The following links may help navigating this page

Passport News · 2005-11-16

We have new information on the ongoing rfid passport issue. Our great german federal department for security in I.T., which I'd like to praise here, has mastered an agreement on certain security measures that shall prevent your fancy rfid passport from being remotely scanned.

The trick shalt be, that a rfid passport only allows radio scans if a (around) 56 bit key is send by the scanning device that wants to read the rfid chip. To get this key the reading device has to have optical access to the passport. The key can only be generated by optically reading a set of information that should make every passport, issued where ever, unique (passportnumber, date of birth, etc).

After transmitting the key, the passport will allow communication 112-bit triple DES encrypted. Now, that sounds reasonable and eases my concerns a little. Well, DES is not an algorithm that is considered very secure anymore. Triple DES might still be o.k.

In a second step, official reading devices will be provided with certified public keys to authenticate against your passport. According to the certificate your passport will decide what information it will transmit.

How to attack such a passport? If no public key authentication is needed the case is simpler. So, start with this one. If the target passport is within your rfid scanners range for a while, say you sit beside your target person in a train, you could try guessing the 56bit key. A lot of possible keys. Still, by guessing the date of birth one could narrow down the set of feasible keys remarkably. So, will there be a time lock? Three wrong keys submitted, no information for two hours, or something similar?

Then there is the topic of nation guessing or something like that. There might be scenarios, where the evildoer only wants to know very basic things about a target person. Does she carry a rfid passport? What nation does she come from? Will the chips behave identically in passports of all nations? Hearing that the optically readable key is 'about' 56bits long may mean that different countries will issue different chips, thus opening the door for this kind of remote scan. Furthermore, will the chip remain absolutely silent if wrong keys are submitted? Everything else would reveal some information that could be useful to gather more.

Last but not least, if a device has figured out the proper key, it could store the key permanently, thus enabling authorities of the same country to scan your passport where ever they'd like to, without asking permission. Say, police would be able to install a scanner at a frequented place, where they would 'broadcast' the keys of their top ten most wanted individuals. A properly working passport would certainly answer. Wouldn't it?

As last remark, I'd like to say that the whole tech issue is not my main point of critique. It is rather that I doubt the reasoning behind it. Even if everything works fine and secure, which will be the big 'if' for at least five years, it still costs a lot and adds little security.

... Read Passport News - Update 1 as well ...


Commenting is closed for this article.