E-Passport In the Works

ExE122 writes "In an attempt to curb falsification of passports, the United States has placed an order for millions of embedded ID chips. 'The chips carry an encrypted digital photograph of the passport holder. The chip is designed to be read by a special device that will be used by U.S. government workers who check passports when travelers come through border crossings. The State Department began issuing what are being called e-passports to tourists last week and will gradually increase production. State Department spokeswoman Janelle Hironimus said existing passports will remain valid until they expire but, eventually, all U.S. passports — about 13 million will be issued in 2006 — will contain such chips.'"

US Department of State announcement

[SgtPepperKSU]

I actually ran into this a few days ago while looking into getting a passport. They announced this on the 14th.

The Department of State has employed a multi-layered approach to protect the privacy of the information and to mitigate the chances of the electronic data being skimmed (unauthorized reading) or eavesdropped (intercepting communication of the transmission of data between the chip and the reader by unintended recipients).

It seems the passports will come with their foil hats pre-installed ;-)

Anti-skimming/eavesdropping measures

[SgtPepperKSU]

More info form department of state:

The Department of State has employed a multi-layered approach to protect the privacy of the information and to mitigate the chances of the electronic data being skimmed (unauthorized reading) or eavesdropped (intercepting communication of the transmission of data between the chip and the reader by unintended recipients). Metallic anti-skimming material incorporated into the front cover and spine of the e-passport book prevents the chip from being skimmed, or read, when the book is fully closed; Basic Access Control (BAC) technology, which requires that the data page be read electronically to generate a key that unlocks the chip, will prevent skimming and eavesdropping; and a randomized unique identification (RUID) feature will mitigate the risk that an e-passport holder could be tracked. To prevent alteration or modification of the data on the chip, and to allow authorities to validate and authenticate the data, the information on the chip will include an electronic signature (PKI).

I have a chipped UK passport

[OriginalArlen]

And, as I have no intention or interest in visiting the US, I gave it 30 seconds in the microwave. Problem solved. They've been issuing these things over here since the end of July - I missed the deadline for a "real" passport by 5 days. Oh, and the thing is described as "biometric" which can't be right, as they've never taken any biometrics from me. They can't store a 40K jpeg in an RFID tag, at most it could be a (small) hash, but that would be useless as obviously another image of my face will have a completely different hash. Anyone got any idea what the UKPO means by asserting this thing's "biometric"? My guess is that they're just breaking people into the idea gradually, so as not to alarm us too much...

Re:RFID Blocking Passport Case

[SgtPepperKSU]

Guess I will need to get me one of these sooner than expected

It comes with one already... that is, if you trust a government issued one.

Re:Americans traveling to other countries.

uh, what? I literally get two weeks of vacation a year. Anything more than that is "leave without pay". If I tried to take my two weeks of vacation all at the same time and also take two weeks of leave without pay my supervisor would deny it and probably have me fired. I don't know anyone who can "arrange their vacation time vs. work time quite easily" - everyone has to get it approved by a supervisor and rarely takes more than a few days at a time.
If I lived in the EU I would get 4 to 6 weeks of paid vacation and it's not frowned upon to take the entire 4 to 6 at once which makes it even better. Pay in the EU isn't that different than in the US and quality of life is higher. Sounds like a pretty good deal to me.

Already hacked, even before rollout

[MrAtoz]

As featured a couple of weeks ago in this article on Wired, these RFID chips have already been hacked. From TFA:

LAS VEGAS -- A German computer security consultant has shown that he can clone the electronic passports that the United States and other countries are beginning to distribute this year.

The controversial e-passports contain radio frequency ID, or RFID, chips that the U.S. State Department and others say will help thwart document forgery. But Lukas Grunwald, a security consultant with DN-Systems in Germany and an RFID expert, says the data in the chips is easy to copy.

"The whole passport design is totally brain damaged," Grunwald says. "From my point of view all of these RFID passports are a huge waste of money. They're not increasing security at all."

Re:Americans traveling to other countries.

[Rosonowski]

I don't think there's anything about a minimum of vacation time, at least not for hourly wage earners. I don't get ANY vacation time, so any time I want to take off, I have to figure out how to make up the money.

Missing the point

[BigJavaGeek]

Most posters here are missing the point. The RFID tags are not used to store the images, just a reference to your ID in a database. It's about the same level of additional security the CVV (3 digit number on back of credit card) provides on top of your credit card number. It's a second factor that can provide a verification for the primary data (the picture/name in your passport). It's also like adding the little plastic strip inside US currency. You don't accept money from someone that is blank paper with a plastic strip, it still needs to have the other features that identify the money as legit. And while it still be counterfeited, it takes a bit more expertise and money to do so. Same thing with the RFID. You can't make it 100% impossible to fake a passport, but if this makes it a bit more expensive and difficult, that is a step in the right direction.

There may be legit concerns about the tags being used to track people, which is precisely why the new passports are mini Faraday cages to prevent reading the tags when the passport is closed. And if someone sniffs your ID when it is opened at customs, big deal. The RFID is just secondary confirmation. It still has to be paired with a valid passport with the MATCHING photo from the database that the RFID point to. A random person will not be able to make use of it. And if you're worried about someone snagging the ID of a similar looking person, how is that any different than non-RFID passports, when they can just create one from paper with your identification and their picture?

A healthy dose of paranoia can be helpful, but you have to critically consider the use of the data. The RFID does not replace the passport's primary identification, only augment it.

Re:Missing the point

[seanmb15]

Actually, the chips DO contain your picture, along with your address, passport number, and other info.

Re:Americans traveling to other countries.

[PPGMD]

It can also be frustrating to those working on a tight schedule.

One of my clients is a developer company, based in Mexico City, but with offices in most of the vacation hot spots in the US (because they own high rises in all those cities). There were having issues with their ERM, because it was a fixit session it was scheduled between other trips, and I only had two days on site. Well that wouldn't have been an issue, if they didn't stop working everyday for 3 hours to have lunch and watch the World Cup.

I don't know what it is, but the way we work versus the way that work is done in Europe and Latin America, is hugely different. I like to relate, to the Super Market that was across the street from where I was staying in Amsterdam, they were open M-F 10am-5pm, for an American that is unfathomable, Europeans are used to it, and adept to it, and I did too (by adept I mean I mostly ate at restraunts that were open later in the evening) when I was there for 3 months on a project. But it's quite strange for someone who's last job involved making a 1am Taco Bell run during my 11pm - 11am shift.

Re:The Main Reason is it's Faster

[swillden]

FYI: Yes it's possible to store a picture and a fingerprint template on the contactless modules in question, but more likely it's storing a hash that looks the data up in a DB. Sending a picture file or a fingerprint template across the reader would be pretty slow.

Actually, they not only store the photograph on the chip, but they store a fairly large, high-quality photograph (~30KB). The reference data set used for testing implementations of the ICAO electronic passport is almost 50KB in size, total. The transfer rates supported by contactless smart card chips are pretty high -- 400kbps and 800kbps. So, in theory, even with the slower speed you should be able to move 50KB of data in just over a second. In practice it takes longer than that since the chip also has to encrypt all of the data, and because the protocol has a lot of overhead. Still, decent implementations transfer the reference data set in just 3-4 seconds, even with all of the security turned on. That will get faster over time.

It's worth pointing out that performance is one of the reasons that contactless smart card chips are preferred over contact chips. Unless the ICAO wanted to develop new smart card technology, all of the contact protocols are significantly slower, maxing out at 115kbps. With off-the-shelf chips, contactless was much faster. There are other reasons contact chips wouldn't work well, though, and I doubt very much that performance was the deciding factor.