Smart Card Alliance Says 2D Barcode in Proposed REAL ID Driver's License Would Be Inadequate for Security, Privacy
Same level of security, privacy and authentication found in smart card technology used in other federal ID applications required at state level
PRINCETON JUNCTION, NJ, May 8, 2007–The Department of Homeland Security (DHS) should not rely on static 2D barcode technology to store citizens’ personal information on REAL ID driver’s licenses or identification cards due to its inherent security drawbacks, according to the Smart Card Alliance’s comments in response to the DHS Notice of Proposed Rulemaking on minimum standards for REAL ID cards.
Instead, the Alliance strongly recommends that DHS raise the security level for state-issued driving credentials to equal that which has been mandated in other federal programs, namely by using smart card technology. Smart cards represent a much more secure platform for preventing forgery, cloning, counterfeiting and theft or alteration of personal data stored on REAL ID cards, tactics which are far easier to employ against barcode-based systems.
The Alliance also notes that REAL ID credentials will become high-profile targets for identity thieves and fraudsters, since they will be used to establish identity, the right to drive and the right to travel. These factors make it all the more crucial that DHS get the choice of protective technology for REAL ID documents right.
“Smart card technology has been proven time and again in many federal identity management applications, including DHS’ own Transportation Worker Identification Credential and First Responder Authentication Credential programs, as well as the Transportation Security Administration Registered Traveler program, the Department of Defense Common Access Card program, the State Department ePassport program and the HSPD-12 government-wide ID program, all of which have provided enhanced security, privacy and user authentication,” said Randy Vanderhoof, executive director of the Smart Card Alliance. “The proposed use of 2D barcode for REAL ID credentials would, in our view, represent a serious flaw in the security design of the identity system by opening the door to ID counterfeiting and other forms of fraud.”
According to the Alliance, the static nature of 2D barcode allows printed media to be copied and disassociated from the original ID and its bearer, enabling misuse of the information. By contrast, a smart card’s microcontroller chip cannot be altered or tampered with, and it incorporates numerous cryptographic features that enable reliable, strong authentication.
The response statement also notes that the proposed barcode technology cannot secure the information stored in the REAL ID document’s machine-readable zone. Thus, required personal information–including address, date of birth, eye color, height and gender–could be vulnerable to access by unauthorized users. Encryption of information in the printed bar code will not alleviate this vulnerability, as the information is static and therefore susceptible to a brute force attack.
Smart cards, on the other hand, support:
- The encryption of sensitive data, both on the credential and during communications with an external reader
- Digital signatures which can be used to ensure data integrity
- Multiple digital signatures which are required if different authorities create data stored on the card
- Advanced security technologies such as public key cryptography and biometrics
Lastly, the Alliance’s response statement notes that the proposed use of 2D barcode for REAL ID driver’s licenses and identification cards runs counter to federal and international standards for identity credentials that call for strong document security and protection of citizen privacy. The Federal Information Processing Standard 201 (FIPS 201) for federal Personal Identity Verification (PIV) credentials and the International Civil Aviation Organization (ICAO) standard 9303 for machine-readable travel documents both call for storing identity data on a smart card chip, with the data digitally signed by the issuing authority. Smart card technology provides a significant, verifiable deterrent to forgery and alteration and enables strong authentication of the identity document holder.