Select Committee on Home Affairs Written Evidence


41.  Memorandum submitted by SiVenture

SUMMARY

  This paper:

    —  provides a description of the company making the submission, its background, experience and areas of expertise;

    —  sets out an outline of the key issues that are often overlooked when designing, implementing, managing and maintaining systems such as those proposed for the identity card scheme;

    —  outlines an approach to managing risks in the above phases of the program;

    —  summarises the benefits of such an approach;

  and makes the following recommendation:

  Security sensitive implementations require:

    —  Good security infrastructure design included from the outset—prevention, detection, recovery.

    —  A rigorous implementation, test and evaluation process—security, integrity, quality.

    —  The use of external and experienced evaluators—independent with broad and deep experience.

    —  An ongoing monitoring, research and review process to facilitate the management of risks—security future proofing.

  In order to allay the fears of citizens it is critical to establish appropriate rigour into the design, development and test regime. We recommend that the proposed approach to risk management of the development at the chip level be incorporated as part of the overall approach that Government employs to manage the risk of implementing ID Cards.

INQUIRY INTO IDENTITY CARDS

1.  INTRODUCTION

  SiVenture is a group of seven experienced individuals providing consulting services to the smart card industry with a range of expert skills, built up over many years within a commercial environment, including smart card chip hardware and software security analysis, cryptanalysis and smart card system security. The team has significant knowledge and understanding of the chip technology marketplace and of the evaluation of security sensitive applications and hardware devices, and has provided consultancy on smart card security to UK Government.

  Based in the UK, the SiVenture Laboratories also offer a range of security, fault and quality analysis services for all chip types. Equipment includes a comprehensive set of tools for preparing, de-processing, probing and modifying samples. This includes a wide range of microscopy—optical, focused ion beam, scanning electron and atomic force, and comprehensive electronic measurement and signal analysis tool-sets.

  SiVenture undertakes formal chip security evaluations under Common Criteria, working in conjunction with the UK certification body CESG/GCHQ. SiVenture is pursuing accreditation as a Commercial Licensed Evaluation Facility (CLEF) for hardware evaluation.

  SiVenture is a division of NDS Group plc (a News Corporation company), a leading provider of technology solutions for digital pay-TV.

2.  NATIONAL ID CARD SCHEME

2.1  Objectives and outline

  We note the basic objectives and outline of the core technology encapsulated within statements from the Home Secretary:

    —  Boost the fight against illegal working.

    —  Tackle immigration abuse.

    —  Disrupt the use of false and multiple identities by terrorists and organised crime groups.

    —  Ensure free public services are only used by those so entitled.

    —  Help protect people from identity theft.

  The cards are likely to carry basic details on their face (name, age, validity dates, nationality, right to work and a unique number). A secure chip will additionally contain a unique personal biometric identifier. Cards will be linked to a national secure database containing the data from the card, which will be able to use the biometric data to confirm identity and so prevent multiple card applications.

2.2  Observations on security

  IT security in all its forms has always been important to government. However, the increasing use of computing devices in all areas of life has made a focus on security increasingly important for most organisations and companies working with IT. Security now includes areas of protection such as the following:

    —  Protection of confidential data (eg national security).

    —  Protection of valuable content (eg financial payments, film/video, games, music, news feeds).

    —  Protection of customer and end-user data (eg citizen and Government data).

  This means that security is important in all areas of government activity—whether it is the design of the service or the security of the nation itself. Increasingly large amounts of personal and government data are available, potentially from great distances with little apparent risk of being caught, and thus present attractive targets to attackers.

  Organisations now need to address security, or else risk suffering the effects of security breaches in terms of:

    —  Disruption to operations—security exposure can force legitimate activity to stop (eg web sites have had to be closed to recover from defacing of the web site, and insecure configurations that allow citizen or government data to be accessed).

    —  Reputation damage—security incidents can cause loss of confidence in a service, and in an increasingly brand-driven market, this may have further effects on Government and the ruling party. This is especially true of the government sector, where the relationship with citizens depends critically on trust.

    —  Financial costs—this can include loss of revenue (eg missing revenues and misplaced benefit payments) as well as the costs of recovering from a security incident (including public relations and senior management activity, as well as service changes). In some cases there may be compensation to be paid to citizens.

  To address these risks requires high-level management involvement, leading to a central security policy that addresses internal security issues (such as protection of government and citizen data). However, it also needs a high level of security awareness in the design of services. It is well known that security cannot usually be successfully added to a service after the fact; it must be designed in from the beginning. Security also needs ongoing review against changing threats. This is particularly important for smart cards, where recent history shows that not only new attacks but new types of attack can emerge, which by definition were not considered during system design and development.

  Security is not simply about encrypting data, or providing the right functions in a product. It is about ensuring that the total design of a product is secure. This means analysing all the parts of a system, as well as considering a complete range of attacks. It also means providing "defence in depth" by having multiple security measures to protect each asset, since a single security measure is too likely to be defeated by some combination of luck, time or resources. Finally, security is an ongoing process: the system must be monitored and maintained, and it must retain the ability to improve its security in the future.

