Schneier on Security
A blog covering security and security technology.
« Radiation Detectors in Ports |
| Hackers Taking Over Webcams »
March 16, 2005
U.S. Electronic Passports
From the Federal Register: the proposed specifications for the U.S. electronic passport.
Posted on March 16, 2005 at 11:07 AM
• 23 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The article states:
The electronic chip will carry the information on the data page of
the passport plus a biometric identifier to enhance the ability to
identify the bearer. The biometric chosen for the initial version of
the U.S. electronic passport is the facial image, one of three
biometrics currently identified by the International Civil Aviation
Organization (ICAO) as suitable for inclusion in international travel
documents, although the facial image was mandatory. Under the proposed
rule, border inspectors would compare the passport bearer with the
digital facial image stored on the electronic chip. ICAO also
recognizes fingerprints and iris scans as acceptable biometrics. ,,,
Facial recognition can be defeated, however for passport controls you can force people to take off hats, glasses and pull hair back. What bothers me is that facial recognition is the easiest way to profile people from a distance. By creating a database of facial images, that could then be compared as the test done at one superbowl not too long ago, what is to say they wont start tapping into muni cameras and feeding it the data from the passports?
If they go to fingerprints, those can eaisly be forged, and if it is like the DMV in california there is no physical inspection of the fingers to ensure they are accurate. The print data is read optically so its easier to fool than some scanners.
The chip also needs to be physically secure, and I do not believe this will be true. Its only a matter of time when people start ripping it apart to see how it works. Will this be like the 'secure' RFID chips used in Ford auto keys and at some gas stations?
Well of course it isn't in the America's best interest to make it secure. Consider this:
CIA Agent Jones needs to travel to Country X under an assumed name (and so false passport). OK, so the passport is legit because it has been issued by an authority of a "good" country, but it is in a false name. But Agent Jones has travelled to country X on holiday or for a previous job. Passport checking of a biometric correlates these two identities, and so blows his cover. The CIA will need a way around this system, and I'm sure this will have been considered in the design.
Well it is easy with basically hollywood techniques to create a face that would be different. Foam latex can be cast in a mold (I bought stuff at 'cinema secrets' in Burbank which sells everything needed). Foam latex is not the same as liquid latex, its lighter, and can be painted (airbrushed) easily, and there is a special powder you apply on foam latex to make it look more realistic.
Using computers a mold can be formed from pictures alone with no 'art' skill to sculpt a face from someone else.
Since facial recognition systems are based on proportions (to compensate for distance from camera, zoom level, and of course weight gain/loss within reason over time) it wouldnt matter if the face was a little larger or smaller than real, as long as proportions are kept the same. This would be similar to what was done in mission impossible (both the 80s tv series maybe the original tv series, and certainly the first movie). Although removing the foam latex would be different than depicted. It could allow for someone to easily cross lines without as easily being caught.
Now this data is on the passport, the ethics groups on this issue is a match and forget system, however there has never been a single database in America, and most likely other countries, where the initial purposes were not expanded to do more. By haaving the facial data on the passport there is no need for a repository of stored info, other than as a master for generation of the passport data.
One problem with foam latex is that thermal imaging would show heat oddities, especially stuff that is sensitive enough to detect blood vessels, which even identical twins do not share. You would not sweat through the foam latex either, so in a hot country that may look odd that you have totally dry skin (mist bottle may fix that though).
Foreign countries most likely will not have the ability to read this, and there is still the ability to travel in various parts of the world without a passport. In europe for example, as long as you dont get on a plane (travel by car, ferry, train, etc) you dont need a passport so long as you have an EU drivers license. In the UK due to common law 'right' to call yourself anything you want (unless for fraud) you can, or at least a couple years ago used to, get a drivers license in any name you choose (California is the same way oddly, or was).
I do not think that the CIA has a problem doing infiltration or exfiltration. In the 70s they did an exfiltration using Canadian passports (and got Canada to change some laws to allow for govt issued passports to non citizens to get a specific group out of Iran). The CIA also has a group whose job it is to travel and get visa documents from various countries so they can continually forge such documents. Either a rubber stamp visa or seperate papers which are copied.
