UK's National ID hacked in 12 minutes: what about us?

Similar to India’s initiative for a National ID Card Project, headed by Nandan Nilekani, the UK had also invested in an infrastructure to create a National ID Card.

Over the past couple of years, a lot of security experts have commented repeatedly on the problems and the risks associated with ID cards. Similar to the current uproar over the easily broken Electronic Voting Machines, I believe that the ID card project will be fraught with similar dangers.

The dangers are countless - from fraud (sooner or later, banks will start using the National ID as the only criterion for accounts) to abuse (fake ID cards to get govt. funds), the opportunities for misuse are countless. What is the solution then?

I have maintained that bureaucrats don't understand software and code - and I don't expect them to. I expect them to, instead, focus on making the best possible decision for the people. I believe that critical pieces of software infrastructure that affect every citizen must be available for public vetting and audit. I mean open sourcing the software (database related or the software running on the smart card).

As always, the hope that obscurity leads to security is a false one. Any security that is established should be done through clear cryptographic techniques, where the source code matters to the extent that it follows the technique to the letter. The actual secret piece of the security is the key, which should not be revealed.

An audit of the source code ensures that the developers have not missed any glaring bugs and problems. Frequently, companies sell snake oil by claiming to have developed a new cryptographic protocol that is their proprietary technology. All such claims need to be taken with a grain of salt. Cryptography is hard and good cryptography is even harder - which is why the US Govt. held open competitions to determine a new encryption standard.

This process won plaudits from the open cryptographic community, and helped to increase confidence in the security of the winning algorithm from those who were suspicious of backdoors in the predecessor, DES.

My privacy is at stake here and I am extremely concerned about the process being followed for the same.




August 07, 2009

Find me on Twitter @sandeepssrin