  For Government, security is critical across many areas of its activities. Government must ensure that it is able to control its security planning and risk management given the critical nature of the data at risk and the overall issues of national security.

  If we look at other sectors and consider the case of a financial card issuer and financial services provider, the trust relationship with customers is critical. Banks have long understood this, and hence have traditionally placed high security requirements on their systems. Financial assets are very attractive to attackers, and they have a high motivation to attack. The high potential gain means that sophisticated, organised techniques will be applied, even if these require a high level of investment. Examples of this sophistication and organisation can be seen in other high-return criminal fields including art-theft, illegal drug sale, forgery, high-value fraud and embezzlement, and magnetic stripe card forgery.

  The reputation of a financial issuer will be related to the perception of its security. This may not be the same as the actual degree of security, because customers cannot always understand the difference between a potential security weakness and the practical ability to exploit it. For example, there have been a number of cases in which theoretical weaknesses have been demonstrated in smart cards, and the result has been a general perception of low security in all smart cards actually in use. In the UK, such results have led to adverse headlines in national newspapers. In a market with many competitors for customers to choose from, reputation is vitally important.

  Financial organisations place strong requirements on the way products that carry their brands need to be protected and evaluated. For smart cards, this includes a high level of technical review and testing.

  Although the technology delivers something different, the concerns of Government should be no less—citizen confidence, national security, financial impact. This means having control over risk management, which in turn requires that Government deals with the complete risk picture and is able to balance the cost of each vulnerability against the cost of its countermeasures.

  The adoption of new security architectures and techniques can allow further evolution of delivery and operational models—ID cards, passports, access to Government services.

  Whilst the overall security architecture is critical in terms of ensuring the integrity of the system, there is one major component that can be overlooked in terms of building the overall system—the smart card and its chip. We have previously supplied a paper on smart card lifecycle security issues for UK Government use (see http://www.govtalk.gov.uk/documents/SmCLifecycle_v1-0_AB.doc), which more fully describes some of the concerns.

3.  THE SMART CARD CHIP

3.1  An approach to risk management at the chip level

  The individuals at SiVenture have extensive experience of developing and implementing on-chip system software and understand the roles to be played by the hardware, the operating system software and the application software.

  Now, as consultants and evaluators, we have witnessed how well designed chip hardware can be undermined by poorly designed and implemented operating system software. In turn, a well designed and implemented platform (hardware and operating system software) can be rendered vulnerable by poor or careless application design and implementation.

  Careful and thorough design, implementation and testing (both functional and security) of the smart card is critical to the integrity and security of the overall system.

  The smart card can be an easy target for the attacker. It is issued in millions and into a hostile and unprotected environment. From the attacker's perspective, there will be plenty of samples available upon which to experiment with a range of attacks and time in which to carry out the experiments. Vulnerabilities at the card level might lead to a breakdown of the entire system.

  These types of development risk can be managed through a thorough test regime involving independent and experienced analysts in an ongoing programme of security testing and risk evaluation. A strong requirement for this type of evaluation (probably based on existing standard approaches used in the UK, such as Common Criteria (ISO/IEC 15408) evaluation) has not been clearly visible in the public framing of the identity card scheme to date. However, we believe it is vital that this approach is established at the highest level of requirement and project oversight, in order to allay some of the frequently cited fears over the security of the smart card itself and of its associated systems (eg a database of cardholder information, or systems giving access to services or data on presentation of the card).

  Since smart cards with more advanced security features generally increase the cost of the scheme, it becomes even more important to ensure that there is a standardised approach to security that will allow competition and multiple sources of supply of the cards whilst still achieving confidence that all cards meet a baseline security requirement.

  The testing and risk management must assess the impact of new threats and attacks on the existing card population, and should ensure that there is a suitable level of research to pre-empt new attack methods.

  The countermeasures and risk management regime should also ensure that there are measures in place to detect successful forgeries of cards, whether the forged card is encountered in physical form or represented only by messages claiming to be from the chip.

3.2  The Benefits

  By adopting this risk management approach the Government will:

    —  Obtain an independent, industry view of the strengths and weaknesses of smart card chip hardware and crypto design through the use of innovative analysis techniques in addition to the known methods.

    —  Benefit from the specific research and development into emerging attack techniques that might leave hitherto strong, well-defended chips open to new forms of attack.

    —  Receive an independent, objective assessment that combines both developer knowledge and the "attacker" mindset, qualities that are not commonly found together within manufacturers. The analysis can be undertaken completely independently of the original architects, designers and developers, thereby providing Government with the comprehensive assurance needed.

3.3  Recommendation

  Security sensitive implementations require:

    —  Good security infrastructure design included from the outset—prevention, detection, recovery.

    —  A rigorous implementation, test and evaluation process—security, integrity, quality.

    —  The use of external and experienced evaluators—independent with broad and deep experience.

    —  An ongoing monitoring, research and review process to facilitate the management of risks—security future proofing.

  In order to allay the fears of citizens it is critical to establish appropriate rigour into the design, development and test regime. We recommend that the proposed approach to risk management of the development at the chip level be incorporated as part of the overall approach that Government employs to manage the risk of implementing ID Cards.

January 2004


© Parliamentary copyright 2004
Prepared 30 July 2004