The Smart Card - A Breach of Privacy?

Written by Waheed Al-Balushi, on 6 October 2006 at 21:58

To begin our articles in this series, I invite you to watch the film at the following site, which depicts one of the negative aspects that may accompany the widespread use of the smart card:

http://www.adcritic.com/interactive/view.php?id=5927

The clip tells the story of a man who calls a pizza shop to order a family-size pizza, but the pizza shop employee sells him goods he does not need and adds other services to his bill, because she discovers that his home address is in an area known for crime and so adds a charge for that to the bill. She also sells him another kind of food because she has discovered that he can afford to pay, since the records (the smart card) show her that he has bought expensive goods, and she even blackmails him when she discovers that he has bought indecent magazines. Are we ready for this kind of intrusion? Of course some will say that the film is exaggerated. Yes, we agree with them, but the principle is the same: all of our information will be on that card, and what remains is the question of who views it, when, and how!!

In the United States of America and Britain, the authorities face a great deal of resistance to introducing and rolling out the smart card to civil society, because of the great fear raised by some civil society actors there and by pressure groups concerned with protecting privacy and human rights about the violation of the privacy that those countries' constitutions respect. Their greatest fear is their governments' use of that information and violation of privacy, not the possibility of others breaking into government networks.


7 comments on “The Smart Card - A Breach of Privacy?”

  1. The clip, even if it is “a little” exaggerated, reflects the reality that is inevitable for us in the near future. As long as the instinct to intrude on others' privacy exists in humans, we must consider the breaching of these systems a natural thing. And thank you for your effort.

  2. I am sorry to comment in English as I am not a good or fast typist in Arabic. I just wanted to say that we still have a long way before we understand the concept of “Data Protection” or information security, and that it is much more than I.T security alone, we need legislation, cooperation, awareness, and a lot of user education. I was shocked when I did a credit card transaction here in Bahrain only to find out that my full name, full credit card number and expiry date are all clearly printed on the receipt!!! “Ya 7alawa!”

    I will not mention Europe or the USA like the guy in Adel Emam’s movie: “Fi oropa wal dowal al motakadema…” but in Thailand, Malaysia, Singapore, China and even in the UAE this information is NEVER printed in full on the receipt. Clearly any person who intends to use your credit card fraudulently without your knowledge needs this info, and our banks in Bahrain want to make his job easier by having all of it in one place, nicely printed and presented. What’s next, our CPR and PIN numbers too?

    Why are banks not taking responsibility? Is it because they do not care? Or are they not forced by the law? Or simply because it is easier to look the other way and shift the cost of fraud to the customers? What the hell, all those customers will spend countless hours and a lot of effort trying to get their money back from disputed transactions, and pressing those fancy buttons on tele-banking “Press 9 to speak to a completely useless customer service rep. from our helpLESS desk!” but look at the bright side, YOU will listen to nice music while on hold for the next hour or so while we figure out how to convince you that it is your mistake in the first place.

  3. Please note that we have deleted this comment because it violated the terms and rules.

  4. http://www.gulf-daily-news.com/Story.asp?Article=158987&Sn=BNEW&IssueID=29210

    Smart move over e-cards

    MANAMA: Bahrain’s new smart card got the final green light yesterday, as the Cabinet approved the law stipulating its introduction.

    It will eventually replace the old CPR card and will carry all the data people need to use the country’s public services.

    The smart card can also be used as an electronic wallet to pay for services and will carry personal data, such as health and driving licence records.

    It is a central part of Bahrain’s e-government project, designed to put the country ahead in the technology race.

    Bahrainis will have the choice of paying BD2 for the basic Smart card, or BD5 to include the electronic wallet, it was revealed at the Cabinet meeting, chaired by the Prime Minister.

    Expatriates pay BD10 for their e-cards.

    The new executive law specifies the data that will be on the card and also defines its validity, the renewal and issue procedures.

  5. In a National Identification Scheme (ID Cards, Biometric Passports) the security of the chip is considered a vital issue when counting authorization processes (i.e. when a user is granted a level of privileges to access a certain service). Having more than one application in one card made the card security more important than ever, especially if it contains personal financial, biometric, and confidential information.

    We can’t reach a 100% secure environment in any way; however, there are many attempts to reduce the risks of suffering a security impact.

    One of the techniques used is having firewalls in the chip to make sure every application is allowed only the least information from the card that is related to its service.

    Security Management is a growing concern these days when talking about security. The way we deal with all parts in order to provide security. Security of ‘Registration and Issuance’ system of the smart identities in a National Identification Scheme is considered to be extremely important.

