


Bruce Boyes's Blog

RFID in passports: bad idea

Posted by bboyes on October 29, 2005 at 02:20 PM | Comments (6)

The NewScientist article describes what appears to be a glaring lack of system design. RFID in a passport might sound like a good idea, but consider this:

Without any protection, the passports might be "skimmed" – read at a distance by strangers as people walked through any public place. The weakness could allow a government to track someone, or allow a criminal to steal the names, digital photos and passport numbers of people on the street... Some critics even worried that the chip could act as a trigger to detonate a bomb when someone with an American passport walked by.

OK, so the State Department is trying to work around that little drawback, but you have to wonder why they can't afford a decent systems engineer to think these things through, first.

Meanwhile, the Electronic Frontier Foundation is leading the charge in filing comments on this half-baked idea. "RFID in passports is a terrible idea, period. But on top of that, the State Department is acting without the appropriate authority and without conducting any form of credible cost-benefit analysis," said EFF Senior Attorney Lee Tien. "It's asking Americans to sacrifice their safety and privacy 'up front' for a dangerous experiment that it hasn't even bothered to justify."

Perhaps the State Dept is following the lead of the state of California, which is also getting hammered for proposing RFID in various ID cards (such as driver licenses).


Comments
Comments are listed in date ascending order (oldest first)

  • While skimming is possible, a lot depends on the RFID chip chosen. The risks are overstated (though real). The EFF is ever more developing itself into a bunch of anarchist anti-everything people and have lost what respect I once had for them.
    If the chip has very limited power, a detector would have to be within centimeters of the chip to be effective.
    If you then use a decent encryption algorithm on the data, it becomes more expensive still to decode.
    If all you store is a key into an external datastore that only specified agencies and authorised staff within those agencies can access the risk gets even slimmer.
    Add an authentication step in the retrieval process so the chip only gives up its secrets when queried with the correct request and authentication sequence and you're even more secure (though a brute force approach could theoretically break that, or someone could steal and reverse engineer an official scanner).

    I'm myself more worried about the durability of the chip. Most are relatively fragile and can be damaged by such things as strong magnetic fields, mechanical stress (even rubbing against a piece of rough leather can damage some designs), static discharge, etc. etc.
    What happens when you arrive at the airport and the chipreader doesn't get a response? Will you still be allowed to travel, maybe after a few minutes of extra bureaucracy?

    Posted by: jwenting on October 30, 2005 at 11:27 PM

  • German agencies today started to issue passports that provide an RFID chip to access biometric data stored on the chip. Right now the chip contains a digital photograph of the owner but starting in 2007 fingerprints will be stored on the chip too.

    Besides all the privacy-related aspects, I'm not a criminal - hence I don't think I'll provide my fingerprints to be able to fly somewhere.

    Posted by: slohmeier on November 01, 2005 at 06:57 AM

  • The article reports that the State Department has incorporated some protection against skimming. The paragraph you quote was describing what might have happened if they had not.

    You make it sound as if the State Department is at a loss to prevent skimming, which is false, and you don't have any basis for your assertion that they didn't have a decent systems engineer work on it. There are many crucial questions surrounding personal identification in the digital age. Willful or negligent misrepresentation of facts only makes them harder to answer correctly.

    Even the usually critical Bruce Schneier seems to think passport security is on the right track.

    Posted by: erickson on November 01, 2005 at 03:44 PM

  • According to this recent article:

    In addition, the passports will use "Basic Access Control," a reference to storing a pair of secret cryptographic keys in the chip inside. The concept is simple: The RFID chip disgorges its contents only after a reader successfully authenticates itself as being authorized to receive that information.

    Computer scientists, however, have criticized that encryption method as flawed. In a recent paper, RSA Laboratories' Ari Juels, and University of California's David Molnar and David Wagner, warned that the design of the encryption keys is insufficiently secure. They said that the use of a "single fixed key" for the lifetime of the e-passport creates a vulnerability.

    The Bush administration could face an eventual legal challenge. A letter to the State Department from privacy groups (PDF here) says there is "no statutory authority" for the RFID passport because Congress has not authorized it.

    This sounds like rushing something into production to me. Apparently there have been no field trials (they are scheduled to start next month with State Dept employee passports). If so many credible experts are raising red flags, it certainly makes you wonder....

    According to what I've been reading, the State Dept has not proven the effectiveness of this shielding cover, especially with high powered readers, so others far more knowledgeable than me are basically saying that, yes, the State Dept may in fact be powerless to prevent skimming with the current design.

    I'm not "willfully or negligently" misrepresenting anything... those are serious accusations. I'm sorry the contents of my blog offended you. I'm simply reporting the findings of credible experts in the field, such as reported in this paper: http://eprint.iacr.org/2005/095.pdf . If you have some evidence to dispute these concerns, please share it.

    Posted by: bboyes on November 01, 2005 at 09:49 PM

  • If the information is properly encoded then the information could be as secure as content within XMLSignature and XML Encryption which might be sufficient (X509 public-private key). Then it would take both a strong reader and lots of computation to decrypt the contents.

    More importantly it would make passports more secure since they would be much harder to alter or counterfeit. Like always there is a trade-off, but in this case issues such as copying or misuse of the information also exist in real passports (You hand your passport and the information is then copied to some store).

    If the built-in Faraday cage concept (metallic film) is incorporated I can't see how an RFID-enabled passport is worse than the current passports in use.

    Thanks for the link. It is an interesting topic.

    Ilan

    Posted by: toren03 on November 01, 2005 at 11:28 PM

  • One of the hard bits about technology is that one size rarely fits all. In the case of RFID, what's good for Wal-Mart is not necessarily good for passports. One weakness of RFID is that it's easy to eavesdrop on a legitimate read of the ID chip -- and this can be done completely passively and at a considerable distance.

    Why in the world is RF anything even being used in passports? Unless there is a (possibly hidden) motive in wanting to read them at a distance (not hard to imagine such an interest), RF tags seem like completely the wrong idea. We don't find RF-readable credit cards... there's a reason for that.


    Who cares if some evil person passively eavesdrops on a pallet of razors on the Wal-Mart loading dock? On the other hand, it's a big deal for someone to eavesdrop on passports being scanned, and the current design has no provisions to prevent that.

    Why not use Smart Cards instead of RFID? They are already being used in Europe to replace mag-stripe credit cards. Would Smart Cards eliminate most, if not all, of the eavesdropping worries? They would probably cost a bit more, but last time I renewed my passport it was $50. Seems like there could be $2 in there for a Smart Card.


    What seems to be missing from the State Dept rush to push e-passports through is some risk/reward analysis. What is the problem being solved here, and how well does this RFID approach solve it? Sure, RFID is more secure than paper passports (the reward) but there seems to be a significant number of significant negative side effects (the risk). Given this, what is the justification for rushing into e-passports with RFID? Can we take a bit more time to really come up with a more optimal solution? We're talking about something which will cost $US hundreds of millions to deploy - that should be worth doing right.

    Posted by: bboyes on November 09, 2005 at 07:38 AM




