Schneier On Security Weblog
Daedala writes "Bruce Schneier now has a weblog that reprints the Crypto-gram newsletter and essays. The information will be posted more often than the once-a-month email. The recent op-ed piece for the International Herald Tribune on RFID passports is scary."
The recent op-ed piece for the International Herald Tribune on RFID passports is scary.
Maybe, but it's also possible that Schneier has fallen into a common confusion between RFID and contactless smart cards.
If the administration really is proposing to use RFIDs, then they're being stupid (no shock there). The term RFID is used, by convention, to refer to devices that communicate over RF but are fairly stupid. The most common ones simply spew their recorded information any time they're powered up by an appropriate RF field. This seems to be what Schneier is assuming.
Contactless smart card chips are ultimately the same technology as a high-end RFID -- a microprocessor chip with a radio transceiver, operating on inductively supplied power -- but the design principles and assumptions are radically different. Smart cards have the ability to perform cryptographic operations and to make decisions based on the results of those operations. For an electronic passport the obvious design is to configure the chips to require a cryptographic authentication before they're willing to divulge the data. Of course, only authorized, government-owned and -managed readers should have the keys needed to authenticate to the chips. More precisely, only the back-end servers connected to the authorized devices should have those keys, and they should be secured in tamper-reactive hardware, and in a secure facility.
Given a system like that, the likelihood of anyone other than an authorized government agent being able to read your passport is next to nil, so put that fear to rest (assuming these aren't really RFIDs and I have seen some indications elsewhere that they're not).
As far as the other concern goes... it's possible, but easy enough to defeat. Just put your passport in a metallized sleeve.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.