expect. The banks would be taking a risk if they abdicated their responsibility to establish people's identity. There is no business case for taking this risk.

Would the government underwrite their ID cards? Suppose that they did. It wouldn't help. When an ID card turns out to identify someone wrongly, and that person perpetrates a fraud, then the government would pay compensation to the bank. What would they pay it with? Tax money. Tax paid by the bank and by its shareholders and by its accountholders. We would all be paying ourselves compensation for the mistake made by someone we were also paying not to make mistakes.

If the banks wish to introduce biometrics into the payments systems and they can make the case to their shareholders and to their accountholders, then well and good, let them experiment. They will have to be able to prove first that:

  • They will keep our personal data confidential.
  • They will authenticate whoever undertakes any transaction.
  • The additional verification requirements will not slow down the payments systems.
  • The additional verification requirements will not introduce new risks into the payments systems.
  • The cost of the introduction of biometrics will be outweighed by the benefits.
  • They can cater for the 20% of their accountholders who cannot use their biometrics to verify their identity.

Maybe they can. But it is not their job to legitimise a government initiative which is full of holes. That is not their mission statement. That is not what the shareholders or the accountholders pay for.

There are doubts as to whether the implementation of PKI for biometric passports can meet CESG's integrity principle. The same would be true for ID cards

CESG's integrity principle is concerned with "ensuring information has not been tampered with".

No-one has demonstrated yet that they can forge a biometric passport. They can copy the data but they cannot change it.

They haven't had long. Given time, it may well be possible to forge passports.

Professor Thomas warns that "... no card based chip has yet proved to be completely unable to be broken open," as noted above.

Professor Anderson describes a number of the techniques for breaking the security on smart cards in his book (chapter 14).

And Cambridge Algorithmica warn that:

"Smart cards are vulnerable to forgery; excessive reliance should not be placed on them. Despite the best efforts of card manufacturers, it will eventually be possible to access the data content and reverse engineer any smart card ... forged cards can then be produced. Though this will be at a price, it will not be beyond the means of organised crime. Cryptographic techniques do give further protection; however, practical constraints make on-card encrypted information more vulnerable than encrypted information transmitted over communications networks".

These three experts do not seem to be confident that the integrity of data stored on biometric passports and ID cards would last for long.

The government do not seem to be confident either. Why else would they threaten to fine us £1,000 if we fail to return our mother's ID card when she dies? (See Comment, December 24, 2006 10:56 AM, 'A tax on the absent-minded', The Sunday Telegraph)

... which suggests another benefit of basing ID voucher schemes on mobile phones rather than smart cards
Cambridge Algorithmica claim that "practical constraints make on-card encrypted information more vulnerable than encrypted information transmitted over communications networks" and:

"It is assumed that data stored on the ID Card would be encrypted, using a trapdoor encryption algorithm. The same key (or a modest number through some key compartmentation scheme) is used for every card; breaking the key creates a widespread vulnerability that is very expensive to overcome. For an encrypted communications system, each link can use a different key and keys can be changed frequently; thus, if there is compromise of a crypto key, damage is much more limited. The cryptographic strength is less, for trapdoor encryption algorithms".

That seems to imply another benefit of basing ID voucher schemes on mobile phones rather than smart cards. PKI implemented in a mobile phone-based scheme might get us back to the "12m times the age of the universe" end of the spectrum and away from the "forged set-top box ID cards" end.
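As an added illustration of the key compartmentation point in the quotation above (this is example code written for this page, not code from the ID cards scheme, from Cambridge Algorithmica or from IPS), the following Go program protects each card's data with an HMAC under two designs: one key shared by every card, and a per-card key derived from a master key that only the issuer holds. BlastRadius then measures how many of the issued records the secret extracted from a single card lets someone re-tag with altered data. Card numbers, holder data and all type and function names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// CardRecord is the data a card carries plus the integrity tag its issuer
// computed over it. All records in this example are constructed.
type CardRecord struct {
	ID   string // card or passport number
	Data string // the personal data the tag protects
	Tag  []byte // HMAC-SHA256 over ID and Data
}

// Issuer writes cards and later checks them. KeyOnCard is the secret a
// particular card has to hold, i.e. what opening that one card reveals.
type Issuer interface {
	Issue(id, data string) CardRecord
	Check(r CardRecord) bool
	KeyOnCard(id string) []byte
}

// tag computes HMAC-SHA256(key, id || 0x00 || data); the separator stops
// different (id, data) splits from producing the same MAC input.
func tag(key []byte, id, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(id))
	m.Write([]byte{0})
	m.Write([]byte(data))
	return m.Sum(nil)
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// SharedKeyIssuer is the design the quotation criticises: one key, carried
// by every card, protects every card.
type SharedKeyIssuer struct{ key []byte }

func NewSharedKeyIssuer() *SharedKeyIssuer { return &SharedKeyIssuer{key: randomKey()} }
func (s *SharedKeyIssuer) Issue(id, data string) CardRecord { return CardRecord{id, data, tag(s.key, id, data)} }
func (s *SharedKeyIssuer) Check(r CardRecord) bool { return hmac.Equal(r.Tag, tag(s.key, r.ID, r.Data)) }
func (s *SharedKeyIssuer) KeyOnCard(string) []byte { return s.key }

// CompartmentedIssuer keeps a master key off the cards and derives a distinct
// key for each card from it, so a card carries only its own secret. Checking
// needs the master, so this is an online check made by the issuer.
type CompartmentedIssuer struct{ master []byte }

func NewCompartmentedIssuer() *CompartmentedIssuer { return &CompartmentedIssuer{master: randomKey()} }
func (c *CompartmentedIssuer) cardKey(id string) []byte { return tag(c.master, "card-key", id) }
func (c *CompartmentedIssuer) Issue(id, data string) CardRecord { return CardRecord{id, data, tag(c.cardKey(id), id, data)} }
func (c *CompartmentedIssuer) Check(r CardRecord) bool { return hmac.Equal(r.Tag, tag(c.cardKey(r.ID), r.ID, r.Data)) }
func (c *CompartmentedIssuer) KeyOnCard(id string) []byte { return c.cardKey(id) }

// BlastRadius answers the design question behind the quotation: if the secret
// is extracted from one card, how many of the issued records can be re-tagged
// with altered data and still pass the issuer's check?
func BlastRadius(issuer Issuer, records []CardRecord, compromisedID string) int {
	extracted := issuer.KeyOnCard(compromisedID)
	n := 0
	for _, r := range records {
		altered := r.Data + " [altered]"
		if issuer.Check(CardRecord{r.ID, altered, tag(extracted, r.ID, altered)}) {
			n++
		}
	}
	return n
}

// IssueSample writes four constructed cards with the given issuer.
func IssueSample(issuer Issuer) []CardRecord {
	var out []CardRecord
	for i := 1; i <= 4; i++ {
		out = append(out, issuer.Issue(fmt.Sprintf("GB%06d", i), fmt.Sprintf("holder %d, constructed data", i)))
	}
	return out
}

func main() {
	for _, issuer := range []Issuer{NewSharedKeyIssuer(), NewCompartmentedIssuer()} {
		records := IssueSample(issuer)
		fmt.Printf("%T: key from one card lets %d of %d records be re-tagged\n", issuer, BlastRadius(issuer, records, "GB000002"), len(records))
	}
}
```

With four sample cards the shared-key design reports 4 and the compartmented design reports 1. Note that the compartmented check needs the master key, so it can only be an online check by the issuer, which is in keeping with the argument above that offline checks should be made impossible; a signature-based PKI design goes a step further and removes shared secrets from the reader altogether, since a verifier needs only public keys.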

There is no reassurance on the matter of the availability of the biometric passport and ID card scheme computer systems
CESG's availability principle is concerned with "ensuring information is available when required". The more successful the ID cards scheme is, if it is ever deployed, the more we might depend on it and the more serious it might be if the system failed.

There is no reassurance on this matter in the Home Office's strategic action plan. There needs to be. Computerised systems do fail. BCSL has compiled a list of 11 failures, including particularly relevant cases of fingerprint systems failing in the UK and the US, UK passport systems failing and US identity management systems failing. There is also a worrying example of UK medical systems failing.

... if the government has its way, when the computers fail, the UK payments systems could grind to a halt
What reason is there to believe that the government's identity management schemes will not fail? And what will happen when they do?

These are questions you might expect to see addressed in a document which calls itself "strategic". They are not.

The non-repudiation feature of PKI should be regarded with scepticism
Suppose that ID cards have been introduced. Suppose that you are living on state benefits. Suppose that you go to the Post Office to collect your money, you put your ID card in the reader, enter your PIN and the postmaster says no, sorry, you can't have your money, you have already been paid.

A fraud has been committed against DWP, the Department for Work and Pensions. Someone impersonating you has drawn your money. That is what the conclusion would be, as things stand at the moment. But not if PKI is implemented.

With PKI, you get something called "non-repudiation". CESG's non-repudiation principle requires that "the individual who undertook the transaction cannot subsequently deny it". As a result, the fraud will have been perpetrated against you, not DWP, you cannot repudiate the transaction, the money drawn out has been digitally signed for, apparently using your ID card, you have no recourse.

There could be any number of explanations, involving perhaps a malicious member of staff in the registrar's office at your son's university stealing your ID card details, or a malicious member of staff at IPS supplying your details to a forger, or supplying a copy of your card to an accomplice. All these explanations are irrelevant under PKI. There is nothing to debate. You can try to draw your benefit money next week and start eating again then but this week's money is gone.

That is what "non-repudiation" means and it is surely too extreme. We may want PKI implemented properly in respect of integrity, authentication, availability and confidentiality. We are unlikely to want PKI to include non-repudiation. Why would we pay, and queue up, to transfer the liability for fraud, from others, to ourselves?

Is this just a theoretical matter, the consequence of a mathematical theorem with no relevance outside ivory towers? No. There is a debate in the UK at the moment (January 2007) between the credit card companies and retailers about liability. The credit card companies have been arguing that the PKI link between them and the retailers implies that it is the retailers who should bear the cost of fraudulent card usage, not the banks. Visa are believed to have backed down. MasterCard are still arguing.

Is IPS a trusted third party?

IPS combines three PKI rôles:
  • It is a registration authority: it registers people, i.e. it establishes their identity.
  • It is a certification authority: it issues (material) certificates, i.e. passports now and ID cards, perhaps, in the future.
  • And it is a revocation authority: it is involved in revoking certificates, for example when people die, and in modifying the associated entitlements, for example if a football hooligan is banned from travelling abroad to watch football matches.

Dematerialised ID implies that IPS would make the small move required to issue digital certificates, instead of material ones, and to distribute and revoke them by calling people's mobile phones, rather than using the post. Otherwise their registration, certification and revocation responsibilities under dematerialised ID remain much the same as they have always been.
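To make the three rôles, and the non-repudiation point raised in the previous section, concrete, here is an added Go example (not code from IPS, from the ID cards scheme or from any source quoted on this page) of a minimal certificate hierarchy built with the standard library's x509 package. An authority certifies a subject's public key (registration and certification), the subject's device signs a transaction, a relying party checks the chain, the revocation status and the signature, and the authority later revokes the certificate. All names, the subject and the transaction string are hypothetical. Note what the verifier actually learns: only that the private key matching the certificate signed the transaction. A copy of that key in other hands produces an equally valid signature, which is exactly why the text is wary of non-repudiation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Authority plays the three PKI rôles the text assigns to IPS: registration,
// certification and revocation. Added example with hypothetical names.
type Authority struct {
	key     ed25519.PrivateKey // root signing key, never leaves the authority
	Cert    *x509.Certificate  // self-signed root certificate, published to relying parties
	serial  int64
	revoked map[string]bool // serial numbers withdrawn, e.g. because the holder has died
}

// NewSubjectKey makes the key pair that stays on the subject's own device.
func NewSubjectKey() (ed25519.PublicKey, ed25519.PrivateKey, error) { return ed25519.GenerateKey(rand.Reader) }

// issue signs a certificate template with the parent's key and parses the result.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, priv ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewAuthority creates a self-signed root permitted to sign certificates.
func NewAuthority() (*Authority, error) {
	pub, priv, err := NewSubjectKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root (hypothetical)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return &Authority{key: priv, Cert: cert, serial: 1, revoked: map[string]bool{}}, nil
}

// Register certifies a subject's public key once identity has been established
// out of band (the registration rôle). The private key never passes through it.
func (a *Authority) Register(name string, pub ed25519.PublicKey) (*x509.Certificate, error) {
	a.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(a.serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, a.Cert, pub, a.key)
}

// Revoke withdraws a certificate; Revoked is the online status query a relying
// party makes, which in a dematerialised scheme replaces recalling a card.
func (a *Authority) Revoke(c *x509.Certificate)       { a.revoked[c.SerialNumber.String()] = true }
func (a *Authority) Revoked(c *x509.Certificate) bool { return a.revoked[c.SerialNumber.String()] }

// Sign is what the subject's device does. Anyone holding a copy of the private
// key produces an equally valid signature; the verifier cannot tell them apart.
func Sign(priv ed25519.PrivateKey, tx string) []byte { return ed25519.Sign(priv, []byte(tx)) }

// VerifyTransaction is the relying party's check: chain the certificate to the
// trusted root, ask the authority whether it is revoked, then check the signature.
func VerifyTransaction(ra *Authority, subject *x509.Certificate, tx string, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ra.Cert)
	if _, err := subject.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err
	}
	if ra.Revoked(subject) {
		return errors.New("certificate revoked")
	}
	pub, ok := subject.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, []byte(tx), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() { // demonstration run; errors are ignored here for brevity
	ra, _ := NewAuthority()
	pub, priv, _ := NewSubjectKey()
	cert, _ := ra.Register("Example Citizen (constructed)", pub)
	tx := "benefit payment, week 3 (constructed)"
	sig := Sign(priv, tx)
	fmt.Println("before revocation:", VerifyTransaction(ra, cert, tx, sig))
	ra.Revoke(cert)
	fmt.Println("after revocation:", VerifyTransaction(ra, cert, tx, sig))
}
```

Before revocation VerifyTransaction returns nil; after Revoke it returns an error, and it also rejects a transaction string that differs from the one signed, a signature made under a different key, and a certificate issued by an authority that is not the trusted root. The revocation status is modelled here as an online query to the authority, in line with the argument that checks should be online; a deployed system would publish it as a signed revocation list or status response rather than exposing the authority object to every verifier.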

PKI has been around long enough for there to be standards to measure security assurance – ISO 15408 and FIPS 140, for example. IPS are not a PKI trusted third party ex officio. That status has to be earned in the first place and it requires continued vigilance to retain it.

Our review of the government's implementation of PKI is based on very little information about their intentions. That is hardly surprising. It has taken them years to mention PKI at all and, even now, they have provided very few details as to how identity will be verified and what data will be stored on the ID card.

The results of the review, summarised in the table below, might change when more detail is supplied. But for the moment, they do not point to trusted third party status:

CESG principle of PKI | Desirable from the taxpayers' point of view? | Likely to be implemented by IPS?
Authentication        | Yes                                          |
Confidentiality       | Yes                                          |
Integrity             | Yes                                          |
Availability          | Yes                                          |
Non-repudiation       | No                                           |

All UK central government communications are encrypted and authenticated by PKI. Digital certificates are issued to government departments and individuals in a hierarchical system with the root certificate being managed by GCHQ. GCHQ includes CESG, its information assurance arm, which devises PKIs, advises on their implementation and performs security/information assurance evaluation.

It would be obtuse not to take advantage of GCHQ's experience in the implementation of PKI for biometric passports and ID cards. But the questions raised in this section about authentication, confidentiality, integrity and availability suggest that GCHQ cannot have been involved.

The question arises, therefore, whether IPS will submit to inspection, to measure its level of security assurance. If it will, it may learn something about best practice. And it would contribute to the sense of trust that people have in its operations.

... will we see the development of a two-tier system of identity – public sector and private sector?
Suppose that IPS will not submit to inspection. And suppose that a number of private sector authorities will. Some banks, perhaps, some insurance companies and some mobile phone companies. Then their certificates could come to be seen as more trustworthy than IPS's. We could then see the development of public sector v. private sector identity, a two-tier system, like public sector and private sector health and education.

© 2002-2011 Business Consultancy Services Ltd
on behalf of Dematerialised ID Ltd