Bruce Schneier, writing on behalf of the Electronic Privacy Information Center, has put out a well-written refutation of my recent criticisms of EPIC's report on the DHS smart card program. (Links to EPIC's report, my original blog entry, the much-shortened C|net article and EPIC's response).
I'll post a more thorough response when I have a bit of time, but here's where I'm leaning:
1. I'll mostly concede the "ISO/14443 is RFID" point. ISO/14443 clearly is "RFID" in the broad sense of the word, but much scare-hay has been made by applying non-ISO/14443 aspects of RFID to discussions about smart cards. There's more to talk about here, but I was wrong and apologize for it. The word "RFID" has taken on many meanings and I should have been more precise. As I said in the original article, the only real answer is to move to strong, active cryptography on RFID cards, which (among other benefits) would make it virtually impossible for an unauthorized third party to snoop a conversation.
2. I'm glad that EPIC admits their mistake on calling the DAC cards "Bluetooth". However, I'm very puzzled by this "Bluetooth-enabled card holder" business. If, as Bruce suggests, it's a way to rebroadcast card data over Bluetooth... that's just strange. Not necessarily bad, but strange. Ok, probably bad. Maybe he means Bluetooth card readers. That would make a bit more sense. I've never heard any talk at DHS about these things, so I'm going to do a bit more research before commenting further. Still, the cards themselves have nothing to do with Bluetooth and the card program should not be unjustly criticized because some hypothetical peripherals that use the card might be poorly thought out. There will eventually be thousands of hardware and software products that work with government smart cards. Some of them are bound to be dumb. I could make a machine that sucks in your dollar bill and then punches you in the stomach, but my talking about such a machine should not subject the entire system of U.S. Currency to ridicule. Come to think of it, the Vend-o-Punch™ might not be such a bad idea.
3. I do not agree at all with EPIC's response on the biometrics points. There's still a lot of confusion over the issues. More on this later.
4. We've met about half-way on the PIN discussion. A global and mandatory-override short (4- or 6-digit) PIN is probably a bad idea, although not for the reasons stated in the original report. I think the DAC use of PINs is mostly fine.
5. The disclaimer about my indirect involvement with DHS appears on my blog but not in the C|net article because the editors at C|net asked me to cut the originally submitted 1,700 words down to 700. The blog is linked to from the article.
As an aside, Bruce Schneier is a demigod of sorts in the security industry. His Crypto-Gram newsletter has been worth reading for a long time now. I'm glad to see him engaged in this discussion.
May 30, 2005
A recent CNN news blurb highlighted a vote by the UK Parliament concerning a proposed law to create a voluntary (which in the UK is a nice way of saying compulsory) e-passport and national ID card scheme with these cards and passports incorporating biometric identifiers. If you think the reaction to the DHS cards in the US borders on hysterical, is based on technical confusion, and is subject to unscrupulous pandering to people's worst Luddite instincts, check out the highly unenlightening stories on www.theregister.co.uk about this new national ID card scheme.
The one thing that I think we can conclude from all of this is that it will take a long time for common sense to prevail.
Posted by: Charlie McLain | Jun 29, 2005 3:43:33 PM
Bruce Schneier has an article about the competition for a new cryptographic hash function to replace SHA-1. He calls it "An American Idol for Crypto Geeks."
Posted by: Charlie McLain | Feb 12, 2007 4:31:32 PM