Friday, 15 October 2004
RFID passport data won't be encrypted
Contrary to what I wrote yesterday , the identification and biometric (digital photograph) data on RFID passports in the USA will not be encrypted. Jay Stanley of the ACLU's Technology and Liberty Program describes what they were told in a briefing by Frank Moss, USA Deputy Assistant Secretary of State for Passport Services and director of the State Department's Bureau of Consular Affairs:
Digital signature technology would be used to ensure that the information on the chip has not been altered. A State Department private key would be used to encrypt a hash of the information on the chip. The private keys would be retained in utmost secrecy in the basement of the State Department where they do all their encryption. The public keys would be shared with ICAO so that, e.g. a German control officer could look them up to verify authenticity of a passport.
No harm could be done with the public keys; they could even be posted on a Web site. The public key can be used to verify that e.g. this passport was signed using the Sate Department's private key for every passport issued in San Diego from January 2005 to August 2005. But you can't use the public key to then create a signature on a fraudulent document. And the public key is not used to access the data on the document -- that is wide open -- it is used only to verify the authenticity of the passport.
I think I didn't grasp this, even when I read the draft ICAO specifications, because it was, and is, so astonishingly, over-the-top, unsafe and vulnerable to criminal abuse that I couldn't believe it. But this is the way it is planned.
It also becomes clear on rereading the proposed ICAO standards and the USA government contract proposal (RFP), that the signature -- the one thing other than the photograph actually used to authenticate someone using a passport, particularly for financial purposes like cashing a check, sending or receiving money, or opening a bank account -- will be the one major element of the passport not digitally encoded at all (and thus not amenable to authentication through the hash or its digital signature).
So an identity thief, using only the data secretly and remotely obtainable from your passport, will be able -- without ever having actually seen you or your passport -- to create a perfectly valid-seeming passport, with a valid encrypted and properly signed digital hash, with your photograph but a signature in their handwriting.
Such a document is the holy grail of identity thieves, organized criminals, money launderers, and, or course, terrorists.
All they have to do is place an RFID reader somewhere a lot of travellers will pass nearby, record the data of each passport that comes within reading distance (up to 30 feet -- 9 meters -- with current readers although that will likely increase with future reader technology), and look through the captured images later, at their leisure, until they find one with a photo that comes close enough to their appearance for them to be able to impersonate. They can create the physical photo for the forged passport from the digital data secretly and remotely read from the RFID chip.
Then they can choose, depending on their document forging ability, to create either (1) an RFID passport with a bitwise copy of the chip (organized criminals already use similar techniques to clone mobile phone SIM cards), (2) a non-RFID passport (these will likely remain in use for up to a decade, the validity period of current standard USA passports), or (3) a non-RFID passport or identity document of another country. This last choice might be the preferred tactic, since a document with a different nationality would be less likely to produce "collisions" with the real identity that would bring the identity theft to the victim's notice.
(It's common for people born in the USA to be citizens of, and carry passports of, other countries, so this last type of passport would attract no suspicion at all. Irish passports would probably be forgers' first choice, since they permit visa-free movement within the European Union and are the European passport most commonly held by people born in the USA. Or they might pick some other passport that happens to be especially easy to forge.)
Or they could choose to use the data from the RFID chip (including date and state of birth, the starting point to getting a birth certificate and finding out your mother's maiden name) to obtain or produce some other type of identity document. But why bother, when they could conduct their money laundering, open terrorist bank accounts, buy and use airline tickets, etc. with a properly digitally-signed and authenticated fake passport with a signature in their handwriting -- but in your name or the name of some other innocent victim?
This makes it imperative, if you are forced to obtain or carry an RFID passport, always to keep it in a tin-foil sleeve or envelope, and never to take it out without first demanding conclusive proof that the person requesting to inspect it is making a binding lawful demand to do so. When you do display it, try to get as far as possible away from all other people or anywhere an RFID reader might be concealed, and try to keep the foil wrapped around the passport as much as possible, to reduce the range of directions and angles from which it is exposed to radio reading.
