Want CNET to notify you of price drops and the latest stories?

Technology alarmism in spades

ID management expert Phil Libin says critics of a government security card program miss the point.

4 min read
The Electronic Privacy Information Center recently issued a scathing analysis of the Department of Homeland Security's upcoming Access Card program.

Such watchdog organizations are vitally important for making sure that the secure-identity programs now emerging from many governments are ones we can all live with. I am staunchly in favor of holding every government security program to unyielding standards of efficiency, effectiveness and privacy.

Conversely, I am staunchly in disfavor of alarmist, pudding-headed and just plain wrong writing on the topic. Unfortunately this particular EPIC report stands proudly in the latter camp.

EPIC focuses on four specific technologies for criticism: radio frequency identification technology, Bluetooth wireless, biometrics and PIN backup. It gets all four humorously wrong.

Much of the text deals with RFID and Bluetooth. The criticism, in a nutshell, is that both RFID and Bluetooth can be remotely intercepted by unauthorized readers, posing both privacy ("Hey--that guy's an American, let's sell him something!") and security ("No, let's kidnap him!") problems.

Indeed, an ID card that uses RFID and Bluetooth is a really bad idea. Fortunately, the Access Card program, or DAC, is not such a card.

What the report doesn't bother to explain is that the DAC uses a one-to-one match system with a locally stored biometric.

Instead of RFID, the DAC uses a standard called ISO/14443 for wireless communication between the card and reader. RFID and ISO/14443 are totally distinct technologies, and ISO/14443 is much harder to snoop. RFID is unencrypted and meant for inventory scanning at a distance of several feet. ISO/14443 is usually encrypted and has a read range of a few inches or less.

There are certainly vulnerabilities in ISO/14443, but they are much less severe than the ones in RFID, and it's either lazy or dishonest to conflate the two. The real long-term solution is to move to contactless cards with strong cryptography. These are already available in the market and will replace the current generation of ISO/14443 cards over the next few years.

EPIC has confused RFID and ISO/14443; that's annoying but perhaps forgivable. What about Bluetooth problems? Crazy talk. The DAC does not use Bluetooth. The DAC does not use anything remotely resembling Bluetooth. As far as I know, no ID card uses Bluetooth, because it is neither possible nor desirable to put a protocol designed to let cell phones talk to PCs and peripherals onto a passively powered card. Bluetooth and access cards are completely orthogonal--like life insurance and whales.

Wading into biometrics, the criticism becomes less surreal but no more valid. EPIC rehashes the standard argument that fingerprint biometrics let in too many bad guys and keep too many good guys

out. What the report doesn't bother to explain is that the DAC uses a one-to-one match system with a locally stored biometric. Every time you scan your finger, the system only tries to match it to the already enrolled fingerprint securely stored on your card.

Such systems can be configured to have negligibly small rates of false positives at the cost of moderately high false negatives. Basically, this means that it's virtually impossible for an unauthorized user to get in, but authorized users will occasionally get their scan rejected.

What do you do if your scan gets rejected? Don't panic! Just swipe your finger again. Even assuming a high false-negative rate of 5 percent, you'll only have to swipe your finger more than twice 0.25 percent of the time.

Unlike with passwords (which may be guessed with repeated attempts), there's usually no reason to prevent multiple attempts. In the movies, one bad scan usually results in machine gun fire or electric shock, but DHS vendor guidelines frown on such implementations.

After muddling through biometric accuracy rates, EPIC brings out another classic quasi-conundrum: If a biometric is stolen (and what does this even mean?), how can you revoke it, since the legitimate user still has the same fingerprint? I've heard this argument many times and it's usually intoned with Zen-like ("What's the sound of one hand clapping?") profundity.

The question has been answered many times: You revoke the card that the fingerprint is associated with. With a revoked card, the fingerprint is useless and can safely be enrolled onto a newly issued card.

The argument is valid against programs that use a biometric not associated with a physical card, but meaningless here.

There's also confusion in the EPIC report about PINs, which are referred to as a dangerous back door instead of just another authentication choice for system implementers. But by this time it's hard to take any of the analysis seriously.

The report's conclusion is worth quoting: "In the fall, hundreds of thousands of personnel will have access cards equipped with personal information, biometric and wireless technologies, and the security risks associated with their use."

Exactly. I bet a serious look at those risks would make for good reading.