So if UK ID cards come to the UK, and I believe they are coming, what information will be stored on them?
After reading an article in the Mail on Sunday, about a related issue (involving air travel, BA in particular was mentioned) it strikes me that an awful lot of very personal information might eventually get stored on ID cards.
Which brings into question the secuity of said cards. Now the Govnment will undoubtedly say that the ID card system is secure, and to a point they will be right. But only to a point. Anyone who says that a system is secure, without vulnerabilities, knows nothing about security and is deluding themselves.
Given that the information on the cards will be protected using cryptography, you have to ask what kind of cryptography, and then further what will be the chosen size of the keys used. And then further how long will ID cards be valid for [ your passport is valid for 10 years ], and who will the card information be shared with [RE: air/intenational travel agencies spring to mind, especially the U.S].
This is important because if they use symmetric ciphers, then at the absolute very minimum you would choose 1024 bit keys, and even that is getting much too short – for symmetric ciphers you should be looking at a minimum of say 4096 bit keys. And for assymetric ciphers the minimum should be 2048 bit keys.
So far so good then? Well no, because ciphers are not unbreakable, their strength relies on the fact of the computational difficulty in breaking them, and computing power increases somewhat exponentially as Moore’s Law states. So a cipher that is strong now, may not be strong enough in a few years.
Look at DES for instance, its a strong cipher, but its now considered broken, to which triple DES was the answer – and of course other new symmetric ciphers (AES for instance).
And further, there have been reports that the SHA hash algorithm has been broken [SHA is a one way function, in that the results of the function are not reversible] and this is true, its just that these reports indicate that a hash collision using the SHA algorithm has become comptutationally feasible. Why is this important, well SHA is often used as a means of determining whether a piece of data has been changed.
So where does this leave UK ID cards?
I’d like to work on the project, but I sure wouldn’t want one.