Bruce, your articles are getting shorter and shorter on content. If I wanted a poorly-maintained blog I'd read Slashdot.
I still don't understand why they chose contactless interface to the chip. Simply having electrical contact would solve the eavesdropping and skimming problem without any need for encryption.
Ari, because they WANT contactless reading!
They WANT to be able to set up a hidden portal around a door and read everyone walking through because their ID/Passport has an RFID on it, download the biometric information, compare it with the camera feed, and do a database search.
Only after somebody evil does the same thing (eg, a totalitarian government to harrass US press, militant assassins) will there be a push against contactless reading.
The other thing is that with contactless they can read without cameras. And reading the data from RFID or similar is far easier than doing an actual compare of facial data due to computer cycles required.
Contact based systems are a little harder, contacts wear out, the card surface can wear, etc. So in high volume processing its a little quicker, at the cost of the privacy of the information, to do.
There are CF based RFID readers (although I have only found one company selling them in Germany). Now that everyone is pretty much using the same 13.65MHz standard instead of 125kHz or 400kHz ... My guess is that the next device in personal protection is going to be a RFID reader detector (since they do emit a signal that can be detected easily enough).
There are devices that claim to basically make a faraday cage to encase your RFID so it cant be read from remote (some unmodified readers can read 30 feet away ...) I do not know how well they work as they arent grounded, but they should attenuate the signal at least a little, making it harder but not impossible to read.
A friend would always carry an old prox card in his wallet next to his real one so both cards would emit at the same time and garble the signal, this is ok for casual reading (the type done by street urchins) but wouldnt stop someone with a good radio and some clever DSP algorithms to process the signal.
If you have 1 old meaningless card and one that is attenuated odds are most scanners that are for casual use would just read the old one and not notice the new one.
I do have to ask though why dont rfid makers put a switch on the units so it takes a positive action of the holder to make it work? Basically there is a coil inside that receives EM from the reader which powers the device, which is a simple radio that transmits via a small antenna. If that coil had a switch (there would be some loss and other issues to deal with though) then the card wouldnt be succeptable to most casual passive reading, although depending on device it may be better to remove power to the IC that is in the RFID.
Anony Mouse has a handle on something vital. If this scheme will be in widespread use, then our spooks will need easy and reliable ways to cheat the scheme without leaving an evidence trail that can betray them. If our spooks can gaff it, any spook can gaff it.
I posted some feedback about this proposal a few days ago on my website that will be making its way to the State Department and Congress... Feedback is welcome:
I have read some of your information regarding RFIDs and you seem to completly forget about a nonce. You can encrypt with a nonce and thus avoid replay attacks. This is a common scheme, and RFID systems are updatable, meaning bidirecitonal communication, so what is to prevent some of this communication being a nonce?
Now if they simply do that what would prevent someone from sending a series of nonces in an effort to crack the system? The RFID could be made to slow down if subsequent queries are given so that it takes longer and longer to get a reply, however when the RFID reader is powered off or moved out of range the RFID would reset itself unless it stores some value (it is unlikely to have bateries, as most if not all RFIDs do not).
As for your ITAR/EAR restrictions, these are government issued devices, infact by the State department, the very group citizens have to apply to for a permit to export crypto. So I doubt those laws are why they did not do this.
I wonder what will happen if you 'accidentally' toss your passport in the micrwave for a few seconds. If it doesnt totally fry it it will at least damage the front end of the radio device so it wont be on frequency anymore and will then not work properly. Does that invalidate the passport? Does it just cause you to get extra scrutiny (most likely). They would be hard pressed to prove that you did this intentionally without a statement to that effect (think 5th amendment) it could have been done by a ham radio or some other radio device accidentally.
One thing people are forgetting about this. When traveling overseas having a US passport can be a dangerous thing depending on where you go. I am waiting for the first case of Americans being attacked because they had a passport hidden on their person but were scanned remotely and thus attacked or worse simply because the RFID gave them away. When that happens it would be a hot topic to undo this. Perhaps that is the best argument, although it has been my impression that people play ostritch too much. They bend over, stick their head in the sand and hope no one comes up behind them. They dont know how or that you can scan RFIDs from a considerable distance over what is thought of, or they think that all people that would od this would not pay $100 to get a reader and scan public areas. Because they dont know no one else must either, just ask em.
