Germany To Roll Out ID Cards With Embedded RFID
An anonymous reader writes "The production of RFID chips, an integral element of the new generation of German identity cards, has started after the government gave a 10-year contract to the chipmaker NXP in the Netherlands. Citizens will receive the mandatory new ID cards starting from the first of November. The new card allows German authorities to identify people with speed and accuracy, the government said. These authorities include the police, customs and tax authorities and of course the local registration and passport granting authorities. There are some concerns that the use of RFID chips will pose a security or privacy risk, however. Early versions of the electronic passports, using RFID chips with a protocol called 'basic access control' (BAC), were successfully hacked by university researchers and security experts."
The passports already have RFID. This is about the identity cards (which are only a card, compared to the passports, which are too big to carry around with you all the time).
It's time to buy RFID-blocking cover/wallet/bag/whatever. Or feel free to have some fun with aluminum foil - http://www.rpi-polymath.com/ducttape/RFIDWallet.php
Germans must be able to identify themselves with either a passport or an ID card. There is no obligation to have either of those with you at any time.
The new cards do not use classic RFID chips but near field communication, which is much harder to attack from a distance (if at all).
Anyone who wants to sit this out can get a new ID card before November. The old ID cards cost 8 EUR and are valid for 10 years.
On the contrary. Since the new EU passports contain fingerprint data and a digital version of the picture, much of the contention about the new passports revolved around the creation of a central database of biometric information. If the passports were just an index into the database, then that database would be inevitable.
It is important that technology-minded users learn not to apply the usual centralist approach to everything. We are not cattle.
True to that, check this out:
http://www.personalausweisportal.de/cln_164/DE/Neue-Moeglichkeiten/Online-Ausweisfunktion/online-ausweisfunktion_node.html
The new online functions! If you don't understand German, try Google Translate; here is a quick translation:
Identification on the Internet and on machines can in the future be done with the new identity card. This is simple and safe as the presentation of your previous card today.
Even without being personally present you can use the online identity function (also: eID function) authenticate everywhere (where personalized services - are consequently offered and directly tailored to the individual user). With your new personal ID and your 6-digit PIN you can prove your identity in the electronic world simple, safe and reliable.
That is just the first paragraph, better than the Sunday comics!
After 9/11, the US mandated biometric passports for all (if you wanted to enter the US).
Really? I've never been asked to show my identity card. What you may be required to show in certain situations (as in, when caught using the transport without a valid ticket, or in case of using a price-reduced personalized ticket), is an official paper with image ("amtlicher Lichtbildausweis"), but that doesn't have to be your identity card, your driving license should work anyway (I don't have experience with this, though, because I've never been asked to show it in public transport anyway, not even with personalized train tickets).
The Tao of math: The numbers you can count are not the real numbers.
Fingerprints are only optional in the ID card ("Personalausweis"). The comment was about the biometric passports, for which two fingerprints are mandatory (left and right index finger).
You have to actively go out, apply for an ID card and pay the fee to get one. You can live a long and productive life and never use your ID at all, unless you're a lawyer by profession or get arrested a lot...
Not quite. You will have to use it if you want to get a bank account (and I assume you want one). If you're younger, you will have to use it to get a driver's license, probably to sign contracts, to get into music clubs late night, to get alcohol, even to play the lottery and of course every time you fly within the EU.
So I say you can live a long and productive life alone in the mountains and never use your ID at all.
Actually, tests by various groups have shown that RFID chips are easily read from several METERS away.
You are mistaken as to what is freedom of speech in USA, nobody is allowed to make direct threats of murder for example, but one can have an opinion that abortion doctors must be killed, it's an opinion.
Of course one person's opinion may lead to another person's action, but the correct thing to do is to hold the one who takes action as the responsible party, not the one who says he has an opinion.
I am not American, in fact at this very moment I am in Germany, though I am Canadian, born in the former USSR.
I hold every single thing that government says or does as suspicious, I don't trust government at all, in any single one thing ever, and I am not an American.
You can't handle the truth.
What TFA forgets to mention is that the ID card remains valid when you kill the RFID chip, as it still allows a person to be identified. Also, the fingerprint is voluntary information to be stored. Most people won't know or bother and just let them store it anyway, though. For my fellow citizens: get yourself a new ID card w/o RFID just now (it is only a few Euros more expensive when you "lose" your current ID). If you have to get, for some reason, an ID card with RFID on it, just put it in the microwave oven for a minute or so. Chaos Computer Club has proven this to kill the chip reliably.
I find the most intriguing part of this whole thing is the decision to outsource the chips to a Dutch company
NXP is the research division (now independent) of Philips, still considered to be one of the world's leading companies in the electronics department. It would be equally intriguing to see European governments turning to a certain US-based software company for their desktop software.
This is the same company responsible for the Mifare series of travel cards, which are used in the London Underground and Dutch public transportation. And in Moscow, Bucharest, (all of) Slovakia, Seattle (WA), Minneapolis (MN), Boston (MA), Brisbane, Melbourne, Montreal, ...
Is 96ft (~29m) far enough away? That's the Defcon record. Blackhat USA 2010 has beaten it; I don't know the practical distance achieved, but the paper gives a theoretical maximum of 565ft (~172m). Want to change some of those assumptions? It's a radio; distance is based on three things: transmitter power, receiver sensitivity and atmospheric conditions. The first two can be controlled very easily.
They just spoofed, they haven't talked to the TAG at all!
ISO14443-A and other NFC tags simply don't work like this:
You need two-way communication: from the reader to the tag, and from the tag to the reader. The ISO14443-A tag is not capable of actively sending out answers. Instead it loads down the magnetic field that powers it. This load is measured on the side of the reader and interpreted as answers from the tag.
If I remember right the tag must be able to pull about 10% of energy out of the magnetic field to transmit data.
And this puts a simple physical constraint on the range:
You can't simply make the reader put out a stronger magnetic field. This would increase the range from the reader to the tag, but it would also make it almost impossible for the tag to answer because it can't remove that much energy anymore. If you lower the energy of the field the tag doesn't have enough power to operate.
The 15 cm
In the lab you can get a longer distance than 15 cm... Maybe up to half a meter or so. To do so you have to calibrate the resonant frequency of the tag and the reader so that they are almost perfectly coupled. And you have to do this in an RF shielded room because every disturbance in the RF field would interfere with the transfer.
What the Defcon guys did was to listen to a running communication between a reader and a tag from afar. That is indeed possible up to such a range. That will not tell you anything interesting except the fact that a tag was read because the first thing the pass does is to do a Diffie-Hellman key exchange (part of the PACE protocol). Oh - you get the ID from the tag, but as I wrote earlier the ID is random ...
Not much gained..
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
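Added example (not part of the comment above or of any poster's code): a sketch of the two-stage Diffie-Hellman structure of PACE's generic mapping, showing which values cross the air interface and that card and reader only reach the same session key when both hold the same PIN. Assumptions: the names `Party`, `pin_key` and `run_pace` are hypothetical, the group is a toy one that is not secure, XOR stands in for the block cipher that encrypts the nonce, SHA-256 stands in for the key derivation, and the PINs are constructed.

```python
import hashlib
import secrets

# Toy group so the example runs instantly: p = 2^127 - 1 (a Mersenne prime).
# NOT secure; real cards use standardized elliptic-curve or large DH groups.
P = 2**127 - 1
G = 3


def pin_key(pin: str) -> int:
    """Derive the PIN-based key K_pi (stand-in KDF: truncated SHA-256)."""
    return int.from_bytes(hashlib.sha256(pin.encode()).digest()[:16], "big")


class Party:
    """One side of the exchange (card or reader); both run the same steps."""

    def __init__(self):
        self.x1 = secrets.randbelow(P - 2) + 1   # ephemeral key, mapping stage
        self.x2 = secrets.randbelow(P - 2) + 1   # ephemeral key, agreement stage

    def map_pub(self) -> int:
        return pow(G, self.x1, P)

    def mapped_generator(self, nonce: int, peer_map_pub: int) -> int:
        h = pow(peer_map_pub, self.x1, P)        # first DH secret
        return pow(G, nonce, P) * h % P          # g' = g^s * h

    def agree_pub(self, g_mapped: int) -> int:
        return pow(g_mapped, self.x2, P)

    def session_key(self, peer_agree_pub: int) -> bytes:
        k = pow(peer_agree_pub, self.x2, P)      # second DH secret
        return hashlib.sha256(k.to_bytes(16, "big")).digest()


def run_pace(card_pin: str, reader_pin: str):
    """Run one exchange; return (card_key, reader_key, transcript)."""
    card, reader = Party(), Party()
    s = secrets.randbits(120)                    # card's random nonce
    z = s ^ pin_key(card_pin)                    # nonce "encrypted" under the PIN key
    s_reader = z ^ pin_key(reader_pin)           # reader decrypts with its own PIN
    g_card = card.mapped_generator(s, reader.map_pub())
    g_reader = reader.mapped_generator(s_reader, card.map_pub())
    a, b = card.agree_pub(g_card), reader.agree_pub(g_reader)
    transcript = (z, card.map_pub(), reader.map_pub(), a, b)  # all a listener sees
    return card.session_key(b), reader.session_key(a), transcript
```

The transcript holds only the encrypted nonce and four public values; the session key depends on the ephemeral private exponents, which never leave either side.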
Americans are NOT required to carry ID at all times.
Neither are us Germans (yet), we only have to own one. Most people do carry it, though.
(+1, Disagree)