RFID Passport Security "Poorly Conceived"
tonk writes, "European expert researchers on identity and identity management summarize their findings from an analysis of passports with RFID and biometrics — Machine Readable Travel Documents or MRTDs — and recommend corrective measures that 'need to be adopted by stakeholders in governments and industry to ameliorate outstanding issues... By failing to implement an appropriate security architecture, European governments have effectively forced citizens to adopt new international MRTDs which dramatically decrease their security and privacy and increase the risk of identity theft. Simply put, the current implementation of the European passport utilizes technologies and standards that are poorly conceived for its purpose.' The European experts therefore come to similar conclusions as the Data Privacy and Integrity Advisory Committee of the US Department of Homeland Security in a draft report, which seems to be delayed."
Here is a link to the actual report.
Discard the "contactless" RFID option and use the old-style smartcards with the metal contacts. They're easier to design and can have more computing horsepower, since you don't have to power them passively, and they don't have problems with remote detection or electronic pickpocketing.
From what I was told, a passport is still valid even when the RFID chip is unreadable (as long as the rest of the passport is OK, of course). Maybe we should simply microwave our new passports for 10 seconds.
People on Slashdot have been saying this since it was first announced.
They should talk to geeks more.
In response to the poster who asked why these passports are data rich: Because it avoids the need to place all of this detailed personal information in central databases which are accessed remotely from thousands of locations around the world. How would you secure such a database?
The ICAO recommended approach is much more secure -- the problem here is that the EU has chosen not to implement the security features. The US State Dept. started down the same path, but changed course in response to public outcry.
Here's a description of how the "basic authentication" as recommended by the ICAO specifications works -- this is from memory, but it should be very close to accurate:
So, unless you can break AES or exploit some other flaw in the passport chip* the only way to retrieve the data from the chip is to look inside the passport. If you can look inside the passport, however, you really don't need to talk to the chip at all, because with the exception of some digital signatures, all of the data in the chip is printed in the passport.
What exactly is in the chip? Again from memory:
In the future, other biometrics may be added as well, like a fingerprint image.
The US State Dept. has chosen to go one step beyond the ICAO recommendations and add shielding to the passport cover, so the chip is isolated and can't be queried or detected when the cover is closed. Without that, an attacker couldn't read the data from the chip, but he could "ping" the chip and notice its presence.
*Note that these chips were not created for passports, they're standard contactless smart card chips which have decades of use as security devices behind them, and which protect billions in credit card transactions annually -- nothing's perfect, but they're darned good, having gone through many years of breaks and application of countermeasures.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
What do you think the response of a government official would be when an underling brings him/her a proposal for some new project/legislation that will benefit the official?
a) 'Sounds interesting, but let's get some more input and make sure there is no downside for our employers, the public.'
b) 'Woot! More power and influence for me! Promotion for you, but if it goes wrong, you will get the blame!'
They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
The general idea behind the e-passport is to create harder-to-fake passports as well as speed border processing. I will avoid the issue of creating counterfeit passports, as in the long run adding an RFID chip to this document will only make it harder to counterfeit. Old non-RFID passports will continue to be accepted for at least another 10 years. By then, it is likely that counterfeiters will have caught on and the issue will be moot. As for speeding border processing, this is not going to help anything. The passport still needs to be opened, and in the US case, a "passkey" needs to be entered into the system for the data to be readable (crackers already have found ways of decoding the signal and data if they have some basic info about the holder). This can easily be done using 2D barcodes which are not readable without the holder's knowledge. The problem is with everyone else who can read your passport. Whether the person is able to read all your private data, or simply determine that you hold a passport from a particular country, it already poses problems with security. As it looks like the passports are here to stay, the only viable solution is to put them into an RF shielded case, such as the RFID Shield. Some will say that the passport already has shielding. This is not always true. The Irish e-passport has no shielding at all. Furthermore, a partially open passport has a greater chance of being read, even if the cover contains shielding. This can easily happen in a purse or in your pocket if you accidentally shove your wallet between the pages.
This is not correct. The EU has implemented those security features - Basic Access Control (BAC) especially is a European development, mainly brought into ICAO by the German Federal Office for IT Security (BSI). BSI also proposed Extended Access Control (EAC) for additional data such as fingerprints. The study on which the Budapest declaration is based has all this analysed.
The shielding within the cover is not a complete Faraday cage, see RFID Passport Shield Failure Experimental Report
The basic problem is, that
If you have access to the MRZ, you can just decrypt the session keys. Successful brute force attacks on eavesdropped passport-to-reader communication are already feasible within hours, see ePassport Privacy Attack. Once the MRZ is known, e.g. when you have to leave your passport in a hotel or after a successful brute force attack, the passport can be 'pinged' e.g. when going through a door and then be used as a trigger for something. Excessive eavesdropping of passport-to-reader communication e.g. at airports allows for later brute forcing and then identity theft.
The Budapest declaration and the study behind it focus on all these issues and take all your points into account. BAC and what is already known on EAC has been analysed. Still the résumé is 'poorly conceived'.
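The two comments above (the description of ICAO "basic authentication" and the reply about MRZ-derived session keys) both turn on one fact: under Basic Access Control the access keys are a deterministic function of three fields printed in the machine-readable zone. The following is an added worked example, not code from this thread, from ICAO or from the Budapest study; it implements the public ICAO Doc 9303 BAC key derivation (check digits, SHA-1 key seed, 3DES K_enc/K_mac with parity adjustment) using the worked-example MRZ data from the ICAO specification, not a real document. It shows why the key material carries no more entropy than the document number, date of birth and expiry date that anyone who sees the data page already has.

```python
"""ICAO 9303 Basic Access Control (BAC) key derivation from the MRZ.

Added worked example (not code from the Slashdot thread, ICAO or the
Budapest study). It implements the public ICAO Doc 9303 derivation: the
document number, date of birth and date of expiry, each followed by its
check digit, are hashed with SHA-1 to a 16-byte seed, from which the
3DES encryption key K_enc and MAC key K_mac are derived. All input
values used at the bottom are the ICAO worked-example data, not a real
passport.
"""
import hashlib

_WEIGHTS = (7, 3, 1)


def _char_value(c: str) -> int:
    """Map one MRZ character to its numeric value ('<' counts as 0)."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {c!r}")


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weighted sum (weights 7,3,1 repeating) mod 10."""
    total = sum(_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Concatenate the three BAC fields, each followed by its check digit.

    doc_number is padded with '<' to 9 characters; dates are YYMMDD.
    """
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{check_digit(doc)}"
            f"{birth}{check_digit(birth)}"
            f"{expiry}{check_digit(expiry)}")


def key_seed(mrz_info: str) -> bytes:
    """K_seed = first 16 bytes of SHA-1(MRZ_information)."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]


def _adjust_parity(key: bytes) -> bytes:
    """Force odd parity on each DES key byte (the LSB is the parity bit)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def derive_key(seed: bytes, counter: int) -> bytes:
    """ICAO 9303 KDF: SHA-1(K_seed || 32-bit counter) -> 16-byte 3DES key.

    counter 1 yields K_enc, counter 2 yields K_mac.
    """
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return _adjust_parity(digest[:8]) + _adjust_parity(digest[8:16])


def bac_keys(doc_number: str, birth: str, expiry: str) -> dict:
    """Return the MRZ information string, K_seed, K_enc and K_mac as hex."""
    info = mrz_information(doc_number, birth, expiry)
    seed = key_seed(info)
    return {
        "mrz_information": info,
        "k_seed": seed.hex().upper(),
        "k_enc": derive_key(seed, 1).hex().upper(),
        "k_mac": derive_key(seed, 2).hex().upper(),
    }


if __name__ == "__main__":
    # ICAO Doc 9303 worked-example MRZ data (not a real document).
    for name, value in bac_keys("L898902C<", "690806", "940623").items():
        print(f"{name}: {value}")
```

Nothing in the derivation is secret: a reader that can photograph the data page, or a party that brute-forces the small space of plausible document numbers and dates against a recorded session, ends up with the same K_enc and K_mac, which is the "limited keyspace entropy" point made later in this thread. Shielding the cover and limiting who sees the data page are the mitigations available to the holder; the keys themselves cannot be changed.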
Well, as the US want to store all the data collected from the passports for 50 years, maybe they have an answer to that question?
The problem is not the chips. The problem is the RFID interface, the limited keyspace entropy, the absence of the option to change the key, well, see above.
Another problem with the passports is the use of biometrics in general, which is also covered within the study and the declaration.
The bottom line is: RF interface and biometrical identification do not increase security, but risks. These passports will cost lots of privacy, security, and tax money.