41. Memorandum submitted by
SiVenture
SUMMARY
This paper:
provides a description of the company
making the submission, its background, experience and areas of
expertise;
sets out an outline of the key issues
that are often overlooked when designing, implementing, managing
and maintaining such systems as proposed for the identity cards;
outlines an approach to managing
risks in the above phases of the program;
summarises the benefits of such an
approach
and makes the following recommendation:
Security sensitive implementations require:
Good security infrastructure design
included from the outset: prevention, detection, recovery.
A rigorous implementation, test and
evaluation process: security, integrity, quality.
The use of external and experienced
evaluators: independent, with broad and deep experience.
An ongoing monitoring, research and
review process to facilitate the management of risks: security
future-proofing.
In order to allay the fears of citizens it is
critical to establish appropriate rigour into the design, development
and test regime. We recommend that the proposed approach to risk
management of the development at the chip level be incorporated
as part of the overall approach that Government employs to manage
the risk of implementing ID Cards.
INQUIRY INTO IDENTITY CARDS
1. INTRODUCTION
SiVenture is a group of seven experienced individuals
providing consulting services to the smart card industry with
a range of expert skills, built up over many years within a commercial
environment, including smart card chip hardware and software security
analysis, crypto analysis and smart card system security. The
team has a significant knowledge and understanding of the chip
technology marketplace and the evaluation of security sensitive
applications and hardware devices, and has provided consultancy
on smart card security to UK Government.
Based in the UK, the SiVenture Laboratories
also offer a range of security, fault and quality analysis services
for all chip types. Equipment includes a comprehensive set of
tools for preparing, de-processing, probing and modifying samples.
This includes a wide range of microscopy (optical, focused
ion beam, scanning electron and atomic force) and comprehensive
electronic measurement and signal analysis tool-sets.
SiVenture undertakes formal chip security evaluations
under Common Criteria working in conjunction with the UK certification
body CESG/GCHQ. SiVenture is pursuing accreditation as a hardware
Commercial Evaluation Facility (CLEF).
SiVenture is a division of NDS Group plc (a
News Corporation company), a leading provider of technology solutions
for digital pay-TV.
2. NATIONAL ID
CARD SCHEME
2.1 Objectives and outline
We note the basic objectives and outline of
the core technology encapsulated within statements from the Home
Secretary:
Boost the fight against illegal working.
Tackle immigration abuse.
Disrupt the use of false and multiple
identities by terrorists and organised crime groups.
Ensure free public services are only
used by those so entitled.
Help protect people from identity
theft.
The cards are likely to carry basic details
on their face (name, age, validity dates, nationality, right to
work and a unique number). A secure chip will additionally contain
a unique personal biometric identifier. Cards will be linked to
a national secure database containing the data from the card and
be able to use the biometric data to confirm identity, preventing
multiple card applications.
2.2 Observations on security
IT security in all its forms has always
been important to government. However, the increasing use of computing
devices in all areas of life has made a focus on security increasingly
important for most organisations and companies working with IT.
Security now includes areas of protection such as the following:
Protection of confidential data (eg
national security).
Protection of valuable content (eg
financial payments, film/video, games, music, news feeds).
Protection of customer and end-user
data (eg citizen and Government data).
This means that security is important in all
areas of government activity, whether it is the design of
a service or the security of the nation itself. Increasingly
large amounts of personal and government data are available, potentially
from great distances with little apparent risk of being caught,
and thus present attractive targets to attackers.
Organisations now need to address security,
or else risk suffering the effects of security breaches in terms
of:
Disruption to operations: a security
exposure can force legitimate activity to stop (eg web sites have
had to be taken down to recover from defacement, or because
insecure configurations allowed citizen or government data
to be accessed).
Reputation damage: security
incidents can cause loss of confidence in a service, and in an
increasingly brand-driven market, this may have further effects
on Government and the ruling party. This is especially true of
the government sector, where the relationship with citizens depends
critically on trust.
Financial costs: these can include
loss of revenue (eg missing revenues and misplaced benefit payments)
as well as the costs of recovering from a security incident (including
public relations and senior management activity, as well as service
changes). In some cases there may be compensation to be paid to
citizens.
To address these risks requires high-level management
involvement, leading to a central security policy to address internal
security issues (such as protection of government and citizen
data). However, it also needs a high level of security awareness
in the design of services. It is well-known that security cannot
usually be successfully added to a service; it must be designed
in from the beginning. But security also needs ongoing review
against changing threats; this is particularly important
for smart cards, where recent history shows that not only new
attacks but new types of attack can emerge (which therefore cannot
have been considered during system design and development). Security
is not simply about encrypting data, or providing the right functions
in a product. It is about ensuring that the total design of a
product is secure. This means analysing all the parts of a system,
as well as considering a complete range of attacks. It also means
providing "defence in depth" by having multiple security
measures to protect assets; a single security measure is
too likely to be defeated by some combination of luck, time, or
resources. And security is also an ongoing process: monitoring,
maintaining, and retaining the ability to improve security in the future.
For Government, security is critical across
many areas of its activities. Government must ensure that it is
able to control its security planning and risk management given
the critical nature of the data at risk and the overall issues
of national security.
If we look at other sectors and consider the
case of a financial card issuer and financial services provider,
the trust relationship with customers is critical. Banks have
long understood this, and hence have traditionally placed high
security requirements on their systems. Financial assets are very
attractive to attackers, and they have a high motivation to attack.
The high potential gain means that sophisticated, organised techniques
will be applied, even if these require a high level of investment.
Examples of this sophistication and organisation can be seen in
other high-return criminal fields including art-theft, illegal
drug sale, forgery, high-value fraud and embezzlement, and magnetic
stripe card forgery.
The reputation of a financial issuer will be
related to the perception of its security. This may not be the
same as the actual degree of security, because customers cannot
always understand the detailed differences between potential security
weaknesses and the ability to exploit them. For example, there
have been a number of examples where theoretical weaknesses have
been demonstrated in smart cards, and the result has been a general
perception of low security in all actual smart cards. In the UK,
such results have led to adverse headlines in national newspapers.
In a market with many competitors for customers to choose from,
reputation is vitally important.
Financial organisations place strong requirements
on the way products that carry their brands need to be protected
and evaluated. For smart cards, this includes a high level of
technical review and testing.
Albeit different in what the technology delivers,
the concerns of Government should be no less: citizen confidence,
national security, financial impact. This means retaining control
over risk management, which requires that Government deals with the complete
risk picture and is able to balance the cost of each vulnerability
against the cost of its countermeasures.
The adoption of new security architectures and
techniques can allow further evolution of delivery and operational
models: ID cards, passports, access to Government services.
Whilst the overall security architecture is
critical in terms of ensuring the integrity of the system, there
is one major component that can be overlooked in terms of building
the overall system: the smart card and its chip. We have
previously supplied a paper on smart card lifecycle security issues
for UK Government use (see http://www.govtalk.gov.uk/documents/SmCLifecycle_v1-0_AB.doc),
which more fully describes some of the concerns.
3. THE SMART
CARD CHIP
3.1 An approach to risk management at the
chip level
The individuals at SiVenture have extensive
experience of developing and implementing on-chip system software
and understand the roles to be played by the hardware, the operating
system software and the application software.
Now, as consultants and evaluators, we have
witnessed how well-designed chip hardware can be undermined by
poorly designed and implemented operating system software. In
turn, a well-designed and well-implemented platform (hardware and operating
system software) can be rendered vulnerable by poor
or careless application design and implementation.
Careful and thorough design, implementation
and testing (both functional and security) of the smart card is
critical to the integrity and security of the overall system.
The smart card can be an easy target for the
attacker. It is issued in millions and into a hostile and unprotected
environment. From the attacker's perspective, there will be plenty
of samples available upon which to experiment with a range of
attacks and time in which to carry out the experiments. Vulnerabilities
at the card level might lead to a breakdown of the entire system.
These types of development risks can be managed
through the employment of a thorough test regime involving independent
and experienced analysts involved in an on-going program of security
testing and risk evaluation. A strong requirement for this type
of evaluation (probably based on existing standard approaches
used in the UK, such as Common Criteria (ISO 15408) evaluation)
has not been clearly visible in the public framing of the identity
card scheme to date. However, we believe it is vital that this
approach is established at the highest level of requirement and
project oversight, in order to allay some of the frequently cited
fears over the security of the smart card itself and of its associated
systems (eg a database of cardholder information, or systems giving
access to services or data on presentation of the card).
Since smart cards with more advanced security
features generally increase the cost of the scheme, it becomes
even more important to ensure that there is a standardised approach
to security that will allow competition and multiple sources of
supply of the cards whilst still achieving confidence that all
cards meet a baseline security requirement.
The testing and risk management must assess
the impact of new threats and attacks on the existing card population,
and should ensure that there is a suitable level of research to
pre-empt new attack methods.
The countermeasures and risk management regime
should also ensure that there are measures in place to detect
successful forgeries of cards, whether the forged card is encountered
in physical form or is represented only by messages claiming to be
from the chip (for example, responses captured from a genuine card and
replayed by a device that does not hold the card's keys).
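As an added illustration of that last point, and not code from the memorandum or from SiVenture, the following Python sketch shows the minimum a verifier needs in order to tell a live chip from replayed messages: a fresh challenge per transaction, a response keyed to the individual card, and a constant-time comparison. It assumes a symmetric scheme in which each card holds a key diversified from a master key; the master key, card identifiers and the `diversify_key` construction are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed placeholder master key for this example only. A deployed scheme
# would keep such a key in an HSM, or avoid it entirely by using asymmetric
# chip authentication (see the note below).
MASTER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def diversify_key(card_id: bytes) -> bytes:
    """Derive a per-card key from the master key (assumed diversification scheme)."""
    return hmac.new(MASTER_KEY, b"card-auth/" + card_id, hashlib.sha256).digest()


class GenuineChip:
    """A chip personalised with its own diversified key; the key never leaves it."""

    def __init__(self, card_id: bytes) -> None:
        self.card_id = card_id
        self._key = diversify_key(card_id)

    def respond(self, nonce: bytes) -> bytes:
        # The response binds the card identity to the verifier's fresh challenge.
        return hmac.new(self._key, self.card_id + nonce, hashlib.sha256).digest()


class ReplayingForgery:
    """A 'card' that holds only messages captured from one genuine transaction."""

    def __init__(self, card_id: bytes, captured_response: bytes) -> None:
        self.card_id = card_id
        self._captured = captured_response

    def respond(self, nonce: bytes) -> bytes:
        # Without the key it cannot answer a new challenge, so it replays the old answer.
        return self._captured


class Verifier:
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh, unpredictable, per transaction

    def verify(self, card_id: bytes, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(diversify_key(card_id), card_id + nonce,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def authenticate(verifier: Verifier, card, card_id: bytes) -> bool:
    """Run one challenge-response transaction against whatever presents itself."""
    nonce = verifier.challenge()
    return verifier.verify(card_id, nonce, card.respond(nonce))


def demo() -> tuple:
    """Returns (genuine_accepted, replay_accepted, wrong_identity_accepted)."""
    verifier = Verifier()
    card_id = b"UK-ID-0000001"  # constructed sample identifier
    chip = GenuineChip(card_id)

    genuine_ok = authenticate(verifier, chip, card_id)

    # An eavesdropper records one genuine exchange and builds a replaying clone.
    old_nonce = verifier.challenge()
    captured = chip.respond(old_nonce)
    clone = ReplayingForgery(card_id, captured)
    replay_ok = authenticate(verifier, clone, card_id)

    # A genuine chip presented under a different card's identity.
    wrong_id_ok = authenticate(verifier, chip, b"UK-ID-0000002")

    return genuine_ok, replay_ok, wrong_id_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Two caveats a practitioner would raise. First, with symmetric diversified keys every verifier that holds `MASTER_KEY` can itself forge responses, so the population of verifiers becomes part of the attack surface; asymmetric chip authentication (a private key on the chip, only a public key or certificate at the verifier) removes that exposure. Second, chip authentication alone cannot catch a physically cloned chip that does hold the key; detecting that relies on the back-end checks the memorandum mentions, such as the same card identity appearing in places or at rates that no single card could produce.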
3.2 The Benefits
By adopting this risk management approach the
Government will:
Obtain an independent, industry view
of the strengths and weaknesses of smart card chip hardware and
crypto design through the use of innovative analysis techniques
in addition to the known methods.
Benefit from the specific research
and development into emerging attack techniques that might leave
hitherto strong, well-defended chips open to new forms of attack.
Receive an independent, objective
assessment that combines developer knowledge with the "attacker"
mindset, qualities that are not commonly found together within manufacturers.
The analysis can be undertaken completely independently of the
original architects, designers and developers, thereby providing
Government with the comprehensive assurance needed.
3.3 Recommendation
Security sensitive implementations require:
Good security infrastructure design
included from the outset: prevention, detection, recovery.
A rigorous implementation, test and
evaluation process: security, integrity, quality.
The use of external and experienced
evaluators: independent, with broad and deep experience.
An ongoing monitoring, research and
review process to facilitate the management of risks: security
future-proofing.
In order to allay the fears of citizens it is
critical to establish appropriate rigour into the design, development
and test regime. We recommend that the proposed approach to risk
management of the development at the chip level be incorporated
as part of the overall approach that Government employs to manage
the risk of implementing ID Cards.
January 2004