EE Times: Latest News
New ID system is 'lousy' technology but it's cheap

Junko Yoshida


EE Times
(07/18/2007 9:12 AM EDT)

MANHASSET, N.Y. — For the next generation of technology choices for U.S. border security, the Pogo constant applies: "We have met the enemy and he is us."

Three different identification card programs under development in the United States will use three different technologies with no consistency, little long-term strategy and a virtually nonexistent regime of government coordination.

While the United States' new electronic passport deploys contactless smart card technology, the Real ID card (an enhanced driver's license) will use a 2D bar code. Meanwhile, the third form of identification, the Western Hemisphere Travel Initiative's PASS (People Access Security Service) Card, will employ RFID technology based on Enhanced Product Code Generation 2 (EPC Gen 2), originally developed for tagging products as part of supply chain management. The Pass Card was developed as an inexpensive alternative ID card to a passport, including for U.S. citizens returning from Canada, Mexico, Panama, the Caribbean, and Bermuda.

The opportunity to go electronic with the Real ID card has already passed. The card will roll out over the next few years. But technology companies are making a last-ditch effort to convince Congress to change the implementation decision on the Pass Card. Members of the Secure ID Coalition and Smart Card Alliance, including Texas Instruments, Gemalto and Infineon Technologies, are in Washington Wednesday (July 18) to brief lawmakers on identification technologies. The briefing includes a real-time demonstration showing the differences between two types of automatic identification technologies for electronic ID documents: RFID and contactless smart card technologies.

Developers, many of whom provide both contactless smart card and RFID tags, are imploring the Department of Homeland Security (DHS) to at least conduct a trial to evaluate the performance of both technologies before going live with the new Pass card. When compared with RFID tags, they believe that a Pass Card system "designed using contactless smart card technology will fulfill the operation requirement for high throughput while also providing stronger security, protecting individual privacy, and leveraging the ePassport infrastructure," according to the Smart Card Alliance's white paper.

Even though a solicitation for Pass card is already out, and RFID technology forms a basis for the RFP, "This is still an important issue that needs to be discussed," said Tres Wiley, director of electronic documents at Texas Instruments. That's because Pass Card technology could "set a precedent" for any electronic documents of the future. "It's unfortunate that the government decided to go with a 'non-electronic card' for Real ID," he said.

In theory, as long as it meets the federal government's minimum requirement for a Real ID Card, each state could go with RFID or any other technology. According to TI, "we are not aware of any states that have said they will incorporate RFID in a Real ID card. Some border states have hinted they might, but there is not yet a definitive commitment or statement from any."

The smart card industry's argument against the use of bar codes for Real ID focuses on its technological inability to add future applications. Had a smart card technology been implemented, the Real ID could eventually serve also as, for example, a health card, library card and digital signature, said Wiley.

As for the Pass Card, the smart card industry objects to the government's choice of RFID technology because the EPC Gen 2 tags do not include extensive protection against cloning or counterfeiting.

Because the EPC Gen 2 allows cards to be read at a distance of up to 30 feet, the Department of Homeland Security regards it as efficient for processing people in vehicles quickly. However, while the RFID technology supports 32-bit passwords to protect data written on the tag, it does not use government-approved encryption algorithms. DHS plans to offer "privacy protection" by placing a unique ID number on the card and using the number to retrieve personal information (a photograph and demographic information) from a central database when the card is used at a border crossing.

This effectively means that Pass Card holders' identification number can be stolen from a distance with relative ease. A stolen ID number can be programmed on a blank chip or programmed in an RFID reader, with the reader then acting like a chip by spitting out the false ID number.
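The weakness described above is that a fixed number used as a database key proves nothing about which device sent it. The following Python model is an added example, not taken from the article or from any DHS or vendor specification: it contrasts a checkpoint that accepts a static identifier with one that also demands a keyed response to a fresh challenge. The HMAC-SHA256 exchange is a generic illustration and is not the protocol of any card named here; the card ID, database record and keys are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed data standing in for the central database and per-card keys.
DATABASE = {"PASS-0001": {"name": "Sample Traveler"}}
CARD_KEYS = {"PASS-0001": secrets.token_bytes(32)}


class StaticTag:
    """Answers every read with the same identifier and nothing else."""
    def __init__(self, card_id):
        self.card_id = card_id

    def respond(self, challenge):
        return self.card_id, None


class KeyedCard:
    """Holds a secret key and MACs the reader's fresh challenge."""
    def __init__(self, card_id, key):
        self.card_id, self._key = card_id, key

    def respond(self, challenge):
        return self.card_id, hmac.new(self._key, challenge, hashlib.sha256).digest()


class Replayer:
    """Knows only the (id, proof) pair seen in one earlier read."""
    def __init__(self, overheard):
        self.overheard = overheard

    def respond(self, challenge):
        return self.overheard


def checkpoint_accepts(device, require_proof):
    """Look up the ID; when require_proof is set, also verify the MAC."""
    challenge = secrets.token_bytes(16)  # fresh for every read
    card_id, proof = device.respond(challenge)
    if card_id not in DATABASE:
        return False
    if not require_proof:
        return True  # the number alone acts as the credential
    if proof is None:
        return False
    expected = hmac.new(CARD_KEYS[card_id], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(proof, expected)
```

With `require_proof=False` the checkpoint cannot tell the issued tag from any device that repeats its number; with `require_proof=True` a response recorded in an earlier read fails because the challenge has changed.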

DHS has also opted for RFID technology due to the already available infrastructure in Canada. Wiley said those existing readers now need to be replaced by new readers compliant with EPC Gen 2. Besides, as ePassports adopt a contactless smart-card technology based on ISO/IEC 14443, border checkpoints will eventually be equipped with new smart card readers. In deciding between Real ID, Pass Card and ePassport, the bottom line is cost. RFID tags cost 10 to 15 cents per tag. A smart card chip-equipped ePassport costs $2.

According to Bruce Schneier, a security technologist, "Security is always a trade-off; it must be balanced with the cost." He added: "We all do this intuitively. Few of us walk around wearing bulletproof vests. It's not because they're ineffective, it's because for most of us the trade-off isn't worth it."

Schneier said the new identification card is "another lousy security trade-off." He added, "For the price, we're not getting anywhere near the security we should."

http://www.eetimes.com/news/latest/show ... =201001955