The crucial issue for technical self-defense will be whether a passport cover can be produced that is transparent to visible light, but opaque to the frequencies used by RFID transponders. Stay tuned -- I'll report anything I hear about such an identity theft protection device for travellers. Let's hope one is available by next spring, when the first USA citizens, other than gevernment employee guinea pigs, start being issued with RFID passports.
There's more on the risks of RFID chips in passports and other identity documents from Barry Steinhardt of the ACLU (the final interview, beginning at 32:48 of the broadcast) and others on National Public Radio's "Talk Of The Nation" earlier this week, recorded the day before the RFID passport contract announcement.
Posted by Edward on Friday, 15 October 2004, 10:56 (10:56 AM)
| TrackBack (5)
wow -- that is staggeringly insecure!
It's pretty common practice for budget travellers in the more crime-prone areas of the world, to carry their passports in a money belt on their person. An identity thief then just needs to set up a scanner in a location where travellers are likely to pass -- a shopping area, for example -- and they can cherry-pick hundreds of passports, daily, without ever even *seeing* the passport.
With the cooperation of a store owner, a hidden reader could pick up a lot of data without being detected for months.
Note that the range of a reader can certainly be increased; I was talking to some guys from the Schmoo Group (a group of computer security guys) last month about this, and they were pretty sure a high-power directional RFID antenna is doable, and would boost the range greatly.
Sounds like an entrepreneurial type should start making tinfoil wallets for passports ASAP ;)
(thanks for the weblog btw!)
My reading of the RFC is that the data will be "encrypted" in a technical sense, but can be decrypted using the public key, so the encryption provides only authentication, not security against unauthorized reading. I mention this just because someone might quibble that the RFC does specify encrypted data.
Reading encrypted data at a large number of stations is a very messy problem. If you store the decryption key on each station -- well, you remember what Nazi encryption was worth once the Allies got hold of one of their machines. The bidders may have realized that the problem of unauthorized reading would wreck the whole concept, and managed to keep it out of the RFC.
Is it possible to make a device that can scan for readers? Or maybe overload them so they get "static"?
Maybe when it is shown that the rfid passports are insecure, there will be a push to install chips under your right hand...
What would the penalties/repercussions be if you "accidentally" broke the chip with a icepick or something?
The passport could always have an unfortunate accident in the microwave. :-)
One clarification: The devices being proposed for passports are contactless smart cards, not RFID tags. The distinction is one of level of capability and esoteric trivia such as operating frequencies, rather than type, but the distinction *is* important in one way: range.
Certain RFID tags, under ideal conditions, can be read at up to 20 meters, but you'd be doing extremely well to communicate with a contactless smart card at 20 centimeters. In fact, I don't know of anyone in the industry who has ever claimed to achieve that much range... the claims are usually around 10 cm, and the reality is that the reliable range is significantly less than that. The reason for the huge difference is that although both RFID tags and smart card chips are powered by the reader's RF field, the smart card chips require much, much more power to operate. Since the transmitted power decreases with the *cube* of the distance, it's very difficult to deliver significant power over long ranges. Directional antennas help somewhat, but that really only improves the range at which you can power and transmit to the passport. The passport will still be transmitting its responses omnidirectionally, and at a very low power. Regardless of how much power you can supply to the chip, it will still transmit at very low power levels. In a RF-shielded lab environment, it might be possible to receive the responses at longer ranges (I'm not aware of any work that's been done to see how far), but the "longer ranges" will probably be in the sub-meter range at best. In the RF-noisy world we live in, you'd have a very hard time picking out such a weak signal (cube of distance, remember).
None of this really changes the issue, of course. It's still stupid to deploy these things without any kind of access control, particularly when smart card chips are perfectly capable of performing good, PKI-based access control. In addition, I would like to see some sort of shielding integrated into the passport. A thin foil layer, or even just a metallic mesh, integrated into the front and back covers would hold the chip incommunicado unless the cover were open. Or simple metallic contacts on the antenna could touch against a metallic strip inside the cover, shorting out the antenna when the passport was closed. These simple precautions would provide passport holders with a very simply way to protect their privacy, even in the far-fetched scenario where the access authentication keys were disclosed to bad guys (or where government agents were using the passports to track holders).