I think there is another big question that needs to be answered. Who has the contract to provide the RFID? I will almost guarantee its not a US company but instead a foreign country. The federal government buys a lot of stuff from oversears (most of the stuff they give you in a federal prison is made in china, shoes, soap, toothbrush, etc). Way to keep that trade deficit high.
At least they have not yet proposed what the EU is doing with the Euro currency. The EU is placing RFIDs in 500 EUR notes first but maybe others later. Hitachi has the contract.
Recent concern about skimming seems inflated to me. As soon as my RFID passport arrives (I'm British, but it'll happen here too eventually), I'm going to go out and buy a faraday cage to keep it in - a cigar case should do, but I'm sure there will be plenty of online advice as to what works.
So, I only have to worry about skimming when I take the passport out of its case. Almost always when I take out my passport abroad, it's to show it to somebody I have no reason to trust, such as bar staff or customs officers. So there isn't much more of an information leak than there was before.
Its not an RFID tag. its a smart card chip.
Use aluminium foil to prevent skimming (or even reading for that matter).
Don't forget how unreliable face recognition is. It will create a heck of a chaos once it is used routinely.
What about the question who can read the data on the chip (or can everybody read them anyway)? Will this be confined to the US? Hardly. Other countries will be able to read them as well, and (of course) the other way round.
Will the data be only on the chip or will there be a mega database holding all passport data?
What are they planning to do to prevent people from getting a legitimate passport on a different name?
The data on the chip will only include the information contained on the data page in the passport. There is no need for a new database... the existing db of passport users will do just fine. The process for getting a passport would appear to be the same... Once you apply at a post office or wherever, the application is sent to the State Department where the info on the application is put on to the data page and on to the chip where the State Department will digitally sign it.
A couple of things, iso 14443 type A&B defines contactless smartcards (alternate is iso 15693, and iso 14443 type c,d,e & f havent yet been approved afaik), it uses a RF signal to transmit the data. This can be read from a distance. I should have the standard on my webpage somewhere (I know I have it however I do not know if its up, I will verify later today and put it up if it isnt). The difference between an RFID and a iso14443 smartcard is the same. They are called RFIDs but iso14443 clearly states in section 6.1 it operates at 13.56MHz +/- 7kHz. Which I said before. This is the same frequency the devices mentioned at www.rfidanalysis.org talk about (ford keys and mobile speedpass). Rather than bicker about how its one thing and not the other, it may be more productive to just assume that in todays market place they are the same thing. BTW the CF proxcard reader that I found works on this same frequency as well. CF reader http://tinyurl.com/5ngkr
A faraday cage (as I briefly talked about earlier) is normally a grounded metal box. Grounding is critical to prevent the metal from acting like an antenna and still passing signal through. It would act more like a parasitic antenna than a driven antenna, but still. A metal box in your pocket is not grounded, and while it might attenuate the signal it wont prevent it from traveling out. If it attenuates enough it would prevent the card from getting enough power to transmit, or weaken the power it gets so it doesnt transmit as much. This is most likely how the devices work, however I have never had one so I do not know specifically. The faraday cage blocks signals upto a specific frequency. The lowest frequency allowed out or in is based on the largest hole in the cage using the following:
wavelength = C/f * sqrt(E)
C is speed of light (300,000,000m/s)
f is frequency
E is the dielectric constant of the propagation medium. 1.00 in a vaccuum 1.06 in dry air.
To simplify, sqrt(1)==1 so we can for the most part omit sqrt(E) becuase its close enough to 1. if frequency is expressed in MHz we can shorten C to just 300 meters/sec. This is really not an issue for 13.56 MHz but would be for higher frequencies including harmonics, although that starts to go beyond standard readers.
If the device isnt grounded though I am unsure how well it would work. The only way to find out is to get a reader and actually test.
