No Encryption For RFID passports
Spy der Mann writes "Despite widespread criticism from security experts, the government is declining to encrypt data on RFID passports. Lee Tien, an attorney at the Electronic Frontier Foundation, said: 'It is my understanding it's possible to read this information from 10 to 30 feet away with the right equipment.' Considering gadgets like the BlueSniper as 'right equipment,' I think he's got a point. Tinfoil covers, anyone?"
Even if you accept that RFID should be incorporated in passports (and the concept of terrorists and criminals owning a hand-held US-passport detector should be more than enough reason to realise it's a completely dumb idea), then why on earth should there be any locally stored data?
If the passport held a unique ID number and nothing else, then sensitive data could be stored somewhere safe off-site, rather than in the back pocket of a potential terrorist.
A pizza of radius z and thickness a has a volume of pi z z a
Either remove the RFID bug or fry it with microwaves.
Either way, just guarantee there's nothing to harvest information from.
Still, I fail to understand why anybody would want encryption on it. Encryption schemes are broken, as are signing algorithms and other complex mathematical constructs. Considering how long passports have been around, would you trust your data to DES?
"the government"
Which government?
If it is only an ID number, then the picture and info could be stored centrally. But then what about when that server gets hacked?
I think that if there is no broadcast, but info is on the passport and it is a touch transfer, that could solve the problem. What would be so hard about it being a smart card that doesn't transmit?
A
just what you need when driving around town with your new RFID enabled passport... amazing how things just pop up when the topics are appropriate...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
How am I supposed to fit a pithy, relevant quote into 120 characters?
Of course should they have encrypted/passwd protected the security, and then some person cracks that method they'd be in trouble too.
Knowingly having zero security *can* be better than having poor security and thinking it's strong security, e.g. the early 802.11 standards where security was thought to be good and turned out to be abysmal, the CSS on DVDs etc.
don't forget - SHINY SIDE OUT.
This goes for foil hats too, but you already knew that didn't you.
Take one RFID scanner, one unshielded passport, one laptop and an empty fake. Perhaps I'm hyping this up a little, but: drive-by identity theft.
The only things certain in war are Propaganda and Death. You can never be sure which is which though
On the other hand, having poor security believing it's strong *may* be better than having no security believing it's unnecessary. The article says that simply having the "foil case or a weave in the cover that will cloak the chip" should be enough to protect the data.
According to the wired article: Agents will also be able to use facial identification software to compare the person to the digitized photo, which is not feasible with current passports.
Which is interesting because, according to this the error rate for real time facial recognition: the current error rate is 20% [...] this implies that out of 50,000 match scores there are 1,000 errors.
Enjoy the wait. Remind me how many of the 9/11 hijackers had invalid passports?
Meine Schwester ist sehr, sehr reizvoll - Nietzsche
Still, two opportunities for profit: the RFID manufacturers and the RF shielding manufacturers can both get their cut.
We're talking about RFID here, these things aren't powerful enough to do any processing themselves, you can just read data from them. So if you use encryption, then you've gotta give anyone who needs to read the thing a decryption key - customs agents in every country of the world. It would be a matter of minutes before the decryption key got into the hands of criminals.
And they're going to enclose it in a RF shield, so that it can only be read close-up, with someone to open the shield. And someone thinks that this is a good idea?
True, it makes no sense to me that they'd use RFID in the first place. Surely they can come up with a technology which is on by demand (press a button) rather than which is always on. Or maybe there's a way to put a digital signature on the photo itself. I guess it wouldn't be a digital signature then, though, as photos aren't digital. What about a 2D barcode? How much data can you squeeze into one of those, enough for a low-res picture?
PDF417 allows for 1100 bytes. That's not enough.
It's not a trivial problem, after all you'd like the device to be battery-free, but maybe you'd have to abandon that requirement. Wouldn't be so horrible to put one of those watch batteries into it, since if the battery was lost or went dead you could just get a new one at the border. Then you can put a button on the damn thing so it's only transmitting when you press the button. And then you can have your digitally signed photo, which is the whole point of this in the first place.
Put a nice long Yagi on a sniper rifle and a PDA to control it. Go to a convenient rooftop and survey your choice of targets. Choose a likely one and squeeze lightly .. the Yagi sends an activation pulse to the target's passport and listens for the nationality .. "USA". A second later, one less Merkin.
Your tax dollars at work!
Actually, a hidden roadside bomb is more likely. You can even target on the basis of other data, such as name or religion. Great fun.
I already have my aluminium card holder.
It is clearly an intentional choice. The goal is to make luser's data easy to get at. When talking about "lusers" in the context of government, read aloud as "anyone who doesn't get a bodyguard on government payroll".
I forget what 8 was for.
My bad. 10,000 out of 50,000, rather. Thanks.
Meine Schwester ist sehr, sehr reizvoll - Nietzsche
Tinfoil covers, anyone?"
Just wait for the law that makes the use of tinfoil illegal.
No tinfoil pockets
No tinfoil lining of jackets
No tinfoil anything
Tinfoil will be listed as a dual use good with special import/export restrictions like a screw driver for atomic bombs.
Before the law, tinfoil and atomic bombs will be treated equal.
Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
Or they use a mag stripe hooked up to a little chipset, powered by the host machine. I mean really, you're getting stopped by border patrol. Is it really that much extra effort to physically touch your passport to a machine, when you're likely to be sitting in customs for an hour and a half anyway?
It sounds to me like someone got lobbied.
The ______ Agenda
Heh, mag stripe, good point.
Yeah, right.
Better yet, if they really want to store data, without broadcasting, and no need for a battery, use a contact smart-card. Those little guys can store all the data you would need for a photo, plus a few lines of text, and a signature of some sort. And the only way you can read it is by placing the chip physically in a reader. The only drawback I see with it is that the contacts may wear out over time. Honestly, I'm not sure how many reads one can get before they wear down, but I do know that it's a rather large number.
If anything, this is just irresponsibility from the government at its finest. Putting unencrypted data on a device that can be queried from a distance is unbelievably stupid. And I don't see how this is going to help security in the long run. Anybody can buy RFID smart cards. All a "terrorist" would have to do is pose as a security company, and buy the cards, in bulk, from a supplier. Figure out the algorithm to make a correct digital signature, and then start printing their own cards. Embed them in a halfway convincing passport (no longer even needs to hold up to close visual inspection), and voilà! Instant "Get into the US free" card.
It never ceases to amaze me, the government is spending all of its effort running around trying to convince people to "fear the terrorist", but in the end, they are just making it easier for them to get in. I guess this "War on Terror" is little more than a thinly veiled effort to erode civil rights. It's the perfect scam really, pretend to be doing everything to make people safer, while, in reality you relax security. More terrorist style attacks get through, and people get more scared. They then will be willing to give up even more liberty for security. Wash, rinse, repeat. In a few short years, you have the people willing to put up with anything, so long as it makes them think that they will be safer. Machiavelli would be proud.
Necessity is the mother of invention.
Laziness is the father.
So let's say in 10 years you are walking in a modern day Iraq with your passport. Guess the terrorists will love your passport because they can just walk past you and get accurate ID information so they can pick and choose who to abduct and threaten. Way to go USA!
I want to put on my tin foil hat and make sure that my passport is free of micro-organisms by PUTTING it into the MICROWAVE, YEAH!
While this wouldn't incur any damage to my current passport, my Enhanced Passport with RFID action may not fare as well.
And I wouldn't want to pay $_$ to have a perfectly good, micro-organism free passport replaced, would I?
>This goes for foil hats too, but you already knew that didn't you
... Sure, that's what you *want* me to believe ! <|;)
What if the chip gets broken? How do they distinguish whether it's fake or it was genuine?
A slight problem with putting the decryption key on the passport (e.g., as a barcode or mag stripe) is that it would make it easier for a forger to make a fake passport (i.e., they just make up whatever encryption key they want, print it on the passport, then encrypt the data with that key and put it on the RFID). The simple solution is to also include a digital signature on the encryption key.
Of course, this whole thing could be solved by printing a big 2D barcode on a page of the passport instead of including an RFID at all. Biometric data could easily be included. Make the barcode be encrypted and digitally signed (so you can easily check if it's a forgery). Tightly control who can make barcodes (i.e., only the passport authority of your country). I guess the only problem with the barcodes is that they're easily copyable. Though people will figure out how to copy RFIDs soon as well (if not already).
Anyway, the whole point of using RFIDs is so that they can track people as they walk through various corridors of airports without having guards checking passports at every corridor.
My other first post is car post.
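The scheme from the comment above (key printed on the page, chip data encrypted under it, issuer's signature on the key), as an added example that is not part of the original thread; it also shows why the signature has to cover the chip contents and not only the key. All names are hypothetical, the record is constructed, the Lamport one-time signature stands in for a reusable scheme such as RSA or ECDSA, and `xor_stream` is a stand-in cipher, both chosen so the block runs on the standard library alone.

```python
import hashlib, secrets

RECORD = b"P<UTOEXAMPLE<<ALEX (constructed sample record)"

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key: 256 secret pairs; the public key is their hashes.
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, [[H(a), H(b)] for a, b in sk]

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def xor_stream(key, data):
    # Stand-in cipher (SHA-256 keystream), not a vetted construction.
    ks = b"".join(H(key + n.to_bytes(4, "big")) for n in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def issue(record, bind_data):
    """Issuer: the key goes on the printed page, the ciphertext on the chip."""
    sk, pk = keygen()  # fresh pair per passport only because Lamport is one-time
    key = secrets.token_bytes(16)
    chip = xor_stream(key, record)
    signed = key + chip if bind_data else key
    return {"key": key, "chip": chip, "sig": sign(sk, signed)}, pk

def read(p, pk, bind_data):
    """Border reader: holds only the public key, so it can check but not sign."""
    signed = p["key"] + p["chip"] if bind_data else p["key"]
    if not verify(pk, signed, p["sig"]):
        return None
    return xor_stream(p["key"], p["chip"])

def demo():
    out = {}
    for bind in (False, True):
        p, pk = issue(RECORD, bind)
        k = secrets.token_bytes(16)
        made_up = dict(p, key=k, chip=xor_stream(k, b"ALTERED"))  # invented key
        reused = dict(p, chip=xor_stream(p["key"], b"ALTERED"))   # genuine key+sig
        out[bind] = (read(p, pk, bind), read(made_up, pk, bind), read(reused, pk, bind))
    return out

if __name__ == "__main__":
    print(demo())
```

With the signature over the key alone, the altered chip paired with a genuine key and signature is still accepted; signing key and chip contents together rejects it.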