Although there is a problem, and it needs to be solved, all of the misinformation about long-range reading of these passports just clouds the issue. Please correct it. Thanks.
In response to the comment from Shawn Willden:
The proposed amendments to ICAO document 9303 refer to the ISO 14443 type transceivers by the nonstandard term "contactless integrated circuits". Most other sources refer to ISO 14443 chips as "RFID chips".
More important than which term is used, or the range at which the chips will be readable by the readers used by the USA government, is the maximum range at which they can be read by any reader.
Even more important is the likely maximum range at which they will be readable by the best readers available ten years from now, since standard passports being issued now are valid for ten years.
Tests in which ISO 14443 chips were read at 30 feet (9 meters) were reported in Electrical Engineering Times (I've added a link to the article) in a quote attributed to a spokesperson for Axalto -- one of the vendors for the components to be used in USA passhports -- and describing tests conducted at the USA National Institute of Standards and Technology.
In practice, 30 feet is far longer range than would be needed for clandestine reading of passports. The 10 cm. working range of the government's readers would be ample. A reader placed just below waist height in each side of a turnstile would be within 10 cm. of passports in the pockets of a large percentage of people passing through.
Even modest imcreases in range -- either with different readers using currently available technology, tuned for directionality and range, or improvements in technology and range over the next 10 years -- would drastically increase the potential for abuse. At 20-25 cm. range in a turnstile, a reader would reach the vast majority of passports in waist-height pockets. A reader with a range of 50 cm. would give complete coverage of passports carried by people passing through a standard doorway (with readers in the frame at each side). Range of 1 meter would allow easy reading of passports of people standing or sitting next to an identity thief in a public place with a reader in a suitcase or backback.
I continue to encourage USA citizens to get new passports while it is still possible to get ones that aren't secretly and remotely readable.
Regarding the posting by Shawn Willden:
If I remember correctly, for the far field the magnitude of both E and H is proportional to 1/r and the radiated power density is proportional to 1/r^2. Is the 1/r^3 factor due to RFID reader operating within near field distance limits? For a 100 MHz signal the crossover distance between the near and the far field is around 50 cm. For higher frequencies the crossover distance is even smaller.
It is an interesting contrast between the proposed lack of data protection in the passports and all hardware and software design tricks that the system and micro-controller manufacturers employ to enhance data protection. Few of those tricks mentioned in another EET article are non-contiguous data storage and buses, active shielding, and environmental sensors.
In response to the question from Ralph:
Passports containing an RFID chip will be issued with a distinctive ICAO-stnadard identifier to show that they are supposed to be RFID-readable. If such a passport is found not to be RFID-readable (e.g. because the RFID chip has been microwaved, mechanically damaged, or otherwise disabled) the passport will be considered to have been damaged or mutilated, and will no longer be valid. In addition to voiding the passport, deliberate damage to, or mutilation of, a passport is a violation of some countries' laws.
Another area of concern for Ruiz: State Department rules state that if your new passport's electronic chip is damaged or stops working you don't have to replace it. The agency reasons that since that same information resides on the data page of the passport, there's no need to replace a damaged chip.
Ruiz finds that policy puzzling. "If that component is broken," he says, "it's no more secure than what we have now."
I am Master student studying in Germany. Currently, doing research in RFID area.
Is there any realistic evesdrop scenario at passport system? I guess, U:S govt. issues passport with ISO 14443 RFID specification that can be read within 10 cm. In this case, an intrusion or attack or eavsdrop by an unknown reader is possible within this short range?
Second query, is it possible to read within a distance of 5m?
Please reply back to my email id with answers and related resources.
I will be greatful if I would get information from you.
Well, A reader placed just below waist height in each side of a turnstile would be within 10 cm. of passports in the pockets of a large percentage of people passing through.
Well, I would like to see some sort of shielding integrated into the passport. A thin foil layer, or even just a metallic mesh, integrated into the front and back covers would hold the chip incommunicado unless the cover were open.