Smart Card Alliance says 2d barcode in proposed REAL ID driver license isn’t secure
08 May, 2007
category: Biometrics, Government
The Department of Homeland Security’s Real ID compliance recommendations, already under fire from so-called privacy entities, has received another hit, this one from the Smart Card Alliance, which says that the recommended 2D barcode technology that would be used in state-issued driver licenses isn’t secure enough.
Same Level of Security, Privacy and Authentication Found in Smart Card Technology Used in Other Federal ID Applications Required at State Level
PRINCETON JUNCTION, NJ – The Department of Homeland Security (DHS) should not rely on static 2D barcode technology to store citizens’ personal information on REAL ID driver’s licenses or identification cards due to its inherent security drawbacks, according to the Smart Card Alliance’s comments in response to the DHS Notice of Proposed Rulemaking on minimum standards for REAL ID cards.
Instead, the Alliance strongly recommends that DHS raise the security level for state-issued driving credentials to equal that which has been mandated in other federal programs, namely by using smart card technology. Smart cards represent a much more secure platform for preventing forgery, cloning, counterfeiting and theft or alteration of personal data stored on REAL ID cards, tactics which are far easier to employ against barcode-based systems.
The Alliance also notes that REAL ID credentials will become high-profile targets for identity thieves and fraudsters, since they will be used to establish identity, the right to drive and the right to travel. These factors make it all the more crucial that DHS get the choice of protective technology for REAL ID documents right.
“Smart card technology has been proven time and again in many federal identity management applications, including DHS’ own Transportation Worker Identification Credential and First Responder Authentication Credential programs, as well as the Transportation Security Administration Registered Traveler program, the Department of Defense Common Access Card program, the State Department ePassport program and the HSPD-12 government-wide ID program, all of which have provided enhanced security, privacy and user authentication,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “The proposed use of 2D barcode for REAL ID credentials would, in our view, represent a serious flaw in the security design of the identity system by opening the door to ID counterfeiting and other forms of fraud.”
According to the Alliance, the static nature of 2D barcode allows printed media to be copied and disassociated from the original ID and its bearer, enabling misuse of the information. By contrast, a smart card’s microcontroller chip cannot be altered or tampered with, and it incorporates numerous cryptographic features that enable reliable, strong authentication.
The response statement also notes that the proposed barcode technology cannot secure the information stored in the REAL ID document’s machine-readable zone. Thus, required personal information – including address, date of birth, eye color, height and gender – could be vulnerable to access by unauthorized users. Encryption of information in the printed bar code will not alleviate this vulnerability, as the information is static and therefore susceptible to a brute force attack.
Smart cards, on the other hand, support:
– The encryption of sensitive data, both on the credential and during communications with an external reader;
– Digital signatures which can be used to ensure data integrity;
– Multiple digital signatures which are required if different authorities create data stored on the card;
– Advanced security technologies such as public key cryptography and biometrics.
Lastly, the Alliance’s response statement notes that the proposed use of 2D barcode for REAL ID driver’s licenses and identification cards runs counter to federal and international standards for identity credentials that call for strong document security and protection of citizen privacy. The Federal Information Processing Standard 201 (FIPS 201) for federal Personal Identity Verification (PIV) credentials and the International Civil Aviation Organization (ICAO) standard 9303 for machine-readable travel documents both call for storing identity data on a smart card chip, with the data digitally signed by the issuing authority. Smart card technology provides a significant, verifiable deterrent to forgery and alteration and enables strong authentication of the identity document holder.
Smart Card Alliance’s REAL ID Position Backed by Industry Leaders
“CoreStreet supports the Smart Card Alliance’s position that chip-based smart cards are the best available technology to ensure that the stated goals of REAL ID are met. Simply put, the purpose of this response is to provide guidance in creating the best, most secure, most usable ID system possible. It is critical that policymakers understand the weaknesses of the current proposal and move toward a technology that solves today’s security shortcomings while addressing the needs of tomorrow. We applaud the Alliance for its leadership in developing this response.” Sal D’Agostino, executive vice president of sales for CoreStreet
“The REAL ID Act presents an opportunity to significantly raise the bar in authenticating citizens’ identities. Regrettably, DHS’ proposal does not embrace widely deployed, proven smart card technology, instead proposing outdated, low-security static printed barcodes. Smart cards bring sophisticated security features that protect privacy and ensure only authorized access to the credential. Since significant taxpayers’ dollars will be invested in this program, we should use the best, most cost-effective security technology to authenticate our citizens in today’s digital age.” Neville Pattinson, vice president of government affairs and standards, Gemalto North America, and chairman of the Alliance’s Identity Council
“We support the aims of DHS’ proposed rulemaking and believe its privacy objectives can best be met by implementing smart card technology, which will minimize any unwanted exposure of personal information. We agree with the agency’s own privacy impact assessment of the NPRM that encryption will help mitigate most privacy risks, and we fully support the Smart Card Alliance’s recommendation of smart cards as the best means to guard the privacy of all REAL ID cardholders.” Kathleen Carroll, director of government relations for HID Global
“It’s an incredible opportunity for the Department of Homeland Security to set standards for the REAL ID credential that dramatically improve security, protect citizen privacy and provide a framework for additional ID functionality to be leveraged for other applications in this information age. Unfortunately, it appears DHS has missed this opportunity by specifying 2D barcode, an antiquated machine-readable technology. We urge DHS to reconsider its decision and include secure smart card technology in its final rulemaking.” Tres Wiley, director of eDocuments for Texas Instruments Inc., and secretary of the Alliance’s Identity Council
“For several decades, we have continued to do business as if we all still know each other and can trust that we are who we and our laminated bits of paper say we are. REAL ID is not about catching terrorists, it’s about protecting our own citizens. It’s time to fix our ID documents to meet the needs of our citizens and the states. We need to give them the tools to fight identity theft by terrorists or anyone else. It’s time we moved to strong ID documents using smart card technology.” Stephen Howard, vice president of business development for identity management at Thales e-Security, and vice chair of the Alliance’s Identity Council
For more alliance information, visit www.smartcardalliance.org.
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.