European ID card data is not encrypted
None of the data stored on identity cards in the European Union is encrypted, according to a study by the European Network and Information Security Agency.
Governments in 11 EU countries use electronic identity cards (eID) to authenticate citizens for access to government services, the European Network and Information Security Agency (Enisa) said in a report this week. The cards hold personally identifiable data, such as names and addresses, but this data goes unencrypted in all the countries.
Enisa does not see the lack of encryption as a cause for worry, as the cards have access control mechanisms on them.
"There is, in fact, absolutely no concern about [unencrypted data storage]," an Enisa spokesperson told ZDNet UK on Friday. "From a technical perspective it is absolutely fine to use access control mechanisms; depending on the implementation it is usually even better [than storing encrypted data on the card]."
Access control mechanisms include PIN access (where the user authenticates their identity using a personal identification number), symmetric key-based access (where frequently identical, secret keys are used for encryption and decryption) and certificate-based access control (which uses public keys).
Cambridge University security expert Richard Clayton said that access-control cryptography can, in general, be trusted to maintain data integrity. However, it is possible to "sniff", or remotely read the chip, on cards and passports using symmetric key systems, if the chip inside is designed for contactless use, he said.
"If I have a big antenna, I can capture the information from across the room," Clayton told ZDNet UK on Friday.
The information on eID cards usually includes names and birthdates, which are used as the basis for symmetric keys. If those names and birthdates are known, it's possible to guess the keys, Clayton said.
It is also possible to compromise machines that read symmetric keys. "If all card readers can decrypt the cards, someone will [compromise] the readers and get hold of the keys," he said.
However, if personal data on electronic cards is encrypted, it might have an effect on public trust in the cards, Clayton suggested. "If there is an encrypted blob, the conspiracy people would run around saying it doesn't contain your name but some other data," he said.
The UK Identity and Passport Service said UK ID cards would use a public key system, rather than symmetric keys.
"The Identity and Passport Service has worked hard to ensure the data on the ID card has the best possible protection," said a spokesperson. "The ID card is compliant with the ICAO and EU Standards relating to travel documents. Furthermore it is compliant with relevant international standards and will use Public Key Infrastructure (PKI) to ensure that the data within the chip retains its integrity through cryptographic protection."