The Economist on High-Tech Passports

Really excellent article from the Economist.

...despite the belief that biometrics will make crossing a border more efficient and secure, it could well have the opposite effect, as false alarms become the norm.

Posted on February 23, 2005 at 8:00 AM • 20 Comments

Comments

jayh • February 23, 2005 9:29 AM

Looks like a new market for protective cases for passports. True, it's not a Faraday shield, but probably will make ad hoc remote reading unreliable.

Roy Owens • February 23, 2005 9:55 AM

If the chip's data is unencrypted, make way for cheap programmable knockoffs. My bogus card would faithfully render my face, my irises, and fingerprints, and would dutifully tell whatever lies it was given.

Erik W. • February 23, 2005 10:16 AM

Jayh: What do you mean "It's not a Faraday shield?"
All a Faraday shield or cage is is a grounded surround of metal with no holes as large or larger than the wavelength you're concerned about. Wrap your passport in foil and hold it in your hand (or otherwise touching your skin) and it's shielded, as long as you're relatively grounded. Just like the tinfoil hats the black helicopter folks advocate.

An aluminum hard case like the ones my PDA and business cards are in would make my passport fairly reliably scan-proof.

Zwack • February 23, 2005 10:45 AM

Given that Belgium has introduced the new passports before the deadline and that there are problems reading the new passports with the new readers (31% - 58% success rate) am I being cynical or is it possible that Belgium has just claimed that they have implemented the new passport standards?

"Sure we've implemented it. You're having problems reading it? It must be your reader." This sounds like the perfect solution to me.

If there are any check digits in the information it sends, perhaps they've implemented something that sends random, garbled information back instead, yes all your passports will be flagged for hand inspection, but it solves the ID theft problem.

Z.

Now where do I get a metal passport case?

Israel Torres • February 23, 2005 11:45 AM

All for naught... we all know "attackers" do not use normal channels (i.e. entry points). The simplest way to pass an iron door is to walk around it.

As to shielding concerns noted above; mylar cases have been available for ages, but if that doesn't suit your needs check out http://www.mobilecloak.com/

Israel Torres

Davi Ottenheimer • February 23, 2005 12:22 PM

Brilliant piece. You have to love when writers nail the core of the debate: [personal safety] "involves eliminating the remote readability that was envisaged to be such a crucial feature of the system in the first place".

@Bruce
Can you comment on how this might relate to the "Secure Flight Initiative" and passenger tracking?

Alas, no one said authentication would be easy in a world with 6 billion people and accelerating transit. As the scope of personal identification continues to stretch outward from village, to town, city, county, nation, etc. we all know we lack any reliable system of global ID. All the more reason why we need to start trying to figure something out sooner rather than later...

I do not know if it is necessary to go all the way back to the drawing board, but I am surprised that technology is given so much weight when it is the non-technical aspects of identification that seem to be the most successful (per our earlier discussions regarding passenger profiling).

If nothing else I certainly hope nations are able to move quickly enough to find a way to deter/detain militant isolationists from taking matters into their own hands and killing people they "suspect" of being illegals:
http://news.findlaw.com/ap_stories/other/1110/2-21-2005/20050221004505_16.html

Anonymous • February 23, 2005 12:23 PM

It's almost as ridiculous as this one:

http://edition.cnn.com/2005/TECH/science/02/22/truck.stop.reut/index.html

"Scientists at a top U.S. defense research center have unveiled technology they say could prevent trucks from being used as bombs on wheels"

I mean, please..

Would any "real" terrorist be stupid enough to carry anything with him that would basically be transmitting "I'm a terrorist" signal around? And for any "newly hired" terrorist it wouldn't even matter if he/she used his legal one..

As for that "new technology" would anyone willing to blow up something with a truck loaded full of explosives be so stupid as not to disable that "new technology" first before using that truck as a bomb? And why would they use any new truck potentially having such a device in the first place (yeah like they would go and buy a brand new truck with all the "latest technology" and use that to blow things up) ?

I'm sure everyone realizes you don't need to be Bruce Schneier (or any kind of security expert at all) to figure out with common sense that most of these things are not going to make anyone more secure..

Nigel Sedgwick • February 23, 2005 12:40 PM

Roy Owens writes above:

"If the chip's data is unencrypted, make way for cheap programmable knockoffs. My bogus card would faithfully render my face, my irises, and fingerprints, and would dutifully tell whatever lies it was given."

My understanding of the International Civil Aviation Authority (ICAO) standard is that the digital data is not encrypted, but is protected by digital signature. The approach is to use "match-on-station" rather than "match-on-card".

Therefore it would not be possible to substitute, undetected, different biometric templates onto someone else's passport, or create a forged passport from scratch (without breaking the cryptographic protection).

I'm not sure if Roy is hinting, with his "tell lies", at the security weakness with "match-on-card", that might be relevant to other applications. There is a description of this at http://www.camalg.co.uk/pswmoc_040915a/match_on_card_040915a.html, and a comparison with "match-on-station".
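
Added example, not part of the comment thread or of any passport specification: a sketch of the signed-but-unencrypted design described in the comment above, checked at the reading station. Textbook RSA over small fixed primes stands in for the real signature scheme, and the record names, sample data and hashing layout are assumptions made for illustration.

```python
import hashlib
import json

# Toy issuer key: textbook RSA over two small Mersenne primes. Constructed for
# illustration only; it is far too small and unpadded to be secure.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public: every reading station holds (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))        # private: stays with the issuer


def digest(records: dict) -> int:
    """Hash each record, then hash the sorted table of record hashes."""
    per_record = {k: hashlib.sha256(v).hexdigest() for k, v in records.items()}
    blob = json.dumps(per_record, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % N


def issue(records: dict) -> dict:
    """Issuer side: store the records in the clear plus one signature."""
    return {"records": dict(records), "sig": pow(digest(records), D, N)}


def station_check(chip: dict) -> bool:
    """Reader side ("match-on-station"): verify using the public key only."""
    return pow(chip["sig"], E, N) == digest(chip["records"])


def read_without_key(chip: dict) -> bytes:
    """Signing is not encryption: the name is readable with no key at all."""
    return chip["records"]["name"]


# Constructed sample data, not a real passport record.
genuine = issue({"name": b"DOE<<JANE", "face": b"\x01\x02template-A"})

# A different biometric template substituted under the original signature.
swapped = {"records": dict(genuine["records"], face=b"\x09\x09template-B"),
           "sig": genuine["sig"]}

# A from-scratch forgery: without the issuer's private key the signature
# value can only be guessed.
forged = {"records": {"name": b"ROE<<RICHARD", "face": b"template-C"},
          "sig": 0x1234}

if __name__ == "__main__":
    for label, chip in (("genuine", genuine), ("swapped", swapped), ("forged", forged)):
        print(label, "accepted" if station_check(chip) else "rejected")
    print("readable without any key:", read_without_key(genuine))
```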

Davi Ottenheimer • February 23, 2005 12:55 PM

Speaking of false-positives and technology, did anyone catch the presentation at RSA on "Vegas Style" profiling (e.g. how to use "customer relationship management" data to find and arrest people) by Systems Research and Development? Apparently the CIA funded this company to help identify terrorists. Their product was called Non-Obvious Relationship Awareness (NORA), and looks to be a ChoicePoint-like database mining system. They presented a similar talk at BlackHat in 2002 called "Cops and robbers - Cheating Las Vegas"
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Jeff%20Jonas

Simon Hamilton-Wilkes • February 23, 2005 1:52 PM

How tough are these chips anyhow? What's to stop them getting 'damaged'. Then you're back to the optical machine readable data on the passport and being looked at by a real person. No different from erasing the mag strip on your driving license to confound the bars and clubs that have started scanning them.

Davi Ottenheimer • February 23, 2005 2:40 PM

You would think the passport technology would be at least designed to survive a few good washings, the drycleaner, a microwave, and the known attacks (i.e. how many access cards for pay-TV have been reverse engineered since the early 1990s?).

With luck, the presence of the new ID regulations will generate real innovation in chip design such that people will be unable to access the chip surface directly, reprogram the chips via software, intercept and decode the signal, or force malfunctions:
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

The technology clearly raises more questions than answers at this point:
http://www.smartcardalliance.org/pdf/industry_info/smartcardhandbook.pdf
http://www.securitymanagement.com/library/OSE_AccessControl0504.pdf

Rhys Gibson • February 23, 2005 4:08 PM

What am I missing here? To steal your identity, someone still needs to steal your passport to fill in the rest of the ruse, and make themselves look like you.

I don't mind a system that reads my passport remotely if it saves me queuing for 2.5 hours at LAX. Heck, they can even update my passport over the same connection and put my visa stamp on the chip if they want.

Thomas Sprinkmeier • February 23, 2005 5:08 PM

Some people advocate tinfoil to store your passport unless it's being scanned (first only at airports, but eventually whenever you buy petrol or, heaven forbid, fertilizer).

Isn't the greatest threat to your private data when the passport is being legitimately read?

The RFID chip is passive, and needs to be irradiated to work. Once it responds, anyone can pick up the signal.

Instead of carrying around expensive (and easy to detect!) active readers, wouldn't the bad-guys just carry passive scanners, hang around the legitimate readers and record the info?

tely • February 23, 2005 8:31 PM

How tough are these chips anyhow? What's to stop them getting 'damaged'. Then you're back to the optical machine readable data on the passport and being looked at by a real person. No different from erasing the mag strip on your driving license to confound the bars and clubs that have started scanning them.

Peter • February 24, 2005 8:31 AM

Rhys, here is a scenario for you:
Passport electronically stores face, name and some other demographic info (like address).
In many countries, kidnapping for profit is a big business.
Bad guys have scanners to read your passport and run a credit report, like from ChoicePoint.
Once they have your credit score, they can determine if it is economically viable to kidnap you, and the biometrics on the card include a photo of your face, making identification of you a lot easier.

If you don't think it's possible, I could make a long range RFID reader fit inside a briefcase for under $2k (there are some RFID reader kits for sale for under $200, the new thing you need to add is a decent antenna and amplifier). By long range, I don't mean 2 feet, I mean 20-100 feet. Add a bluetooth/wi-fi transceiver in the briefcase and you can distribute the kidnapping gang to where no one person needs to be around you the whole time.

Quick read near customs, decide who is worth it, and you can pick up your new "customer" in the baggage claim area.

Nigel Sedgwick • February 24, 2005 12:47 PM

When considering the security implications of lack of encryption of the new passports, it is worth remembering that the decryption keys (for both digital signatures, as planned, and encrypted passports, as not planned but suggested) would need to be available to every border checkpoint, throughout the world. This could be by on-line access, nation by nation, to national passport centres. However, it is more likely to be by copies being held at each border point, and probably (in some nations at least) on each individual border-point computer.

Also, the validity of these keys will be 10+ years, as keys must be shared over many passports, even if they are different for each issuing nation and are changed several times per year on an issue basis (for damage limitation in the event of compromise of any single encryption key).

Therefore, it is quite likely that decryption keys would be compromised quite quickly, and certainly well within their period of validity. This could be by theft and reverse engineering of a border-point computer, or by suborning a single staff member (of any one of the world's national border agencies) with access to issued decryption keys.

It is therefore best to assume that the decryption keys are all compromised (as one would for a public key system offering originator authentication).

Thus only casual and/or opportunistic attackers (of the RFID communications) would be unable to decrypt the data. Encryption (rather than only digital signatures) would not offer protection against more sophisticated attackers. It is also possible that decryption keys might be "published" illicitly, making them available to all.

Given that encryption would offer protection only against those who could skim or poll the RFID signals but did not acquire knowledge of the decryption keys, I can see that the question might well be asked "What do we really get from using encryption rather than just digital signatures?"

The real problem is the use of RFID communications, not the lack of encryption.

With RFID communications, privacy can be invaded surreptitiously (without theft of the passport), and some sorts of attacks against identity checks can be made easier (eg attack against medium-performance biometrics by infiltrator selection).

If RFID were dropped, then access to the on-passport data would only be by theft and contact communications. In that case (of lower-technology access), there would be a somewhat stronger case for using encrypted data in addition to digital signatures, as there would be a larger proportion of attackers against whom encryption would offer protection.

XIII • February 24, 2005 2:58 PM

Just a note regarding EM shielding: it can be harder than it looks to do right. As a young physics student, I observed a demonstration in which a portable radio was placed into a solid aluminium box. The lid was placed on, but the radio continued to play clearly and did not stop until the lid was *screwed down tightly*. Because of the slight bend in the lid, when it was placed loosely it didn't make good electrical contact with the box on all edges and the shielding failed even though the gaps were far smaller than the wavelength (<1mm to several meters). Further tests with different types of wire mesh showed that just being smaller than the wavelength is not enough.

Rhys Gibson • February 24, 2005 3:11 PM

Peter,

Gibson's Third Law: The more you think about security the more paranoid you get.

I see your point, but I'll still risk it until I have to go to Iraq, the backblocks of Indonesia or deepest darkest Liberia. At which point, I'll just try and look poor.
