The first order of Smart ID Cards delivered to the ICT Ministry should have been sent back. Instead, the ministry collaborated in glossing over major defects and accepted substandard solutions.

The ICT Ministry has issued what is expected to be the final draft Terms of Reference (ToR) for a project to issue 26 million new Smart ID Cards, worth an estimated 1.61 billion baht. This new ToR succeeds in patching most of the irregularities in the original 888-million-baht 12-million card procurement, but by and large fails to keep up with advances in technology in the four years since the original project was initiated.

In June 2005, the project to issue Smart ID Cards made headlines after the National Electronics and Computer Technology Centre (Nectec), an agency under the National Science and Technology Development Agency, Ministry of Science and Technology, was called in to conduct a fact-finding study into the project, which lay in tatters at the time. The ICT Ministry, charged with procuring the cards, and the Ministry of Interior (MoI), who were issuing and using them, were blaming each other for technical problems that had resulted in serious delays in the IT mega project.

The Nectec report found the cards sub-standard and non-compliant with the ToR on at least four key points. However, the ICT Ministry's own ten-person committee ignored the Nectec report and pronounced the cards compliant in a 5-3 vote. There was one abstention, one resignation and the representatives from the MoI, Nectec and the ICT Ministry's own legal affairs officer all voted the cards as non-compliant, but to no avail.

The four points identified by Nectec were: that the 12 million cards were not Java compliant; that they did not have any working PKI (public key infrastructure) encryption; that they did not have the required 32KB of available memory; and that they could not safely add or remove applets without affecting other applets.

The vendor, ST Microelectronics, had supplied a card that had a non-Java, proprietary PKI engine which, while it may have worked, could not be tested, as it required a non-standard programming subroutine to invoke. They argued that the ToR did not explicitly call for official Java PKI, only that a form of PKI be present.

Nectec reasoned that a Java card without a Java encryption engine was not a Java card. Thailand's foremost expert on Java technology, Dr Thanachart Numnonda, said that by accepting the card, Thailand would either be locked into using the ST Microelectronics library forever, or face an incompatibility nightmare with each generation of cards bringing along its own proprietary library.

When the non-existent Java PKI was called, instead of returning an error message that the Java library was not present, the card crashed. A real Java Card should return an error message when optional modules are not available, rather than crash.

It was tantamount to ordering a 5-litre Mercedes 2-door sports car, only to find that an E200 Saloon was delivered, had its 2-litre engine removed and replaced with a 5-litre American truck engine, and the rear doors welded shut.

The ToR called for 32KB of available memory for the card. The card came out of the factory with 66KB of memory, but was later partitioned so that only 32KB was visible to the Java Card. The remaining 34KB could only be used in a proprietary native mode which was not called for anywhere in the ToR.

Of this 32KB, 4KB was already used for a patch, in essence a repair, leaving only 28KB available for use, which is less than what the ToR called for. A patch of this size, relatively speaking, is very unusual, as most bugs are normally ironed out before a production run of 12 million cards is commissioned.

The chair of the procurement committee, then MICT Deputy Permanent Secretary Thananoot Treetipbutr, was contacted and asked whether 32 minus 4 equals 32 or 28. She declined to comment, saying only that the cards were compliant, as the committee voted them compliant.

It has been speculated that this means either a very poor design and quality control process, or that the chips were originally intended for some other purpose and needed this 4KB "hack" to get them to work the way the Thai ToR called for.

SHORT PROBE FINDS BIG PROBLEMS

In his original interview in 2005, then Nectec Director Dr Thaweesak Koanantakool said the ICT Ministry and ST Micro had refused to give his team access to engineering documents which would have shown who signed off the production run, the memory partitioning and, more importantly, what programmes were installed in the native partition.

However, Nectec did succeed in probing the card during the little spare time they had, and found an interface to an EMV (Europay-Mastercard-Visa) e-Purse installed along with other modules they did not recognise. At that time, the Bank of Thailand had not yet legalised smart card-based money and none of this was called for in the ToR. Even today it remains unclear who holds the keys to the unused EMV engine currently in the wallets of 12 million Thai citizens.

However, the final point was the most damning. The card lacked the official Java memory management module and thus could only add and remove applets in a stack fashion, meaning that the last applet installed had to be the first one to be removed.

ST Micro instead provided a memory management system that initially seemed to work, albeit in a proprietary, non-Java fashion. It backed up all the applets and then reinstalled them with the changes needed. However, Java security features ensure that any applet leaving the card has its data wiped first, to prevent an entire applet being backed up off-card and someone then poking at the data. The data protected by these measures includes the citizen's fingerprint and legally binding digital signature.

The "solution" was to override this security and put in hooks in each applet so that it cooperated with the backup/restore program in not destroying data. Not only is this proprietary, but it means that all applets have to grow by around 20 percent in size to take into account these non-standard security override subroutines. It also means that the security of the 12 million cards in circulation today is seriously compromised.

Further along the way, even more irregularities emerged.

In January 2006, the MoI ran into problems issuing the card, as the card management system was indicating that some cards had already been issued. Investigation showed that the reason was that the card's unique chip ID number was being issued in pairs - meaning that hundreds of thousands, if not millions, of cards had an exact clone. A letter dated 2 February 2006 from ST Micro's Finance and ID Business Unit Director Pascal Audiffren and Software Engineering Director Amand Linkens to ICT Permanent Secretary Kraisorn Pornsutee said that duplicate "unique" ID numbers do not pose a security risk. Apparently, the ToR did not call for unique chip ID numbers and the matter was not taken any further.
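The "already issued" symptom described above follows directly from a card management system that keys issuance on the chip ID alone. The following is an added illustration, not code from the article or from any of the parties it names: a constructed batch manifest with two clone pairs, a pre-delivery uniqueness check that would reject such a batch, and a minimal model of the issuance step showing which cards would be refused. Chip IDs and serials are invented sample values.

```python
"""Acceptance check for a batch of smart-card chip IDs (added example).

Models a card management system (CMS) that keys issuance on the chip's
"unique" ID, and a pre-issuance check that catches clone pairs before
any card reaches a citizen.
"""
from collections import defaultdict

# Constructed sample manifest of (chip_id, card_serial); not real card data.
# Chip IDs 00A1 and 00B7 each appear twice, modelling the paired-ID defect.
SAMPLE_MANIFEST = [
    ("00A1", "S-0001"), ("00A2", "S-0002"), ("00A1", "S-0003"),
    ("00B7", "S-0004"), ("00B8", "S-0005"), ("00B7", "S-0006"),
]


def find_duplicate_chip_ids(manifest):
    """Return {chip_id: [card_serials]} for every chip ID seen more than once."""
    seen = defaultdict(list)
    for chip_id, serial in manifest:
        seen[chip_id].append(serial)
    return {cid: serials for cid, serials in seen.items() if len(serials) > 1}


def accept_batch(manifest):
    """Acceptance gate: (accepted, duplicates). A batch with clones is rejected."""
    dups = find_duplicate_chip_ids(manifest)
    return (not dups, dups)


class CardManagementSystem:
    """Minimal CMS model: a chip ID can be issued exactly once."""

    def __init__(self):
        self.issued = {}  # chip_id -> serial of the card first issued under it

    def issue(self, chip_id, serial):
        """Issue a card; a second card carrying the same chip ID is refused."""
        if chip_id in self.issued:
            return False, f"chip {chip_id} already issued as {self.issued[chip_id]}"
        self.issued[chip_id] = serial
        return True, "issued"


def simulate_issuance(manifest):
    """Return the serials a chip-ID-keyed CMS would report as 'already issued'."""
    cms = CardManagementSystem()
    return [serial for chip_id, serial in manifest if not cms.issue(chip_id, serial)[0]]
```

Running `accept_batch` on a delivery manifest before issuance turns the defect into a rejected shipment rather than a field incident.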

A later batch of 13 million cards was cancelled in September 2006 after it emerged that the winning IRCP consortium had "failed" part of the ToR calling for a UL-94 burn test. UL-94 refers to fire resistance of materials and the burn test has to be conducted on pure rods of that material. A smart card is not shaped like a rod or stick, thus it was impossible for any card to comply with that clause in the ToR.

DANGEROUS PRECEDENT

The new ToR manages to address most of the concerns. It explicitly calls for a Java PKI library and allows up to 4KB of memory to be already used at the time of delivery. The new card will have 64KB of memory available to the Java Card Operating System rather than the 32KB of the first generation card.

In effect the new ToR says it is acceptable to make up to 4KB of error patching, and thus absolves any guilt the previous committee may have had. However, this sets a dangerous precedent for future batches that rather than insist on correct design from the outset, the Thai government is willing to accept cards with big patch repairs. It also means that the government is paying for 4KB of memory on each card that cannot be used, which could have been avoided with due process.

The new ToR removes the UL-94 burn test requirements and explicitly states that the chip ID numbers have to be unique.

With regards to memory management, it adds the possibility of disabling applets to the clause relating to their addition or removal. A later paragraph says that removal of applets can be done without affecting other applets and must return the memory and resources to the card.

A new section, 2.2.3, states that the only organisation responsible for testing compliance is the MICT or an agency approved by the MICT. This prevents the "problem" of Nectec coming in and finding further fault with this new batch of cards.

After careful consideration, it is clear that the new ToR is an evolutionary appeasement that has been hacked together, plugging the holes in a reactionary manner rather than with any vision as to how the cards will be used in the real world.

On a purely technical level, it would be much better to explicitly specify Java Card version 2.2 rather than the same 2.1.1 or higher as was done for the first batch. This is because version 2.2 includes as standard the Java PKI libraries and proper memory management that allows applets to be added and removed in any order, components that are optional in 2.1.1.

Version 2.2 also includes many new encryption algorithms.

Four years ago, when the ToR for the first 12 million cards was being written, officials said that specifying version 2.2 would constitute a lock-in, as it was at the time a new standard with only a small handful of vendors. Today 2.2 is well established and specifying a next generation card would make sense. Writing applets for both cards would have to be done separately anyway, as the first generation cards have a proprietary ST Micro PKI library and the second set should have a Sun Java PKI library.

A 2.2 card would also probably help solve future problems. For instance, the ToR calls for two different encryption algorithms: The PKCS#1 asymmetrical public key algorithm and the Triple DES symmetrical encryption algorithm.

DES (Data Encryption Standard) is a 56-bit cipher from IBM research that first surfaced way back in 1977 and, amazingly, stood the test of time through extensions to the key size, growing into Double DES and Triple DES.

However, in May of 2004, the US Government's National Institute of Standards and Technology (NIST) issued a paper saying that T-DES was no longer authorised for encryption of government data. In 2005, researchers demonstrated a proof-of-concept attack on Triple DES that security experts agreed was verging on practical, given enough time and money. Because of this, there have been no new major roll-outs of T-DES since then, apart from the EMV card and, soon, phase two of the Thai Smart ID Card.

EMV card proponents argue that T-DES is sufficient as the key is in existence for only a split second at a time. The conceptual attack on T-DES would have taken months.

When the original ToR was written in 2003, the world still felt secure with T-DES. In 2007 encryption technology has moved on as has information and communication technology on the whole.

LAGGING TECHNOLOGY

Indeed, the Nectec representative on the Smart ID Card committee, Dr Pansak Sirichutapong, now promoted to Nectec director, said in a recent interview that technology has progressed so much that most of what was envisioned for the Smart Card can instead be done with a cheap 5 baht RFID card, digital rights management technology and online databases. The new cards are expected to cost 62 baht each.

When he came to power in October 2006, ICT Minister Sitthichai Pokai-Udom promised a perfect ToR for the Smart ID Card project. He may have succeeded in delivering a perfect ToR for use back then in 2004, but it is one that falls short given the state of the art today. The sad thing is that Thailand will have to waste 1.6 billion baht in finding that out.

Today, corporations no longer talk about technical specifications of the item they buy, rather they talk about service level agreements regarding the outcome they expect from their IT investment.

The idea for a Smart ID Card was very much a part of the Thaksin government's style of big-buck mega projects coupled with a tangible token of popularism. E-government was never supposed to be about smart cards, it was about investing in government enterprise architecture, breaking down silos, working better together and using technology, be it software, smart cards or RFID tags, to enable better and more efficient government processes for the citizen. The card was a means to an end, not an end in itself.

The Surayud government had the chance to practise the sufficiency economy it preaches, forgoing some imported hardware functionality and making up for it in software processes that can be created very well right here in Thailand. Yet it decided to forge ahead with what was at best a nebulous pipe dream, at worst a blatant waste of money, in the name of popularism.

Instead of a 62 baht imported card, we could have driven forward e-government with a 5 baht RFID tag, and with a billion baht left over to develop middleware poured into the local IT industry. Unfortunately, it will be the next generation who suffers from this choice, as by then all the players who made these decisions will be long gone.

Autor(en)/Author(s): Don Sambandaraska

Quelle/Source: Bangkok Post, 08.04.2007