Centrelink will release its $560,000 smart card identification protocol for free in an attempt to buy-back security systems based on the technology.
The welfare agency claims the Protocol for Lightweight Authentication of ID (PLAID) has withstood three years of design and testing by Centrelink, the Australian Defence Signals Directorate and the US National Institute of Standards and Technology without fault.
Centrelink, which has one of the country's most advanced physical and logical converged security systems, will use the protocol in its incoming fleet of contactless smartcards currently under trial by staff. These will replace the existing identity cards that operate on PKI encryption. The agency designed its converged security system with Novell to allow staff to access doors and computers with a single centrally-managed identity card, and user identities can be automatically updated as employees leave, are recruited or move to new departments.
Minister for Human Services senator Joe Ludwig said the PLAID will fill vulnerabilities in Centrelink's converged security which have previously been vulnerable to hackers.
“Until now, existing technology in this field has been at risk of breach by hackers,” Ludwig said in a statement.
“But PLAID will prevent the cracking of authentication systems and foil the cloning of smartcards and other system-access devices.”
Centrelink hopes the protocol will be adopted across government.
The agency has about 26,000 employees and administers more than $70 billion in payments and services to some 6.5 million customers each year.
Centrelink documents reported the hackers cannot break the PLAID protocol because it uses two cryptographic algorithms in its scrambling process in rapid succession — typically less than a quarter of a second — whereas other systems use a single algorithm.
“PLACID is the only system that preserves the privacy of the cardholder from ID leakage. Other systems 'talk' from card to mainframe using easily captured personal information and unique identifiers in the ID-authentication process,” the documents reported.
Centrelink claims hackers cannot read query data between the terminals and smartcards even if it is intercepted because of the scrambling feature.
The protocol will be available on www.govdex.gov.au.
