Analysis of Electronic Passport Security

These comments on the security of electronic passports are an excellent primer on the dangers of the technology. Definitely read Attachment 1: "Security and Privacy Issues in E-Passports," a more technical paper by Ari Juels, David Molnar, and David Wagner.

Posted on April 11, 2005 at 8:11 AM • 3 Comments

Comments

Israel TorresApril 11, 2005 8:54 AM

Aside from the obvious vulnerabilities stated in Attachment 1 (attacks on the technology itself). There is little mention of the vulnerabilities rooted in the registration phase of "E-Passport" deployment. If an attacker can successfully manipulate the system at the root such as to convince the system the attacker is a legitimate authorized entity through a battery of attacks (e.g. social engineering, identity theft, etc...) all this technology is no better than current forms of identification. In fact it becomes more of a danger since the identification issued will be deemed almost irrefutably correct. Of course they may not be as simple to forge, but then there really is no need to technically forge something that one can gain legitimately and remain illegitimate at the same time.

Israel Torres

CypherpunkApril 11, 2005 12:37 PM

One of the key points from the Attachment 1 analysis (which they didn't emphasize, apparently because it didn't suit their political purpose) is that some biometrics are more dangerous than others. Fingerprints are somewhat problematic because they are more private and are being used in other contexts, as well as being easier to fake. Facial features are the primary biometric being used in ePassports and they are relatively less sensitive because of obviously being public data.

lionApril 12, 2005 1:14 AM

I don`t realy understand why the US government doesn`t want to use the BAC. BAC will be used in all European countries because of the problem of sniffing and reading out your private data from the distance. Perhaps they want to be able to use this for their own purposes? :)

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..