"The problem is the RFID serial number used for collisions will not be encrypted as is required for communication, thus still allowing tracking."
In a CAST Forum presentation http://www.cast-forum.de/events/cast/2005/Biometri e/ earlier this year the BSI (http://www.bsi.de/ Germany National Security Agency) claimed that German passports are protected against tracing, because they generate their serial number randomly, each time they get powered on via microwaves.
The idea of using something printed in the passport to protect the access to the RF chip is called basic access control and is regarded as moderately secure by BSI (who claim that this protection is a European/German - don't remember exactly - idea). Even this basic protection is optional by ICAO standards and not implemented by many countries.
A more advanced PKI-based access control will be implemented by Germany in a second step (in 1-2 years, as far as I remember).
CrypTool is a free (win32, linux w/WINE) tool with a lot of cryptography / cryptanalysis functionality.
I would start like this:
- Try to compress (zip/gzip) - compressibility is a sign of bad crypto.
- Have a look at the auto-correlation - if you see a comb pattern then it is probably something like XOR, Vigenère, addition mod 256 or similar. CrypTool can break those algorithms automatically.
- Have a look at character frequency, 2-grams, n-grams.
- Apply some tests for random data - good crypto should produce data indistinguishable from random data.
- If the data looks random you might need some hints on the algorithm.
All the tests suggested can be performed with CrypTool. If the crypto is strong you will need some more insight, but in many practical cases bad crypto is used, e.g. in Psion Word.
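
The triage steps from the comment above (compressibility, auto-correlation comb, randomness), sketched in Python as an added example; it is not part of the original comment and not CrypTool's code. The two samples, the 4-byte key and the 0.04 comb threshold are constructed assumptions.

```python
import hashlib
import math
import zlib
from collections import Counter


def compression_ratio(data: bytes) -> float:
    """Compressed/original size; clearly below 1.0 means structure survived."""
    return len(zlib.compress(data, 9)) / len(data)


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; random data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def autocorrelation(data: bytes, max_shift: int = 32) -> dict:
    """Per shift, the fraction of positions where data[i] == data[i + shift]."""
    return {s: sum(a == b for a, b in zip(data, data[s:])) / (len(data) - s)
            for s in range(1, max_shift + 1)}


def comb_period(data: bytes, threshold: float = 0.04):
    """Smallest shift whose match rate is far above the random 1/256, else None."""
    for shift, rate in autocorrelation(data).items():
        if rate > threshold:  # threshold is an assumption made for this example
            return shift
    return None


def triage(data: bytes) -> dict:
    """Run the three checks and collect the results."""
    return {"ratio": round(compression_ratio(data), 2),
            "entropy": round(byte_entropy(data), 2),
            "period": comb_period(data)}


# Constructed samples (not from the original comment).
PLAIN = b"the quick brown fox jumps over the lazy dog and then sleeps in the warm sun " * 8
KEY = bytes.fromhex("13a73ec4")  # arbitrary 4-byte repeating XOR key
WEAK = bytes(p ^ KEY[i % len(KEY)] for i, p in enumerate(PLAIN))
# SHA-256 in counter mode stands in for ciphertext that should look random.
STRONG = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    print("weak  ", triage(WEAK))
    print("strong", triage(STRONG))
```

For the weak sample the first tooth of the comb sits at the key length; for the random-looking sample no shift stands out and the data does not compress, which is the point where the comment says you need hints on the algorithm.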