RFID Passport Security Revisited

I've written previously (including this op ed in the International Herald Tribune) about RFID chips in passports. An article in today's USA Today (the paper version has a really good graphic) summarizes the latest State Department proposal, and it looks pretty good. They're addressing privacy concerns, and they're doing it right.

The most important feature they've included is an access-control system for the RFID chip. The data on the chip is encrypted, and the key is printed on the passport. The officer swipes the passport through an optical reader to get the key, and then the RFID reader uses the key to communicate with the RFID chip. This means that the passport-holder can control who has access to the information on the chip; someone cannot skim information from the passport without first opening it up and reading the information inside. Good security.

The new design also includes a thin radio shield in the cover, protecting the chip when the passport is closed. More good security.

Assuming that the RFID passport works as advertised (a big "if," I grant you), then I am no longer opposed to the idea. And, more importantly, we have an example of an RFID identification system with good privacy safeguards. We should demand that any other RFID identification cards have similar privacy safeguards.

EDITED TO ADD: There's more information in a Wired story:

The 64-KB chips store a copy of the information from a passport's data page, including name, date of birth and a digitized version of the passport photo. To prevent counterfeiting or alterations, the chips are digitally signed....

"We are seriously considering the adoption of basic access control," [Frank] Moss [the State Department's deputy assistant secretary for passport services] said, referring to a process where chips remain locked until a code on the data page is first read by an optical scanner. The chip would then also transmit only encrypted data in order to prevent eavesdropping.

So it sounds like this access-control mechanism is not definite. In any case, I believe the system described in the USA Today article is a good one.

Posted on August 9, 2005 at 1:27 PM • 78 Comments

Comments

Gary • August 9, 2005 1:41 PM

The article actually says:

The State Department is also considering adding a layer of protection by encrypting the information so it can be read only by authorized devices, Moss says.

That word 'considering' is key.

Bruce Schneier • August 9, 2005 1:43 PM

I have additional information that this is more than a consideration, that this is the current design. But yes, the final system has to actually implement the access-control system.

Vlad • August 9, 2005 1:49 PM

Wouldn't having to open the passport and swipe it through an optical reader defeat the ostensible purpose of using RFID in the first place? Wouldn't it now take as much work to retrieve the information as it would using a device requiring physical contact?

Bruce Schneier • August 9, 2005 1:51 PM

That's a good question. My guess is that the original State Department justification for having an RFID chip -- it's hard to get the alignment right for a contact chip -- has some merit.

Joe A • August 9, 2005 2:14 PM

A question related to Vlad's question: why not just encode the information in a 2D barcode? Do passports really need read/write functionality, or do they need to hold so much data that a bar code can't capture everything? This whole effort strikes me as a technology searching for a problem plus a successful lobbying effort.

flo • August 9, 2005 2:31 PM

i suppose the big deal is that you have way more place to store data on the chip. you could add all kinds of data, without having to scan 10 pages in the passport. also, the rfid/optical combination isn't new, it has been made public quite a while ago that germany will introduce passports using this technology soon (this year?)

mcr • August 9, 2005 2:36 PM

If I remember correctly, the privacy feature was made up here in Germany. Privacy groups and Data protection appointees fought for it. Good news: you'll have it too.

The data on the chip will contain at least the picture that's printed on the ID-card, and soon something between 2 and all 10 fingerprints (depends on country). Optionally more BiometIDs, like retina-scans, earprints, what-else-can-you-think-of....
Too much data to fit into a barcode ;-)

TheMatt • August 9, 2005 2:38 PM

@Joe A, I'm not sure there is enough space for all the info the gov't wants. The largest 2D barcode that is easy to read is probably a QR or DataStrip with around 3000 bytes. I think hueCode can do around 40 KB/sq in, but you need a slow scanner to read it.

Bruce Schneier • August 9, 2005 2:41 PM

"A question related to Vlad's question: why not just encode the information in a 2D barcode? Do passports really need read/write functionality, or do they need to hold so much data that a bar code can't capture everything?"

That's an easy one. They need more information on a passport than either the machine-readable text or a 2D barcode can contain.

Bruce Schneier • August 9, 2005 2:42 PM

Assume that there'll be a digitized photograph stored on the chip. And perhaps eventually fingerprints. And maybe other biometrics.

I don't know if there are any plans for this, but you could also imagine a series of different documents -- visas and the like -- stored on the chip as well.

K • August 9, 2005 2:54 PM

How long until tools come out to let you alter the photograph stored on the chip as easily as pasting a new one into the passport? Even assuming a two-key system (one on the reader, one on the passport), it doesn't take a big leak before anyone holding the passport can put what they like on it. How tamper-proof can something you keep with you all the time ever be?

Bruce Schneier • August 9, 2005 2:57 PM

Presumably the photographs will be digitally signed. Yes, that's not foolproof. But you can design hardware and cryptographic controls to make it pretty damn good.

That's not the hard problem here.

Dennis Carmen • August 9, 2005 3:00 PM

I'd still feel more secure if the passport was fully optical. You can still power the passport's chip using a radio frequency signal, and you can be more confident that the data stream is secure. Using RFID technology just seems to be an unnecessary expense.

ECMpuke • August 9, 2005 3:23 PM

The bulk of material to be stored is read-only.
It should be a simple matter to burn necessary data into an optically-readable medium such as is used in CDs or DVDs. About the only limitation would be the design of the reader so as to insure alignment. New data that needs to be put in place would be the place, time and circumstances of each border crossing.
None of this is difficult technology.

SAH • August 9, 2005 3:45 PM

Bruce said: "Presumably the photographs will be digitall(y) signed. Yes, that's not foolproof. But you can design hardware and cryptographic controls to make it pretty damn good."

Did you mean the signing of the photos can be done perhaps offline, at limited, secure locations and therefore monitored and controlled? Given the large volume of passports and their relatively large longevity, could you kindly shed light on how one protects against a key being compromised?

Filias Cupio • August 9, 2005 4:28 PM

I'm an amateur at this, but here are my thoughts on altering the content of a passport:

Threats:
1) Rewriting the chip in the passport:
1a) Borrow a legitimate writing machine to do the job
1b) Steal a legitimate writing machine
1c) Create a writing machine
2) Replacement of the RFID with a custom one that the forger can alter at will.

Countermeasures:
0) Make some sections of the chip write-once. The circumstances where someone's name, sex, date of birth or fingerprints change are rare enough we can just issue a new passport to cover them.
1) Require the writing machine to use a public key. There are two variations: the key is unique to the machine, or the machine passes the data online to a secure central server which has the key. Possibly you can do both, having the local key as a fall-back if the network is unavailable for a long time. In any case, anything written by the writer is reported back to a central server.
1a) The modified data is written, but is reported to the central server and may get picked up in auditing.
1b) The keys from stolen machines are reported as no longer valid. The altered passport will be usable only for a brief time before the readers start rejecting it.
1c) Should be impossible without extracting keys from a legitimate machine, which should be impossible without destroying the machine - which reduces to case 1b.
2) (This attack is likely to only be available to major intelligence agencies.) Put a hardware private key in each RFID. Store the public keys in the central server(s). If possible, readers verify the legitimacy of the key when they read it. If not, they store the information for later transfer, so forgeries can at least be detected after the fact.

This makes it hard enough for the bad guys that they resort to a simpler attack:
3) Find the details of someone of appropriate age and sex who is eligible for a passport, but unlikely to get one. Impersonate them to get a passport in their name, but with your biometrics.

Roy • August 9, 2005 5:00 PM

The "alignment problem" for contact-based chips is a canard. Smartcards solved that years ago. And while some sort of RF shielding may help, I suspect it won't be foolproof. As for encrypting the contents, what about the possibility that a GUID is left in the clear? It wouldn't be "part of the personally identifiable data", so it could be elided in official discussion, yet it would still allow the RFID feature to be used as a taggant for tracking the holder (much as cookies track browser users, though not necessarily with a meatspace correlation). Even without a GUID (or without the correlating database), the chip still can function as a coarse identifier, marking the carrier as a U. S. passport holder.

JD • August 9, 2005 5:59 PM

How good is the shielding? If it's good enough to shield the contents of the RFID chip, but not good enough to shield the existence of the RFID chip, there's still the issue (which Bruce brought up in an earlier post) that carrying a passport could be like waving a flag saying "American citizen" to any potential attackers.

Rob Mayfield • August 9, 2005 6:08 PM

Hacking this kind of system could result in very interesting events. Imagine if someone managed to change the details on all the passports that passed within range of a certain point to contain bogus data of some kind - say everyone who entered via a certain door over a period of a half hour all ended up with mickey mouse as their passport photo. In some airports that could be thousands?

... and restoration, what backup is there if the primary system is compromised? how will the data be reloaded, and from where, under whose authority, and validated how?

I guess the upside of such technology is that it should be relatively easy to detect people operating systems that have the ability to change data on rfid tags (they are a source of rf after all), or even jam potential signals in all areas except where permitted rfid interfacing is allowed (I'm no expert on this but I imagine it probably comes down to s/n ratio and proximity, as long as the freq used isn't critical to air traffic). Obviously this would only be practical in places like airports etc where large concentrations of people with these devices can be found, but that's probably where they'd be targeted mostly.

Scote • August 9, 2005 6:16 PM

It does seem that there is no point to RFID if the Passport is going to have to be physically swiped for a key anyways. But, what is the point of a key if it can be cached? Wouldn't it be possible to keep a list of keys? You have to show your passport to get into countries and in many countries you have to give your passport up to hotels and such where they, too, can copy the key.

It seems to make sense to use proven Smart Card technology. I'm not swayed by the "alignment" issue since we deal with Smart Cards every day. It is a mature technology that isn't vulnerable to the same remote tracking that RFID is.

Filias Cupio • August 9, 2005 6:26 PM

Has anyone gone to the Smart Card manufacturers and said "show us that you can solve the alignment issue, and there might be a big contract in it for you"?

&rw • August 9, 2005 6:30 PM

I sure hope that no one'll decide that the tinfoil-shield's "too expensive"/"cumbersome". Because that key's printed on, it's not a session-key, once you have that, it's over with the privacy and control.

Yaniv Pessach • August 9, 2005 6:43 PM

The system as described still lets people follow me around - even if the RFID passport data is encrypted, it is the same on every read, therefore you can identify that 'this passport belongs to the same person as the one I scanned yesterday'. So assuming the metallic cover does not work perfectly, this is a 'track me around' system; and even if the metallic cover works, the ability of an attacker to get my identity (defined as: the full output of the rfid data) is a threat.

Rob Mayfield • August 9, 2005 7:18 PM

@Yaniv Pessach - "therefore you can identify that 'this passport belongs to the same person as the one I scanned yesterday'"

Indeed, there would be nothing stopping anyone reading the card, taking a photo of you and associating the two. Then associate that with the credit card you used to pay for your goods or services, your vehicle registration number, etc etc. The fact they can't decrypt the contents doesn't mean it can't be used - in fact the crypted contents would likely form an absolutely unique hash to associate with.

elegie • August 9, 2005 7:53 PM

@Yaniv Pessach:
What they might do is have an initialization vector system for the encryption. This involves randomly-generated data which is used in the encryption process. (It does not have to be secret.) When the encrypted data is sent along, the random data (not encrypted) is included. This way, the encrypted data appears different each time.

Ari Heikkinen • August 9, 2005 9:21 PM

So how much did they pay you, Bruce?

To me, it still don't make any sense to use RF at all, because the card is swiped anyway. I'm sure if they implemented say USB on the chip it would probably be cheaper, faster to read, simpler to implement, more reliable and more secure. It seems to me like any debate on it is useless, because they've already decided to go with RF no matter what.

Bruce Schneier • August 9, 2005 10:22 PM

"So how much did they pay you, Bruce?"

Nothing. I don't think this is selling out here.

"To me, it still don't make any sense to use RF at all, because the card is swiped anyway. I'm sure if they implemented say USB on the chip it would probably be cheaper, faster to read, simpler to implement, more reliable and more secure. It seems to me like any debate on it is useless, because they've already decided to go with RF no matter what."

There isn't enough data in the swipe; I knew that -- and wrote it -- from the beginning. The access-control system is a good one; I'm happy with it.

Bruce Schneier • August 9, 2005 10:31 PM

"So assuming the metallic cover does not work perfectly, this is a 'track me around' system; and even if the metallic cover works, the ability of an attacker to get my identity (defined as: the full output of the rfid data) is a threat"

Agreed. If we assume that the security doesn't work properly, this isn't a good system. But if we assume that both the access control and the metallic cover work properly -- and they're not that hard to get right -- then the system is good.

As I've said before, the devil is in the details. Reserve final judgment for when we have actual prototypes to play with.

Bruce Schneier • August 9, 2005 10:33 PM

"It does seem that there is no point to RFID if the Passport is going to have to be physically swiped for a key anyways. But, what is the point of a key if it can be cached?"

I assume that all keys will be cached; they'll be stored with the rest of the passport information. That's why the metallic cover is so important; without it the system has a gaping hole in it.

mcr • August 10, 2005 1:30 AM

Here in Germany, the key is calculated from the numerical data printed on the passport. These numbers contain a passport-number, birthday, expiration date and some checksum on that.
Without that key you may not even access the data within the chip.
There is no need to cache the key, because you can simply recalculate the key from these values.
The thing is, you don't know the numbers from just passing by. You would at least have to find out some data about the person behind the passport, which is more complicated than getting the passport itself.

Exodus • August 10, 2005 1:42 AM

The anti-counterfeit measure is worthless as you can still copy the passport if you somehow can borrow the passport. Biometrics are easily circumvented and non-revocable.

And then you have the problems escalating. All the investments are made and the project is creating false security. No-one will take the blame and pick up the bill, so all lose.

The consequence when this reality is obvious, is implementing a desperate Brin-type trackback approach to the real person and then we have constant centralised surveillance and tracking a reality without security.


The real problem here is that they want strong security but are trying to jump the fence with cheap security that is still too costly for most - ie. the worst of both worlds. The richer countries might be able to and even willing to pay for the cost, but there is no way to pay for the cost for all the poor people in the less developed countries.

And in the meantime ICAO makes the REAL ID Act a peanut problem because it implements and enforces a GLOBAL ID system through the backdoor.

What the communist regimes weren't able to do - uphold the Iron Curtain - US is enforcing through surveillance and control.

Welcome to the Age of the Digital Iron Curtain where FREE means government controlled and the term freedom-fighter has been redefined to terrorist.

There are real terrorists out there, but the abuse of fear-politics to destroy democracy is scaring. If we define a terrorist as a threat to democracy we should at the top of the list include all the naive politicians and technocrats in favour of fake security.

Chung Leong • August 10, 2005 1:48 AM

@Ari Heikkinen,

"To me, it still don't make any sense to use RF at all, because the card is swiped anyway. I'm sure if they implemented say USB on the chip it would probably be cheaper, faster to read, simpler to implement, more reliable and more secure."

I think the justification is that a contactless interface is more robust than something that requires a connector. Remember, people who live abroad carry their passports with them at all times. The passports will get sat on; they will get wet. You need a technology that can stand up to the daily wear and tear, remaining functional for ten years. RFID can apparently deliver that.

Scote • August 10, 2005 1:51 AM

mcr wrote "There is no need to cache the key, because you can simply recalculate the key from these values."

My point was that the key could be cached and kept in a database that can be transmitted anywhere. Once the key is in the wild, the RFID data can be read anywhere if the shield doesn't work perfectly. And the key can't be changed.

Of course, reading the data again is unnecessary since once the data has been read by the country you are entering they can associate it with the possibly imperfectly shielded RFID and track you anywhere in country. Even if the shields do work on the RFID, it is possible that the shields themselves will have an identifiable signature, allowing people to remotely single out Americans. Plus, the shields could make Passports set off metal detectors causing you to have to hand over your passport every time you go through one.

RFID for passports: a poor idea whose time has not yet come.

lion • August 10, 2005 2:03 AM

the security systems are described in the icao document "PKI for Machine Readable Travel Documents offering ICC read-only access v1.1" (http://www.icao.org/mrtd/download/documents/TR-PKI%20mrtds%20ICC%20read-only%20access%20v1_1.pdf)

passive authentication: the contents of the datagroups are hashed, signed and this security object is saved on the chip.
(to overcome this - if you want to change data - you have to get hold of the private key from your country's pass production authority)

active authentication: to ensure the chip is not a copy. private key is stored in a secured place on the chip, public key stored in a datagroup. challenge response to verify that chip knows the private key.

basic access control: access to the datagroups restricted. reader has to calculate a key from the mrz of the passport. challenge response to verify. secure messaging to prevent eavesdropping.
->if you know the relevant parts of the mrz you can calculate the key. but if you know those parts you know most part of the data which is stored on the passport and you don't have to read it from the chip.

->i think that for sure there will be ways to attack this authentication because of the way it works. but for the data it protects I think it's a good choice.
Perhaps Bruce can look into the ICAO documents and comment on the Basic Access Control algorithm.

->for later implementations which will include biometric data they are working on an extended access control to secure those data.

Harko • August 10, 2005 3:42 AM

Usage of Basic Access Control (BAC) is indeed a great step forward. The next question is: will the implementation be sufficiently secure? Two weeks ago at the WhatTheHack conference in the Netherlands, we presented flaws in the BAC design of the new Dutch passport under development. The strength of the encryption proves to be 35 bits rather than the claimed 50-55 bits. That's rather poor. Note that this weakness only applies to eavesdropped data; it cannot be used to query the chip. For more detail, see: http://www.riscure.com/news/passport.html. The presentation can be downloaded from http://www.riscure.com/wth.html. Home Affairs claimed that they were not aware of the problem and will look at improving the design.
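An added example, not part of the original post or any comment: a Python sketch of the Basic Access Control key derivation that mcr and lion describe, following the scheme published in the ICAO specification lion cites (SHA-1 over the printed MRZ fields, then two 3DES keys), together with the key-space arithmetic behind Harko's point about effective strength. The MRZ field values are sample data, not a real passport, and the candidate counts in the entropy estimate are illustrative assumptions, not Riscure's figures.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # MRZ check-digit weights, repeated across the field


def mrz_check_digit(field: str) -> int:
    """ICAO check digit: digits keep their value, A-Z map to 10-35, '<' is 0."""
    total = 0
    for i, ch in enumerate(field):
        if "0" <= ch <= "9":
            value = ord(ch) - ord("0")
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character: {ch!r}")
        total += value * WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Concatenate the three printed fields, each followed by its check digit."""
    if len(doc_number) > 9 or len(birth) != 6 or len(expiry) != 6:
        raise ValueError("expected document number <= 9 chars and YYMMDD dates")
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + str(mrz_check_digit(f)) for f in fields)


def _odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so the byte has odd parity (DES key format)."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        ones = bin(high).count("1")
        out.append(high | (0 if ones % 2 else 1))
    return bytes(out)


def derive_bac_keys(doc_number: str, birth: str, expiry: str) -> dict:
    """Derive the seed and the two-key 3DES encryption and MAC keys.

    Nothing secret enters this function: every input is printed on the
    data page, which is why the key protects only a closed passport.
    """
    info = mrz_information(doc_number, birth, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]

    def kdf(counter: int) -> bytes:
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])

    return {"k_seed": k_seed, "k_enc": kdf(1), "k_mac": kdf(2)}


def key_space_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Effective key strength in bits, given candidate counts for each field."""
    return math.log2(doc_numbers) + math.log2(birth_dates) + math.log2(expiry_dates)


# Assumption: 9-digit numeric document numbers, any birth date in 100 years,
# any expiry date in a 10-year window.
NOMINAL_BITS = key_space_bits(10**9, 36525, 3652)
# Assumption: an observer who can bound the holder's age to about ten years,
# the expiry date to one year, and the document number to a million candidates.
NARROWED_BITS = key_space_bits(10**6, 3652, 365)

if __name__ == "__main__":
    # Sample MRZ field values (not a real passport).
    keys = derive_bac_keys("L898902C", "690806", "940623")
    print("MRZ information:", mrz_information("L898902C", "690806", "940623"))
    for name, value in keys.items():
        print(f"{name}: {value.hex().upper()}")
    print(f"nominal key space:  {NOMINAL_BITS:.1f} bits")
    print(f"narrowed key space: {NARROWED_BITS:.1f} bits")
```

The 3DES keys are 112 bits long, but the strength of the scheme is bounded by how well an eavesdropper can guess the three printed fields, which is the quantity `key_space_bits` estimates.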

Martin Budden • August 10, 2005 3:49 AM

You've overlooked a threat. One of the security risks associated with a passport is having it stolen. If a passport has an RFID chip in it then, unless the shielding is perfect, thieves can detect people who have passports and target them. On vacation you may not want to leave your passport in your hotel, but you don't want to advertise that you have it on your person (or in your bag).

Now I doubt the shielding on these passports will be perfect. It will also deteriorate with time (my passport is pretty dog-eared). And thieves don't need to read the data on the RFID chip, they only have to detect its existence.

Nigel Sedgwick • August 10, 2005 4:17 AM

@Martin Budden, who wrote: "You've overlooked a threat. One of the security risks associated with a passport is having it stolen. If a passport has an RFID chip in it then, unless the shielding is perfect, thieves can detect people who have passports and target them."

Excellent additional point.

Given all the fuss about RF adding risks of passport detection, some possibility of target classification, some possibility of invasion of privacy, perhaps additional risks as yet unidentified, and the very limited to non-existent benefit (compared to contact chips etc), surely it is time to give up on promulgating RF in passports and other critical/compulsory documents.

@Scote, who wrote: "RFID for passports: a poor idea whose time has not yet come."

Good one. Please may I try and improve on it:

RFID for passports: a poor idea, now realised, whose time has passed.

Best regards

Giorgos • August 10, 2005 4:20 AM

A possible security hole (copying from USA Today's article): "If the chip is broken or malfunctions, the holder can continue to use the passport as a non-electronic passport, or buy a new one."
Which version will a terrorist use? The electronic or the broken one???

Shai Revzen • August 10, 2005 5:09 AM

Bruce, I really don't buy the "contact is difficult" argument. Given *any* RF signal, you can always get the same system to work with a single contact electrode - since that is really what an antenna is - an electrode designed to "leak" its energy as photons. Just chop off the antenna, and make a single huge contact instead.

As I've mentioned before, the only way RF makes sense is if you want to access it remotely. Which is why governments like the RFID solution: access it remotely, and verify remotely readable biometrics like faces and walking gaits. This way you narrow down the number of "suspects" you have to deal with in a public place.

BTW, did anyone notice a security problem with deriving the access key for the RFID from the optically readable data? It means anybody who has seen the front page can automatically know your fingerprints, and copy any other biometrics stored in the chip. If the key generation data only contains easily obtainable information, like DOB, etc. it just made it a lot easier for people to obtain your fingerprints without your knowledge. I see a crime novel in the making...

And no, it is not an accident that I consider the "RF shielding" completely bogus. The only real protection possible is to ensure that the chip cannot be energized without physical contact.

Clive Robinson • August 10, 2005 5:56 AM

One point every one has missed, what happens when the RFID reader etc does not work.... It defaults to the old view by eye process...

I smell a pocket DOS attack: you make a little noise source with about +30dBm output in the RFID band in question, bingo your faked passport looks broken.

Now as the guys looking at the passports have got out of practice, it will make getting a fake by them that much easier...

@Joe A
I'm glad I'm not the only one who thinks the 2D barcode is a good idea, I did discuss the pros and cons in an earlier blog posting, and I reckoned it would be about enough to hold a small sized public key not more.

@SAH
Actually it is quite difficult, people in the Cambridge Labs in the UK showed that all digitally signed images, fail with only minimum (almost non visible) distortion. The average passport gets sat on, sweated on, badly bent and run over quite frequently (it's why the 2D bar code on a credit card sized item is only good for about 2K).

@JD, Bruce Schneier
The problem is two fold, as the RFID contains a tuned circuit, it is always going to be detectable in a sufficiently strong RF field (think store security tags) irrespective of the level of "practical" shielding. Which by the way is very difficult to get right and is always going to age / get damaged and fail anyway. So a passport carrier can be identified.

The second issue is if the RFID announces its presence in a way that identifies the nationality of the person carrying it. Again as the bods at the Cambridge Computer labs and others have found, it is extremely difficult to design a chip that cannot be characterised by its timings etc (see some of my earlier posts for more details).

@Ari Heikkinen
Your comment was a bit low, basically there is a significant problem with contact systems, they suffer from mechanical wear, even the best Smart card systems start to be flaky after 15-50 thousand uses. Replacing the contact reader, means another connector, which is maybe good for a thousand changes. In an airport with 20 million people going through each year it would be a nightmare to deal with.

Nigel Sedgwick • August 10, 2005 7:10 AM

@Bruce, who wrote: "That's an easy one. They need more information on a passport than either the machine-readable text or a 2D barcode can contain."

@Bruce, who wrote: "There isn't enough data in the swipe; I knew that -- and wrote it -- from the beginning. The access-control system is a good one; I'm happy with it."

Today, from an article on the upcoming Italian identity card:

http://www.publictechnology.net/modules.php?...

I found the following:

"Developed in close cooperation with various agencies of the Italian government, the foreign worker card uses the same LaserCard optical memory platform and follows the same format as the citizen ID card. Each card contains a secure one megabyte optical memory stripe in which an individual's demographics, color facial image, digitized signature, fingerprint and other biometrics are recorded."

Now, I see that (in the detail) Bruce is "only" claiming that storage capacity is insufficient for machine-readable text, 2D bar codes and swipes. However, I see (in what he writes) an implicit argument (in addition to the explicit one of contact chips being impractical), that there are no other non-chip technologies that would have sufficient memory capacity for what is needed.

Is LaserCard's 1MByte optical memory stripe (and any competitive products) deficient in some way? If so, how?

Best regards

Nigel Sedgwick • August 10, 2005 8:32 AM

@Clive Robinson, who wrote: "Your comment was a bit low, basically there is a significant problem with contact systems, they suffer from mechanical wear, even the best Smart card systems start to be flaky after 15-50 thousand uses. Replacing the contact reader, means another connector, which is maybe good for a thousand changes. In an airport with 20 million people going through each year it would be a nightmare to deal with."

Well, I'm not a mechanical engineer or a materials scientist. However, I estimate that the rotor arm in my car makes typically 50,000 contacts in just over 4 minutes when cruising. 20 million contacts comes up after about 28 hours.

Are you sure that the lifetime you quoted is not that designed to meet a reasonable operational MTBF requirement in an application of lower workload than border checks of passport digital data?

Best regards

ECMpuke • August 10, 2005 9:25 AM

An RFID tag does not necessarily contain a "tuned circuit." That's very old and obsolete technology, and it's not being used in RFID.
Even if it did, a lossy shielded enclosure will take care of it.
A very simple metallized mylar, foil or conducting mesh enclosure will attenuate both interrogate and response enough to make the thing undetectable. If you want to get a bit fancier, include a lossy material (such as carbon fiber) in the shield, so the shield itself won't be detectable.
RFID is a weak, brittle technology. Once a few ECM pros start messing around, it's done as a threat.
Interrogators can ALWAYS be detected beyond operating range. Once you know there's an interrogator around, you have many countermeasure options, including saturation, jamming, spoof, deception... A priori techniques include stealth...that is, non-detectability.
The dinner bell is ringing!

Clive Robinson • August 10, 2005 9:27 AM

@Nigel Sedgwick

The lifetime I quoted is that given by smart card manufacturers from a few years back (remember Mondex?) when I was involved with them (for hotel security and bar payment systems). Admittedly these were not premium parts but you generally only use those in test systems, due not only to their cost but their increased physical size etc.

The problem is one of making reliable contact using low force, whilst allowing for the gunk that people accumulate in their pockets, and still reliably communicate large quantities of data, at reasonable speeds.

The rotor arm in your car works on the principle of "Current Wetting" where the high current burns through oxide added to the large mechanical force of the contact closure it is sufficient to ensure some electrical contact. To the car it does not matter if it is one good contact or many lesser contacts in quick succession, the car does not really care about contact bounce etc, it is sorted out by the small capacitor mounted on the rotor arm. Also the contacts are in a closed environment and to a certain extent protected from extraneous muck.

I suspect that although there has undoubtedly been improvements in the contact rates, they will be at a considerably greater expense than most manufacturers of "low cost" systems that governments buy (see the finger print scanners they use at airports) are prepared to stomach.

Dennis Carmen • August 10, 2005 10:29 AM

@Shai Revzen
I agree. The main thing an RFID system adds to the equation is remote surveillance. However...

I did a quick web search on optical cards. I was surprised to find that optical card was synonymous with optical disk. The only reason I can find to use RFID is market driven. I've been looking for an "OPID" card, and they don't seem to exist. This is what such a card would look like:

- An OPID card would still be powered by a radio frequency (RF) signal. No need for contacts.
- Communications would be achieved via an LED and a light sensor. The data transport would thus be an optical link instead of an electrical link.

If this technology existed, there'd be no reason to use RFID for passports. The only thing I can figure is that either this technology is too expensive (compared to RFID) or that the industry is already too emotionally committed to the RFID approach.

Exodus • August 10, 2005 11:11 AM

Basic access control is presently Security by Obscurity.

If it is anything like EPC generation 2 security, it is worthless as you can simply read the key from a distance while the passport is being authenticated.

RFID Passports are a security disaster waiting to happen - and the bureaucrats continue to claim that it will increase security. Who is liable, when they are proven wrong?

Davi Ottenheimer • August 10, 2005 11:16 AM

Looks like we're starting to see a reasonable approach, but I would have expected nothing less of you Bruce. ;)

Now, if countries of the world could just put aside all those security concerns again and leverage technology to make more convenient travel identity devices. Maybe if they found some way of connecting us via RFID to every little obscure fact as we travel through foreign and interesting spaces...oh, wait that's what our cell phone is for (rough translation):

http://babelfish.altavista.com/babelfish/...

jammit • August 10, 2005 11:26 AM

I believe the security is pretty good. The RFID in this case is used as another verification of the actual passport and not used in place of the passport. If for some odd reason the RFID doesn't "jive" with the paper, then a few more minutes going over the documents and checking with the appropriate embassy will clear things up quickly by either letting an unfortunate soul through or nailing the right guy.

Ari Heikkinen • August 10, 2005 1:30 PM

I'm still a bit shocked that Bruce converted so easily to saying "it's easy to get it right" as we all know it's extremely hard to even get contact chips secure even if there isn't any encryption involved. Here we have something that transmits over RF of which security totally depends on strong cryptography and getting it absolutely right. Sorry if I'm a bit skeptical about it. In my opinion it would be totally silly to assume anything other than snake oil until we see complete technical details and have actual prototypes to try out (and even then spotting weaknesses and getting it absolutely right will be anything but easy while anything contact would be automatically safe for this application).

Erik Carlseen • August 10, 2005 1:43 PM

Problem solved!

What if, rather than using RFID, SmartCard, or some other electronic means to store the information, we actually used this technology called 'Printing' - we would use a grid of colored pixels to create an image of the passport holder directly on the material the passport is made of! We could also use 'text' and 'language' to encode information on the owner of the passport on the facing page!

This approach has several advantages:
* It's inexpensive and easily implemented with technologies that have been matured over several thousand years.
* It can be processed by a customs or other law-enforcement agent without the need for expensive or cumbersome equipment. Can you imagine how cool it would be if the passport could be matched to its holder quickly and easily by almost anyone?
* It's probably no more or less secure than any of the electronic measures described in this forum (at least once hackers and organized crime get to attack it for a few years / months / days / hours / minutes).
* It could be implemented world-wide immediately, as any government would likely have the resources to manage it.


Wait, you mean somebody already...

Shit.

Well, what if we could add an 'evil icon' - similar to the 'evil bit' - to help identify bad people....

Yaniv Pessach • August 10, 2005 4:47 PM

Following up on the 'identify me' attack:

1. Will the 'metal cover' be effective against sensitive electronic equipment?
2. Will it be effective against the equipment people will have in 10 years? (10 years is a lifetime of a passport. People will not download patches for their passports nor will they rush in to 'get a new one' due to a security issue).
3. Will I have to open the metal cover when I show the passport (as my form of ID) to non-border-patrol personnel? At that time, a 3rd party can get my unique identity key.
4. How secure will the machines at the border patrol that host the 'secret key' be? Even if it is very secure, how hard will it be for a foreign power (or a rich criminal organization or a rich terrorist organization) to simply steal the scanning machine holding the secret and analyze it at their leisure?
5. What's the contingency plan if the secret 'encoding key' is made public (somehow)? Telling 100 million people to get new passports?

Frank Rieger • August 10, 2005 7:10 PM

As has been recently shown, the keyspace for the Basic Authentication key is shorter than claimed. The specification for Basic Authentication defines that the access key will be generated out of the Machine Readable Zone (MRZ). Depending on country specifics, the MRZ contains the Name, Date of Birth, issuing passport office, issuing date, validity period and passport number. At least for the Dutch passports it has been shown at the What The Hack conference by Marc Witteman that the keyspace is smaller than expected. Passports are seldom issued on weekends, so 2/7th of the space of that field is unused. The Dutch passport numbers apparently show a statistical increase of about 50.000 per working day. The IDs of the issuing passport office do not fill up the character space of the respective data field. In short, if an attacker can listen to the communication between legitimate reader and passport (which must be assumed), he probably can, with a bit of knowledge, reduce the search space of the key to manageable dimensions, way below 56 bit (Witteman assumed around 35 bit). Thus at least one important attack scenario exists that presents a real risk to privacy and security.

I wonder a bit about your sudden enthusiasm for RFID in passports. There is no need for this, except the need of the RFID industry to finally have generous government sponsoring and a large scale test case. All security requirements can easily, safely and cheaper be solved by other, less risky means, especially with security printing technologies. Keep in mind that so far all countries state that a passport without working RFID is still a valid travel document, just that the owner might be submitted to deeper scrutiny. Also it is worth thinking about the real-world procedure on the border. The border guard will ultimately rely on the machine. When it makes beep and the green light goes on, the guard will most probably wave the passenger through, which might be just slipping by with a transplanted chip and a modified MRZ on his passport.

Jef Poskanzer • August 10, 2005 10:05 PM

I did a little googling for how much data they propose to store in the passport's RFID chip. Unless I'm mis-reading things, it's less than 100 bits. That is less than the barcode would store. I must conclude that the RFID and metal cover are redundant and add security risks, so they should re-design the system to use only the barcode.

Glen Turner • August 11, 2005 2:21 AM

Bruce, I doubt there is sufficient trust between all governments for visas to be encoded onto the RFID chip. Would the US trust Iran to alter the information on a US citizen's passport's RFID chip?

As a non-US person I must say I'm glad that a contactless scheme is being pursued. An RFID passport scanned outgoing at Sydney is likely to still work when scanning incoming at LAX. I don't have the same faith in a contact.

In any case, what is the procedure when the RFID chip fails? Am I refused entry and put on the next plane back to Australia? With the current passport it is apparent to me when packing my bags that it still "works", and I can get it replaced before boarding.

Dirk Wetter • August 11, 2005 11:50 AM

The USA Today article is rubbish. The writer didn't understand the difference between RFID technology and smartcard chips.
Speaking of it: I don't understand in the first place why for the passports RFID chips instead of smartcard chips should be used (except the price). The latter ones are considered to be more secure for several reasons. The important one being you need A CONTACT AND NOT TO BE SOMEWHERE in the surroundings. How about replay attacks while the officer is sending the key and reading out my bio data? I doubt that somebody needs to be closer than an inch, maybe with the right angle.... As long as this is not proven over a longer period of time I would rather assume it's bad security. It's just what experience says (see bluetooth sniper gun, good cantennas). So why use a technology in the first place which gives a potential opportunity for a hack and then trying to make it more secure? For something really crucial in terms of security would you use WLAN and try to make it secure by means of a proprietary encryption or by obscurity or rather use wired ethernet with a point to point connection? I would not label this with "good security". It's hackish or better: flawed design.

Curt Sampson • August 11, 2005 8:06 PM

"I doubt there is sufficient trust between all governments for visas to be encoded onto the RFID chip. Would the US trust Iran to alter the information on a US citizen's passport's RFID chip?"

If you have a chip similar to those used in smartcards such as Sony's Felica, this isn't an issue, since every country could download into the card their own visa application, with its own security systems.

Paul O • August 11, 2005 8:42 PM

I've forgotten: how much does it help The Bad Guys to have access to, say, thousands of instances of sample passport data when trying to compromise the keys? Is it considered to be irrelevant?

And what would be the effect of any such miscreants using a computer virus or worm to create a massively parallel attack on the keys? (Or, for that matter, having folks outside the U.S. actively offer their computer time, along the lines of the SETI project?)

At the end of the day, is this a mere convenience for accessing data at Passport Control, or is it really aimed at adding security? Can it be protected against a determined enemy, or is it just a more convenient form of the same processes we're familiar with today?

piglet • August 26, 2005 7:42 PM

Canada is now using optical (if I understand correctly) cards for permanent residents (http://www.cic.gc.ca/english/pr-card/).
"The card’s optical stripe contains all the details from the cardholder’s Confirmation of Permanent Resident form or IMM 1000 Record of Landing document. This encrypted information is accessible only to authorized officials (such as immigration officers) as required to confirm the status of the cardholder. The card cannot be used to monitor the activities or track the movement of the cardholder."

Can anybody explain which problem is solved by RFID which can't be solved in that way? Does anybody know how good the security of that system is?

bern • August 29, 2005 5:36 PM

To give credit where credit is due, the general principles of Basic
Access Control (reader needs data from passport's MRZ to access chip)
and Extended Access Control (reader needs approval via issuing country's
PKI) were/are being developed by the ICAO. Since ink can do neither (BAC
involves a random session key, too), we can attribute "no 2-D bar codes"
to them as well.

What I did *not* see in the ICAO documents I've read so far, except
one backwards reference, is the term "RFID"; they say "contactless chip"
instead. Note that an attacker can access an RFID chip with BAC while *and
after* the bearer flipped the passport open to him, while a chip using
*optical* communication would restrict access to *while* the document's
out and flipped open, even without BAC. Apparently billions of infrared
remote controls and thousands of laptops and PDAs with actively used
IrDA ports weren't enough to develop IR technology to the point where
you can integrate it onto a smartcard style chip ...

Of course, an optical chip would have to be put under laminate, rather
than being hidden in the cover, which is what at least Germany currently
plans to do. Note, however, that the laminated "data page" is the
most tamperproof part of passports - and the cover, the only part *not*
having the passport's number on it, the *least* protected one. Separating
"a passport" and its chip (for whatever ends) thus becomes a task of
merely knowing how to deal with the glue used.

Another thing that the ICAO doesn't address is what the chip's
characteristics *besides* the e-passport "application" should
be. Run-of-the-mill RFID product tags communicate a unique, plaintext
serial number; while it mightn't disclose the actual data stored on the
chip, it'd threaten to broadcast more general information ("I'm carrying
a German passport", "the guy whose passport you skimmed yesterday is in
this bus", etc.) to all and sundry. Sure enough, one news release from
the German government I came across mentioned that e-passports *will*
have a "lot number", with no information on whether that number will be
BAC protected or not.

Speaking of interesting after-the-show announcements by the German
government, there has been a paper saying that a digital signature will
be provided as well. In my opinion, for the security provided by BAC
(EAC is, as always, a different matter), *that* subtle change really
promises to come back and haunt them:
In order to get through BAC, the reader has to read the MRZ and compute
an "access key" from that data. The problem is that the MRZ does not
hold much data, which gives you keys of rather limited length; the BSI
theorized that it has a full 56 bit of entropy, but I find it hard to
believe that someone trying to get access to the e-passport in your
pocket won't, for example, be able to pinpoint your age better than a
100 year range.
As originally designed, that wasn't a real problem because there had not
been *that* much data protected by BAC (but not EAC); the most sensitive
data was *part* of the access key in the first place. However, add that
signature to it and that balance is gone. To someone who wants to forge
a passport, such a signature is an asset; his forgery will plain not work
if he doesn't include a proper signature on it. Thus, he suddenly has an
*incentive* to hang out at the airport, find someone looking sufficiently
similar, crack his RFID chip / BAC, and copy the data including the
precious signature onto his forgery. I don't think that BAC, resp. the
access key, is strong enough for *that* determined an attack.
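
The keyspace arguments in Frank Rieger's and bern's comments can be put into numbers. The Python sketch below is an added example, not code from any commenter or from the ICAO documents; it assumes the access key depends on three MRZ fields (a nine-digit document number, date of birth, date of expiry), a ten-year validity period, numbers issued sequentially at the 50,000 per working day quoted above, and an observer who can guess the bearer's age to within five years.

```python
import math
from datetime import date, timedelta

VALIDITY_YEARS = 10              # assumption: ten-year passport validity
NUMBERS_PER_WORKING_DAY = 50000  # figure quoted in the thread for Dutch passports


def count_days(start, end, working_days_only=False):
    """Number of calendar dates in [start, end); optionally Monday-Friday only."""
    total, day = 0, start
    while day < end:
        if not working_days_only or day.weekday() < 5:
            total += 1
        day += timedelta(days=1)
    return total


def shift_years(day, years):
    """Same month and day in another year (not valid for 29 February)."""
    return day.replace(year=day.year + years)


def nominal_model(today):
    """Bits per field if every field were uniform and independent."""
    return {
        "document_number": math.log2(10 ** 9),
        "date_of_birth": math.log2(count_days(shift_years(today, -100), today)),
        "date_of_expiry": math.log2(
            count_days(today, shift_years(today, VALIDITY_YEARS))),
    }


def informed_model(today, age_guess, age_error_years=5):
    """Bits per field for an observer who knows the issuing patterns.

    Assumptions (hypothetical attacker knowledge, not measured data):
      * age is known to within +/- age_error_years,
      * passports are only issued Monday to Friday,
      * document numbers are sequential, so fixing the expiry date (and
        with it the issue date) leaves one day's worth of numbers.
    """
    oldest = shift_years(today, -(age_guess + age_error_years))
    youngest = shift_years(today, -(age_guess - age_error_years))
    expiry_dates = count_days(today, shift_years(today, VALIDITY_YEARS),
                              working_days_only=True)
    return {
        "document_number": math.log2(NUMBERS_PER_WORKING_DAY),
        "date_of_birth": math.log2(count_days(oldest, youngest)),
        "date_of_expiry": math.log2(expiry_dates),
    }


def compare(today, age_guess):
    """Per-field and total entropy for both models, plus the bits lost."""
    nominal = nominal_model(today)
    informed = informed_model(today, age_guess)
    report = {
        field: {
            "nominal_bits": round(nominal[field], 2),
            "informed_bits": round(informed[field], 2),
            "bits_lost": round(nominal[field] - informed[field], 2),
        }
        for field in nominal
    }
    report["total"] = {
        "nominal_bits": round(sum(nominal.values()), 2),
        "informed_bits": round(sum(informed.values()), 2),
        "bits_lost": round(sum(nominal.values()) - sum(informed.values()), 2),
    }
    return report


if __name__ == "__main__":
    # Constructed scenario: evaluated on 10 August 2005, bearer looks about 30.
    for field, row in compare(date(2005, 8, 10), age_guess=30).items():
        print(f"{field:16s} {row}")
```

Under these assumptions the nominal figure lands near the 56 bits attributed to the BSI, and most of the loss comes from the document number once it is tied to the issue date.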

Michael L. Davis • November 17, 2005 12:23 PM

Bruce,

In your latest CryptoGram newsletter, you state that an RFID tag's read range at DEFCON "was demonstrated earlier this year to be 69 feet." This is an erroneous statement regarding 13.56 MHz technology.

I have attached an internal report that I wrote on this subject explaining the real facts behind this. While I acknowledge that 13.56 MHz RFID transponders can certainly be read at greater distances than what is ordinarily expected, it was not 69 feet as misquoted by all of the media regarding the DEFCON event. I was there and, as proof, include some attachments which include photos and an audio link to an interview with the person who conducted this experiment in which he acknowledged that the 3.5 meter limit [11.5 feet] for 13.56 MHz is “absolutely totally impossible to overcome” even with “thousands of thousands of watts of power.”

If you look at the pictures, you will clearly see that the antennas were Yagi antennas and that they were reading UHF tags which ARE designed to be read at longer distances.

While I also agree that technology gets better and better as time goes by, the basic laws of physics set some limits that may eventually be disproven because our formulas or understanding are incorrect, not necessarily because technology gets better and better.

The press has not pointed out that the DEFCON world record was for UHF and some people in the media are stating that "this is the very same technology that is being used in our passports." This kind of reporting is just plain false and is exacerbating the fear of RFID. Certainly someone with your credentials could at least point this out for the record.

Along these same lines, I would like you to comment in a subsequent CryptoGram about the new book entitled "Spychips."

===========Report===============

What was reported was not a complete accounting of the facts and the articles are misleading. Here are the points left out:

1) This experiment was used to read passive UHF-type tags used by Wal-Mart and other companies in the logistical supply chain management industry.

2) The RFID was UHF-based technology in the range of approximately 800 MHz to 2.5 GHz which is designed for longer read operation. When we hear the term RFID, we must not always assume that it’s 13.56 MHz.

3) RFID used in contactless smart cards incorporates serious security measures to protect its data and from talking to a rogue reader including mutual authentication and encrypted data transmissions. Only the CNN article mentioned that encryption is used in some RFID applications.

4) Although RFID technology IS being mandated for passports, UHF technology is NOT being incorporated into passports as stated in the article by Erik Michielsen. And the passports will use encrypted technology and other security measures.

5) Even the record-holder himself acknowledged that the 3.5 meter limit [11.5 feet] for 13.56 MHz is “absolutely totally impossible to overcome” even with “thousands of thousands of watts of power”. (Note that ISO 15693 calls for a maximum operating distance of 1.5 meters that is compliant with regulatory emissions standards; non-compliance can yield the 3.5 meter maximum distance cited by the record-holder.)

6) Nobody can violate the laws of physics; 13.56 MHz Contactless Smart Cards communicate in the electromagnetic near-field which has an inverse sixth power (1/r^6) relationship with range. UHF tags deal with radiated energy in the far-field which has an inverse squared power (1/r^2) relationship with range.

============================

Text of Interview Kevin Mahaffey of Flexilis (http://www.flexilis.com/)
“Theoretically, that is possible – there is some asterisks in that a lot of libraries use may use a different standard of RFID [than UHF] – it has nowhere near the same range, its due [to the laws of] physics and you have a maximum possible range of given thousands of thousands of watts of power that you could not go past … for example in 13.56 MHz, that’s 3.5 meters, that’s absolutely totally impossible to overcome but with the [UHF] RFID we are doing now, you are going to be seeing this at Wal-Mart, Target, any supply chain implementation of RFID ...”

Links
For more info, consult the following links:

Photos – http://www.makezine.com/blog/archive/2005/07/...

Audio - http://downloads.oreilly.com/make/... (Note that your computer must support MP4 streams, if you have Apple’s QuickTime installed this link will work.)

==============================

Brian Krebs on Computer Security
Excerpt from Column found at http://blogs.washingtonpost.com/securityfix/
Posted at 08:20 AM ET, 08/ 5/2005
Six Windows Updates on "Black Tuesday"
“DefCon 13 also was notable for being the location where two new world records were set -- both involved shooting certain electronic signals unprecedented distances. Los Angeles-based Flexilis set the world record for transmitting data to and from a “passive” radio frequency identification (RFID) card -- covering a distance of more than 69 feet. (Active RFID -- the kind being integrated into foreign passports, for example -- differs from passive RFID in that it emits its own magnetic signal and can only be detected from a much shorter distance.)
The company’s feat is also a reminder of the security and privacy issues presented by RFID technology, which is increasingly being used by companies like Wal-Mart to store information about their products. Using a device like the one Flexilis built, someone could conceivably sit out in the parking lot and peer inside the shopping bag of a customer leaving a store, or use the RFID tags to keep tabs on that person’s movements. Using slightly different methods, attackers could send signals that effectively jam or manipulate a store’s RFID readers, tricking the devices into reading a $99 item as a 99-cent item, for example.”
---------------------------------------
Michielsen Watch: Defcon Hackers (Erik Michielsen, Director of RFID & Ubiquitous Wireless)
Original article can be found at http://www.rfidnews.org/weblog/2005/08/02/...
Tuesday, August 2 2005
"A group of twenty-somethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet. That's important because the tags have been proposed for such things as U.S. passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling U.S. citizens out of a crowd.
RFID companies had said the signals didn't reach more than 20 feet, said John Hering, one of the founders of Flexilis, the company that conducted the experiment.
"Our goal is to raise awareness," said Hering, 22. "Our hope is to spawn other research so that people will move to secure this technology before it becomes a problem.""
Ah to be a twenty-something.
---------------------------------------
Excerpt from article titled “Geeks flex hacker muscles at Defcon” that appeared in CNN
Full text is available at http://www.cnn.com/2005/TECH/08/02/...
“Radio frequency identification tags … that are used to track a growing list of items including retail merchandise, animals and U.S. military shipments -- also came under scrutiny.”
“A group of 20-somethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet (21 meters). That's important because the tags have been proposed for such things as U.S. passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling U.S. citizens out of a crowd.”
“RFID companies had said the signals didn't reach more than 20 feet (six meters), said John Hering, one of the founders of Flexilis, the company that conducted the experiment.”
"Our goal is to raise awareness," said Hering, 22. "Our hope is to spawn other research so that people will move to secure this technology before it becomes a problem."
“Erik Michielsen, an analyst at ABI Research, chuckled when he heard the Flexilis claims. "These are great questions that need to be raised," he said, but RFID technology varies with the application, many of which are encrypted. Encryption technology uses an algorithm to scramble data to make it unreadable to everyone except the recipient.”
---------------------------------------
RFID at DEFCON
Found at http://geekmuse.net/blog/index.php?...
Monday, August 1, 2005, 20:50 - Nem W. Schlecht
MAKEZine.com has an audio podcast with images (requires iTunes) on a world record attempt at fetching RFID tags at extended lengths. They test with the RFIDs that retailers will use and successfully read a tag at 69 feet.

P.S. They briefly mention that some RFID tags have a 3.5m range (3.56Mhz) that is impossible to overcome. However, retailers will not be using these tags.

jkleinhans • January 26, 2006 9:44 AM

From what I've read so far on this, RFID passports aren't for access control, instead will be used for auditing and passive reconnaissance.

I am satisfied with the security of the devices but I can't see the ACLU letting this happen...especially with all the negative press of the Patriot Act and Warrantless Wiretapping recently.

Jon

Boris • February 15, 2006 7:02 AM

I am wondering... why is everyone confusing RFID tags with contactless smart cards? The passports will *not* use RFID, but rather a contactless smart card chip. There's a huge difference.

Bruce, why don't you make this clear once and for all for everybody? I really think it would make a big difference in this confusion and mixup of terms.

I am sure you know that no one in their right mind would even consider using RFID tags for passports.

simon • April 10, 2006 4:02 PM

I have a question, can cruise ships or hotels legally hold on to the passports? Some foreign banks take your passport God knows where, and disappear with it, are they making copies?

James • July 14, 2006 11:03 AM

Why is it essential for the biometric data to actually be on the chip/passport? Couldn't all sensitive data such as that be stored in a database, then accessed using a key field stored on the passport? This key field would probably be some kind of big-ish number. The number could then be quite easily stored as a barcode read by an optical reader, thus eliminating RFID entirely whilst still keeping biometric authentication.

If RFID was essential, then why not store this database key rather than the biometrics? They could even transmit the key in encrypted form.

Why would it be any more secure to actually store the biometrics on the passport rather than in a database with the passport storing the key/index?

IdahoEv • July 14, 2006 3:23 PM

How much data does a passport need that a 2D barcode or other optical scan cannot possibly encode? Does a passport need some significant fraction of a megabyte?

DataGlyph at 600DPI can store a bit over 15/k per passport-sized page (~1k/sq. in.). With a two-page open field, you could get 30k. That's enough for a jpeg of your photograph *and* all the text in your passport. It could be superimposed on the human-readable text.

sarah • September 18, 2006 3:46 PM

How do I find out if the Chicago passport office is currently issuing passports with rfid? My passport expires in a year; am I better off to get a new one now (if the Chicago office isn't yet installing rfid chips), or waiting as long as possible in hopes that the technology will be tweaked so that my passport will be more secure?

rufus13 • September 19, 2006 12:48 PM

My passport is one year from expiration, and it looks like all the new ones will have some kind of RFID or silicon in it. How hard would it be to burn out the chip without visibly damaging the passport? Bulk tape eraser or HERF gun?

Oops, I took my passport into the MRI machine with me. Oops, I attached it in front of a naval radar transmitter. Oops, I used it to elevate my cup-o-noodles in the microwave oven.

It seems like "burned out chip" passports would be processed manually (looking and holding) just like the old kind.

Thanks.

jeff • October 4, 2006 4:56 PM

My friend is a fugitive on the run, how long can he use his passport for before it's no good?

Israel Torres • October 4, 2006 5:26 PM

"My friend is a fugitive on the run, how long can he use his passport for before it's no good?"

@jeff

Most likely until your door gets kicked in and all your stuff goes away in boxes and paper bags? Sometime after that.

Israel Torres

Enfermera • October 6, 2006 8:31 PM

Is there any way of knowing which offices are already using the chip and is it still possible at this date (10-6-06) to get one without the chip?

Alissa • February 11, 2007 8:46 PM

Hey does anybody know how to change the year on your passport illegally by hand without looking like it's been tampered with...
I'm trying to change it from 1987 to 1985.
Just wondering what kind of tools I should use to do that.

Please, if anybody knows, MESSAGE me at isayshhitlike@aim.com

Thanks so mucH!!
Alissa

Bruce Schneier • February 11, 2007 8:53 PM

"Hey does anybody know how to change the year on your passport illegally by hand without looking like it's been tampered with..."

So, is this a Fed looking to entrap someone, or just a girl trying to get a drink at a bar?

Jerry • June 23, 2007 9:51 AM

Here is an update. With all the furor over passports lately, we won't have to worry about RFID chips any time soon. Using a courier service is probably your safest move. My brother had success with Passportready.com. RFID chips are an interesting idea but maybe a little too invasive for my tastes. A nation that trades a little freedom for more security deserves neither.

Mauro • February 6, 2008 3:07 AM

Bravo, Jerry. Wake up people, this is the next step to a BRAVE NEW WORLD or 1984. The government wants to track your every move.
RFIDs are completely unnecessary, and only aid the government in their quest to take your freedom.

Rachell Snow • November 10, 2008 1:05 AM

To Whom It May Concern:
I am taking a course called ITGS, Information Technology in a Global Society, and the topic I selected for my portfolio is electronic passports. My motive for sending this email is to ask if it was possible to interview you on this matter. If you have the time please answer the following questions.

Thank you for your time,
Rachell Snow


Is the government’s motive for implementing passports with RFID tags because of long waits in airports? If no, what other motives is this action for?


What information regarding a person does the RFID tag normally contain?

Do you believe that having RFID tags implemented into passports is a potential threat to a person’s privacy? If so why or why not and how?

Is there a way to prevent a person from accessing your passport information? If so what are the ways?

Do you believe it is better to have a passport that doesn’t have an RFID tag rather than one that does?

Could biometrics (Fingerprint scanners and retina scanners etc.) be a better solution to the problem of long waits in airports, rather than electronic passports?

Are there any regulations stating that it is illegal to access the information on a person’s passport?

Are there different kinds of RFID tags that can be used? If so, what are they and what are their differences?
