The Guardian has a "gotcha" piece about how easy it is to crack the security on the RFID tags in the new UK passports. Bruce Schneier and Bruce Sterling have both commented favorably on the piece, but personally I don't see what all the fuss is about.

The RFID chip contains a cryptographically signed digital copy of the main page of your passport, including a digital copy of your photograph. The idea is that you can't modify the name or paste your own photo into a stolen passport, because the digital data won't match the printed page, and you can't modify the digital data, because it has to be signed by the issuing country.

After people expressed concerns that someone nearby could eavesdrop on the conversation between the passport and the RFID reader, they decided to encrypt that conversation with a key derived from your passport number, expiration date and date of birth, which are printed in the machine-readable zone at the bottom of the data page. That way the official who scans your passport can read the photo, but someone eavesdropping on the RFID conversation can't.
There's only one concern the story mentions that makes even vague sense to me:
This means that each time you hand over your passport at, say, a hotel reception or car-rental office abroad to be "photocopied", it could be cloned with equipment like ours. This could have been done with an old passport, but since the new biometric passports are supposed to be secure they are more likely to be accepted without question at borders.
Certainly people trust computers a little too much, but this sounds like something proper training would solve. The idea that the RFID chip can be cloned doesn't seem like that difficult a concept to teach.
So what am I missing here?
Posted by bug to Big Brother at November 17, 2006 4:31 PM

Well, one thing you may be missing is that it didn't have to be this way... it would have been very possible to create an electronic passport that wasn't (as easily) clonable, simply by using a smartcard chip and a challenge/response protocol from the reader.
For a forger, being able to have a duplicate passport that passes a quick digital inspection is useful, I would say, compared to the situation where a fake one would immediately error out during a scan.
Posted by: Edward Keyes at November 17, 2006 10:06 PM

I gather from the article that there is a challenge/response protocol, though the response is based on the same info used to decrypt the data, so it doesn't make it harder to clone a passport you have physical access to. Given that the digital data needs to be accessible by literally every border guard in every nation in the world, I don't see any way a challenge/response could be kept secret.
Posted by: Bug at November 18, 2006 8:16 AM

The key to a good challenge/response protocol is that even when successful, not all the information in the passport should be transmitted to the receiver. It only sends enough to verify that the data has been properly signed, but not enough for someone to be able to deduce responses to all future challenges and thus create a clone.
Consider SSL... I can use that to verify the identity of websites from any browser in the world, but that doesn't mean I get access to or can copy Microsoft's certificate. That's the sort of security breach the passport cloning involves.
Posted by: Edward Keyes at November 20, 2006 7:17 AM

Oh I see what you're saying now. Yeah, that would be an improvement. (Assuming they don't already do that, of course — I like to take technical analysis in the popular press with a large grain of salt.)
Posted by: Bug at November 20, 2006 9:36 AM
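An added example, not code from the post, the Guardian piece or any passport implementation, that makes both halves of the thread concrete. Part 1 is the key derivation Bug describes in the post: the keys that protect the chip are computed from the passport number, date of birth and expiry date, so anyone who has held the data page can compute them too. It follows the ICAO 9303 Basic Access Control derivation as I know it (the page never names the protocol); the MRZ values are constructed. Part 2 is the challenge/response Edward Keyes asks for: the chip signs a fresh nonce with a private key that never leaves it, while the reader verifies with the public key only. That part uses textbook RSA over a SHA-1 digest with hard-coded Mersenne primes so it runs offline; it is a stand-in for a real signature scheme, and the chip classes, key sizes and sample data groups are my own assumptions.

```python
import hashlib
import os

# Part 1: keys derived from the printed data page, in the style of ICAO 9303
# Basic Access Control (my reading of the standard; the post does not name it).
# Sample MRZ values used below are constructed, not from any real passport.

MRZ_WEIGHTS = (7, 3, 1)


def mrz_check_digit(field: str) -> int:
    """Check digit over one MRZ field: digits count as themselves, letters
    A..Z as 10..35, the filler '<' as 0; weights 7,3,1 repeat; sum mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * MRZ_WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """Document number (padded to 9 with '<'), birth date and expiry date, each
    followed by its check digit: the only 'secret' the chip is protected by."""
    fields = (doc_number.ljust(9, "<"), birth_yymmdd, expiry_yymmdd)
    return "".join(f"{f}{mrz_check_digit(f)}" for f in fields)


def _des_odd_parity(key: bytes) -> bytes:
    """Force odd parity on each byte, as DES key bytes require."""
    return bytes((b & 0xFE) | (bin(b & 0xFE).count("1") % 2 == 0) for b in key)


def bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str):
    """Seed = first 16 bytes of SHA-1(MRZ information); K_enc and K_mac are
    SHA-1(seed || 32-bit counter)[:16] for counters 1 and 2, parity-adjusted.
    Anyone holding the data page (a hotel clerk) gets exactly the same keys."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd)
    seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    k_enc = _des_odd_parity(hashlib.sha1(seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = _des_odd_parity(hashlib.sha1(seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_enc, k_mac


# Part 2: the challenge/response Edward Keyes describes. Toy RSA over a SHA-1
# digest with hard-coded Mersenne primes (assumed sizes; a stand-in for a real
# signature scheme, not a passport implementation).

_P = (1 << 89) - 1            # 2^89 - 1, prime
_Q = (1 << 107) - 1           # 2^107 - 1, prime
PUBLIC_KEY = (_P * _Q, 65537)  # what gets published in the signed data
_PRIVATE_EXPONENT = pow(65537, -1, (_P - 1) * (_Q - 1))


def _digest_int(nonce: bytes) -> int:
    # 160-bit digest is below the ~196-bit modulus, so no reduction is needed
    return int.from_bytes(hashlib.sha1(nonce).digest(), "big")


class GenuineChip:
    """Readable, signed data groups plus a private exponent that answers
    challenges but is never transmitted."""

    def __init__(self, data_groups: bytes):
        self.data_groups = data_groups
        self._d = _PRIVATE_EXPONENT

    def read(self) -> bytes:
        return self.data_groups

    def respond(self, nonce: bytes) -> int:
        return pow(_digest_int(nonce), self._d, PUBLIC_KEY[0])


class ClonedChip:
    """Built from everything a hotel desk could copy: the data groups read under
    the BAC keys and any challenge/response pairs it overheard. No private key."""

    def __init__(self, data_groups: bytes, overheard: dict):
        self.data_groups = data_groups
        self.overheard = dict(overheard)

    def read(self) -> bytes:
        return self.data_groups

    def respond(self, nonce: bytes) -> int:
        return self.overheard.get(nonce, 0)   # replay if seen before, else give up


def reader_checks(chip, nonce: bytes = None) -> bool:
    """Border reader: send a fresh nonce, verify the answer with the public key."""
    n, e = PUBLIC_KEY
    nonce = os.urandom(8) if nonce is None else nonce
    return pow(chip.respond(nonce), e, n) == _digest_int(nonce)


def demo():
    genuine = GenuineChip(b"DG1+DG2: signed data page and photo (constructed)")
    seen = b"\x00\x11\x22\x33\x44\x55\x66\x77"   # one exchange the clerk overheard
    clone = ClonedChip(genuine.read(), {seen: genuine.respond(seen)})
    return {
        "same_mrz_same_keys": bac_keys("AB1234567", "800101", "151231")
        == bac_keys("AB1234567", "800101", "151231"),
        "genuine_passes": reader_checks(genuine),
        "clone_replays_old_nonce": reader_checks(clone, seen),
        "clone_fails_fresh_nonce": reader_checks(clone),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two halves together are the thread's point: the clone carries the same data and derives the same BAC keys as the original, so an inspection that only decrypts and checks the signature cannot tell them apart, while a reader that issues a fresh nonce rejects the clone because nothing copied from the data page lets it compute the answer.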