Schneier on Security
November 3, 2005
The Security of RFID Passports
My fifth column for Wired:
The State Department has done a great job addressing specific security and privacy concerns, but its lack of technical skills is hurting it. The collision-avoidance ID is just one example of where, apparently, the State Department didn't have enough of the expertise it needed to do this right.
Of course it can fix the problem, but the real issue is how many other problems like this are lurking in the details of its design? We don't know, and I doubt the State Department knows either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny.
The State Department's plan to issue RFID passports by October 2006 is both precipitous and risky. It made a mistake designing this behind closed doors. There needs to be some pretty serious quality assurance and testing before deploying this system, and this includes careful security evaluations by independent security experts. Right now the State Department has no intention of doing that; it's already committed to a scheme before knowing if it even works or if it protects privacy.
My previous entries on RFID passports are here, here, and here.
Posted on November 3, 2005 at 8:30 AM
Bruce, you're going soft on us! At the risk of sounding paranoid (or maybe "paranoid enough"), I have to believe that the reason for the cleartext GUID is exactly what you suspected in your first 'here'. It's not a mistake, but a deliberate design decision. Recall that the public commentary ran 98% against RFID deployment, yet the State Department presses on. These guys know exactly what they're doing, and what they're doing is tracker-tagging Americans.
Bruce, a comment somebody left on your Wired article raises an important point. If the passport has to be optically scanned to get a key needed to decrypt data on the RFID chip, why not just store the data in a bar code?
What function does the RFID chip serve, other than obscurity?
Simple question: as there is already the need of optical reading, why not scrap RFID altogether and just use optical reading?
What happens when I locate the RFID chip in my passport and hit it a few times with a hammer? Will I be denied reentry to the US? Will I be subject to increased scrutiny? Or will they just wave me through based on the printed content of my passport?
(PS Should I ask fewer questions?)
The purpose of the RFID chip over a simple barcode is probably to be able to store more data. I seem to recall that there are plans to store a bunch of biometric stuff in the RFID chip, including a complete digital version of the ID photo. A barcode large enough to hold the data they want, even a 2D barcode, would probably be impractically large.
Hmmm....so what exactly happens when you get your passport stolen? What information is on these tags? Obviously a needed upgrade but if these things can be replicated I don't want 50 of me running around the world...
> Simple question: as there is already the need of optical reading, why not scrap RFID altogether
> and just use optical reading?
Because then people can't read the info on your passport from a distance without you knowing it.
The news this morning said that NZ (I live in NZ) is now going to issue passports with RFID chips, in order to "comply" with the US and other countries' passport standards.
There has been little mention of what's stored or of any privacy measures taken.
I think I'm going to get a nice metal wallet for my passport. Then I know that only airport staff/computers are getting the info.
But I'm shifting to the EU soon and it's common practice to take a passport for ID at many hotels... How much info are they getting, is this info being put on the chip?
Unfortunately I can't see that there is much I can do about it. Other than realize that someone somewhere can probably get lots of info on me if they wanted to.
But I can't imagine many people want to.
If barcode size is an issue, why not a full page of machine-readable code? The reverse of the human-readable photo-page sounds like a nice candidate. There should be substantial cost-savings of a sheet of paper over an RFID.
It seems to me that the only plausible reason for RFID chips, given the security measures in place (optical scanning) must be tracking. If they're willing to optically scan the passport but still want the RFID chips, what other reason could they POSSIBLY have?
Many good points, especially that about the State Dept working on the design behind closed doors. The article helped me see what is going on so that I can protect myself, somewhat, when this comes up in any of my cards or purchases. So does your BLOG. I'll buy a KIWI made Faraday wallet for passport + ...
The point about 'Behind closed doors' may be as much about who gets what contracts, as anything. In open discussion a better design can be hammered out independently of lobbying or political favourites. Any design needs to be made flexible for the future, rather than locked in for the benefit of contractor and friends.
I do some nutrition and mind training: as in USANA nutritionals and Mind Mapping. Whenever I come across doctors; dentists; education authorities working in secret: the harm done can equal any good. In the case of mercury toxicity from dental fillings; some immunizations; fossil fuel... many health care professionals only care about keeping quiet to save their reputations. Educators ignore the damage to young minds; perhaps their own were damaged by earlier versions of pollution?
But Governor Schwarzenegger is taking useful steps with DAN! to turn the tide in California. (Defeat Autism Now!) Only the tide is much wider and deeper than autism alone. Ref: CDC surveys of mental health...
We need to break down many doors and listen responsibly: then insist that the public does have a viewpoint that must not be ignored.
(Edward de Bono's 6 hats is an unprejudiced way of discussion of contentious or difficult issues that works. Mind Mapping is a way of seeing an issue 'System Logic' wise.)
Well, enjoy the weather; enjoy the day.
2005 BC Canada
Ignoring for a moment the RFID GUID issues, I have two questions:
Don't Faraday cages only work when connected to a ground? If it's in your pocket or purse, where's the ground? Am I off-base here?
If the barcode is optically scanned by a reader, can't it be optically re-created and scanned from security cameras at the various places you have to show your passport?
Just honestly asking--I don't know.
Seems to me a magnetic stripe could do all of this with a whole lot less hassle.
As most others, I fail to see the use of an RFID+optical reader.
With a pure RFID passport, I can think of the following ploy:
disable the RFID tag on your passport, then show the passport to the RFID reader (by pulling it out of the tinfoil wallet). The reader will read the RFID of a bogus passport hidden in your sleeve, or your hat.
You can even fool optical readers by gluing a photocopy of the other passport's bar code over the first passport; don't forget to remove the glue-sticked piece of paper before handing the passport to the nice customs officer, who is watching his screen anyway.
Maybe the idea is to con Congress into sticking the taxpayers with the bill for an infrastructure to serve the burgeoning espionage-for-hire industry. The users need only to supply their own interrogators and they can track people very cheaply without having spent a cent on the infrastructure themselves.
The "radio shield" better work. Imagine what could be done simply by knowing how many U.S. passport holders pass by a certain spot (airports, etc.) on any given day in any location abroad. Regardless of whether you can read the personal info, isn't there real risk to remote (69ft+) monitoring of who is congregating or passing by a particular place?
I don't understand this supposed threat that is discussed in the Wired article. The chip is still blocked while the cover is closed, right? So the problem is, if you open your passport, an unauthorized reader could find some kind of chip number. This wouldn't reveal any information about you, your name, your identity, just a chip number. Then if you opened your passport somewhere else, someone there could see the same chip number.
BFD! That is such a minor issue that it is hardly worth mentioning. I can't conceive of a way that this represents an actual threat to a passport holder.
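The chip-number scenario the comment above describes, modelled as an added example (not code from the post or from any commenter): a constructed chip that answers anti-collision with either a fixed ID or a fresh random one, a constructed reader log, and a check of how many locations a single ID can be tied to. The static UID value and the itinerary are made up.

```python
import secrets
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed model, not any government's design: the chip answers the
# ISO 14443 anti-collision step with an ID *before* any access control runs,
# so every reader that powers the chip sees that ID.
class PassportChip:
    def __init__(self, static_uid: Optional[bytes]) -> None:
        # static_uid=None models a chip that draws a fresh random ID on each power-up
        self.static_uid = static_uid

    def anticollision_id(self) -> bytes:
        if self.static_uid is not None:
            return self.static_uid
        # ISO 14443-3 Type A marks a randomly generated 4-byte UID with a
        # leading 0x08; the other three bytes are fresh on every activation.
        return b"\x08" + secrets.token_bytes(3)


def observe(log: List[Tuple[str, str]], location: str, chip: PassportChip) -> None:
    """A reader at `location` powers the chip and records the ID it answers with."""
    log.append((location, chip.anticollision_id().hex()))


def sightings_per_id(log: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Group the log by ID: the set of locations each ID was seen at."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for location, uid in log:
        seen[uid].add(location)
    return dict(seen)


def max_linkable_locations(log: List[Tuple[str, str]]) -> int:
    """Locations the most-trackable ID ties together; 1 means nothing links."""
    return max((len(locs) for locs in sightings_per_id(log).values()), default=0)


def simulate(chip: PassportChip, route: List[str]) -> int:
    """Walk the chip past one reader per place on `route` and score linkability."""
    log: List[Tuple[str, str]] = []
    for place in route:
        observe(log, place, chip)
    return max_linkable_locations(log)


if __name__ == "__main__":
    route = ["hotel lobby", "cafe", "airport gate"]  # constructed itinerary
    # A fixed ID links every sighting; a random one links none of them.
    print("static ID links", simulate(PassportChip(bytes.fromhex("04a1b2c3")), route), "places")
    print("random ID links", simulate(PassportChip(None), route), "places")
```

Randomising the anti-collision ID removes the linkage without touching the encrypted data behind it, which is the mitigation the tracking concern points at.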
I believe that in the end you are correct to raise these issues; however, do yourself a favor and check a few sources prior to printing your opinions.
First, in checking out the article on DefCon, you stated that a tag was read at 69 feet. While this may be true (I believe it), in passports the U.S. government will NOT use Active tags.
Here is a good place to insert "one size does not fit all." Each type of tag (and yes, there are many protocols and frequencies) has different strengths. An active tag should have the range of several hundred feet (I've seen some that go "miles"). At the forefront of technology, passive tags max out at a range of 20 to 30 feet in practical application.
Yes, Technology Will Get Better with Time. And yes, some vendors claim to read tags at 100m now, but read the fine print: that 100m is in free space. We don't live in free space (at least I'm here on the ground!).
A faraday cage need not be earthed to work properly. An electric/electromagnetic field (but not a static/low frequency magnetic field) is shielded by the cage due to field physics. The problem with RFID is that powering the circuitry in the RFID chips is done using relatively low frequency (electro-)magnetic fields (about 150-300kHz), the so-called magnetic near field H-component. This allows scan distances of up to 25-30 meters with a relatively small field power of ca. 10 watts (at the sender's location).
To shield this magnetic (H-field) component the faraday cage must be full metal, have a minimum conductivity and (depending on material) a certain thickness.
"Bruce, you're going soft on us! At the risk of sounding paranoid (or maybe "paranoid enough"), I have to believe that the reason for the cleartext GUID is exactly what you suspected in your first 'here'. It's not a mistake, but a deliberate design decision. Recall that the public commentary ran 98% against RFID deployment, yet the State Department presses on. These guys know exactly what they're doing, and what they're doing is tracker-tagging Americans."
I've given that a lot of thought. I actually believe that, in this case, they're just incompetent and not actually malicious.
"Bruce, a comment somebody left on your Wired article raises an important point. If the passport has to be optically scanned to get a key needed to decrypt data on the RFID chip, why not just store the data in a bar code?"
Right now there's no reason, as the chip will only contain the information written on the inside cover. But eventually, the plan is for the chip to contain more information: maybe a digitized picture, maybe visas, etc.
There is no doubt that a chip is required. What is in doubt is contact vs. contactless chip.
"What happens when I locate the RFID chip in my passport and hit it a few times with a hammer? Will I be denied reentry to the US? Will I be subject to increased scrutiny? Or will they just wave me through based on the printed content of my passport?"
A passport with a non-functioning chip will be considered invalid.
You might want to consider checking a few sources before expressing your opinion as well. If you check the referenced articles, the 69 feet is quite specifically from a passive RFID.
"Hmmm....so what exactly happens when you get your passport stolen? What information is on these tags? Obviously a needed upgrade but if these things can be replicated I don't want 50 of me running around the world..."
One of the benefits of a digital passport is that the information can be cryptographically signed.
"There is no doubt that a chip is required."
Excuse me, but there is some doubt. I would say there is a lot of doubt. There should be some very good reasons for saying that a chip is required, given all the implications (technological, security, privacy, cost...). Up to now, I haven't seen any.
"I actually believe that, in this case, they're just incompetent and not actually malicious."
I gather that every informed person independent of the state department agrees that there is no legitimate reason for using RFID in passports. (Should I have missed somebody who disagrees, please step forward and explain.) So why on earth do they insist on such a flawed technological design? Maybe they are just incompetent, although this isn't the kind of incompetence usually exhibited by this kind of institution (usually they are well aware of how to use technology in order to better control citizens). *In any case, they don't deserve the benefit of the doubt.*
"I gather that every informed person independent of the state department agrees that there is no legitimate reason for using RFID in passports."
I don't think that's true at all. There are a bunch of arguments for RFID passports. And there are some very good arguments against. I want to see some kind of analysis out of them.
"I've given that a lot of thought. I actually believe that, in this case, they're just incompetent and not actually malicious."
I have also considered another possibility. The RFID industry is currently promoting itself fervently, but is still far short of the production volumes that will enable costs to reach the magical 10c barrier and start Walmart putting them in every damn thing. They need a large scale application to be mandated by the government, which will bring the costs down, close the Walmart deal, and then they'll be rolling in the green stuff.
Additionally, as we already know from the EPCglobal fracas, some elements of the industry are highly, umm, unethical.
I'd like to see the Auditor-General investigating this program for, erm, conflicts of interest.
In Germany we now (since 2005-11-01) have RFID passports including the photo on the chip. One main aspect to switch to RFID was that it would be required to travel to the US.
The technical concerns and especially the unanswered questions regarding privacy aren't discussed right now any more.
But there is one other "funny" thing: If your face is a bit asymmetric, you might get problems with the automated "face check" when traveling!
Old passports are still valid - up to 10 years.
I'm not happy about things that aren't a close-to-perfect solution.
@Michael Ash, Bruce:
A standard passport page is 12.5 cm x 8.8 cm. Current industry standard black-and-white 2D barcodes encode 78 bytes per square cm, thus a passport page covered with 2D barcode can encode 8.4 kB. (Some newer 2D barcodes use colour to get even higher density plus better error correction, but are not yet widely supported.) A passport-sized full colour portrait, JPEG compressed to very high quality, can be stored in about 16 kB, so even a high quality picture could be stored on a double page. Increasing compression until you just start to get some visible JPEG artefacts, you can get that down to ~3 kB. Alternatively, keeping maximum quality but turning to grey-scale also goes to 3 kB. Adding a little additional text data (say protocol version number, name, nationality, DOB, issue date, expiry date and passport number, all encrypted ~= 112 bytes, plus 32 bytes ECC encrypted session key) and a 2048 bit RSA signature would increase all this by only about 10~15%.
In short, it is easily feasible to represent public key encrypted personal information plus a digitally signed photograph of adequate quality on a 2D barcode which fits on a standard passport page, using existing commercial off-the-shelf technology with robust error handling. If we are allowed to use two (presumably facing) pages, and/or newer barcode technologies, we can do all that but also increase the photograph quality from "adequate" to "high".
These technologies are very reliable -- probably more so than RFID -- and certainly much cheaper too. Thus, I do not believe data size creates a technical requirement for using a chip, be it RFID or contact based.
One additional issue might be recording of visa information, which means the system needs to be writeable. However, visas are only issued by various central offices, so it is no great obstacle to have them print a barcode on a sticky label to be pressed into the facing page. The information in a visa barcode (say version number, country code, reason code, office reference number, date of issue, date of expiry, and passport number) would all fit entirely inside a signature, so the data size is just 2 bytes (country + version) plus signature, say ~258 bytes for RSA, so each visa code would be about 18 x 18 mm; you could fit 24 to the page, enough for a lifetime for most people who don't travel for business. If you trusted smaller signatures (say ECDSA) you could more than quadruple that, in fact being limited by making the stamps manageable.
"Don't Faraday cages only work when connected to a ground?"
That's for static fields only, these are fairly high frequency. Additionally these are passive chips i.e. powered by the interrogating field, so you get to hit it twice, once on the way in and again on the way out. Even a carefully wrapped sheet of aluminium foil will reduce the effective read distance to millimetres. (However a sturdier case is preferable because rips in the foil can let quite a bit of signal through.)
"If the barcode is optically scanned by a reader, can't it be optically re-created and scanned from security cameras at the various places you have to show your passport?"
Yes, but so what? You're already showing your passport to those people. By making it optical, you can ensure that the digital data can only be read by people who are already reading the same data in analogue form (but it's more secure, because now it can be signed). You might not be happy about them reading that, but you've got no choice; it's the law that certain government officials get to see your passport, or else you can't enter their country. This contrasts with the RFID solution, where the data can be read by any random stranger you pass on the street. If it's encrypted, and they haven't seen the barcode with the key, they might not be able to read (all) the fields, but it will still act as a unique serial number.
"Seems to me a magnetic stripe could do all of this with a whole lot less hassle."
The problem there is reliability. Not of the passport, but of the reader. These readers will probably each be processing more than a million passports per year, so unless they are extremely reliable they are going to cause a lot of foul ups at airports. Non-contact technologies such as RFID and barcodes are inherently more reliable.
Yes, but your face won't match the blown-up large size photograph being displayed on his screen. The identifying feature of both digital and analogue passports is your photograph (some also include height). If you can replace the photograph, then you can use someone else's passport. But by including a digital signature, the digital version makes it essentially impossible to separate the photograph from your name (assuming they've designed the protocol properly!). Hence -- unlike at present -- it will only be possible to use a stolen passport if you happen to find one with an almost identical photograph, which is a much harder task than at present.
Additionally, the fact that the passport number will be instantly available in machine-readable form, and also unalterable, means that stolen passports are much more likely to be flagged as such. In fact even if the whole thing is implemented pretty badly and stolen card lists are on the blink half the time, the probability of being arrested for using a stolen passport will still become so high that demand for stolen passports will plummet, and people will probably stop stealing them. Instead, crooks will mainly rely on corrupt officials issuing genuine passports in false names.
CONCERNING "TINFOIL WALLETS".
Aluminium foil is not the best choice for protecting them. For one thing, most common grades of foil are so thin that a surprising proportion of the signal still gets through, especially if they use the lowest frequency RFID standard. It will still stop most of the signal, and reduce the read distance to a few millimetres, but you don't quite get the guarantee you want because a reader pressed against your (closed) packet might still be able to read it. More importantly, foil is not very sturdy, and even fairly small rips, or imperfect folding down of the edges, can let a lot of signal leak through.
Plus wrapping your passport in alfoil looks bad. If people don't know why you're doing it, it will just look tacky. If they do know, many of them will think you're either a fruit loop or a drug smuggler. At any rate, neither business travellers nor the teeming masses of holiday makers will do it, so only a very few people will be protected.
Thus, I envisage something more like an old-fashioned cigarette case: a nicely crafted, engraved metal box with chamfered corners and a lid so well made it closes airtight. Basically, take existing cigarette case designs and rescale them to passport sized (nearly every country in the world uses the same size), and maybe make them from mu-metal instead of brass. It would be stylish and elegant, and it will protect the passport from damp, sweat, physical abuse, gnawing insects, and RFID-damaging stray fields. Have a small pocket to keep your credit cards in too, and (if made from mu-metal) it will protect them from stray magnetic fields damaging the magnetic stripes. Most importantly, while it was closed the passport would be totally unreadable, even at contact distance.
It might be nice to have some kind of simple locking mechanism to thwart casual snoops, and also a small metal eye to attach to your key retainer, to foil pickpockets.
I would certainly buy one if somebody made them. If you marketed it right, millions of people would buy one. Hint, hint.
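The barcode sizing argument from the comment above, carried through as an added example (not the commenter's own code): page dimensions, the 78 bytes per square centimetre density, the record overheads and the visa-stamp grid are all the comment's figures; the functions and the grid assumption (whole stamps only, no page margins) are mine.

```python
import math

# Figures from the comment: a 12.5 cm x 8.8 cm passport page and 78 bytes per
# square centimetre for a common black-and-white 2D barcode.
PAGE_W_CM = 12.5
PAGE_H_CM = 8.8
BYTES_PER_CM2 = 78

# Record overheads from the comment: encrypted identity fields, an encrypted
# session key, and a 2048-bit RSA signature (256 bytes).
ENCRYPTED_FIELDS = 112
SESSION_KEY = 32
RSA_2048_SIG = 256


def page_capacity_bytes(width_cm: float = PAGE_W_CM, height_cm: float = PAGE_H_CM,
                        density: int = BYTES_PER_CM2) -> int:
    """Raw payload a page holds if fully covered by barcode (no margins assumed)."""
    return round(width_cm * height_cm * density)


def photo_record_bytes(photo_bytes: int) -> int:
    """Photo plus the encrypted fields, session key and signature."""
    return photo_bytes + ENCRYPTED_FIELDS + SESSION_KEY + RSA_2048_SIG


def overhead_fraction(photo_bytes: int) -> float:
    """Share of the record that is not photo data (the comment's 10~15%)."""
    return (photo_record_bytes(photo_bytes) - photo_bytes) / photo_bytes


def pages_needed(record_bytes: int) -> int:
    """Whole pages needed to carry one record."""
    return math.ceil(record_bytes / page_capacity_bytes())


def stamp_side_mm(payload_bytes: int, density: int = BYTES_PER_CM2) -> float:
    """Side length of a square barcode stamp carrying payload_bytes, in mm."""
    area_cm2 = payload_bytes / density
    return math.sqrt(area_cm2) * 10


def stamps_per_page(side_mm: float, width_cm: float = PAGE_W_CM,
                    height_cm: float = PAGE_H_CM) -> int:
    """Whole stamps that fit in a grid on the page (no stamp is split at an edge)."""
    return int(width_cm * 10 // side_mm) * int(height_cm * 10 // side_mm)


if __name__ == "__main__":
    print("page capacity:", page_capacity_bytes(), "bytes")
    print("3 kB photo record fits on", pages_needed(photo_record_bytes(3 * 1024)), "page(s)")
    print("16 kB photo record fits on", pages_needed(photo_record_bytes(16 * 1024)), "page(s)")
    # Visa stamp: 2 bytes (country + version) plus an RSA signature.
    side = stamp_side_mm(2 + RSA_2048_SIG)
    print(f"visa stamp {side:.1f} mm square, {stamps_per_page(side)} per page")
```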
Bruce: "A passport with a non-functioning chip will be considered invalid."
That's going to make coming back into this country a pain in the ass. Have you seen any durability testing results on these passports? Lots of things can happen to a passport in ten years time.
"why not just store the data in a bar code?"
In one of Bruce's earlier blogs I gave the answer to this.
Basically, if you consider the amount of abuse the average passport gets in terms of folding, moisture, dirt etc., then there is only a certain amount of resolution you can use for a bar code.
I worked out that at best you would get maybe 2K bits in a 2-D bar code in an area the size of a credit card (which is how small they want to make passports, so that they become a national ID card by default).
They (being various Governments) want to store a very large amount of (unknown to you) data. Possibly including all your financial and medical records and possibly any social/political associations you might have that they have on record (ie Police Colators files etc).
They just cannot get this amount of data into a bar code.
Why do they want to store all this info? Well, as has been pointed out, it will always be possible to "bribe" a single employee to issue a fake passport with your real DNA / Finger Print / Face Print / Gait Print, but you would have to be very very clever to make a supportable back history that will tie in with all the other Government etc. DBs that you would need to appear in, or be able to bribe a whole lot of individuals.
This leaves only ID theft of an existing individual's records; again it is unlikely you would be able to find enough information to be able to pass even basic questioning, and even if you could, would you be able to remember enough of it to not cause suspicion on questioning?
Finally, why store it on the passport? Well, it's a simple online data issue. If you as a Police officer or Immigration official in another country need to get at the data to ask the questions, you come up against three basic issues:
1, Are you going to be able to connect to the DB from where you are?
2, Is the DB going to be secure if it has external access?
3, Can you trust the data you are getting down the wire?
As it will be difficult to resolve these issues for various reasons (the most important being the human nature of "It's a pain, why bother checking" and people shouting about Human Rights/privacy issues) it's a bit pointless having it online.
Faraday cages do not need to be grounded, they just need to enclose the object.
The problem then is how well do they need to enclose, and that is the problem.
As any EMC consultant will tell you, a Faraday cage is an attenuator of only modest value. Even well made cages find it difficult to get >80dB if access is required to the object inside.
Basically any practical in-pocket Faraday cage is not going to give you more than 20dB or so reduction across a sufficiently wide spectrum.
If you want to know the technical ins and outs it would take quite a few pages to discuss, but as this question comes up on a regular basis maybe somebody should do it @Bruce how about it on another part of your web site ?
Think of it a different way,
I as a politician need votes to get/keep me in office.
To get votes I need money, first directly for my campaign fund, secondly in taxes to give the sort of policies that buys votes.
All this "Security for your Protection" nonsense give me both...
First off, there is the largesse (sorry, campaign contributions) that having the power to award government contracts buys me...
Second, if everybody is tagged by an RFID (or many) then I can track everybody's spending etc. That makes personal tax avoidance almost impossible for the masses...
So far a Win - Win for me, as a politician.
@Bruce: "A passport with a non-functioning chip will be considered invalid."
So if my passport after a flight to the US at 30.000 ft for X hours is hit by a high energy cosmic particle which flips a bit (or bits) on the RFID entry is refused? I'll then be put on a return flight, but won't be allowed back into my own country since the passport is still invalid...
"So if my passport after a flight to the US at 30.000 ft for X hours is hit by a high energy cosmic particle which flips a bit (or bits) on the RFID entry is refused? I'll then be put on a return flight, but won't be allowed back into my own country since the passport is still invalid..."
I'm sure there's a procedure for showing up at customs with an invalid passport -- expired, torn up, whatever -- already, and that you will be allowed back into the country. It might take several hours, though.
Possibly a naive question. Since we are hearing that Faraday cage is not perfect, would it be possible to build a personal RFID jammer (responds to RFID query with powerful noise instead of useful data), and keep it in the same pocket as the passport or even inside the Faraday cage? So people would be able to see you possess something which responds to RFID, but not retrieve any useful data?
How big would it have to be?
And if I stood near passport control in an airport with one, could I use it deny service, and cause the passport queue to get even longer than it already is?
Not naive at all :)
The size depends more on battery life than anything else, and on whether you want it to transmit continuously or only when interrogated, and additionally the range you want it to jam at (which would not be great for a pocket sized device).
A practical system could be built into a mobile phone sized case (Nokia 310 etc.); ideally it would send out junk data when interrogated, and also vibrate to let the owner know they are being scanned. In fact making it look like a mobile phone might be a good idea ;)
It has the potential to be a useful security product, however in most countries it would be regarded as an "illegal transmission" and as such could get you into trouble.
If I were designing one I would make it radiate about ten times the signal level the RFID would radiate; that way it would prevent casual scanning by ne'er-do-wells (be they Government or otherwise ;) when it was next to my passport.
At this low level of power you would then also have a reasonable excuse for carrying it (to prevent identity theft etc.). If however you made it radiate enough power to act as a DoS system at an airport or elsewhere, I suspect you would sooner rather than later get your "collar felt by the long arm of the law".
There is a provision in 22 CFR 53.2(h) for the USA State Dept. to authorize entry of a USA citizen to the USA without a valid passport, but the State Dept. administrative fees (which can include hourly costs for researching and verifying the would-be entrant's citizenship) far exceed the cost of a new passport.
For those of the commenters who don't understand the threat scenario of the static globally unique collision avoidance ID number in the chip, I have details in my blog.
"There is no doubt that a chip is required. What is in doubt is contact vs. contactless chip."
Has there been any public statement why a contact chip would not be the preferred approach? Alignment issues could presumably be worked out by "printing" large contact pads to aid tolerance. Reader lifespan issues could be addressed by design, only moving the reader's contacts into contact after the passport is in position.
Also, has there been discussion on where the chip would be physically embedded? (Where is it in the foreign passports which are already using RFID?) Is it in the cover, or in an interior page? If the latter, then, of course, any attempts at shielding the chip could potentially also be held between the cover(s) and you wouldn't need to have your passport "wrapped in tinfoil".
I think you may have hit the nail on the head, there.
> I'd like to see the Auditor-General investigating this program for, erm, conflicts of interest.
This is an excellent idea. When a government agency pushes ahead with an agenda that isn't getting public support or critical acclaim, it pretty much has to be because either (a) they're incompetent or stupid, (b) someone is getting pressure from congresspeople who get donations from the industry in question, (c) someone with decision making power has stock in the industry in question or plays golf with a CEO from the industry in question, or (d) a completely human problem -> somewhere some fairly high ranking bureaucrat has made this decision and is going through with it come hell or high water.
(c) and (d) are often related to (a).
Katherine Albrecht and Liz McIntyre: "Spychips - How Major Corporations and Government Plan to Track Your Every Move with RFID".
"There are a bunch of arguments for RFID passports."
Really? Which ones? And whose interest do they take into account?
"There are a bunch of arguments for RFID passports."
I agree that there are arguments, e.g. commercial arguments from the point of view of RFID vendors, what I mean is whether there are arguments that justify RFID from the citizen's point of view.
Now an extra question: as the RFID chip can be accessed in read/write mode, how easy would it be for a guy standing near me to zap the chip and pollute it with random bits all over ? or even worse, add a couple of entries like visa for 'terrorist countries' ?
Will this help eliminate the paper forms we have to fill out in the plane before we enter the country? If not, this just seems like another episode of Big Government's Big Spending.
"Will this help eliminate the paper forms we have to fill out in the plane before we enter the country?"
No, although airlines operating international flights to or from the USA are now required to obtain (either directly or through travel agents or other intermediaries) so-called "Advance Passenger Information" (API) and deliver it to the USA government in standardized electronic format when the plane takes off. Even the govt. estimates the cost of this at a billion US dollars:
"Has there been any public statement why a contact chip would not be the preferred approach?"
I have given info on this in past blog pages,
Basically all mechanical contacts are subject to wear and therefore intermittent behaviour and ultimately complete failure. Then there is the contamination problem,
The cost of making the electrical contacts on 5 Billion passports very reliable is certainly going to be several orders of magnitude greater than the cost of low tech RFIDs, especially when you have ramped up production to make the required number of RFIDs.
The big problem with passports is that they naturally hold both moisture and some quite corrosive chemicals that they get from their holders (yes folks, sweat is more offensive to electronics than to us mobile bio masses :)
Also there are the places the passports get taken to; for the average person this is likely to be on their holiday abroad to the Beach / Jungle / Mountain / Other extreme environment place we get entertainment from.
It does not take much imagination to realise just how much muck would get on the passport contacts, and for infrequent travelers this might have had the better part of a year to work in good and proper, and become as hard as good quality building materials ;)
Finally there is the issue of the readers: how are they going to make contact reliably with a million or so passports every year for each machine... To make it work well for mucky contacts is going to certainly damage clean contacts...
People often talk about Bank Smart cards' reliability, well they frequently forget to mention that the number of people who have to take their card to more than one Auto-teller, or to a real teller, is actually quite high. Although acceptable to the average punter, imagine what fun this would be at a large airport immigration hall?
If the number of complaints about the Finger Print readers having to be frequently cleaned is something to go by then expect queues four to five times the length.
Basically it is a problem which is not going to be easy to resolve for a contact based system so RFIDs are an apparent easy solution.
Unfortunately nobody has considered how unreliable the RFIDs are going to be, as most of the figures are based on Retail type experiments where the merchandise is not subject (for obvious reasons) to any kind of stress.
However it would appear that there is something like a 5% failure in the "Pet Passport" system where your pet gets an embedded RFID. I actually know of somebody whose dog has four chips in and only two work...
When your dog gets a RFID chip injected the vet usually picks a point where it is not going to get damaged easily. How many of you have put your passport in your back pocket and then sat down on a hard seat or railing or some other surface that is going to crush the RFID?
It will be interesting to see what the reliability is going to turn out to be.
" ... in an area the size of a credit card (which is how small they want to make pasports, ..."
Where did you get that information? The published final ruling specifically states they have rejected a card format and will continue with the booklet format currently mandated by international treaties.
"They (being various Governments) want to store a very large amount of (unknown to you) data. Possibly including all your financial and medical records and possibly any social/political associations you might have that they have on record (ie Police Colators files etc)."
The published ruling lists all the data fields that will be included, and it is nothing like the above. It will only include the information currently in the passport data page (long mandated by international treaties), plus administrative information about the passport itself, and security coding. Specifically: "name, nationality, sex, date of birth, place of birth, and digitized photograph of the passport holder. The chip will also contain ... the passport number, issue date, expiration date, and type of passport. Finally, the chip will contain ... a high strength digital signature." Indeed much of the information you list as being included is actually prohibited: "The chip will not contain home addresses, social security numbers, or other information that might facilitate identity theft."
They leave open the possibility that they may eventually include other information (notably fingerprints or iris codes) but require that this be subject to a complete new rule-making process open to public comment. Further, the total it will ever have (unless they scrap all the new passports and issue a totally revamped system again) cannot exceed the total chip capacity, which is 64 kB. That will hardly fit all your financial and medical records (unless you're a hermit.)
Don't get me wrong, I think that much of this process is wrong-headed and am opposed to it too. But a lot of information one finds circulating in the blogosphere is uninformed speculation promoted to wild rumour by oft retelling.
"I worked out that at best you would get maybe 2K bits in a 2-D bar code in an area the size of a credit card..."
A credit card is 85 mm x 54 mm. The best current mainstream, commercially available 2D bar codes encode 78 bytes per square cm. (Some newer ones, not yet widely supported, can get much more.) That means you can get 3.5 kB on a credit card. Except the photograph and signature, all the data listed above could be represented in about 90 bytes. Signature is about 256 bytes for RSA, or 32 bytes for EC-DSA if you trust the latter. A JPEG compressed passport sized portrait in high quality grey-scale, or full colour but just a little choppy, comes to 3 kB. Total, 3.3 kB.
First off I am from the UK and therefore have a slightly different outlook to other parts of the world
The credit card sized passport has been touted around Europe in one way or another for the past twenty or thirty years. More specifically in the UK the proposals for the National ID card started life as a "Benefits entitlement card" then got more features added (medical card, driving licence etc) all of which were proposed as credit card sized. Only latterly has the Passport aspect been included, but the documentation still talks about the ID card being credit card sized.
With regards to the extra data, there are various "Anti Terrorist" aspects to the UK National ID / Passport proposals which is why the latest LSE report estimates the total cost as being around 500GBP (900USD) per person (as reported in the UK press over the past couple of days).
With regards my estimate for the amount of data for a 2D code, I used a similar scaling as is used for the ABA mag stripe in that the card is assumed to get damaged edges and therefore the data is started a reasonable way in from the edge (they also have an allowance for Mag Head bounce as well). I also made an assumption about there being a high degree of redundancy for error checking as well as space left for a smart card set of contacts (in Europe these are very commonly used for banking and E-payments etc).
Sorry I forgot to say that yes, in the current limited International Passport proposals you are quite correct.
Unfortunately the current UK administration wants to have the "best in the world" combined everything card, that just happens as an aside to also include a passport. What is not clear is if there will be two chips in it or just the one (it probably has not been decided yet).
It is unfortunately a very stupid idea but a number of the card / RFID manufacturers have been sponsoring meetings at various political party conferences and they are pushing all kinds of "wonderful" things and the politicos appear to be picking it up like it was free money :(
At least one of the companies has made a complete botch of a voter system in South America but nobody appears to be worried about the company's ability to produce a system several orders of magnitude more complicated.
I will try and dig out a URL for the latest LSE report and post it here.
Here's official information on the German e-passport (only available in German):
It's sad they have gone ahead with this, despite lots of criticism (http://www.ccc.de/epass/?language=en). All new passports will include an RFID chip with the picture in jpeg (about 15 kB). Finger prints will be added in 2007. They claim that the RFID can only be read from 15 cm distance, more is "unrealistic due to the laws of physics". There are no sources given for that claim. The biometric data will NOT be stored in a central database, it seems that this is explicitly excluded in the law.
According to this information, the passport will NOT become invalid if the chip doesn't work.
Perhaps I'm confused, but I have been unable to determine how relevant the '69 foot' passive RFID reading is to the discussion of ePassports. The proposed ICAO ePassport RFID is 13.56MHz, which uses inductive coupling. If you read the Flexilis presentation at http://www.blackhat.com/presentations/bh-usa-05/... , and listen to their podcast, http://downloads.oreilly.com/make/... , it seems to me that the 69 foot (21 meter) read was on a UHF (capacitive coupling) tag. They also claim (smarter people than I would need to confirm this) the theoretical limit on the 13.56MHz inductively coupled tag is 3.5m (11.5 feet) - based on lambda/2pi for near field, further degraded by the sine of the angle of incidence to the tag.
The far field effects were NOT discussed, though keep in mind that's relevant for eavesdropping, not (as far as I can determine with what I understand of E&M) inductive coupling.
Given that the latest rule is that the passports WILL have shielding, and based on @Clive's claim that 20dB is the best they could achieve (since they use load modulation, 20dB is what we care about, not 40dB, right?), and you want to read them with arbitrary orientation, we're talking remarkably strong fields, sensitive readers, and technology that (today) has some physical limitations. (the laws of physics do not yield to enthusiasm...)
Obligatory disclaimer: I do not intend to imply the problem of reading ePassports at farther than 10cm distance is nonexistent. I'm merely trying to reduce some of the exaggerations and misconceptions. I believe this is an important point to make, since if you are trying to make a point with authorities, the special interest groups will discredit your arguments by focusing on minutia.
I would be thrilled to read a Faraday FAQ (particularly one that includes discussion of near field effects), as @Clive recommended.
As far as I am aware, the original ID issue raised by @Bruce remains valid. Is there further discussion on that?
As always, I appreciate the thoughtful discussion you Wise Ones have provided above.
I read your RFID article in Wired with interest - and disappointment.
Unfortunately you repeated the "69 feet RFID read range" story out of context. It's bad enough when journalists do this kind of thing, but I expected better from a scientist...
"RFID" is not one technology. There are quite a few variants, whose most important differentiator is the frequency range. E-passports, contactless smartcards, secure door openers and such use the 13.56MHz frequency with the ISO 14443 standard - whose nominal range is ~10 cm. The "69 feet" at DefCon was achieved using something like 800MHz. Talk about apples and oranges... more like sesame seeds and watermelons!
You are correct that "nominal" is not "theoretical maximum" - but the maximum is nowhere near 69 feet. My student Ziv Kfir and I calculated recently that you could reach about 40cm with better equipment and quite a bit of effort, see
I suspect you could do better, inside an insulated room, with real big antennas and super-sensitive receivers, but being able to actually "skim" an E-passport from 1m away would be a huge, if not astonishing, achievement. Skimming from 3m away
I totally agree with the privacy concerns regarding e-passports, and I'm happy that our work was used as ammunition in the (apparently successful) campaign to change the state department regulations on E-passports. But let's try to keep our facts straight: E-passports have not been, are not, and can not be, read at 69 feet (using physics as we know it)
School of Electrical Engineering,
Tel Aviv University, Ramat Aviv 69978, ISRAEL
I haven't yet seen any good analysis or reasoning why RF is needed in the first place. When your personal data is transmitted around, be it encrypted or not, it makes no sense to do it if there isn't any good reason to do so.
"RFID" is not one technology. There are quite a few variants,
whose most important differentiator is the frequency range.
E-passports, contactless smartcards, secure door openers
and such use the 13.56MHz frequency with the ISO 14443
standard - whose nominal range is ~10 cm. The "69 feet"
at DefCon was acheived using something like 800MHz.
More on NZ Passports:
The NZ Government (department of internal affairs) started issuing the new passports on the 5th of November 2005. All new passports issued from now on are "epassports".
Graphic of what the passport will look like and what data it will contain:
Cryptographic challenge issued by the NZ Minister of Internal Affairs:
I've been following this topic for a long time now, especially since the Canadian Government was thinking of putting bio-metric information into passports. It doesn't belong there... _maybe_ somewhere else. I'll explain.
I think there is a fundamental flaw in putting the "same information" on the RFID chip that is printed on the page. That serves no purpose; certainly it would foil the more naive person who wishes to produce a fake passport, but certainly anyone with any amount of intelligence is going to produce a fake with fake information on the RFID as well as in print. It is folly to believe otherwise. Any kind of biometric information would be the same... If I'm going to create a fake and the validation of the passport is to compare what's on the passport to the person standing there, I'm going to put my own biometric information on the RFID as well. You really need a method of authenticating that the passport is REAL and VALID.
This brings me to my point. If the US State Department is now requiring that the passport be placed into a reader to get the encryption key that will decrypt the information in the RFID chip that will most certainly be identical to that which is printed on the page, doesn't that defeat the whole idea of the RFID in the first place? Wasn't it the intent to have a reader system that didn't have to come in contact with the passport? Doesn't this requirement make that impossible?
And, since that is impossible, why not try to implement a system that actually works? A system that will take into account that passports can be revoked, and that fakes are going to be really good. Wouldn't it be better to have a system that read some sort of serial number off the passport (this already exists) and queries a US State Department database of passports (which already exists)... then the information that the US State Department has on file as being associated with that passport number would then pop up on the screen of the customs official (or whomever else with proper access) and the information can be verified by looking at it. An automated system could do things like make sure all the text is correct... and the official could look at the two pictures, and look at the person, and see if they match... they could even... if they wanted... send an "update" to the picture and you could have not only a copy of the photo that is on the passport, but you could watch someone grow a beard in extreme slow motion :)
Why is this better? It means that only people with authenticated access to the US State Department system can get information about you from your passport automatically... everyone else would be limited to the information that is printed on the page. That's not that good for anyone. The only thing that might happen is that someone could create a copy of your passport and they try to make themselves look like you... they wouldn't be able to change the picture as that is validated in real-time with what is on file.
I think in this case the RFID is a bit of technology that is being applied where it shouldn't. It doesn't belong here... there are other ways that are less prone to problems that could solve the problem.
I'm a software engineer working at a RFID reader company that designs UHF frequency RFID devices. I'm not an RF engineer, nor do I have much experience with HF tags (like ISO 14443 devices) but it sounds like you're really spreading some misinformation.
Passive RFID tags are powered by the reader, and HF tags are powered by induction, this severely limits their range. I don't know what was seen at 69 feet, but I sincerely doubt that it was a reader powering a tag at that distance.
The ISO 14443 standard uses a 13.56 MHz signal, with a wavelength of about 22m. ISO tags are powered by inductive coupling in the reactive near field, where power drops off with 1/d^3. This means that since the standard read range is 0.1m (10cm), to increase that distance to 1m, you would need to supply 1000x more power. Since the power supplied to an antenna is normally limited by FCC rules to 1 Watt, this would mean you'd require 1 kW to power them at 1m, or 1 MW at 10m. You may be able to eavesdrop on the signal at a long distance, but unless I completely misunderstand this stuff, you won't be powering it at that distance. Technology gets better, but physics just doesn't change.
As for the "secrecy" of the protocol... I simply went to the ISO site and searched for 14443, voila, documents. Sure, you have to pay for them, which I find to be a real pain for standards, but right there in the search results, "Part 3: Initialization and anticollision"
I think you're right that RFID tags in passports are a bad idea. You're also right that they need to do more to make it difficult for people to read the tags, and decrypt the data they contain. On the other hand, we shouldn't be completely paranoid. People routinely give out their passport numbers in insecure online forms to book hotels, etc. Really, on its own, the number isn't too helpful. It's not *good* to just give it out, but it isn't the end of the world either. If it's easier to pick someone's pocket to get their passport than it is to read it from a distance then the security of RFID-based tags is probably good enough.
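The near-field power argument in the comment above (1/d^3 scaling from a 10 cm nominal range) and the lambda/2pi boundary quoted earlier in the thread can be put into a small calculator. This is an added example, not code from the original post or from any of the commenters; the speed-of-light constant and the function names are mine, and the 1 W nominal reader power at 0.1 m is the comment's own assumption. It flags the comment's "1 MW at 10 m" case as lying outside the reactive near field altogether, which is the 3.5 m figure another commenter gives.

```python
import math

C = 299_792_458.0  # speed of light in vacuum, m/s


def near_field_boundary(freq_hz: float) -> float:
    """Reactive near-field boundary lambda/(2*pi), in metres.

    Inside this radius an inductively coupled tag is powered by the reader's
    magnetic field; beyond it only the much weaker radiated field remains,
    which may still be overheard but cannot power the tag.
    """
    return C / freq_hz / (2 * math.pi)


def required_power(p_nominal_w: float, d_nominal_m: float,
                   d_target_m: float, freq_hz: float) -> float:
    """Reader power needed to deliver the nominal coupling at d_target.

    In the reactive near field the delivered power falls as 1/d^3, so the
    power the reader must emit rises as (d_target / d_nominal)^3.  Raises
    ValueError past lambda/2pi, where the inductive model no longer applies.
    """
    if d_target_m <= 0 or d_nominal_m <= 0:
        raise ValueError("distances must be positive")
    if d_target_m > near_field_boundary(freq_hz):
        raise ValueError("target distance is outside the reactive near field")
    return p_nominal_w * (d_target_m / d_nominal_m) ** 3


def max_range(p_available_w: float, p_nominal_w: float,
              d_nominal_m: float, freq_hz: float) -> float:
    """Largest distance at which p_available still delivers the nominal
    coupling, capped at the near-field boundary (the inverse of required_power)."""
    d = d_nominal_m * (p_available_w / p_nominal_w) ** (1.0 / 3.0)
    return min(d, near_field_boundary(freq_hz))


if __name__ == "__main__":
    f = 13.56e6  # ISO 14443 carrier
    print(f"near-field boundary at 13.56 MHz: {near_field_boundary(f):.2f} m")
    for d in (0.1, 0.4, 1.0):
        p = required_power(1.0, 0.1, d, f)
        print(f"reader power for {d} m (1 W nominal at 0.1 m): {p:.0f} W")
    print(f"powering range with 1 kW: {max_range(1000.0, 1.0, 0.1, f):.2f} m")
    print(f"powering range with 1 MW: {max_range(1e6, 1.0, 0.1, f):.2f} m (capped)")
```

The cube-root inverse is the useful direction for a threat model: it turns a reader's power budget into the farthest distance at which a passport chip could even be energised, before any question of decoding the reply arises.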
After reading some more of this, I think there is a fundamental misunderstanding of passports that is missing. Passports were brought into being, partially, because up until quite recently we didn't have any sort of infrastructure to do real-time authentication of a person at the border. We can do that; we have the technology. The idea of putting my picture, biometric ID, visas, revocations, and a list of previously visited countries on or in my passport is very unsettling. This information shouldn't be anywhere in my control.
We have the technology to build the infrastructure that will allow us to do better than a system designed wholly on the fact that "fakes" are hard to make. They aren't hard to make any more, and any system that relies only on information presented by the authenticatee will be much more open to intrusion.
I'm not saying that such a system is easy to make. Certainly not. However, it is a better direction.
I would encourage people to look directly at the RFID passport specs, at http://www.icao.int/mrtd/Home/Index.cfm, particularly the "Annex I" document that includes the rationale for RFID. There is a "machine readable zone" (MRZ), which requires insertion into an optical reader. It doesn't have as much data capacity as an RFID tag, hence the desire to use RFID. Nations may optionally use part of the MRZ to contain an encryption key for the RFID data, some nations are choosing to do this and some are not. My understanding is that the US is not choosing to do this, I won't comment on the rationale presented by the US. The US position also explains why they did not favor the use of a contact technology with, for example, wire leads on the passport connecting to a reader device.
I would also like to support the previous posts about "reading passive tags at 69 feet". There are literally dozens, probably hundreds of varieties of RFID, including passive varieties that have a design range of about 1 inch (e.g. Omron V700). It makes sense to say that a very determined snooper can read a tag 10x farther away than the design range. But it doesn't make sense to say that all passive tags are subject to the same read range. I support the analysis of the responders above on this issue. It was very misleading in the GAO report to see blanket read ranges for passive and active tags, implying that all tags (of each kind) have the same read range. It is misleading yet again to see that error repeated on this widely read blog and in articles, authored by a respected scientist, and I hope Bruce will take an opportunity to clear the air on this issue very soon.
Thanks to some posters for clarifying the issues surrounding ISO 14443. The article to which Bruce refers actually points out that the 69 ft refers to passive RFID tags which are not the ones used in passports (they may be used by Walmart etc.). I agree that exaggerating the privacy threat isn't a good strategy.
@David Benoit: "Wouldn't it be better to have a system that read some sort of serial number off the passport (this already exists) and queries a US State Department database of passports (which already exists)... then the information that the US State Department has on file as being associated with that passport number would then pop up on the screen of the customs official (or whomever else with proper access) and the information can be verified by looking at it." You mean the information (including biometrics) should be stored in a central database instead of on the passports? This would be very dangerous. The privacy/big brother threat from having a central database is much worse than the information directly stored on the passport. Moreover, the passport must work as identification independent of a central database, otherwise, everybody who might have to check a passport (banks, hotels, foreign authorities) must have online access, in other words, the data won't be secret (not mentioning here the problem of technical failure).
"The idea of putting my picture, biometric ID, visas, revocations, and a list of previously visited countries on or in my passport is very unsettling." Less unsettling than the idea of putting them in a central database!
RF Tags and Encryption.
If one of the purposes of RF tags in passports (or whatever) is to be able to track the holder without their knowledge or permission then any form of encryption is irrelevant and useless - apart from providing a false sense of security. It does not matter what form of encoding is used as decoding is not required - if your purpose is simply to track the geographical location of a device containing a (fairly) unique "digital signature", encrypted or not. Reading distance and proximity is a function of the number, density and strength of readers. It is easy to corral people through restricted passage ways (doorways / metal detectors / elevators / turnstiles) and pack those areas with hidden RF readers. Add security cameras to this RFID equation and you can build your tracking database on the fly.
@piglet: Every piece of information that is on your passport is already stored in a centralized database. The government isn't going to issue passports and then forget about all the data!
As for hotels, etc. you would still have the information that is present today printed on the page, but nothing else.
I'm not suggesting that my suggestion is the be-all and end-all of personal identification and authentication, but I do know that having a biometric on an RFID that is easily read is MUCH less of a concern than "big brother" having it in a database that they're already going to have. If biometrics are going to be used, they should never be stored _anywhere_ other than the authority. Then you have an audit trail on the data, you have one place to go to if there is a problem, and you don't have people that shouldn't have access to the information just reading it off your passport.
(I meant that having a biometric on an RFID is much MORE of a concern)
First things first, reading out of the data from an RFID is a two stage process,
1, The reader excites the RFID.
2, The RFID radiates its signal.
What is of interest is not the power or adjacency of the exciter just that it does the job (ie at the imigration desk or in a door frame etc).
Merc - the energy required for excitation is directly proportional to field strength; in a closed loop the field can easily be made to be effectively uniform with little difficulty (think about the inside of your microwave oven for a very very loose analogy).
What is of interest is how far the resulting signal from the RFID can and will travel after it has been excited. This is all that is required to passively listen at a distance to an RFID at any frequency.
Avishai - You forgot to put a limit on your statement by talking about "Free Space Radiation" only, and at the fundamental frequency of the RFID.
Even at the fundamental frequency of the ISO RFIDs of 13.5MHz, it will travel a very very long way if coupled into a suitable carrying medium such as a surface mounted electrical cable or metal hand rail or any other suitable conductor that gets coupled in the near field (which at 13.5MHz is quite large).
These problems have been known about for years (TEMPEST and EMC again ;) and in various forms reports of these effects have made it into various national press reports, usually at some famous persons expense.
The most usual being the old cordless phones that transmitted the "line signal" at 1.8MHz and could sometimes be heard (and recorded) as much as 20KM (12.5Miles) away. Bearing in mind that these systems were only supposed to have a maximum range of 0.2KM (650ft) on free space calculations.
At 100 times "over range" on the cordless phone this suggests that under favourable conditions the RFID could be picked up 10m (32.5ft) away at least purely by accident....
If however you specifically designed a suitable transmission line (coaxial, waveguide or G-Line) then your RX range boils down to coupling loss and line loss only...
As a solid example have a look at the design of an EMC Stripline, TEM or Crawford cell transmission lines (see IEC 801 part 3 and EN 55 020 for more details).
The Stripline variety is a form of physically open transmission line into which you put test objects (like personal stereo systems etc). In essence it is a two plate transmission line with widely spaced plates and matching networks into a characteristic impedance (usually 50 ohms).
The stripline is fairly easy to calibrate in that the field between the plates is directly proportional to the voltage at the feed point divided by the distance between the plates,
E = V/h volts per meter
You will see from this that the field is proportional to distance, not distance squared or distance cubed...
This tends to hold good up to distances approaching a half wavelength, which is around 11 meters at 13.5MHz, so the stripline can easily be the size of a small house or large vestibule in a public building and still work effectively.
So the question boils down to who wants to build a more moderately sized test system just to see how well it works?
For those not familiar with Dr. Goubau's G-Line open wire transmission line take a look at
Which is a copy of an article from the Aug 1960 Electrical Engineering Magazine.
David Benoit, actually this is not the case, at least not necessarily. In Germany, there is not going to be a central database holding the biometrics of all the country's citizens, unless they change the law. The purpose of the biometrics (as publicly stated) is to match the passport holder to the person who applied for it and submitted the biometrics. No more than that. For that purpose, no central database is necessary.
Perhaps I should give you some additional background. Germany and several other European countries have a registration obligation for all residents. This registration makes identity verification much more reliable and in fact, identity theft is much less common. But those highly sensitive data are *not concentrated in a giant national database*, as is planned for example in Britain. The registers are administered by the municipality. The police cannot, for example, make a lookup to find out the address of "David Benoit" anywhere in Germany. On the other hand, it is relatively easy to verify if somebody has given a fake address, e.g. when applying for a credit card, or indeed a passport.
"I meant that having a biometric on an RFID is much MORE of a concern."
I disagree because you have a better chance to protect what is directly on your passport than what is in some database with online access to a lot of people. I agree that there is concern about RFID, maybe less than I used to think as the range is apparently short. However my main concern is with the biometrics in principle. The technology is not reliable for large scale application. Dealing with thousands of false negatives will absorb much energy that could be better spent on reasonable security.
I liked your article "Security of RFID Passports, but I must make a couple of comments about the use of the term 'RFID', and your interpretation of the security implications of the collision avoidance function.
1. RFID is a term widely associated with very simple, very low cost tags that store just a product ID code and maybe a product serial number, designed to be read automatically, typically in supply chain applications - e.g. on a packet of razor blades. Security is of little concern in these applications - on the contrary the aim is to facilitate reading the product code. However, I am sure that the chip being proposed for use in passports is much more sophisticated than this, having much greater memory capacity (say 1-4 kilobytes), fairly complex read and write password access control, and chip to reader mutual authentication, such as the Philips Mifare S40 and S70 chip family (there are other manufacturers of this technology, but I am most familiar with the Philips implementation). I am disappointed not to have seen any reference in the literature (including apparently in your excellent Crypto-Gram) to the (relatively) advanced security features that such a chip has compared to the basic RFID chip used in the 'razor blade' example above.
2. The chip ID number on the Philips chip is not 'buried deep within the chip' - on the contrary it is the only part of the memory that can be read without using secret key protected access control.
3. There should be no linkage between the chip serial number and the identity of the passport holder. If I were designing a passport application I would certainly NOT use the chip ID for any purpose other than collision avoidance (and preferably would disable the function if I could, as procedures can generally be designed to avoid the need for it).
4. On the Philips chip passport information would be written to one or more of the protected sectors of the chip memory, and would be accessible only after the chip and reader had successfully participated in a 3 way authentication process requiring the exchange of 48 bit keys. Properly implemented, such security should avoid the need to encrypt the passport data itself. Therefore, unlike supermarket RFID tags, where any reader is capable of reading any tag, the Philips chip is designed to be read only by readers programmed to read the correct sectors, using the correct keys.
Whilst key compromise is always a risk, to suggest, as its many detractors do, that passports using this technology can be easily read by a bystander is either simply misleading, or indicates gross technical ignorance.
5. Whilst I agree that the potential read distances are likely to be significantly higher than the published 4 inches or so, whilst this could allow a perp to read the chip ID, it is unlikely to garner any other information unless the perpetrator knows both the correct sector/s and the secret 48 bit key. If a single key is used for every passport globally, then the key will eventually be exposed and will fail to provide protection against this type of attack. However another feature of the Philips technology allows for each chip to be allocated a different key (derived keys), which would strengthen the key system.
6. The decision by US Customs (?) to print the decryption key in human(?) readable form on the passport may help, but will only be effective if the algorithm that allows the key to decrypt the information is itself kept secret. Otherwise the perpetrator can simply arrange to capture an image of the decryption key (say by means of a covert mobile phone camera), and program this into the covert reader. Maybe the decryption key is only readable by means of say ultra-violet light?
Cheers, and keep up the good work!
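Points 4 and 5 of the comment above describe two design ideas worth seeing in code: sector data that is released only after a three-pass mutual authentication, and per-chip "derived keys" so that a key recovered from one chip does not open any other. The block below is an added example, not code from the original post, the commenter, or Philips; it deliberately does not model the Mifare cipher or command set. The key-derivation function (HMAC-SHA256 truncated to 48 bits), the nonce-based proofs, the class and function names and the master key and UIDs are all constructed for illustration.

```python
import hmac
import hashlib
import secrets

KEY_BYTES = 6    # 48-bit sector keys, the size the comment mentions (KDF itself is hypothetical)
PROOF_BYTES = 8  # length of the MACs exchanged during authentication


def diversify_key(master_key: bytes, chip_uid: bytes, sector: int) -> bytes:
    """Per-chip, per-sector key from a master key and the chip's public UID.

    Hypothetical KDF (HMAC-SHA256 truncated to 48 bits), not the vendor's scheme.
    """
    return hmac.new(master_key, chip_uid + bytes([sector]), hashlib.sha256).digest()[:KEY_BYTES]


def proof(key: bytes, role: bytes, *nonces: bytes) -> bytes:
    """MAC over the session nonces; the role byte keeps reader and tag proofs distinct."""
    return hmac.new(key, role + b"".join(nonces), hashlib.sha256).digest()[:PROOF_BYTES]


class Tag:
    """Toy contactless chip: UID readable in clear, sector data only after authentication."""

    def __init__(self, uid: bytes, master_key: bytes, sectors):
        self.uid = uid                       # anticollision ID, readable by any reader
        self._keys = {s: diversify_key(master_key, uid, s) for s in sectors}
        self._data = {s: b"" for s in sectors}
        self._open = set()                   # sectors unlocked in this session
        self._pending = None                 # (sector, tag_nonce) awaiting pass 3

    def personalise(self, sector: int, data: bytes) -> None:
        """Issuer-side write, done before the chip leaves the issuer."""
        self._data[sector] = data

    def auth_pass1(self, sector: int) -> bytes:
        """Pass 1: the tag challenges the reader with a fresh nonce."""
        tag_nonce = secrets.token_bytes(8)
        self._pending = (sector, tag_nonce)
        return tag_nonce

    def auth_pass3(self, reader_nonce: bytes, reader_proof: bytes):
        """Pass 3: verify the reader's proof (pass 2); answer with the tag's proof or None."""
        sector, tag_nonce = self._pending
        key = self._keys[sector]
        if not hmac.compare_digest(proof(key, b"R", tag_nonce, reader_nonce), reader_proof):
            return None                      # wrong key: the sector stays locked
        self._open.add(sector)
        return proof(key, b"T", reader_nonce, tag_nonce)

    def read(self, sector: int) -> bytes:
        if sector not in self._open:
            raise PermissionError("sector not authenticated")
        return self._data[sector]


def reader_authenticate(tag: Tag, sector: int, key: bytes) -> bool:
    """Reader side of the 3-pass exchange, using whatever key the reader holds."""
    tag_nonce = tag.auth_pass1(sector)                                   # pass 1
    reader_nonce = secrets.token_bytes(8)
    reader_proof = proof(key, b"R", tag_nonce, reader_nonce)             # pass 2
    tag_proof = tag.auth_pass3(reader_nonce, reader_proof)               # pass 3
    if tag_proof is None:
        return False
    return hmac.compare_digest(tag_proof, proof(key, b"T", reader_nonce, tag_nonce))


def demo() -> dict:
    master = bytes.fromhex("00112233445566778899aabbccddeeff")           # constructed master key
    tag_a = Tag(bytes.fromhex("04010203"), master, sectors=[1])          # constructed UIDs
    tag_b = Tag(bytes.fromhex("04090807"), master, sectors=[1])
    tag_a.personalise(1, b"holder data A")
    tag_b.personalise(1, b"holder data B")

    # Authorised reader: derives tag_a's key from the master key plus the UID it read in clear.
    key_a = diversify_key(master, tag_a.uid, 1)
    legit = reader_authenticate(tag_a, 1, key_a) and tag_a.read(1) == b"holder data A"

    # Reading a locked sector without authenticating is refused.
    try:
        tag_b.read(1)
        unauthenticated_read = True
    except PermissionError:
        unauthenticated_read = False

    # A key extracted from tag_a is useless against tag_b: the keys are diversified per chip.
    reuse = reader_authenticate(tag_b, 1, key_a)

    return {
        "legit": legit,
        "unauthenticated_read": unauthenticated_read,
        "key_reuse_across_chips": reuse,
        "keys_differ": key_a != diversify_key(master, tag_b.uid, 1),
    }


if __name__ == "__main__":
    print(demo())
```

With a single global key the `reuse` case would succeed for every chip, which is the failure the comment warns about; with diversification the blast radius of one extracted sector key is that one chip, while the master key never leaves the reader. The UID is still sent in clear during anticollision, so this protects the stored data, not the holder from being recognised by UID.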
I found that the information that was given to me was too long to read
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.