Thailand's Pricey ID Cards Fail 'Smart' Test
Source Bangkok Post via NewsEdge Corporation
Twelve million "smart" ID cards costing 888 million baht and awaiting formal acceptance are substandard and if issued the information in them would not be secure, the Bangkok Post has learned.
The smart cards fall short of the terms of reference (ToR) in four key areas, and if used as a national ID card the security features would be seriously compromised.
The card has an incomplete version of the Java Virtual Machine operating system, and failed tests for Public Key Infrastructure (PKI) data encryption.
It also failed tests of its ability to securely add and delete applications, and does not meet the requirement to have 32KB of rewriteable memory available for user data and Java applets.
These findings were made by the National Electronics and Computer Technology Centre (Nectec), which was commissioned by the prime minister to verify the card's compliance with the ToR.
The tests on a sample card were conducted using Sun Microsystems' Java Card Compatibility Test Suite, Nectec director Thaweesak Koanantakool said .
Nectec only had the card for a matter of hours but that was enough to reveal that the card's implementation of the Java Card specification was incomplete and it lacked two important classes or libraries required by the ToR -- security and storage memory management.
"Strictly speaking, these are optional components but as they are required options according to the ToR, official Java Card classes are needed rather than the piecemeal approach delivered," he said.
Public key encryption (PKI) security usable by the Java Card was not present in the card's ROM (read-only memory). The supplier said that PKI capabilities would be provided through application software to be added later using the native, non-Java mode of the chip. However, it was not supplied on the sample card and thus could not be tested.
The ability to securely add and delete applications was also lacking because of the incomplete implementation of the Java Virtual Machine, he said.
The supplier had offered a backup/restore application, using valuable storage space, which would allow for adding and removing applications and data.
This was far from secure as whoever operated the memory management module then had unrestricted access to all applications and data on the card, including the PKI security application.
In a proper Java Card implementation, each application and its data would be secure and separate and security features like PKI must be in unchangeable ROM.
The ToR called for 32KB of available storage for cardholder data and applets. The card tested physically had 66KB of memory, but only 32KB was visible and usable by the Java Virtual Machine and its applications.
Of this 32KB, 4KB was used by the card operating system, leaving only 28KB of available memory before the memory management program and the PKI system was loaded. Only then could one start to install the applets and programs the card was intended for. "Don't ask me why there is a lot more memory available on the chip which cannot be accessed by the Java Card," Mr Thaweesak said.
Thanachart Numnonda, a Java expert and adviser to the Nectec fact-finding committee, said that although the card would work, by accepting a smart card with proprietary extensions to Java "you will be stuck with this vendor [ST Microelectronics] forever".
The alternative was to risk opening the door to an incompatibility nightmare when further generations of smart cards were delivered, each with their own proprietary non-Java extensions.
"Having to maintain so many versions to cater for proprietary extensions defeats the idea of having an open standard Java Card in the first place," he said.
Instead of returning a standard error message when some non-installed options were invoked, this card would crash.
The director of Gartner Asia Pacific Research, Dion Wiggins, said that Thailand's smart national ID card project was the largest multi-application smart card project in Asia-Pacific and one of the larger implementations globally.
It was a "one time chance for Thailand to be seen as a leader and for the world over to see a large-scale implementation of 65 million smart ID cards.
"This project can be a world-class success or failure -- which will be determined in just a few short months, not years. This is a very small window in which to act to make this project the success it can be," Mr Wiggins said.