Tuesday, September 16, 2008

How to have a secure ID database without Big Brother?

Sometimes, when you're bored and on the way to work you start to stumble around in your mind with ideas. For some strange reason this morning I started thinking about the Government's ID register and ID card scheme whilst on the Circle Line.

I then had an epiphany on how you could have such a scheme that really was about identity affirmation only, was also secure (usual caveats apply to the use of that term), and which would resolve civil liberty and security concerns about the Government storing our data.

To set the scene, and this is a very high-level view, the current ID register, and subsequent cards/passport technology works in a match based scenario. So, you register for a passport, they take your information, name, address, date of birth and your biometric data. They put this on a database and also on your card, and then when you come to identify yourself a match check is done.

So, when you identify yourself, which is what the Government says the scheme will enable you to do, the logic flow is as follows. Scan fingerprint. Does the fingerprint match that on the card? Does the fingerprint on the card match the existing record on the ID register? If yes, all good. If no, flash red alert lights. The key here therefore is not just in the match but in the fact that the ID register exists as a datasource readable by the state.

What this means is the autonomy and ownership of your private data is transferred to the state and the register. When you identify yourself you ask them to match you to an identical record they store and they confirm identity on that basis. There is however another way of doing this which would mean the register would hold no data on you that was useable by the state because it works like this.

When you go to register for a passport and/or card (assuming they were brought in), you provide your information as normal. The difference comes with the biometric part. Your biometric data, fingerprint or iris scan, is used as a private key in order to generate a public key. That public key is then used to encrypt the data about you that will live in the register. The biometric does not get stored anywhere. This means only you, with your fingerprint or iris scan can unlock the data.

Crucially, each individual record on the database would be uniquely encrypted, effectively with a one-time pad starting point in the form of your biometric. If the database was compromised it would be useless as a result, because it would require the private key (biometric) of each individual on the database to decrypt each record on the database. The public key that encrypts the data is useless for decrypting it without its private key pair in the form of the individual.

Additionally, by using the biometric as a private key, it would be the random entropy of nature, rather than the random entropy of a computer processor, that generated it. If you then used the public key generated from that private key to encrypt the data held on the database, only the individual and not the state could unlock and read the data. So, no more Big Brother database where the state holds our biometric data and information.

Instead we'd have a database that on its own is useless. A database that can be used to identify yourself when you present your private key in the form of your thumb print to it. A database that uses biometrics to identify yourself, but does not store biometric data. A database that cannot be used by the state for further data mining and data sharing. A database that, if lost, would be of no value to anyone. A database where the ownership of the personal data remains with the individual and not the state.
Reference: Asymmetric cryptography

Update: Of course, the current Government does not just want an identification system, they want it to do much more. A future Government on the other hand looking to reassure, for example, people with passports, that their data is safe and that they (the Government) have no access to it, might prefer to do something like this.

Please also note that I am not arguing in favour of ID cards here. This is about the ID Register which the Government want to use with ID cards. The register however also exists for things like biometric passports. This idea would basically move the biometric data back to the owner whilst still exploiting its usefulness for identification affirmation.

Update II: Raised in the comments and privately to me, this is just an idea about flipping the ID register on its head and making it based upon individual-record asymmetric encryption that can only be decrypted by the subject of that record's content. It assumes that biometrics are more reliable than they are currently considered to be. The key here is bringing back the autonomy of the individual over their data, rather than having the status quo where the state in effect appropriates ownership.
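To make the flow in the post concrete, here is an added toy model of the register (my example, not the author's code or any government system). It assumes a biometric scan can be reduced to a fixed byte string (`template`) that comes out bit-for-bit identical on every reading, uses ElGamal over the Mersenne prime 2^521-1 as a stand-in for a real public-key scheme, and wraps the record with a SHA-256 counter keystream plus an HMAC tag. The function names, the `applicant-0001` identifier and the sample record are all constructed for the demo. The last two lines of `demo()` also show the reproducibility point raised by Tony and Alex in the comments: a reading that differs from enrolment by a single bit derives a different private key and the record stays sealed.

```python
"""Toy "biometric as private key" register: enrol, store only ciphertext, open only with the biometric."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P = 2**521 - 1   # Mersenne prime M521 as the group modulus (toy parameter, not a standard group)
G = 3            # generator for the demo only
MOD_BYTES = 66   # 521 bits fit in 66 bytes


def private_key_from_biometric(template: bytes) -> int:
    """Derive the private scalar from the biometric. The template is never stored;
    only the applicant's scanner ever sees it, and the scalar is held transiently."""
    digest = hashlib.sha256(b"id-register-private-key|" + template).digest()
    return 2 + int.from_bytes(digest, "big") % (P - 3)


def public_key(x: int) -> int:
    """The only key material that leaves the scanner at enrolment."""
    return pow(G, x, P)


def _derive_keys(shared_secret: int) -> Tuple[bytes, bytes]:
    material = hashlib.sha256(shared_secret.to_bytes(MOD_BYTES, "big")).digest()
    return (hashlib.sha256(b"enc" + material).digest(),
            hashlib.sha256(b"mac" + material).digest())


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher; XOR is its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block_key = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block_key))
    return bytes(out)


def encrypt_record(record: bytes, y: int) -> Tuple[int, bytes, bytes]:
    """Registration: the registry encrypts the applicant's record under their public key."""
    k = 2 + secrets.randbelow(P - 3)
    c1 = pow(G, k, P)
    enc_key, mac_key = _derive_keys(pow(y, k, P))
    ciphertext = _keystream_xor(enc_key, record)
    tag = hmac.new(mac_key, c1.to_bytes(MOD_BYTES, "big") + ciphertext, hashlib.sha256).digest()
    return c1, ciphertext, tag


def decrypt_record(entry: Tuple[int, bytes, bytes], template: bytes) -> Optional[bytes]:
    """Identification: the subject presents the biometric; the register alone cannot open the record."""
    c1, ciphertext, tag = entry
    x = private_key_from_biometric(template)
    enc_key, mac_key = _derive_keys(pow(c1, x, P))   # c1^x == y^k, the same shared secret
    expected = hmac.new(mac_key, c1.to_bytes(MOD_BYTES, "big") + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None   # reading differs from enrolment, or this is not the record's subject
    return _keystream_xor(enc_key, ciphertext)


def demo() -> Tuple[bool, bool]:
    """Returns (own biometric opens the record, one-bit-different reading is rejected)."""
    # Constructed sample data: a stable template for "Alice" and a reading one bit off
    alice_template = hashlib.sha256(b"constructed iris template for Alice").digest()
    noisy_reading = bytes([alice_template[0] ^ 0x01]) + alice_template[1:]
    record = b"name=Alice Example;dob=1980-01-01;address=1 Sample Street"

    # Enrolment: key pair derived on the applicant's side; the register gets only y and ciphertext
    y = public_key(private_key_from_biometric(alice_template))
    register = {"applicant-0001": encrypt_record(record, y)}   # everything the state holds

    opened = decrypt_record(register["applicant-0001"], alice_template)
    rejected = decrypt_record(register["applicant-0001"], noisy_reading)
    return opened == record, rejected is None


if __name__ == "__main__":
    print(demo())
```

The design point the second result makes is that deriving a key directly from a raw reading only works if the reading is exactly reproducible; real fingerprint and iris matchers tolerate noise, so a deployable version of this scheme would need a fuzzy extractor or similar biometric key-binding step in front of `private_key_from_biometric`, which is outside what the post describes.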

23 comments:

Guido Fawkes said...

Interesting concept, but I think I'm against state required ID in principle, no matter what safeguards.

Nor do I trust the state.

Without getting too tin-hat, it is my belief that the Congestion Charge cameras are used to monitor us and track us. Sarkozy when he visited London when he was interior minister gave a press conference to French journalists raving about the capabilities of the British security agencies to monitor London with CCTV tracking suspects - this was a bit of an embarrassment to the Home Office.

We were assured when those cameras were installed that they would not be used for spying on the public.

The state is not your friend.

Tony said...

Sounds good, but I suspect our biometrics technology isn't up to it and almost certainly never will be.
For it to work the same key would need to be produced every time and I very much doubt that happens, I suspect there is fuzziness in matches that wouldn't produce the same key.
The other flaw is that as researchers have shown, you don't need anything much more sophisticated than some gummy bears to fool a fingerprint reader.

dizzy said...

Guido: I do get what you're saying, however, this is not actually something that needs to be about state required ID. This could be used in just general passport applications whereby the data held is encrypted and can only be decrypted by you. Doesn't have to be required or mandatory to have this system.

Tony: I agree regarding current biometric reliability.

T England. Raised from the dead. said...

Don’t we have to think about how something is random!
We can assume because we are supposed to all be unique people, we are therefore random!
Let’s think about how a computer makes something random, it can use different things! Let’s say it uses scratchy noises it can detect from your hard drive to make something random, scratches are random up to a point, but if you know the make & model of that hard drive it would be possible to replicate the sounds that are used as the random generator & so work out how to crack the code used.
I believe that one of the only true ways we have to create randomness is to go nuclear!
Apparently that is really random!
The point I think I am making is that, if you can work out how the eye is created & formed & the possible outcomes, although there may be millions of variations I get a feeling that a programme to crack the eye code wouldn’t take long!
Maybe I’m thinking out of bonk here!

Anyhow!
Your idea is good because it seems to be based on the public key encryption system which does a pretty good job.
The thing is, the government for some strange reason wants to have access to all our personal information when they want it & us being able to keep things from them is just a no no!
Think about how strong encryption was seen by governments as a bad thing for the public to have & it was said one particular government even got a certain company in a certain country to make a back door for the encryption system they were selling!

I do however think ID cards are a good idea!

Anonymous said...

I'm happy just reflecting on this as an idea, and I think it's fantastic.

We're still some way from being able to do this (biometric readers aren't that great, as Tony points out) but I love the concept.

Unknown said...

"Crucially, each individual record on the database would be uniquely encrypted effectively with a one-time pad starting point in the form of your biometric."

Not really. While the encrypted record idea is attractive, the biometric isn't a one-time-pad. It isn't even fungible - though it might decay or get damaged - so it is more of an all-time-pad.

The better way (if you are desperate to use biometrics) is surely to use local verification against a signed revokable card, used to trigger matching something else against the central encrypted record. Two-stage authentication: this is the person the card belongs to + the card is genuine. The first bit can be done with or without biometrics as you choose. As VISA et al prove the second bit can be done without government.

dizzy said...

"Not really. While the encrypted record idea is attractive, the biometric isn't a one-time-pad. It isn't even fungible - though it might decay or get damaged - so it is more of an all-time-pad."

Ok, get the point, what I meant was that the biometric itself was unique from a starting point.

Regarding being desperate to use biometrics, for me it's more they want to and this is a way they can without actually ever storing it. Your other idea is good though.

................................. said...

What if you're involved in a serious accident in which you lose both hands and both eyes? No biometric key to unlock your record, and so you cease to exist.

Sorry Dizzy, don't like the idea - without even debating the issue of whether we should be forced to identify ourselves to agents of the state.

Anonymous said...

So, nobody except you can change your data.
So if I want to cheat the system I just enter some incorrect data. Which I can then use to prove who I am.
So what's the point?

I'm with Guido on this one. The state is to be tolerated only where necessary.

dizzy said...

"What if you're involved in a serious accident in which you lose both hands and both eyes?"

Carry the hand around in a bag?

OK flippant response aside, the biometric used could be a multitude of things to be honest. Fingerprint, toe print, iris scan, hell it could even (one day) be a quick DNA sequence. The crucial point, if biometrics are to hold the key, is to use them to generate a key pair so then you can encrypt and own your data and the state never actually has access to it without you.

Anonymous said...

Nice theory but it breaks down at the idea that you are the only one with access to your biometrics. Mercedes found this out when they first released a car that used a thumbprint rather than a key. Took about two weeks for the crims to realise the obvious solution. When you want to steal the car, you cut off the thumb as well. It would be relatively simple to mug you and use an iris scanner or pick up a glass you've used. Or if you needed something a little less apparent, stick the equivalent of a key logger in some government agency or the passport office. It's only a matter of time (if not already) before you can get contact lenses with someone else's retina pattern on it that is non-obvious and can fool the scanners (it's the government, they won't use the best available)

As an approach it probably raises the bar enough to bugger your common identity theft outfit, but it would actually make it easier for serious players - governments, organised crime and their other competitors - who have the sophistication to beat the system.

And it would be that much harder to prove misuse because everyone would trust the "foolproof" system more.

Public key encryption may be foolproof but there are always people in the chain somewhere.

Not withstanding the above, I don't want these bastards having anything more on me than absolutely necessary. They're not to be trusted. Ever.

dizzy said...

"So, nobody except you can change your data. So if I want to cheat the system I just enter some incorrect data. Which I can then use to prove who I am."

What? Not following you.

"I'm with Guido on this one. The state is to be tolerated only where necessary."

This is not actually about the state holding data though, that is the point. The state has no data in this case, the information is useless without you so you own it. And it's not about compulsion either, it's about creating a method of securing data.

What I find strange here is that no one seems too bothered about the passport office having their data when they apply for a passport. This scheme would actually make that data in the passport application far more secure and reduce the risk of compromise that has existed for centuries.

dizzy said...

jorb, you are right and wrong. It all depends on what the application of the system is. Clearly taking a thumb out of your pocket is going to look odd.

The system as such doesn't fall down there unless you take the assumption that this is going to be applied to all aspects of your life.

In fairness, as I said in the piece, the use of the word "secure" comes with the obvious caveats. I wrote a piece in the Times the other week saying there is no such thing as a secure system.

"I don't want these bastards having anything more on me than absolutely necessary"

Well under this system they wouldn't have anything more on you than they already do when you apply for a normal passport. The only difference is that they wouldn't be able to read the data without you in this case, rather than in the current where they can read it, share it, and do whatever they want with it.

Anonymous said...

They still haven't alluded to how they are going to get assurance that documents they are going to use to generate the ID are authentic.

We'll have billions spent so the clever crims can use their existing fake or fraudulent documentation to gain a 'genuine' Citizen ID.

Can you imagine how difficult it would be to regain a 'stolen' identity under those circumstances with the Gov having to admit it's system is pants. They'd do a Brazilian on you first.

purplepangolin said...

Interesting idea. Have you tried posting it on Bruce Schneier's blog to see if you can get any feedback?

As you say, this would only match the stated intent of the government in terms of secure id. Whether they would be quite so keen without the identity register to trawl for other purposes is open to question.

Unknown said...

Dizzy: "What I find strange here is that no one seems too bothered about the passport office having their data when they apply for a passport."

I'm bothered by it. I'm also bothered by PNR data-sharing which is much much worse. "No-one" is bothered in the sense that very few people even realise it is happening, and most of those are so reconciled to the harassment entailed in international travel that they are willing to give up just a little more marginal privacy in order to travel.

I'm pretty bothered by the idea of having to have a passport too, let alone the Home Office's fancy new plan (currently under 'consultation', so they can say you were asked) of making it an absolute requirement to have a Home-Office-validated passport or ID card to enter or leave the country of which I am a native citizen.

Unknown said...

jorb,

"When you want to steal the car, you cut off the thumb as well."

Doesn't work. But it is sufficient for moronic thugs to believe it does to have lots of people mutilated.

dizzy said...

Guy, it's not really an absolute requirement to have a passport to leave the country, but it is one to get into another country once you have left. Hence you need a passport just like the other nations round the world. My point was that many people in this thread who have complained have essentially said "ARgghh Government can't have my data" and yet they all probably have passports and this idea is suggesting a way to make that data they already have a bit more secure.

Unknown said...

Dizzy,

It isn't at the moment. That's why I wrote 'The Home Office's fancy new plan...'. See:

http://www.ind.homeoffice.gov.uk/sitecontent/documents/policyandlaw/immigrationandcitizenshipbill/

They are also consulting on the idea (it is in cl.30 of the draft) that you should provide such information as the Home Secretary deems expedient whenever you stay in a hotel or guest-house.

dizzy said...

OK, my point was that whatever happens, if you go to say America, America will not let you in without one.

John Pickworth said...

I actually quite like your idea Dizzy; it's well thought out and it's only a pity the Government haven't been taking trips on the Circle Line recently.

Unfortunately, many of us just don't trust the Government. I'm sure if they were to take up your idea (in the hope of reassuring a nervous public) then the security services would still insist on a privileged 'backdoor'. And how long would it be before that backdoor was made available to other vital agencies like the Bin Inspector's down the local Council etc?

Also, as you yourself recognised, the Government don't simply want an identification system... They want a database they can scan regularly to see who has avoided paying their council taxes, TV licences or have bank accounts the Government isn't aware of etc, plus a whole host of other lucrative tax raising opportunities - hence Gordon's enthusiasm for the ID Card Scheme.

Alex said...

Fine in principle except that as I recall biometric scans do not necessarily rely on an exact match to the stored data, rather for example in the case of iris patterns they are said to match if they fail a test of statistical independence on their phase structure encoded by multi-scale quadrature wavelets, which means that you won't get the same key produced each time it is tested.

But why not just issue electronic cards to individuals? Keys could be generated and stored on the cards, but all record of the key would be destroyed. Perhaps they would be handed out randomly, or you could collect a card from your local council and you could pick any of the cards held at the time. This key could then be used as a private key just as your biometric data was in your example.

BrianSJ said...

Perfectly good policy already put out by a UK party.
http://tinyurl.com/25fzun
our policy on I.D cards

I.D cards will be issued in form of a small compact mirror with the following instructions.
1. If asked to identify yourself .....look in mirror to check that it's you. If you cannot identify yourself....
2. Ask someone else to look in the mirror to see if it's you....If you still cannot identify yourself....
3. Try again later when sober.