The Possible Flaw in the e-KTP System

Written on May 17th, 2013. We've got comments, too!

Indonesia’s new electronic ID cards — the e-KTP — has come under a lot of fire recently (particularly with the minister for commerce insisting that photocopying the card will break it). Devs have been busy trying to make sense of the chaos, and my Google+ community managed to get some nice, technical answers.

It appears, however, that the controversy, slip-ups and confusion have hidden the true flaw in the system.

Disclaimer: all of this is speculation, since we haven’t reached the point where a flaw could be abused in the system. If I am wrong, please correct me (you can contact me here). I truly hope I’m wrong.

First, a quick recap on what this thing is. Here’s a guy holding up a pair:

Picture via Kompas. Don’t read the article, it gets even more confusing.

NFC-enabled, RFID-based “contactless” cards. Embedded in a few hundred million ID cards, distributed around Indonesia, starting last year or so. Right now, they’re not used electronically, but we expect that to change very soon.

The e-KTP system was designed to be an authentication tool. You put it on a scanner, scan your fingerprint, and that’s used to verify your identity.

Additionally, the data within is completely encrypted, with no useful information available to anyone with an NFC-enabled device. This stirred up a storm in the developer community: anyone wishing to read or interface with the e-KTP is required to have a special card reader, provided by the government, practically limiting their use to large businesses.

Or so they think.

The Flaw

Digging into the e-KTP specifications (available via third parties — for some reason these things aren’t available online) reveals this:

d. Keamanan (Security) terdiri dari beberapa hal sebagai berikut:
2) Mendukung autentikasi dua arah antara smart card reader/writer dan chip;
4) Algoritma Keamanan (Security Algorithm) bersifat simetris (symmetric) berdasarkan algoritma: 3DES dengan panjang kunci 168 bit, AES 128 bit, atau setara;

Translation: symmetric key encryption.
Explanation: Where one ‘password’ (okay, fine, a “key”) is used both to encrypt and decrypt.

Yes, all the data in the card — which includes the fingerprint data used to match up with the user, presumably to avoid requiring an internet connection (or a 24/7 online server) for authentication — is protected by a symmetric key.

To their credit, 128-bit AES is secure, and there aren’t any known flaws. A good deal of the world’s encryption relies on it. The issue is with symmetric key encryption itself.

It means every e-KTP reader machine contains the secret key to reading and writing.

Yes, not just reading. Writing. Which means fake e-KTP cards can totally happen.

There is simply no way that this will not happen. The card readers will be distributed around the entire country — there will be thousands of them. Protect the readers as you wish: once that secret key is embedded in a reader, it’s just a matter of time until a sufficiently dedicated individual — or organization, or government — recovers the key.

So what happens when the key gets exposed?

Identity theft.

First of all, a person possessing the key can — thanks to their contactless nature — press a reader (which, by the way, fits in a cell phone) to someone’s wallet, hope the signal passes through, and grab all the information on it. Or wipe the original card in the process.

Counterfeit cards are also an issue. With digital verification, it’d be much easier to disguise a card (say it fell into a river or something) and pass a person off as someone else.

Voting fraud is one thing. Impersonating a person at an airline check-in desk is a potential security threat.

To top it off, KTP cards have a 5-year lifespan. It would take up to 10 years to fully cycle all the cards to use a new, hopefully more secure, system.

I could be wrong!

First of all: it’s not defined in the specifications, but there’s a possibility I’m wrong all along — perhaps the fingerprint is the encryption key. That’d be completely brilliant, but nowhere near reliable: a person’s fingerprint is easy to obtain, so a sufficiently motivated individual could still obtain access.

The system could also be more complex, such as each card having its own encryption key, stored on a home server in Jakarta. Presumably, in this case, the key would have to be fetched by the internet whenever a e-KTP needs validation. And if the machine contains an API key (basically an access code to the server) to obtain said key, then there’s that vulnerability, too.

That said, when a system is said to be secured by symmetric encryption, the typical interpretation is what I explained above. There could be additional defenses, or there could be a specification sheet that I haven’t found.

Again, if you can enlighten me, please get in touch.

Potential Fixes

What really confuses the tech community — and many people I’ve talked to — is why the cards don’t just use asymmetric key encryption (i.e. public-key cryptography), where different keys are used for encrypting and decrypting. This would completely negate the issue of counterfeits — only card reading would be an issue, and let’s face it, the data is written in plaintext on the physical card itself. There’s pretty much no reason to hide that information in the first place.

And it’s not like asymmetric keys are advanced technology. They’re used every day — TLS, used by every website using HTTPS, is based upon it. It’s very well-understood.

At this point, though, the damage has been done. We won’t know how vulnerable the system is until it goes into practice. Hopefully a white-hat discovers the key before the bad guys do… And hopefully the government fixes the issue.

Or, you know, they might just change the secret key.