Smart Card Alliance Smart Card Talk
June 2007 • Volume 12 Number 6

 

 

 

 

 

 

Feature of the Month

REAL IDs ≠ Secure Credentials

Governments around the world are implementing new identity credentialing programs to improve the accuracy of identity verification for a wide variety of applications.  These programs are leveraging numerous advances in both chip and security technologies to create secure identity credentials -- credentials that implement security techniques, such as mutual authentication, cryptography and verification of message integrity, to protect identity information throughout the application and, by design, protect the privacy of the credential holder.

A widespread trend, cutting across all applications and all continents, is the increasing use of microcontroller-based smart card technology for secure identity credentials.  Smart card technology makes credentials more secure, better protects identities and privacy, ties the credential more tightly to its owner and enables credentials to work with information systems and networks.

At odds with these other identity initiatives, the U.S. Department of Homeland Security (DHS) has proposed technology for REAL ID driver's licenses that will not result in secure credentials for U.S. citizens.  Once implemented by states, REAL ID credentials will become high-profile targets for identity thieves and fraudsters, since they will be used to establish identity, the right to drive and the right to travel.  These factors make it all the more crucial that REAL ID credentials be implemented with technology that protects both the information stored on the credential and the privacy of U.S. citizens.

So what's wrong with the REAL ID technology selection?

Weak Document Security

The DHS Notice of Proposed Rulemaking, "Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes," published earlier this year for comment, recommends the use of printed security features and PDF-417 2-dimensional (2D) bar codes to provide electronically readable features to enable automated scanning, verification and privilege decisions.  This fails to recognize the weaknesses of relying solely on static physical card features and their inability to deter fraud and counterfeiting. 

The REAL ID Act of 2005 requires a machine-readable technology (MRT) to be incorporated on the REAL ID driver's license or identification card to provide automated reading of some data elements of a REAL ID driver's license or identification card for law enforcement purposes.  By using PDF-417 2D bar codes with static codes printed on the surface of a plastic card, REAL ID documents would have a number of critical vulnerabilities:

  • Once obtained, the PDF-417 2D bar code can be readily photocopied, duplicated, collected and distributed.

  • The PDF-417 2D bar code can be substituted on a REAL ID driver's license or identification card with little difficulty by overlaying a replacement bar code over the original.  If this substitution goes undetected, any machine read will produce information that does not correspond to the visual information and may result in incorrect authentication checks or issuance of incorrect renewed licenses.

  • Any encryption used to scramble the data contained in the printed bar code is subject to a brute force attack.  This means that interested parties or hackers can try extensive methods to decrypt the information at their leisure once the bar code has been obtained.  Any use of a common cryptographic key to perform encryption across REAL ID documents will quickly be discovered, rendering the encryption of the 2D bar code ineffective for the life of all of the credentials.

Lack of Information Security and Privacy-Protection

The privacy of a citizen’s personal information endures only as long as security protections are in place to prevent access to, or tampering with, that information.

The use of a PDF-417 2D bar code, which can be read by a standard 2D bar code scanner, allows access to all of the personal information encoded in the machine-readable zone (MRZ) of the REAL ID driver's license or identification card.

That personal information will include (as noted in the 2005 AAMVA Driver’s License/Identification Card Design Specifications for mandatory data elements) name, address, date of birth, eye color, height, and sex.  Anyone reading the MRT will have access to all of this personal information, even if they are only looking for proof of age.  In addition, the AAMVA specifications allow for optional data elements in the MRZ, including weight and ethnicity.

The AAMVA standard also requires “that all of the data on the 2D bar code be unencrypted.”  As 2D bar codes are a static visible technology, the personal information of the card holder is vulnerable to skimming or substitution by unauthorized users.  Encryption of the printed bar code will not alleviate this vulnerability as the information is static and therefore susceptible to a brute force attack. 

Lack of Consideration for Existing Secure Credentials Standards

National and international standards are available that enable selection of appropriate, secure smart card technologies that protect the privacy of citizens and support security of their information and access to that information for appropriate uses.  International standards for driver's licenses (ISO/IEC 18013), travel documents (ICAO 9303 for machine-readable travel documents) and Federal identification (FIPS 201) are all available and being used in identity programs.

These standards all recommend the use of smart card technology and enhance security and privacy of citizens using the security features supported by smart card technology.

REAL ID Driver's Licenses and Smart Card Technology

Smart card technology is currently recognized as the most appropriate technology for identity applications where personal information resides in a credential.  Strong credential security is a key element in protecting the privacy of citizens holding a REAL ID driver's license or identification card, and smart cards offer the following security protections:

  • Smart cards support the encryption of sensitive data, both on the credential and during communications with an external reader.

  • Smart cards support digital signatures which can be used to ensure data integrity, authenticate both the card and the information on the card, and authenticate that the reader attempting to access information is authorized to do so.

  • Smart cards support multiple digital signatures required if different authorities create data stored on the card.

  • Smart cards support such technologies as public key cryptography and biometrics.
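
The contrast between static printed data and a chip that can answer a challenge can be shown in a few lines. This is an added example, not part of the Alliance's article: HMAC-SHA256 from the Python standard library stands in for the issuer's digital signature and the chip's cryptography (a deployed scheme would use public key signatures), and all names, keys and field values are constructed.

```python
import hashlib
import hmac
import os

# Constructed issuer secret. HMAC-SHA256 stands in for the issuer's digital
# signature and for the chip's cryptography (assumption, see lead-in).
ISSUER_KEY = os.urandom(32)

def seal(data: bytes) -> bytes:
    """Issuer's integrity tag over the credential data."""
    return hmac.new(ISSUER_KEY, b"seal|" + data, hashlib.sha256).digest()

def verify_static(data: bytes, tag: bytes) -> bool:
    """All a reader can check on printed data: is the tag valid for it?"""
    return hmac.compare_digest(seal(data), tag)

def card_key(data: bytes) -> bytes:
    """Per-card secret derived by the issuer; stored only inside the chip."""
    return hmac.new(ISSUER_KEY, b"card|" + data, hashlib.sha256).digest()

class ChipCard:
    def __init__(self, data: bytes):
        self.data, self.tag = data, seal(data)
        self._key = card_key(data)          # never readable from outside

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()

class ClonedCard:
    """Copy of everything readable, plus one response observed earlier."""
    def __init__(self, genuine: ChipCard, seen_response: bytes):
        self.data, self.tag = genuine.data, genuine.tag
        self._seen = seen_response

    def respond(self, nonce: bytes) -> bytes:
        return self._seen                   # can only replay; has no key

def verify_chip(card) -> bool:
    """Check the seal, then challenge the card with a fresh random nonce."""
    if not verify_static(card.data, card.tag):
        return False
    nonce = os.urandom(16)
    expected = hmac.new(card_key(card.data), nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(nonce))

if __name__ == "__main__":
    record = b"NAME=SAMPLE,JANE|DOB=1980-01-01"   # constructed sample data
    card = ChipCard(record)
    clone = ClonedCard(card, card.respond(os.urandom(16)))
    print(verify_static(clone.data, clone.tag), verify_chip(card), verify_chip(clone))
```

A seal over static data detects altered fields, but a verbatim copy of the data and seal still verifies; only the fresh challenge separates the genuine chip from the copy.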

Smart card technology provides a cost-effective solution for REAL ID driver's licenses and identification cards that not only improves privacy and security, but also allows states to leverage their significant investment in REAL ID documents and processes for other identification programs and government applications.

Conclusion

Driver's license reform is essential in improving the security of identity credentials being used daily by U.S. citizens.  DHS efforts to specify processes and technologies to meet the requirements of the REAL ID Act are critical to achieving this reform.  However, the current proposed specification for REAL ID driver's licenses falls woefully short in its specification of the common MRT to be used by all states.  2D bar code technology is inadequate to meet the security and privacy requirements mandated by the REAL ID Act and is not consistent with international and U.S. standards that have been set for secure credentials.  The selection of an antiquated, insecure technology for the next generation of driver's licenses is also short-sighted in not recognizing the opportunity that this affords for states to issue driver's licenses that can be used for identity verification for other government applications. 

The Smart Card Alliance has recommended that smart card technology be specified as the common MRT to be implemented in all REAL ID documents.  The same smart card technologies that have been chosen to improve and protect the identity documents used in a wide range of Federal and international identity applications should be used to secure the federally-mandated REAL ID driver's licenses and identification cards that citizens will be required to use (and almost certainly pay for) if they are to gain access to the locations and services restricted by the REAL ID Act.  Smart card technology is cost-effective and proven, can meet the security requirements of the REAL ID Act, and can protect the privacy of citizens' personal information.  In addition, smart card technology offers states a technology platform that provides the flexibility for REAL ID driver's licenses and identification cards to respond to future opportunities.

The incorporation of smart card technology into REAL ID driver's licenses and identification cards makes the REAL ID document a valuable citizen identity credential within our demanding information society.  Having a truly secure credential in the hands of all citizens can enable a host of applications that presently lack a trusted identity authentication credential.  The Federal Trade Commission (FTC) recently released a strategic plan for better authentication in our society as a countermeasure to identity theft.  A smart card-based REAL ID credential is the most appropriate platform to significantly improve the trust and reliability of identity in our society.  A trusted federally-specified, state government-issued citizen electronic identity credential would also form the foundation to stimulate e-commerce and e-government applications in our society.   

 


About this Article

This article is based on the Smart Card Alliance Identity Council response to the DHS Federal Register Notice, "Minimum Standards for Driver's Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes."  The Identity Council is focused on promoting the need for technologies, legislation, and usage solutions regarding human identity information to address the challenges of securing identity information and reducing identity fraud, and to help organizations realize the benefits that secure identity information delivers. The Council engages a broad set of participants and takes an industry perspective, bringing careful thought, joint planning, and multiple organization resources to bear on addressing the challenges of securing identity information for proper use.

The Smart Card Alliance is currently partnering with the Secure ID Coalition to put together a Congressional briefing on securing identity on July 19th in Washington, DC, to educate key policy makers and media on the best practices and technologies for secure credentials.

 

 
