The general idea is that you have a master key, used to sign a new key for each issuing office every 6 months (or some timespan).
The issuing offices use their keys to sign cards when they issue them, so the chip on the ID card, containing the person's name, number and biometrics, also carries a signature attesting that the binding of these three items was verified by such and such office on such and such date.
A benefits officer has a handheld unit that they use to scan the card of a potential benefits recipient. They check the name is not already listed as receiving benefits, they check the biometrics match the person in front of them, and they check the signature is a valid one, matching the issuing office's published public key.
You need to be sure that you can revoke signing keys, and hence all cards signed by them - since otherwise a single office could produce a billion fake cards. More to the point, you need a good system for saying "Go away - you aren't granny smith, you're applying for a fake card." The basic point is fair though - if we get a card system, it should be strong. Otherwise, like, duh. Best of all would be transferable capabilities, and free identity. My work identity and my social identity don't need to be the same. And why not allow granny Smith to delegate someone else to collect her bus pass? --Vitenka
Revocation - maybe you need a third layer of indirection, and have each issuing office sign a key for each issuing officer, so in effect the signed ID card then becomes the statement "Officer Dibley of the Peterborough Issuing Office issued the id number 20030926PET01132 to a person claiming to be Granny Smith on the 26th of September 2003, he states these pieces of biometric data are a true and fair likeness of her, and furthermore that he has seen 3 separate legal pieces of evidence that back up her claim to be _the_ Granny Smith, daughter of Nathe and MaryJo Smith, resident of 12, Sycamore Close, Little Willington, Shropshire."
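The two-level chain described at the top of the page (master key signs office keys, office keys sign cards, the handheld checks both signatures against a list of revoked office keys) as an added worked example, not code from the original discussion. Ed25519 is assumed here since the page names no algorithm; the card fields, the office's "certificate" format and the revocation list keyed by raw public key are all assumptions of this example, and the officer-level layer proposed just above would be one more link of exactly the same form.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// OfficeCert is the master key's statement "this office key may sign cards", re-issued each period.
type OfficeCert struct {
	Pub ed25519.PublicKey
	Sig []byte // master's signature over Pub
}
// Card is what the chip carries: the three related items plus the issuing office's signature over them.
type Card struct {
	Name, Number, Biometric string // the biometric template is an opaque string in this example
	Sig                     []byte
}

// cardBody length-prefixes each field so bytes cannot be moved between fields without breaking the signature.
func cardBody(c Card) []byte {
	return []byte(fmt.Sprintf("%d:%s;%d:%s;%d:%s", len(c.Name), c.Name, len(c.Number), c.Number, len(c.Biometric), c.Biometric))
}

// Verify is the handheld's check; revoked is its downloaded list of withdrawn office keys, keyed by raw public key.
func Verify(master ed25519.PublicKey, cert OfficeCert, revoked map[string]bool, c Card) error {
	switch {
	case revoked[string(cert.Pub)]:
		return fmt.Errorf("office key revoked, so every card it signed is invalid")
	case !ed25519.Verify(master, cert.Pub, cert.Sig):
		return fmt.Errorf("office key not signed by master key")
	case !ed25519.Verify(cert.Pub, cardBody(c), c.Sig):
		return fmt.Errorf("card signature does not match card contents")
	}
	return nil
}

// Scenario issues one card (constructed sample data) and returns verdicts for the genuine card, a copy with the name altered but the signature kept, and the genuine card after the office key is revoked.
func Scenario() (genuine, tampered, afterRevoke error) {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader)
	officePub, officePriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := OfficeCert{Pub: officePub, Sig: ed25519.Sign(masterPriv, officePub)}
	card := Card{Name: "Granny Smith", Number: "20030926PET01132", Biometric: "constructed-template"}
	card.Sig = ed25519.Sign(officePriv, cardBody(card))
	fake := Card{Name: "Not Granny Smith", Number: card.Number, Biometric: card.Biometric, Sig: card.Sig}
	genuine = Verify(masterPub, cert, nil, card) // a nil map reads as "nothing revoked"
	tampered = Verify(masterPub, cert, nil, fake)
	afterRevoke = Verify(masterPub, cert, map[string]bool{string(officePub): true}, card)
	return genuine, tampered, afterRevoke
}
```

Note that revoking the office key invalidates the genuine card too, which is the cost of revocation the thread is discussing: every legitimate holder of a card signed by that key has to be re-issued.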
Points of attack (some of these have been addressed above, to some extent):
This could probably be protected. Precedent: VISA signing keys.
My favourite way to do this would be to have the key in three locations (one primary, two backup). In each location the key is split into three parts, each held by a separate key holder. The key holders only meet up every 6 months to sign the new branch keys. Meaning to get the key you would have to steal from/blackmail/corrupt three separate people simultaneously. --DR
Lots of precedent in banking industry for branch keys being retrieved and/or abused by insiders, either by collusion or by exploiting bugs in the crypto. What happens if someone gains access to branch equipment? Sure, you can revoke the key, but by that time they've bootstrapped new identities, borrowed lots of money and gone off to Jamaica.
Hmm, how long would it take from a fraudster using a faked ID to this being discovered? If the benefit office hand held verifiers are updated regularly (say once a week when their batteries are recharged) this should not be too big a disaster. --DR
Uh - you're missing the point. If they nick the branch keys, they can issue valid IDs. Because the IDs aren't faked, verifiers wouldn't help. As for how long it takes to discover someone's nicked the branch key - that's presumably not going to happen until an investigation starts, and an investigation isn't going to start while everything looks OK - that is, until they've made off with the cash. How long does it take to arrange a few loans these days? - MoonShadow
How do you establish identity for issuing the card in the first place? Plenty of precedent for identity theft by bootstrapping "legal documents of identity" from things found in dumpsters in the US right now. ID card becomes just one more document at the top of the bootstrapping chain. It is a fallacy to assume this will only need to happen once. Suppose someone breaks into a branch office, steals equipment, waits for the keys to be revoked and mail sent to appropriate legitimate cardholders telling them to obtain new cards, then an accomplice presents themselves as a legitimate cardholder?
True. Though it would be interesting if, after the first 6 months of the scheme, the two professionals (who are not family members) that you need as witnesses to your identity must also produce their ID cards, thus building a web.
If they are in a central online database, that becomes a single point of attack. See online credit card databases vs Russian hackers for precedent. If they are in the cards, this does not render them exempt from tweaks - see the satellite set-top box subscription smartcard saga for details. They do not necessarily need tweaking - we still can't do reliable automatic biometrics at all, and humans comparing faces to photos has also been shown to be unreliable if the perp goes to some slight modicum of effort to nick the card from someone with similar colour skin, hair and face shape to them.
Can you expand on this? I'm not sure I understand you. I would think that the biometric data would be on the card, and would be signed by the issuing office (thus tampering would invalidate the signature). The only thing on the central database is a list of the keys that have been revoked. Everyone already has the public partner of the private master key, and all signatures are derivable from that. --DR
In general, they all have the same problem - they're hard to do reliably with current technology. Remember, you have to rarely reject legitimate users as well as rarely accept false ones, otherwise your users will force you to fall back to "the old way of doing things that at least worked" - studies sponsored by biometric equipment makers usually only quote the latter rates; and they have to work in real-world conditions. See the links elsewhere on the pages in this namespace for news reports on fiascos that inevitably occur whenever someone attempts to introduce biometric tech on a large scale. - MoonShadow
I'm not saying the FBI could train a person to falsely pass a combination of all three of these tests. But it wouldn't be trivial. I've also seen a pretty good infra-red fingerprint scanner, but it was expensive, and did less well on older people (their fingerprints are less distinct - the ridges are worn down).
General-purpose reliable biometrics are like giant unsinkable ships:
TODO: link to appropriate research papers to back up points made above; most of the links already exist elsewhere on the wiki
Not sure if this belongs here, except that it mentions "biometric passports that include fingerprint and iris identification features" that make it "virtually impossible to counterfeit", but some ToothyWikizens may find this [news story] interesting. --K
On that note, the [latest government proposal] says the costs - and hence the amount UK-resident ToothyWikizens will be forced to pay to get their shiny ID cards - are even higher than previously estimated, while mentioning in passing that the best available technology for matching iris prints on an ID card to a person only has a 96% success rate and the rates for the other biometrics on the card are worse (and the Grauniad article doesn't mention whether that's false positives or false negatives; either way, imagine the usefulness of that in a check-in line at Heathrow... Oh, and it takes an average of eight minutes to scan a person. Remind me what it is we're meant to be getting for our money again?) - MoonShadow
The government report (see main PrivacyMatters page) says very little about security and doesn't even mention the possibility of making the cards cryptographically signed. Does anybody think that emailing the chairman [John Denham MP] would do any good? --DR