Slashdot Mirror

← Back to Stories (view on slashdot.org)

British "Secure" Passports Cracked

Posted by CowboyNeal on from the trust-us dept.

hard-to-get-a-nickna writes "The Guardian has cracked the so-trumpeted secure British passports after 48 hours of work: 'Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes?'"

8 of 305 comments (clear)

  1. Re:Great articel by Knuckles · · Score: 5, Funny

    Wait for a few minutes and you'll see ;) In the meantime, you might want to read the FAQ

    --
    "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  2. Easy to clone by SomethingOrOther · · Score: 5, Interesting

    Home Office spokesman.
    "If you were a criminal, you might as well just steal a passport."

     Missing the point dude.
    If my passport gets stolen, I report it. It gets cloned, I've no idea somebody is impersonating me, screwing up my life (and others).
    Please people, support NO2ID and tell Blair where to shove his flawed ID cards and CCTV cameras.

    --
    Anyone quoted by a reporter knows how little they understand
    Don't believe what you read is the truth.
    1. Re:Easy to clone by Calinous · · Score: 5, Insightful

      Even better: read a passport's chip, follow the man until he reaches his car. Make a small accident (your guilt), and let repairs be solved the official way - you will know his name (full name), address, and maybe other info from the exchange of insurance info

  3. Nothing to see here... by ericlondaits · · Score: 5, Insightful
    The author of the piece (yeah, TFA) gets his panties in a bunch because the encryption key of the passport (which has the data encrypted with 3DES) is passport number, date of birth and expiration date. Then he says:
    So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'
    What fundamental principle of encryption are they breaking? If anything, a fundamental principle of encryption is that there can't be such a thing as a "secret key" if you're either putting it in the passport or if you're deploying it to everybody that needs to scan passports (remember DVD encryption?).

    What's important is to have the data in the passport (along with the picture) digitally signed, in order to avoid tampering. The article claims that these passports are indeed signed and they didn't break the signature. Big surprise, since all they did was get a RFID reader and decrypt 3DES with the key right in front of them.
    "If you can read the chip, then you can clone it," he says. "You could use this to clone a passport that would exploit the system to illegally enter another country."
    Don't see how you can... but anyway an exploit would be a problem with the reading software, not with the passports. And it could be more easily patched after deployment.

    The article then presents some more valid points... but these have nothing to do with the basic encryption being broken. FUD mostly, surprise, surprise.
    --
    As a Slashdot discussion grows longer, the probability of an analogy involving cars approaches one.
  4. Re:Another DRM? by Anonymous Coward · · Score: 5, Insightful

    The basic problem isn't the algorithm they choose. It's that their goal is incompatible with security.

    They wish to establish a world where all people can be instantly identified, correlated with commercial profiles, and tracked wherever they travel.

    How can this be done "securely"? It cannot.

    Let's assume you get these politicians to understand some basics of encryption and physical security (and good luck with that). So, you now have a system where all people can be instantly identified and tracked by the government. Secure from... what, exactly? Secure from being tracked by unauthorized people?

    Who is unauthorized, and why? I certainly have no say in who gets authorized to track me. Thousands or hundreds of thousands of random workers have access to the "authorized" level. This doesn't sound very "secure" to me.

    It's like an electrocution collar you get to wear around town, "secure" in the knowledge that its encryption protocol is flawless. The only people who can activate it are from the police department, or friends of police officers, or people who sneak into the police building and use a computer there when nobody's looking. It is secure, and cannot be triggered except from the police station. Yet, in the broader sense of security, the mere fact of the collar's existence around my neck is the absolute opposite of security.

    It doesn't really matter how secure they make the algorithms. A system whose purpose is to authoritatively track and identify all individual humans "from above" is insecure, by definition.

  5. Re:No surprise there then by mikerich · · Score: 5, Informative

    They should have called in the experts, Microsoft!

    Okay I know you're joking, but Microsoft have been one of the biggest critics of the UK government's ID card system as providing the ideal conduit for ID theft; so perhaps the Home Office really should have called them in.

  6. Re:I donno. by x2A · · Score: 5, Funny

    To get to the other side?

    --
    The revolution will not be televised... but it will have a page on Wikipedia
  7. Re:Another DRM? by Alioth · · Score: 5, Insightful

    That's a big part of the problem. Whose retarded idea was it to use RFID? Wouldn't, say, a smart card chip like the chip & pin card in credit cards have been MUCH better because then you actually need to physically have the passport in your hand to read it - instead of being able to read it through envelopes, clothing and the like with no evidence that it's been read?

    --
    Oolite: Elite-like game. For Mac, Linux and Windows