The data on the chip is said to have facial patterns as well as bio data on the person. the bio data is already known, however the database would have to be extended to store the facial data as well. Facial data is a requirement for biometric passports according to ICAO. Other information can be fingerprints (easily forged going to be documenting my now 5 year old project on this on my webpage) and retina scans (schipol airport in Amsterdam has done this for years on an opt-in basis for EU citizens that travel frequently, they can read retinas upto 30 feet away).
The fact that the bio data is available that would allow someone to know that you have a US passport. That in itself is a security risk in some places in hte world (and has been for many many years). In the 70s people were seized in Iran becuase they were americans, and the exfiltration that was done was in part with Canadian officals help to give them Canadian passports to sneak them out.
Roy Owens got my point entirely.
Bret McDanel - It doesn't matter which countries agree to issue spies with passports. The fact is the target country can now correlate entries of agents with their other identities (provided a suitably "good" biometric is used).
The CIA cannot let this happen. The authentication mechanism must be weak to allow individuals to have multiple identities. If it is weak, then this weakness will be exploited by the "bad guys".
Well, could debate about this forever, but reading all the comments on this topic I'd still say the contactless interface isn't really needed. If everyone's required to properly shield their passports then your government's hidden bigbrother readers aren't going to work either. Without going into any other details, wouldn't it be equally convenient to just use ordinary contact cards where people would simply wait in line, insert their passport halfway to the reader when it's their turn, wait half a second for that "green led" and be done? People really think carrying a thick shield and removing their passport from it everytime it's being read is convenient? If the idea is to be able to read everyone's ID from distance and then compare that to some "terrorist database" it's simply not going to work.
Who's to say the farraday cages won't be banned on aircraft as a security measure?
All it takes is a farraday cage, a pair of nailclippers and a book of matches and you can build a weapon to hijack the plane!
Anony Mouse I think you miss an overall fact. Even without this data being on the passport hostile countries can already implement their own facial recognition systems (or gait or retina or ...) and subject individuals coming in to those checks. This would be a system and database they own and totally control. They could then quite easily match the data. They dont need to rely on biometric data from a US issued passport to do this. To think that anyone who distrusts the US would rely on data provided by the US as authoritative is silly and absurd.
Previously Bret McDanel wrote:
>A faraday cage [...] is normally a grounded metal box.
> If the device isnt grounded though I am unsure how well it would work.
In the high frequncy limit, the ground doesn't matter much---there is no time for the ground to communicate with the signal.
Some experience shielding some sensitive detectors from the large EM pulse of a spark lamp suggests that smooth, ungrounded conductors simple pass the signal through, but crinkled aluiminum foil can suppress it by better than 1 order of magnitude.
The spark noise in question had structure at the sub-nanosecond scale, so you (that is anyone who cares) will want to test the idea in the appropriate band.
I use heavy-duty kitchen foil for the shield, and ball it up before applying it. Very high tech.
Thanks for the update David. I had not played with ungrounded shields, so I left that open.
As for related stories CNET has one.
The guy claims inside knowledge in the title, and while there are electronic fields and magnetic fields, at certain frequency ranges they tend to be closely coupled and thus you can refer to them as electromagnetic fields. This is not the case at really low frequencies (below normal radio) so it would be more accurate there to say that you have 2 distinct fields.
An electric field is present when a device has electricity (even if off, if its plugged in there is an electric field). A magnetic field is caused by current flowing through a device. At 13.56 MHz (well into the radio spectrum) odds are high that there would be a EM field that could be decoded. I have not played with this specific device but my guess is that with appropriate radio receivers and DSP algorithms you could read the devices transmission data from greater distances. Of course you still have to supply power to the device, which the readers all have built in.
I would be more concerned with someone reading it and identifying me as American than with them getting my name (which I use freely both here and on my website), date of birth (which even the government messed up on and is incorrect there, didnt catch it until the credentials were issued), etc. If they are close enough to read the facial data off my passport they are close enough to take a picture and generate their own facial biometric data.
How about a smart bomb reacting to the presence of enough RFID of the correct type (ie: US citizens)?
just throw it in the microwave for 5 seconds...no more chip...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.