Thoughts from the identity age -- By Phil Libin


e-Passport problems


There’s a good write-up in the EETimes about recently discovered flaws with the Department of Homeland Security’s proposed electronic passports.  The new passports have an embedded contactless (ISO 14443) “smart-card” chip that stores personal information and (sometimes) a biometric template. The problems come in two flavors: reliability and privacy.

The reliability issues are what you’d expect from a fairly new technology with mandated cross-vendor interoperability: some readers were not able to properly read some passports placed on them.  I have no reason to believe that this is a serious problem.  Like other standards before it, ISO 14443 will take a few generations to work out the kinks.  We at CoreStreet work with many cards and readers and I expect that the number we have to smash (run over, shoot, microwave) out of frustration will decline over the coming months.  Remember how hard it was to get Ethernet cards to work correctly in the late eighties?  No?  Sometimes I think I missed out on some fun in that decade.

The privacy issues are more serious.  Basically, since the current standards don’t call for any encryption between the passports and the readers, it’s possible to build a clandestine reader and read passports from a distance:

Using a reader equipped with an antenna, NIST testers were able to lift "an exact copy of digitally signed private data" from a contactless e-passport chip 30 feet away, said Neville Pattinson, director of business development technology and government affairs for smart-card provider Axalto Americas.

Two government officials are quoted with reassurances:

An ICAO spokesman said the organization specifies a contactless "proximity" chip that can be read only within a distance of a few inches. He said he didn't know which chips had been used in the tests but called it "extremely unlikely" that proximity chips could read information from more than 4 inches away.

Unfortunately, the distance limitation on the read has more to do with the antenna on the reader than with the chip on the passport.  Four inches is the maximum range for a regular antenna and a fast read time, but significantly greater distance can be achieved with larger antennas and multiple attempts.  Radio wave stuff is a black art to me, so I can’t say for certain whether or not it’s possible to restrict the read range on the actual chip, but I doubt it.

Another misleading quote follows:

A Homeland Security spokeswoman confirmed the tests had "demonstrated that if the readers are not designed with appropriate shielding, the data transmitted from the chip to the reader could be detected several feet away."

Once again, the problem has nothing to do with the legitimate readers.  You can shield the readers in the finest dwarven mithril, but that won’t stop a rogue reader from getting at your passport data.

The only long-term solution is to add encryption to the cards.  This can’t be done in any meaningful way with most current ISO 14443 chips because those cards are not capable of storing a secure private key.  The finer points of public key cryptography are beyond the scope of this blog entry, but suffice it to say that the only way you can have meaningful encryption for tens of millions of individual passports is to have individual private keys.  There are cards that can do real public/private key stuff on a proximity interface, but this “dual interface” technology (so called because the cards can typically be used in contact or contactless mode) is probably a year or two away from widespread use.  Maybe these kinds of findings can spur the industry forward.
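To illustrate the per-passport-key point above, here is a constructed example (not code from this post, from CoreStreet, or from the ICAO specifications): each card holds its own static Diffie-Hellman private key, the reader uses an ephemeral key, and the "one key for everyone" alternative is modelled by issuing every card the same private key. The group, the HMAC-based stream cipher and the `holder-N data` payloads are toy assumptions so the block runs on the standard library alone.

```python
"""Toy model of per-passport keys vs. one shared key (constructed example).
Not ICAO's protocol: the DH group and HMAC keystream are illustrative only."""
import hashlib, hmac, secrets

P = 2**127 - 1   # toy Mersenne prime; real systems use standard groups or ECC
G = 5

def keygen():
    """Return a (private, public) DH pair."""
    x = secrets.randbelow(P - 2) + 2
    return x, pow(G, x, P)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, block counter)."""
    out = bytearray()
    for blk in range(0, len(data), 32):
        ks = hmac.new(key, blk.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[blk:blk + 32], ks))
    return bytes(out)

def session_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def read_passport(card_pub, card_priv, payload):
    """One contactless read; returns what an eavesdropper at 30 feet captures:
    the reader's ephemeral public value and the encrypted payload."""
    r, reader_eph = keygen()
    k_reader = session_key(pow(card_pub, r, P))
    k_card = session_key(pow(reader_eph, card_priv, P))   # card-side derivation
    assert k_reader == k_card
    return reader_eph, keystream_xor(k_card, payload)

def eve_decrypt(transcript, stolen_priv):
    """What a passive listener recovers if it holds one card's private key."""
    reader_eph, ct = transcript
    return keystream_xor(session_key(pow(reader_eph, stolen_priv, P)), ct)

def blast_radius(shared_keys: bool, n: int = 5) -> int:
    """Issue n cards, capture one read per card, then assume card 0's private
    key leaks.  Returns how many captured reads that single leak exposes."""
    issuer_x, issuer_y = keygen()
    cards = [(issuer_x, issuer_y) if shared_keys else keygen() for _ in range(n)]
    payloads = [f"holder-{i} data".encode() for i in range(n)]
    transcripts = [read_passport(y, x, pl) for (x, y), pl in zip(cards, payloads)]
    stolen = cards[0][0]
    return sum(eve_decrypt(t, stolen) == pl for t, pl in zip(transcripts, payloads))
```

With a shared key one leaked card exposes every captured read; with individual keys it exposes only that card's own reads.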

In the meantime, the article suggests that it would be extremely impractical for bad guys to build giant covert readers, and that metal-lined passport wallets can minimize opportunities for unauthorized reading.  Both statements are true, so there’s no cause for near-term concern.  The chips are good enough for now, and “dual interface” cards will clean up the remaining problems over the next few years.

One quote near the end really caught my attention:

Kefauver also speculated that at some point, the contactless chip and passport could be eliminated altogether. Instead, a person's biometric data would be measured at the point of contact and compared with information stored in a central database. That would shift the security concerns from the chip to the network.

Now that seems like a really dangerous idea.  The privacy, reliability, performance, cost and security implications of a central database approach are all potentially catastrophic at the scale we’re talking about.  Proving this is left as an exercise to the reader.

(But if you have the answers and want a job, drop me a note.)

October 12, 2004

Comments

Phil,

Drop me a note and let's exchange more views on this. We have pioneered e-passports in Malaysia since 1998 and we have over 6 million e-passports deployed with zero breaches of security. In Asia, privacy is not a major issue, so we don't dwell on the subject. Since the national travel document is essentially a national security document identifying all Malaysians travelling in and out of the country, the idea is to secure the book against forgery and identity theft. Somehow in all these "privacy" and "interoperability" issues, this primary cause is forgotten or set aside.

regards
Michael

Posted by: Michael | Jul 10, 2005 10:01:07 AM


View all the details of the e-passport so that the public can understand and know about it. So provide the information about the e-passport in detail.

Posted by: Jagat Jani | Dec 29, 2006 2:13:14 AM

Hi,

You have written very interesting concepts and issues. Very nice and keep it up!!!

Posted by: Kunjan | Feb 25, 2007 7:11:45 AM
