BOX 3.1 | IDs--Not That Easy: Questions About Nationwide Identity Systems | Stephen T. Kent and Lynette I. Millett, Editors | Committee on Authentication Technologies and Their Privacy Implications | Computer Science and Telecommunications Board | Division on Engineering and Physical Sciences | National Research Council



BOX 3.1
Cards and Their Requirements


The presumed goal of a counterfeit-resistant, long-lasting, easily replaceable ID presents difficult technical challenges. With respect to the ID itself, assuming that it is a physical artifact such as a card, a number of questions need to be answered.1 Form factors--the size, shape, and substance of the card--would likely play a part both in acceptance on the part of the citizenry and in the card's resistance to counterfeiting. The more difficult challenges pertain to the aspects of cards that are determined by the kind of technology used.

One could use a relatively simple card, like a credit card or driver's license. Each individual in the system would have a card with some information printed on it about the holder and perhaps a picture. There might be a unique number on the card, and the information in a nationwide database would be indexed by that number. The card itself might contain a magnetic stripe along with embossed and printed data. As with a driver's license or passport, access to this database (for reading data out or putting data in) would presumably be limited,2 as it would be under the proposal by the American Association of Motor Vehicle Administrators to create nationwide standards for driver's licenses.

On the other hand, the counterfeiting of magnetic stripe cards is a trivial undertaking.3 More important, the ease with which the information contained in the magnetic stripe can be duplicated means that a counterfeiter can produce a clone card and/or retransmit the data in other transactions as if they came from a legitimate card. All of this implies serious security and privacy vulnerabilities, and there is no verifiable connection (by means of biometrics, for example) between the holder of the card and the person to whom the card was issued. Hence, using such credentials as a basis for issuing new cards (and, ergo, identities) would compromise the accuracy of some of the identification data, inasmuch as the credentials depend on attestations by the individual or even third parties.4

Another possibility is a memory card (or storage card), which would hold more information and be more expensive than the magnetic-stripe cards of the previous example.5 These cards contain memory as well as some security logic to prevent unauthorized reading or tampering with their data. The information contained on them could be digitally signed (that is, a number would be associated with that information that is dependent on a secret known only to the signer as well as on the data itself) to prevent easy counterfeiting. The correspondence between the user and the card (along with the information on the card and in the database) could be ascertained through biometric authentication, which would be undertaken using special equipment--such as a reader for fingerprints or iris scans--in addition to presentation of the card.

An additional possibility is to use smart card technology that permits computation (such as digital signatures and encryption) to take place on the card itself. Though successful attacks have taken place, these cards are even harder to counterfeit than memory cards. They might have a name, photo, number, and biometric data, all of which could be cryptographically signed. The data would be backed up in a database to enable checking when reissuing a card and checking for duplicates when the card is first issued. A card of this sort could engage in a real-time, cryptographic exchange with an online system to verify a user's identity--possibly without exposing details of that identity to the organization performing the data capture--for example, an airline or a retail establishment.
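
The difference between signed data stored on a card and computation performed on the card, as described above, shown as an added example that is not part of the original report. HMAC-SHA256 stands in for the issuer's digital signature so that it runs on the Python standard library alone; the record contents, the key-derivation scheme and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ISSUER_KEY = secrets.token_bytes(32)  # constructed stand-in for the issuer's signing secret

def tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, used here in place of the issuer's digital signature."""
    return hmac.new(key, data, hashlib.sha256).digest()

def card_key(record: bytes) -> bytes:
    """Per-card secret the issuer derives and loads into the chip (assumed scheme)."""
    return tag(ISSUER_KEY, b"card-key|" + record)

def issue_static(record: bytes) -> dict:
    """Memory-card model: the record and the issuer's tag over it, both readable."""
    return {"record": record, "sig": tag(ISSUER_KEY, b"record|" + record)}

def verify_static(data: dict) -> bool:
    """Checks that the record is exactly what the issuer signed."""
    return hmac.compare_digest(data["sig"], tag(ISSUER_KEY, b"record|" + data["record"]))

class SmartCard:
    """Smart-card model: same signed record plus a secret that never leaves the chip."""
    def __init__(self, record: bytes):
        self.data = issue_static(record)
        self._key = card_key(record)

    def respond(self, challenge: bytes) -> bytes:
        return tag(self._key, challenge)  # computed on the card itself

def verify_live(data: dict, respond) -> bool:
    """Online check: valid static data AND a correct answer to a fresh challenge."""
    if not verify_static(data):
        return False
    challenge = secrets.token_bytes(16)
    expected = tag(card_key(data["record"]), challenge)
    return hmac.compare_digest(respond(challenge), expected)

def demo() -> dict:
    record = b"name=A. Sample;id=000000"  # constructed sample record
    memory = issue_static(record)
    altered = {"record": b"name=B. Other;id=000000", "sig": memory["sig"]}
    smart = SmartCard(record)
    recorded = smart.respond(b"challenge seen in an earlier session")
    return {
        "genuine_memory_card": verify_static(memory),
        "altered_record": verify_static(altered),
        "copied_memory_card": verify_static(dict(memory)),  # verbatim copy still passes
        "genuine_smart_card": verify_live(smart.data, smart.respond),
        "copied_data_replayed_response": verify_live(dict(smart.data), lambda c: recorded),
    }
```

The signature check rejects an altered record but accepts a verbatim copy of the stored data, while the fresh challenge makes both the copied data and a previously recorded response useless without the on-card secret.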

As an example of a card-based system using biometrics, consider the Connecticut Department of Social Services, which issues cards to aid welfare recipients.6 Fingerprints of each applicant are taken and compared with the fingerprints of all applicants previously enrolled. Under the assumption that people are not modifying their fingerprints (and assuming no matching errors), this can prevent a single user from registering under multiple identities within the system. The card is printed with the fingerprints encoded in a two-dimensional optical bar code on the front of the card. At point-of-service applications, the user presents a fingerprint that is compared with that encoded on the card. This prevents multiple users from making use of a single identity. Other biometric technologies, such as iris recognition, might be useful in this application as well. However, no biometric technology is completely invulnerable to attacks by sophisticated adversaries.7,8



1 The Department of Defense is now deploying a smart card that it refers to as a common access card (CAC) as an authentication device and for other purposes. The card combines a magnetic stripe, bar code, a photo ID, and smart card technology. DOD's experiences may well prove instructive when considering a nationwide system. However, the privacy concerns of military employees are likely to be different from those of average citizens, making an exact analogue unlikely. In addition, the CAC will be deployed for a population that is more than an order of magnitude smaller than the U.S. population, which is more diverse in many dimensions than the military and currently less subject than the military to sanctions for failure to comply with the identification system's requirements.

2 On November 2, 2001, the Washington Post reported that the American Association of Motor Vehicle Administrators was working on a plan to link all driver databases and to strengthen the security and functionality of current driver's licenses and state identification cards. See <http://www.washingtonpost.com/wp-dyn/articles/A32717-2001Nov2.html>. See also <http://www.aamva.org/standards/stdAAMVADLIstandard2000.asp> for a description of AAMVA's standard, which aims to provide a uniform means for identifying holders of driver's licenses throughout North America.

3 See, as just two of many examples, "Skim Artists Can Swipe Your Credit," at <http://www.techtv.com/cybercrime/internetfraud/story/0,23008,2583624,00.html> and "Newly Discovered Bug Skims Credit Card Data," at <http://www.newsfactor.com/perl/story/11494.html>.

4 Note that the existing identification infrastructure (including the system of birth and death records) in the United States often depends on the presentation of credentials and is highly decentralized. The lack of common national standards generates skepticism about the quality of the data.

5 One example is the INSPASS and the data stored on it, coupled with a hand-geometry reader at point of entry to verify identity. Another example is a German identification card, die Karte, which uses two separate smart card chips and contains 22 separate mechanisms for card validation/antifraud technology.

6 For a discussion of the costs associated with identification cards and fingerprints in social service applications, see "A Review of Five Cost/Benefit Studies of Fingerprinting in Social Service Applications," Roger Salstrom, Burton Dean, and James Wayman, available at <http://www.dss.state.ct.us/digital/news22/bhsug22.htm>.

7 T. van der Putte and J. Keuning, "Biometrical Fingerprint Recognition: Don't Let Your Fingers Get Burned," Proceedings of IFIP TC8/WG8.8 Fourth Working Conference on Smart Card Research and Advanced Applications, Kluwer Academic Publishers, September 2000, pp. 289-303. Also, see T. Matsumoto et al., "Impact of Artificial 'Gummy' Fingers on Fingerprint Systems," Proceedings of the SPIE, vol. 4677 (January 2002) and D. Maio, D. Maltoni, J. Wayman, and A. Jain, "FVC2000: Fingerprint Verification Competition 2000," Proceedings of the 15th International Conference on Pattern Recognition, Barcelona, September 2000, available on-line at <http://bias.csr.unibo.it/FVC2000/>.

8 D. Willis and M. Lee, "Six Biometric Devices Point the Finger at Security," Network Computing, June 1, 1998.




Copyright 2002 by the National Academy of Sciences  