    Starting with the Data Acquisition process, identification evidence is requested. If this document could be successfully identified against government’s records, then the user would be allowed to go further with the biometrics steps and other registration procedures. The identification evidence should be strictly dealt with and should not only depend upon providing identity documentation. Providing more than one evidence should be made preferable, accuracy of biometrics images and biometrics scanning devices should be maintained and attention should be paid for errors and exceptions handling. Alternatives should be there for people with disabilities in order to preserve their rights in having smart identities which allow them to conduct services as other normal people. Furthermore, authorities should consider that the provided evidence could be faked, and could still be registered as genuine documentations within the government records. In such cases, what proper solutions authorities would consider in order to discover forged documents before registering their users within the database? What would be their reaction towards such incidents?

    During information entry and transfer to the database some vulnerabilities might occur and put this procedure at certain security risks. The client hosts and servers must be strongly secured, updated with the required patches and supplied with proper perimeters (e.g. Firewall, Intrusion Detection, antivirus, anti-spyware, assistiveware-keystrokes … etc). The underlying network should be reliable, fast, and available all the time. Virtual Private Networks (VPN) might be needed to ensure secure data transmission. However, the design of the VPN should be strong enough not to be bypassed or to weaken the system security. Before information is entered into the database, operations must be committed and checked that they do not result in conflicts which might bring the database into an unstable state. This could also result in storing and processing inaccurate or uncommitted data, which directly attacks the integrity of the database. Network Security, Computer Security, and Management Security professionals are needed to monitor the whole scheme's progress.

    Data Preparation, Key management and Card Personalization processes are heavily dependent on performing the job accurately and efficiently. Accuracy and security of the information stored in the central database is of vital importance since these procedures will only depend on the information they stored to accomplish cards issuance. Comprehensive training programs need to be planned to educate the staff and employees working on these schemes and to make them aware of policies, procedures, negligence penalties, responsibilities, security vulnerabilities, risks and consequences which might result due to carelessness. Duties should be segregated and specified clearly; each member within the scheme must understand his/her duty and the work he/she should handle. This will guarantee that all the staff knows their responsibilities well enough to successfully complete all the needed operations. Additionally, it will help in supporting audits administrations and will ensure operations’ security (i.e. confidentiality, integrity, accountability … etc).

    ‘Security audit files’ would be highly recommended in these procedures in order to provide evidence to track accountabilities in certain situations where taking a decision is an issue. The vendor companies responsible for supplying governments with the Smart Cards should be accountable too and liable for the cards’ technical or security errors. A number of experts and professionals (e.g. security specialists, networking specialists, engineers, lawyers, accountants … etc) and deputies should be around for consultations in the different stages of implementing the schemes. Furthermore, the way sensitive keys are derived, created and stored should be studied properly. This will include the technologies involved, cryptographic algorithms applied, key infrastructures required, Certificate Authority (CA) chosen and the security properties targeted.

    The last process is delivering the card. Either issue the ID Card to the cardholder immediately after the card issuance is completed successfully, or deliver the card to the user by ‘secured delivery’ a few days after the issuance of the card. For this step, some questions must be agreed on before designing the scheme in order to securely deliver the card to its correct cardholder.

    • How smart identities are going to be delivered to the correct user?

    • Is there any assurance that the correct user is going to collect the delivery?

    • What are the measures that state of the delivery and its collection would be secured?

    • What is the procedure in case the smart identity is lost or stolen?

    • Who is responsible if the smart identity is lost in delivery or collected by a wrong person?

    • Does it mean when the card is lost and the issuance center is closed the user will lose his/ her opportunity to accomplish the required service?

    • Could this create a new type of ‘Denial of Service’ (DoS) attack?

    • If this relates to money and financial loss, how the government is going to deal with protecting individuals’ rights?

    Many other issues should be considered before issuing a Smart Identity. If all parts cooperate and successfully achieve the security main targets then the system would be definitely successful. Otherwise, a catastrophe might occur.

    Mona Mohammed

    BSc. Computer Science

    MSc. Information Security

    Royal Holloway, University of London

  6. Mona seems to say that we need A LOT of security procedures so that smart cards can be OK in Bahrain, but I should add that if the costs of having e-cards outweigh their benefits then the cards shouldn’t be imposed on the public. The key is to ensure that there are procedures, in design, management and application of the smart card systems, that would ensure people’s right to privacy.

  7. We are in a society occupied by the government. In the past we used to struggle, but now we struggle and our voice is not heard.

    So there is no need to protest, for the excuses and justifications are there.


