Schneier on Security
A blog covering security and security technology.
« Texas Cars with RFID Chips? |
| Insider Attack Against Citibank »
April 11, 2005
Analysis of Electronic Passport Security
These comments on the security of electronic passports are an excellent primer on the dangers of the technology. Definitely read Attachment 1: "Security and Privacy Issues in E-Passports," a more technical paper by Ari Juels, David Molnar, and David Wagner.
Posted on April 11, 2005 at 8:11 AM
• 3 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Aside from the obvious vulnerabilities stated in Attachment 1 (attacks on the technology itself). There is little mention of the vulnerabilities rooted in the registration phase of "E-Passport" deployment. If an attacker can successfully manipulate the system at the root such as to convince the system the attacker is a legitimate authorized entity through a battery of attacks (e.g. social engineering, identity theft, etc...) all this technology is no better than current forms of identification. In fact it becomes more of a danger since the identification issued will be deemed almost irrefutably correct. Of course they may not be as simple to forge, but then there really is no need to technically forge something that one can gain legitimately and remain illegitimate at the same time.
One of the key points from the Attachment 1 analysis (which they didn't emphasize, apparently because it didn't suit their political purpose) is that some biometrics are more dangerous than others. Fingerprints are somewhat problematic because they are more private and are being used in other contexts, as well as being easier to fake. Facial features are the primary biometric being used in ePassports and they are relatively less sensitive because of obviously being public data.
I don`t realy understand why the US government doesn`t want to use the BAC. BAC will be used in all European countries because of the problem of sniffing and reading out your private data from the distance. Perhaps they want to be able to use this for their own purposes? :)
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.