Gemalto, a Netherlands-based digital security company, recently announced in a press statement that it will be the company supplying the South African Government Printing Works (GPW) with its Sealys eID cards for our national ID card roll-out.
According to Gemalto, their secure embedded software will protect the holder’s image and biometric data within the electronic identity document (eID) card. The company also promised that the software on the smart cards would deliver “outstanding levels of integrity and privacy”.
South Africa is not the first country to have selected Gemalto as an ID card provider, with the company’s website saying that they contribute to 15 national eID programs, including Belgium, Finland, Sweden, Bahrain, the UAE, and Saudi Arabia.
Preventing fraudulent copies
Questioned about the measures in place to stop fraudsters from copying eIDs, Pierre-Luc Arnaud, marketing director for government programmes in Africa at Gemalto, said that they use several layers of security to fight against eID fraud.
As far as the physical card is concerned, Arnaud said they make it entirely from polycarbonate. It is then laser-engraved with the personal information and photo of the citizen.
“Different layers of polycarbonate let the identity document form a single and solid card body,” Arnaud said.
The card also features its own microprocessor and embedded software and encrypts the data on the eID through identification, authentication and a digital signature, Arnaud said.
Public key infrastructure (PKI) is used to encrypt the data, Arnaud said, with the Gemalto website stating that their Sealys cards implement all major security algorithms.
Preventing SA eID fraud
Arnaud went on to explain that the authentication feature on the South African eIDs is a new function not available on previous identity cards.
“Indeed, identification alone does not allow us to be certain that the applicant is the person he or she is claiming to be,” Arnaud said.
“Authentication requires the user of the eID card to know a secret, like a PIN code, or to use a biometric attribute such as the fingerprint,” he explained.
With this feature, Arnaud said that the eID card can then be a secure authentication device that lets citizens access eGovernment services in a secure, trusted, and convenient manner.
What if the private keys are compromised?
Gemalto was further asked what steps have been taken to secure the private keys generated as part of the PKI, which parties have access to those keys, and what steps can be taken to ensure the integrity of South Africa’s eIDs should the private keys be compromised.
As a technology provider, Gemalto said it could not comment on responsibilities, as it all depends on local legislation.
The questions were then put to the Department of Home Affairs (DHA), which provided the following feedback:
Q: What steps are taken to secure the private key (which is used to secure the data on the cards)? Is it unique to the South African government, the GPW, or is it used across Gemalto’s products?
A: Our smart cards use one of the highest forms of security including, amongst others, Public Key Infrastructure (PKI) which is built within DHA GPW networks. Session communication between different devices is encrypted.
Q: Following on from the above: who is responsible for the security of the private key?
A: We have appointed a certified security solution company who is building the security infrastructure with DHA within DHA GPW premises. DHA is responsible for the management of that security solution with the support of this service provider.
Q: Should the private key be compromised, what steps can be taken to ensure the integrity of the ID cards?
A: The keys cannot be compromised as proper best practice processes are followed, including a key ceremony. In addition, the system is within the DHA GPW network, fully protected by the firewalls and security systems of the Department.
Update: The Department of Home Affairs provided comment on the three questions and the Q&A has replaced the original final paragraph.