The National ID Card Challenge for Nandan Nilekani: Part II

One of the important principles suggested for the National ID Card scheme in the previous part (ZeMo Card system) is to de-link subject data from the ID device. For this purpose the data required to be associated with a person is divided into three categories (or more as required). The first category of data is the data related to the ID of the holder. Part of this is visible on the card itself. The second category is related to the security of the ID. Part of this is embedded in the card in a manner readable only by machine. Part of the security data, along with the main data linked to the subject, is held in a remote server which is accessible with the use of the ID data and the access data.

The physical appearance of a sample of such a card would be as follows:


(A Sample ID Card under the ZeMo system)

The basic version which is depicted above does not have any memory. It however has a serial number which is the Unique ID attached to the holder. The unique ID can also be etched or represented through a bar code in such a manner that it cannot be tampered with. The card also contains a printing of the signature of the person.

For the unique national ID card, a low memory smart card may be used instead of the memoryless card so that the digital thumb print of the person can be recorded. The resident memory is used only for recording the ID data such as the thumb print and no other data. This has to be supplemented with an option for the user to register a "Password". Passwords may not be suitable as a mandatory provision for the NIDC since a majority of users would be illiterate. The biggest challenge of course is how to make the embedded electronic information tamper proof. It may be necessary to use some special printing technology and multi factor authentication data to prevent possible cloning of a card with modified personal ID. It is also possible to use cards with embedded RFID tags. (More details of what would be appropriate as security are beyond the scope of this note.)

The de-linking of the information from the ID has its own advantages.

The first and foremost advantage is that the database can be under the control of the authority and can be updated without the need for the card holder to present the card for modification.

In the sample card indicated above an expiry date is provided for as a means of abundant caution so that the holder can be made to visit an authorized center with a new photograph and signature to be recorded at least once in 10 years. This is a policy decision for the Government to consider.

Frequently occurring modifications to the database, such as updation of health records, updation of qualifications, updation of credit information, updation of employment details etc., can be made with suitable documents from intermediary agencies such as the Hospitals, Colleges, Banks, Employers etc. without the need for the card holder to personally submit the information. Any such modifications reflect at all access points when the data is queried based on the ID tag attached to the card.

The ease of updation of the database by the authority without the need for the card holder’s consent or intervention is not available in the case of Smart Cards. The smart card data can be modified only when the card holder presents the card at one of the data writing centers. If the modification is not done on the card, the holder will be walking around with a card which does not correspond to the current information, which defeats the very purpose of issuing the card.

One more significant advantage in the ZeMo system is that the primary database can be created modularly and seamlessly integrated with the system. Operationally this would mean that after creating the primary data, say from the PDS system, the health database can simply be added. Further, the financial database can be integrated. Operationally therefore the ZeMo card system provides the flexibility of being expanded modularly. The smart cards do not have such flexibility since the cards have to be re-written if any change is made in the database.

Hacking Risk Mitigation

In both the ZeMo based system and the Smart Card based system there has to be a central database, and it is susceptible to unauthorized access. In the case of the ZeMo based system it is envisaged that a “Synchronized Proxy” would be accessible to the public through open networks. This access would be to the part of the database elements which contains the non critical public data of the person. This will be susceptible to a higher level of hacking risk. However, since this is separated from the centralized database, the risk to the critical data is not different from the Smart Card based system.

In the Smart Card based system the card itself contains the data, both critical and non critical. It is also envisaged that in many access points the card data alone will be relied upon without cross reference to the original data. This is advantageous from the point of view of instant access to the information as against the connectivity dependent access of the ZeMo based system. However a “Non reliable Data Access” is a greater risk since it does not serve the purpose of the card.

It must be recognized that the Smart Card would be in the hands of the user, which means that the data attached to the Card is in the hands of the public. It is therefore susceptible to modification through use of any technology at any point in India or outside.

Smart Cards are prone to “Floating Information Risk” where manipulated data is never available to authorities for verification and will be floating until a major scam surfaces. This is the typical type of risk that surfaced in the forged stamp paper scam, with thousands of crores of rupees worth of unregistered stamp papers being in the hands of the public.

Also the Smart Cards can be duplicated, and notwithstanding the hidden codes that can be embedded, the risk of duplication by organized outfits such as terrorists is a real threat.

As in the case of Currency duplication and Stamp Paper duplication, Smart Card based Resident IDs will be easily duplicated in large numbers in border areas to change demographic configuration or to obtain a false identity. The ability to check forged smart card data cannot be provided for in all access points since they may not, by design, be meant to cross verify with any other central database system.

It has also been revealed by M/s Sergei Skorobogatov and Ross Anderson of Cambridge University that sensitive information stored on a smart card microprocessor can be revealed with a flash of light using inexpensive, off the shelf equipment.

It has been found that firing light from an ordinary camera flash at parts of a smart card microchip can assist an attacker in determining the sensitive information stored on the card.

In the semi-invasive attack, the researchers removed part of a chip's protective covering and then focused the light from an ordinary camera flash, using a microscope, on particular parts of a smart card's microprocessor. It was found that this could reveal the information stored in the card, for example the cryptographic key used to gain access to a building or to secure internet transactions.

Since the Smart Cards will be in the possession of the public for extended times, they can be modified if effort is put in.

On the other hand, the ZeMo card system does not place faith in the data on the card, and it is always checked with reference to the central database. The only way data can be manipulated is by hacking the central database server or the intermediary routers or linking the data of one genuine person to a fake card holder. All attempts to hack an electronic system leave a trail with which either the card can be cancelled or the culprit traced before large scale damage is done. Manipulations on the card itself need to be secured with appropriate printing technology safeguards.

The electronic data base would ordinarily be capable of generating instant alerts for identifying any security risks as in the case of online credit card validation systems and once identified, alerts become available at all access points simultaneously leaving little time for the offender to make profitable use of the manipulation.
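The check-against-the-server flow, the trail and alerts, and the Synchronized Proxy's public subset described above can be modelled as follows. This is an added Python example, not part of the original proposal or of any ZeMo implementation; the class and function names, the field names, the choice of public fields and the card serial are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

PUBLIC_FIELDS = {"name", "photo_ref"}  # assumption: the non-critical fields


@dataclass
class CentralDatabase:
    records: dict = field(default_factory=dict)    # uid -> full subject record
    cancelled: set = field(default_factory=set)    # uids withdrawn by the authority
    audit_log: list = field(default_factory=list)  # trail of every operation

    def update(self, uid, agency, **changes):
        # An intermediary agency updates the record; the card is never rewritten.
        self.records.setdefault(uid, {}).update(changes)
        self.audit_log.append(("update", uid, agency))

    def cancel(self, uid, reason):
        self.cancelled.add(uid)
        self.audit_log.append(("cancel", uid, reason))

    def verify(self, uid, access_point, claimed=None):
        # Data presented with the card is compared with the record, never trusted.
        self.audit_log.append(("verify", uid, access_point))
        record = self.records.get(uid)
        if record is None or uid in self.cancelled:
            return {"valid": False, "mismatch": []}
        bad = sorted(k for k, v in (claimed or {}).items() if record.get(k) != v)
        if bad:
            self.audit_log.append(("alert", uid, access_point))
        return {"valid": not bad, "mismatch": bad}


def sync_proxy(central):
    """Public-facing copy: non-critical fields of non-cancelled cards only."""
    return {uid: {k: v for k, v in rec.items() if k in PUBLIC_FIELDS}
            for uid, rec in central.records.items() if uid not in central.cancelled}


def demo():
    db = CentralDatabase()  # constructed sample data; "ZM-0001" is a made-up serial
    db.update("ZM-0001", "registrar", name="A. Kumar", photo_ref="p1")
    db.update("ZM-0001", "hospital", blood_group="O+")
    public = sync_proxy(db)
    forged = db.verify("ZM-0001", "access-point-A", claimed={"name": "B. Rao"})
    db.cancel("ZM-0001", "forged card presented")
    after = db.verify("ZM-0001", "access-point-B")
    return public, forged, after, db.audit_log
```

In demo(), the altered name presented with the card is rejected and logged as an alert, and once the card is cancelled every later check at any access point fails, while the proxy copy never holds the hospital's entry.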

It is therefore considered that the Central Secure data base management lends itself to better security than the distributed database represented by the smart cards.

On the other hand, if the Smart Cards are to be used only for the purpose of implanting a mechanical ID, then the RFID cards can achieve this purpose at a lot less cost than the Smart Cards.

If at some point of time in the future “Digital Signatures” need to be embedded into the ID cards, then only Smart Cards may become useful. However, it is possible to use the RFID cards also in some manner to invoke digital signatures since some storage space is available in higher versions of RFID cards.

Technology and Vendor Neutrality

Traditional smart card systems require Card Writers and readers and these tend to be vendor specific. The system therefore is liable to be dependent on the vendor or technology and could be impractical for a sensitive application such as the NIDC.

On the other hand the ZeMo system uses data on a server accessible either through a network computer or through a mobile phone system in conjunction with a Voice response system. The dependency here is only on connectivity, and the mobile connectivity today is or can be made near total in the country during the project implementation period.

Cost Consideration

The cost of a traditional smart card system includes not only the cost of the card but also that of the writers and readers as well as the provision for annual wear and tear etc. On the other hand the ZeMo system is based on computers and mobiles which are already present in the system and have multi purpose use. As against a Zero or Low memory card, a Smart Card with an embedded chip with a processor and memory of say 64K will be relatively far more expensive in overall cost. The increased cost will also hurt in terms of image when citizens report loss of cards and have to bear the cost of replacement.

In view of the above, there is a need to consider the alternate card (ZeMo system) as suggested here instead of the traditional smart cards for the NIDC project. This could bring down the overall cost, make it more secure and functionally more convenient.

I hope that the committee would give a serious thought to this system at the time of evaluation of the technical proposals.


June 27, 2009

