Interesting People mailing list archives
RFID passport data won't be encrypted
From: David Farber <dave () farber net>
Date: Sat, 16 Oct 2004 14:54:56 +0100
Begin forwarded message:

From: Donna Wentworth <donna () eff org>
Date: October 15, 2004 9:42:47 PM GMT+01:00
To: eff-privacy () eff org
Cc:
Subject: [E-PRV] RFID passport data won't be encrypted

http://hasbrouck.org/blog/archives/000434.html

Contrary to what I wrote yesterday (/blog/archives/000433.html), the identification and biometric (digital photograph) data on "RFID passports" in the USA will *not* be encrypted.

Jay Stanley of the ACLU's Technology and Liberty Program describes what they were told in a briefing by Frank Moss, USA Deputy Assistant Secretary of State for Passport Services and director of the State Department's Bureau of Consular Affairs:

> Digital signature technology would be used to ensure that the information on the chip has not been altered. A State Department private key would be used to encrypt a hash of the information on the chip. The private keys would be retained in utmost secrecy in the basement of the State Department where they do all their encryption. The public keys would be shared with ICAO so that, e.g. a German control officer could look them up to verify authenticity of a passport. No harm could be done with the public keys; they could even be posted on a Web site.
>
> The public key can be used to verify that e.g. this passport was signed using the State Department's private key for every passport issued in San Diego from January 2005 to August 2005. But you can't use the public key to then create a signature on a fraudulent document. And the public key is not used to access the data on the document -- that is wide open -- it is used only to verify the authenticity of the passport.

I think I didn't grasp this, even when I read the draft ICAO specifications, because it was, and is, so astonishingly, over-the-top, unsafe and vulnerable to criminal abuse that I _couldn't_ believe it.

It also becomes clear on rereading the proposed ICAO standards and the USA government contract proposal (RFP), that the signature -- the one thing other than the photograph actually used to authenticate someone using a passport, particularly for financial purposes like cashing a check, sending or receiving money, or opening a bank account -- will be the one major element of the passport not digitally encoded at all (and thus not amenable to authentication through the hash or its digital signature).

So an identity thief, using only the data secretly and remotely obtainable from your passport, will be able -- without ever having actually seen you or your passport -- to create a perfectly valid-seeming passport, with a valid encrypted and properly signed digital hash, with your photograph but a signature in their handwriting. Such a document is the holy grail of identity thieves, organized criminals, money launderers, and, of course, terrorists.

All they have to do is place an RFID reader somewhere a lot of travellers will pass nearby, record the data of each passport that comes within reading distance (up to 20 meters with current readers, although that will likely increase with future reader technology), and look through the captured images later, at their leisure, until they find one with a photo that comes close enough to their appearance for them to be able to impersonate. They can create the physical photo for the forged passport from the digital data secretly and remotely read from the RFID chip.

Then they can choose, depending on their document forging ability, to create either (1) an RFID passport with a bitwise copy of the chip (organized criminals already use similar techniques to clone mobile phone SIM cards), (2) a non-RFID passport (these will likely remain in use for up to a decade, the validity period of current standard USA passports), or (3) a non-RFID passport or identity document of another country.

This last choice might be the preferred tactic, since a document with a different nationality would be less likely to produce "collisions" with the real identity that would bring the identity theft to the victim's notice. (It's common for people born in the USA to be citizens of, and carry passports of, other countries, so this last type of passport would attract no suspicion at all. Irish passports would probably be forgers' first choice, since they permit visa-free movement within the European Union and are the European passport most commonly held by people born in the USA. Or they might pick some other passport that happens to be especially easy to forge.)

Or they could choose to use the data from the RFID chip (including date and state of birth, the starting point to getting a birth certificate and finding out your mother's maiden name) to obtain or produce some other type of identity document. But why bother, when they could conduct their money laundering, open terrorist bank accounts, buy and use airline tickets, etc. with a properly digitally-signed and authenticated fake passport with a signature in their handwriting -- but in your name or the name of some other innocent victim?

This makes it imperative, if you are forced to obtain or carry an RFID passport, always to keep it in a tin-foil sleeve or envelope, and *never* to take it out without first demanding conclusive proof that the person requesting to inspect it is making a binding lawful demand to do so. When you do display it, try to get as far as possible away from all other people or anywhere an RFID reader might be concealed, and try to keep the foil wrapped around the passport as much as possible, to reduce the range of directions and angles from which it is exposed to radio reading.

The crucial issue for technical self-defense will be whether a passport cover can be produced that is transparent to visible light, but opaque to the frequencies used by RFID transponders.

Stay tuned -- I'll report anything I hear about such an identity theft protection device for travellers. Let's hope one is available by next spring, when the first USA citizens, other than government employee guinea pigs, start being issued with RFID passports.

There's more on the risks of RFID chips in passports and other identity documents (http://www.npr.org/templates/story/story.php?storyId=4107310) from Barry Steinhardt of the ACLU (the final interview, beginning at 32:48 of the broadcast) and others on National Public Radio's "Talk Of The Nation" earlier this week, recorded the day before the RFID passport contract announcement.
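
The signature scheme described in the briefing quoted above, as an added example that is not part of the original message or of any passport specification: a toy textbook-RSA signature over a hash shows what an inspector holding only the public key can and cannot conclude. The key (built from two Mersenne primes), the record layout and all function names are assumptions made for illustration; real issuers use padded signatures and properly generated keys.

```python
import hashlib

# Toy key, constructed for illustration only (assumption, not a real issuer key).
P, Q = 2**521 - 1, 2**607 - 1          # two known Mersenne primes
N, E = P * Q, 65537                    # public key: may be published freely
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: held only by the issuer


def digest(chip_data: bytes) -> int:
    """SHA-256 of the chip contents as an integer (always smaller than N)."""
    return int.from_bytes(hashlib.sha256(chip_data).digest(), "big")


def issuer_sign(chip_data: bytes) -> int:
    """Issuer side: 'encrypt a hash of the information' with the private key."""
    return pow(digest(chip_data), D, N)


def inspector_verify(chip_data: bytes, signature: int) -> bool:
    """Inspector side: only the public key (N, E) is needed."""
    return pow(signature, E, N) == digest(chip_data)


def read_chip(chip: dict) -> tuple:
    """Any reader: no key is involved, because the data is not encrypted."""
    return chip["data"], chip["sig"]


def demo() -> dict:
    # Constructed sample record; the handwritten signature is not part of it.
    data = b"name=JANE SAMPLE;dob=1970-01-01;photo=<jpeg bytes>"
    chip = {"data": data, "sig": issuer_sign(data)}

    read_data, read_sig = read_chip(chip)
    copy = {"data": bytes(read_data), "sig": read_sig}   # byte-for-byte copy
    altered = read_data.replace(b"JANE", b"JOHN")        # one field changed

    return {
        "genuine_verifies": inspector_verify(*read_chip(chip)),
        "plaintext_readable": b"JANE SAMPLE" in read_data,
        "bitwise_copy_verifies": inspector_verify(*read_chip(copy)),
        "altered_verifies": inspector_verify(altered, read_sig),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The check answers only "was this data signed by the issuer and left unaltered"; it says nothing about who read the data or which chip presents it, which is the gap the message describes.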