South Africa’s new electronic identity document (eID) smart card for citizens is set to launch on 18 July 2013 and it is expected to offer solid security for your private information, according to security experts at Sensepost and the recently established 4Di Privaca.
Following the announcement that Gemalto’s Sealys smart cards were selected for South Africa’s eID, both the Department of Home Affairs and Gemalto talked up the security features of the card.
This raised a number of questions and the department was forthcoming with answers, but unfortunately their responses to our questions didn’t go into much depth.
In particular we wanted to find out how secure their public-key infrastructure (PKI) is, and what their contingency plan is in the event that private keys are compromised.
eID PKI security questions answered
Responding to these questions, Sensepost’s Behrang Fouladi explained (with the caveat that this is a technical hunch, as they have not done an in-depth investigation of the products) that Gemalto’s systems are based on a secure PKI that they install and maintain in every country.
Part of the PKI and the card issuance application is run by a local partner, but Gemalto takes steps to ensure the integrity of the system even from insiders, Fouladi said.
“In some cases, Gemalto’s local partners are not technically strong and can make mistakes, or issue fraudulent cards,” Fouladi said. “Even if this happens the system can detect and revoke those tokens quickly.”
In PKIs there are different levels of keys protected in hardware security modules, but the chance that these keys could be misused is “very, very low,” Fouladi said.
Drew van Vuuren, CEO of 4Di Privaca, responded to our questions similarly, explaining that keys are unique to the individual and that eID holders won’t have direct access to the private key.
According to Van Vuuren, the main concern around the proposed systems is not with the Gemalto technology, but with the security of the systems that manage the PKI platform.
“An example would be if the ‘seed’ servers which provision the key pairs are compromised,” Van Vuuren said. “Then there is a possibility that the whole PKI system itself could be compromised.”
This scenario is highly unlikely, Van Vuuren explained, as “the systems that manage the PKI platform will in all probability be highly secured and certified to international standards.”
Instead of asking what can be done to ensure the integrity of eID cards in the event of a private key compromise, Van Vuuren said that the question should be: “how do we retain integrity of access to the eGovernment services if there is a compromise of the PKI system?”
“After all, one of the main reasons for modernising the national identity system is to prevent fraud and to ensure access to services provided by the government,” Van Vuuren said.
Cloning and unauthorised access to private data
Addressing questions about the security of the cards themselves, Fouladi said that cloning these cards is almost impossible.
“Gemalto’s eID suite is a well recognised solution installed in several European and Asian countries,” Fouladi said. “It’s based on JavaCard and uses well-secured Infineon smart card chips.”
The information you can read from the card depends on the Java applet running on the card, which Fouladi explained they haven’t really looked into yet.
“To my knowledge, in eID systems, the reader terminal needs to authenticate itself to the applet before the applet allows it to go further, so the possibility of someone reading info from it is also very low,” Fouladi said.