British "Secure" Passports Cracked
hard-to-get-a-nickna writes "The Guardian has cracked the so-trumpeted secure British passports after 48 hours of work:
'Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes?'"
Home Office spokesman.
"If you were a criminal, you might as well just steal a passport."
Missing the point dude.
If my passport gets stolen, I report it. It gets cloned, I've no idea somebody is impersonating me, screwing up my life (and others).
Please people, support NO2ID and tell Blair where to shove his flawed ID cards and CCTV cameras.
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
That would enable very cheap readers to authenticate passports and holders, and no option to fake it.
Even if people were to succeed in faking it, a criminal (let's not go down the terrorist route for once) wouldn't be able to erase his old identity from the books without deep inside help, which would probably be noticed by too many people.
(*)I don't know whether RFID chips are capable of implementing zero knowledge protocols (they require some computing power), but if they can handle 3DES, then the answer is probably yes.
The machine readable zone was chosen for key seed, because it is already there, and the readers are already there. I guess the idea is that it's better than nothing. It makes eavesdropping and cloning slightly harder than without. But just slightly. It is indeed possible to do both without very much effort. Forging (i.e. creating a passport with phony information but with a correct digital signature) is another story, very hard.
The EU is going to mandate the use of so-called advanced security mechanisms, a.k.a. extended access control, for biometric passports that contain sensitive data, such as fingerprint or iris images. Such passports will have a Diffie-Hellman key exchange for encryption and message authentication, and a PKI-based terminal authentication for granting access to sensitive data. The EAC spec is available from German BSI by request.
Oh, and before someone shouts that all RFID tags should burn in hell, I'll just say that the passport chips are contactless, or RFID, smart cards, and have next to nothing to do with RFID tags. The chips can, among other neat things, perform RSA operations using 2K-bit keys in reasonable time. Cracking the actual chip is very difficult.
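The key derivation discussed in the comment above, as an added example (not part of the thread or any poster's code): ICAO Doc 9303 Basic Access Control derives the 3DES access keys from three printed MRZ fields, so the key space is bounded by what is printed on the data page. The sample MRZ values are the specimen from the ICAO worked example; the ranges passed to `seed_entropy_bits` are assumptions.

```python
import hashlib
import math

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1; '<' counts 0, A-Z count 10-35."""
    def value(c: str) -> int:
        if c == "<":
            return 0
        return int(c) if c.isdigit() else ord(c) - ord("A") + 10
    return sum(value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def mrz_information(doc_no: str, birth: str, expiry: str) -> str:
    """The only key input: three printed fields, each with its check digit."""
    fields = (doc_no.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)

def _odd_parity(key: bytes) -> bytes:
    # DES convention: low bit of each byte makes the number of 1-bits odd.
    return bytes((b & 0xFE) | ((bin(b >> 1).count("1") + 1) % 2) for b in key)

def bac_keys(doc_no: str, birth: str, expiry: str):
    """Return (K_seed, K_enc, K_mac) as used by Basic Access Control."""
    info = mrz_information(doc_no, birth, expiry).encode("ascii")
    seed = hashlib.sha1(info).digest()[:16]
    def derive(counter: int) -> bytes:
        digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])
    return seed, derive(1), derive(2)

def seed_entropy_bits(expiry_days: int, birth_days: int, doc_numbers: int) -> float:
    """Upper bound on key-seed entropy, treating the fields as independent.

    The three ranges are the assessor's assumptions about one issuing state.
    """
    return math.log2(expiry_days * birth_days * doc_numbers)

if __name__ == "__main__":
    seed, k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("K_seed", seed.hex(), "K_enc", k_enc.hex(), "K_mac", k_mac.hex())
    # Assumed ranges: 10 years of expiry dates, 100 years of birth dates,
    # a 9-digit numeric document number. Two-key 3DES has 112 key bits.
    print(f"{seed_entropy_bits(3650, 36500, 10**9):.1f} bits at most")
```

Under those assumed ranges the bound is roughly 57 bits, and it falls further when document numbers are issued sequentially or correlate with the expiry date.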
How much happier would /. be if they based the security of the nation on a system that assumed you could make it impossible to copy digital data?
For once the experts got it right and realised the chips would always be copyable - and concentrated on making them unmodifiable!
The encryption was only to stop people skimming your passport whilst it is in your pocket (think Tin Foil Hat), and this has certainly not been broken. Using a unique key for each passport and not doing a centralised lookup for each read makes this a very very secure system.
Why they used a contactless system in the first place, and what they will do when the signing is cracked are totally different matters.
True - provided you're trying to get Alice to talk to Bob! Those two know a thing or two about cryptography by now and can deal with keeping keys secret, using strong passwords etc.
It all gets rather harder if you're dealing with a huge messy system composed of hordes of busy people who neither understand nor wish to understand the system. And that's just the immigration officers, never mind Joe Public!
The system that they cracked seems entirely fit for the (obviously intended) purpose of preventing casual sniffing of the RFID information. It makes the perfectly pragmatic assumption that, if the bad hats get physical possession of the passport you're screwed anyway.
They could have used a "secret" key (or something more sophisticated) because every immigration desk in every participating country then needs a secret key to "unlock" the info - and as soon as one of those (inevitably) leaks every passport in a dozen countries would have to be updated or replaced.
The problem is that all any technological change like this can achieve is to make counterfeiters work that little bit harder (the article didn't say if the info had been digitally signed - which would really help there and would be totally unrelated to anti-RFID-snooping measures).
In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
You'll probably find this guy's experience both amusing and utterly appalling. How far can you really go with credit card signatures?
http://www.zug.com/pranks/credit/
A preposition is a terrible thing to end a sentence with.
You may think that a non party political system is a panacea - it isn't - it winds up being worse than a dictatorship because you just don't know who you're going to end up having in government or what their policies will be after each general election. I live somewhere where nearly all the candidates are independents, and there's no real party political system. Our election is next Thursday. I have NO IDEA what sort of government we'll have after Thursday. Not a clue. I don't even know who will be Chief Minister. We elect our members of parliament and then they decide.
When the government does form, it's all political horse trading and who's done favours to who because there is no party system binding one side or other together. They all collectively hush up scandal, and if one minister disagrees with government policy the Chief Minister sacks them. All that then happens is the Government typically just copies what the UK government does.
A party political system might suck, but it's the best we've come up with - a rabble of independents is much, much worse.
Oolite: Elite-like game. For Mac, Linux and Windows
Thankfully not anything, as the fiasco over the 90-day detention showed. What a stiff-necked dickhead he looked like after that. I guess it happens to all PMs eventually. They get quite convinced that anything is theirs for the demanding by virtue of their office. Maybe the Americans have got something in the two-term limit for PotUS.
Sadly, none of this is confined to the current government. I'm old enough to remember when the Thatcher government introduced the Poll Tax for Scotland alone, using purely English Tory votes to force the stupid idea on an unwilling Scotland. It all went pear-shaped when it was introduced onto an equally unwilling England the next year, but it does go to show that introducing unpopular legislation without any shred of popular mandate is a time-hallowed tradition in the UK. In the end, liberty and such like find a way through, but a lot of damage can be done in the meantime.
Do you think PR would make a sufficiently significant change to stop ill-conceived legislation from being forced through? One thing I would love to see is for the (reformed) House of Lords to have the power to block a bill for one Parliamentary session. If the government feels that strongly about the legislation, it can call an election and have the bill passed on the back of popular mandate. Alternatively, it can wait and introduce it after the lifetime of the current Parliament. But if the HoL vetoes a bill which has been explicitly mentioned in the government's manifesto, then they must pass it. A sort of updated Salisbury Convention.
--Ng
What fundamental principle of encryption are they breaking? If anything, a fundamental principle of encryption is that there can't be such a thing as a "secret key" if you're either putting it in the passport or if you're deploying it to everybody that needs to scan passports (remember DVD encryption?).
Huh, you have worked with encryption haven't you? You are supposed to use a "secret key" in 3DES encrypted communication, it's a fairly standard procedure. It's also completely useless if the "secret key" is public information as that is really the only thing protecting it. A key should have been generated using other information or even more complex to have some math depending on date or something as the key, but if the key is public, then you have eliminated the point of the 3DES encryption. This is completely standard practice on firewalls for VPNs; as you seem to not know about this deployment, here is a link http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008055bd85.shtml#maintask1 and look at the pre-shared key. On top of that there is a method for deploying keys to users and having them not know what the key is, I've done it many times myself.
What I am actually not getting is why the hell is there 3DES on these if the info is already easily available? The 3DES implementation seems pointless at best and with the key being public info, I wouldn't even call it cracking to get the info, it's plain old decrypting with the method the maker of the card designed.