Centrelink issues $500k unbreakable code for free

Algorithms withstood three years of Defence hacking

Centrelink will release its $560,000 smart card identification protocol for free in an attempt to buy-back security systems based on the technology.

The welfare agency claims the Protocol for Lightweight Authentication of ID (PLAID) has withstood three years of design and testing by Centrelink, the Australian Defence Signals Directorate and the US National Institute of Standards and Technology without fault.

Centrelink, which has one of the country's most advanced physical and logical converged security systems, will use the protocol in its incoming fleet of contactless smartcards currently under trial by staff. These will replace the existing identity cards that operate on PKI encryption. The agency designed its converged security system with Novell to allow staff to access doors and computers with a single centrally-managed identity card, and user identities can be automatically updated as employees leave, are recruited or move to new departments.

Minister for Human Services senator Joe Ludwig said the PLAID will fill vulnerabilities in Centrelink's converged security which have previously been vulnerable to hackers. “Until now, existing technology in this field has been at risk of breach by hackers,” Ludwig said in a statement. “But PLAID will prevent the cracking of authentication systems and foil the cloning of smartcards and other system-access devices.” Centrelink hopes the protocol will be adopted across government.

The agency has about 26,000 employees and administers more than $70 billion in payments and services to some 6.5 million customers each year.

Centrelink documents reported the hackers cannot break the PLAID protocol because it uses two cryptographic algorithms in its scrambling process in rapid succession — typically less than a quarter of a second — whereas other systems use a single algorithm.

“PLACID is the only system that preserves the privacy of the cardholder from ID leakage. Other systems 'talk' from card to mainframe using easily captured personal information and unique identifiers in the ID-authentication process,” the documents reported. Centrelink claims hackers cannot read query data between the terminals and smartcards even if it is intercepted because of the scrambling feature.

The protocol will be available on www.govdex.gov.au.

More about: Centrelink, Novell

Comments

1

Anonymous

Wed 29/04/2009 - 22:20

waste of money

Please explain to me why is the Australian government, in this case Centerlink of all agencies, is wasting tax payers money on developing secure authentication protocols for contactless smartcards- I mean is this really their job??? Why do they think they should be doing this??? Firstly, it is the role of private sector and IT industry to provide such solutions to meet the requirements of clients such as the government. It is inappropriate of government agencies such as Centerlink to think they can make up protocols, and then ask industry to implement in their products and adopt them as a standard so they can say it’s a COTS solution. Who do they think they are? They have no understanding of the commercial realities of vendors who provide these solutions. No mention of who is actually going to implement this protocol to provide the return on the investment made by the tax payer, and which they have decided to give away for free! Secondly, I would like to know what the actual requirements were, and the justification they have for approving the funding and developing of such technology. I don’t believe Centerlink has any reason what so ever to be developing smartcards with the level of security they are suggesting. Even the Defence Department does not have this type of technology, but at least they would have a justification. Even if there were really requirements for such a secure protocol for contactless smartcards, then there s a number of other far more superior and suitable agencies who have greater mandate and resources to research and develop this solution, namely CSIRO, DSTO, or one of the many CRCs and universities. ...just another example of agencies with not enough accountability overstepping the mark of responsibility

2

Ishmael

Thu 30/04/2009 - 04:22

This is delicious! YES! YES!

I can't wait! Imagine the possibilities!

3

Anonymous

Thu 30/04/2009 - 12:26

Is it PLAID or PLACID?

4

adrian mccullagh

Thu 30/04/2009 - 14:27

Plaid

The protocol name is plaid for "protocol for lightweight authentication ID".

5

Luke Kendall

Sun 03/05/2009 - 21:33

Sounds naive to me

This sounds dodgy to me. "Has withstood three years of trial" - big deal. Expose the algorithm worldwide and hope that someone *proves* its mathematically intractable to crack. What am I saying? I mean, hope that after many years of trying, no one finds an avenue of attack for the encryption.

Three years of relatively secret trials is close to meaningless, unless it involved top cryptographers.

As for the comment that it replaces existing systems that use PKI - in what way is that a step forward? As far as we know, PKI is not crackable by any technique known to any mathematician working outside the NSA, or without a working quantum computer. And there are several completely secure protocols (e.g. Kerberos, ssh) that depend on the public/private key duality of PKI.

And "PLACID[sic] is the only system that preserves the privacy of the cardholder from ID leakage. Other systems 'talk' from card to mainframe using easily captured personal information and unique identifiers in the ID-authentication process,". But that's the beauty of PKI.

PKI allows talking using easily captured information, but guarantees that's its completely useless to anyone without a million years of computing power up their sleeves to back-compute from. That's why Diffie and Hellman's work was such a breakthrough. So is Centrelink (renowned for its giants in the cryptographic community, I'm sure) saying that all current systems have broken designs?

As for the brilliance of using two cryptographic systems in quick succession - again, that's schoolboy stuff. Were any serious cryptographers were involved in this work?

6

Anonymous

Tue 12/05/2009 - 07:54

You seem to be confused a bit...

"PKI is not crackable by any technique known to any mathematician working outside the NSA"

PKI stands for Public Key Infrastructure and is not a cryptographic algorithm (so it is obviously not "crackable" since there is nothing to crack). The most popular algorithm used in conjunction with a good PKI is RSA. However, RSA requires very large keys and a lot of computation and is not practical for most small devices such as smart cards.

Also, Diffie Hellman offers no authentication whatsoever so is flawed without a PKI. However, a PKI is clumsy; it requires a trusted third party to verify identities and there are inherent problems with this as we see with the PKI that websites use, hence the "step forward."

As for the 2 cryptographic systems used in quick succession, I am guessing that is employed to help deter side-channel attacks (electromagnetic analysis maybe?) which is not exactly "schoolboy stuff." But that's just a guess.

Hope that helps.

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: centrelink, cryptography, pki
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/160/ultraiso/

UltraISO

UltraISO is an ISO CD/DVD image file tool that creates, edits and converts. It is also a bootable CD/DVD maker that has the ability to ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia