Document Verification

According to The New York Times:

Undercover Congressional investigators successfully smuggled into the United States enough radioactive material to make two dirty bombs, even after it set off alarms on radiation detectors installed at border checkpoints, a new report says.

The reason is interesting:

The alarms went off in both locations, and the investigators were pulled aside for questioning. In both cases, they showed the agents from the Customs and Border Protection agency forged import licenses from the Nuclear Regulatory Commission, based on an image of the real document they found on the Internet.

The problem, the report says, is that the border agents have no routine way to confirm the validity of import licenses.

I've written about this problem before, and it's one I think will get worse in the future. Verification systems are often the weakest link of authentication. Improving authentication tokens won't improve security unless the verification systems improve as well.

Posted on April 5, 2006 at 8:43 AM • 36 Comments

Comments

AG • April 5, 2006 9:53 AM

Interesting "future" problem.

Bombs get smaller and more powerful everyday.

Keg of Gun Powder
Stick of Dynamite
C4
Fuel Air Setup
Nuclear Device
Thermo-Nuclear Device

Granted the last three are not "smaller" but they do have a huge punch.

Within the next few years we can expect to see the same trend.
The devices we already know about will become easier to make as technology spreads.

Why would anyone even need to import a weapon? Why not create another Oklahoma bomb? Find some TNT? Etc.

Clive Robinson • April 5, 2006 10:30 AM

The problem is easily defined:

1, Online verification can be made (reasonably) secure
2, Offline systems can always be forged.

Checking of documentation in an offline manner (i.e. the document authenticates itself) is always going to be subject to forgery, and therefore will always tend to "fail unsafe".

Checking of documentation in an online manner (i.e. against an import DB) can be designed so that it (very nearly) always tends to "fail safe".

The solution: all import licences are uniquely identified, and this information is held in a "secure" online DB that the import officials have access to. The DB logs when and how many times it has been accessed. If the DB shows a customs officer has already looked at the licence then the goods should be impounded until the issue is resolved by other means.

However this kind of shifts the problem out to:

1, Integrity of the information in the DB
2, Integrity of the impounding and checking process

Both of which are equally hard problems.

Jon • April 5, 2006 10:34 AM

It seems amazing to think that import inspectors see enough import of nuclear materials to not go beyond scanning a sheet of paper and waving it through.

jvd • April 5, 2006 10:47 AM

Now that we have planned the attack ourselves, all we need to do is share it with the enemy via the Internet. It's like we are doing the logistics for the enemy.

One problem. They kill 5,000 of ours, we kill 50,000 of theirs. We do it with remote control technology and announce it first.

The world is dangerous. If you make the USA more dangerous, the world danger multiplies by an even larger factor. If you blow us up, China loses customers and then they suffer. If we blow up China, we end up with a big North Korea and one North Korea is more than the world needs.

Johnsson • April 5, 2006 10:48 AM

"It seems amazing to think that import inspectors see enough import of nuclear materials to not go beyond scanning a sheet of paper and waving it through."

I reckon the inspectors are busy harassing legitimate importers and therefore do not have time to check the bad guys... ;-)

Alun Jones • April 5, 2006 11:10 AM

It's more likely that the inspectors have no idea what the real documents look like.
After my first trip to Mexico, we returned through the drive-through border crossing, and were stopped by an immigration official.
"You're all American, yes?" he asked.
"No, I'm English."
"Oh. Uh..."
"Here's my passport." I offered.
He thumbed through the passport, skipping past the page that had my visa without bothering to stop and check the date on it - if he could read it upside-down in the first place, that is.
Apparently unsure of what to do, he handed me back the passport (technically, he was supposed to stamp it), and waved us through.

AG • April 5, 2006 11:11 AM

My point was missed.

What will better security at the border really stop? Bombs?
Not so since you can make bombs in the USA.
Fissionable material is ALL over the southwestern US. Grab a shovel and dig it up.
Old Dental X-Ray equipment could be used to gather dirty bomb material...

Allix Davis • April 5, 2006 11:14 AM

> 1, Online verification can be made (reasonably) secure
> 2, Offline systems can always be forged.
> Checking of documentation in an offline manner (i.e. the document authenticates itself) is always going to be subject to forgery, and therefore will always tend to "fail unsafe".
> Checking of documentation in an online manner (i.e. against an import DB) can be designed so that it (very nearly) always tends to "fail safe".
> The solution: all import licences are uniquely identified, and this information is held in a "secure" online DB that the import officials have access to. The DB logs when and how many times it has been accessed. If the DB shows a customs officer has already looked at the licence then the goods should be impounded until the issue is resolved by other means.
> However this kind of shifts the problem out to:
> 1, Integrity of the information in the DB
> 2, Integrity of the impounding and checking process
> Both of which are equally hard problems.

Some interesting points, but what does "if the DB shows a customs officer has already looked at the licence then the goods should be impounded until the issue is resolved by other means" mean?

When you say online I presume you mean a VPN or LAN; otherwise online is not a good idea.

Mycroft • April 5, 2006 11:18 AM

Mmm. Given the government's track record with rolling out technological systems, I have this bias towards a low-tech hack until a proper system can be rolled out. In this case, it might be something like "if the radiation alarm goes off, get this guy's documents, and call this number to verify, where there will be a very bored bureaucrat on the other end."

Ale • April 5, 2006 11:22 AM

"1, Online verification can be made (reasonably) secure"

Why is it that we have cash, then? If this were true, the complete virtualization of the economy would then render it inexpugable. There is a very large gap between theory and practice on this one, and the devil is in the details.

Borders are extremely difficult to manage, and the correct identification of import licenses is only one part of the process. In this case, I think proper procedures and judgement will be more beneficial than technology based approaches. If the procedure called for positive confirmation by the Nuclear Regulatory Commission before allowing access, these attacks would not have succeeded.

Clive Robinson • April 5, 2006 11:44 AM

@Allix Davis

Sorry what I was saying is that if the DB shows the import certificate has been seen by a customs officer, then I was assuming the goods had also been presented and imported.

@ Ale

"Why is it that we have cash, then?"

Because it's historical convenience and the limited amount of forgery in the past gave an acceptable trade off.

This is no longer true, which is why a lot of laser printers and photocopiers have "currency" detection software in them to try and limit forgery using these technologies.

arl • April 5, 2006 12:41 PM

It comes down to how the protocol works. You could have the agent call an 800 number, key in the permit number and have some information read back by a computer.

Interesting information might be "That number was last checked 5 days ago on the Canadian border", if the container was coming across the southern border.

But they have to know the protocol and follow it. It might help if the radiation detectors started something that the phone call stopped.
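The register Clive Robinson sketches above, returning the sort of port-of-entry history arl's 800-number protocol would read back, as an added Python example. It is not code from the post or from any commenter: the licence numbers, ports, dates and licensee are constructed sample data, and the rule that one licence covers one shipment (so a second presentation means impound) is an assumption.

```python
"""
Added example: a minimal online import-licence register with an access log.
Every lookup is recorded with port and time; a licence already presented
elsewhere is flagged for impounding, an unknown licence is rejected, and an
unreachable register yields HOLD rather than RELEASE (fail safe).
Sample data below is constructed; the licence number format is invented.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Licence:
    number: str
    licensee: str
    material: str
    valid_from: datetime
    valid_to: datetime


@dataclass(frozen=True)
class Check:
    number: str
    port: str
    when: datetime


class LicenceRegistry:
    """Online register held by the issuing agency; border posts query it."""

    def __init__(self, licences):
        self._licences = {lic.number: lic for lic in licences}
        self._log = []  # every lookup, including ones that fail

    def verify(self, number, port, when):
        """Return (decision, reason). Logs the lookup before deciding."""
        prior = [c for c in self._log if c.number == number]
        self._log.append(Check(number, port, when))
        lic = self._licences.get(number)
        if lic is None:
            return "REJECT", "no such licence on register"
        if not (lic.valid_from <= when <= lic.valid_to):
            return "REJECT", "presented outside validity period"
        if prior:  # assumption: one licence covers one shipment
            last = prior[-1]
            days = (when - last.when).days
            return "IMPOUND", f"licence already checked {days} days ago at {last.port}"
        # Return the registered licensee and material so the officer can
        # compare them with the bearer and the shipment, not just the number.
        return "RELEASE", f"first presentation; {lic.material} for {lic.licensee}"

    def history(self, number):
        return [c for c in self._log if c.number == number]


def border_decision(registry, number, port, when):
    """What a border post calls. A register that cannot be reached gives HOLD,
    never RELEASE: the paper alone is exactly what the forgers had."""
    if registry is None:
        return "HOLD", "register unreachable; do not release on paper alone"
    return registry.verify(number, port, when)


def demo():
    reg = LicenceRegistry([
        Licence("IL-2006-0417", "Acme Isotopes Inc.", "Cs-137 sealed sources",
                datetime(2006, 1, 1), datetime(2006, 12, 31)),
    ])
    north = "Blaine WA (Canadian border)"
    south = "Laredo TX (Mexican border)"
    d1 = border_decision(reg, "IL-2006-0417", north, datetime(2006, 3, 1, 10, 0))
    # Same licence number shows up five days later on the other border.
    d2 = border_decision(reg, "IL-2006-0417", south, datetime(2006, 3, 6, 14, 30))
    # A number that was never issued (a forger guessing or editing an image).
    d3 = border_decision(reg, "IL-2006-9999", south, datetime(2006, 3, 6, 14, 35))
    # Link to the register is down.
    d4 = border_decision(None, "IL-2006-0417", south, datetime(2006, 3, 6, 14, 40))
    return d1, d2, d3, d4


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:8} {reason}")
```

Note what this does and does not catch. A forged copy of a real licence whose number has not yet been used would pass the number lookup; that is why RELEASE also returns the registered licensee and material for the officer to compare against the bearer and the cargo. Clive's two residual problems, the integrity of the data in the register and of the impounding process, are untouched by the code.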

JohnJ • April 5, 2006 12:57 PM

@Ale: "Why is it that we have cash, then?"
@Clive Robinson: "Because it's historical convenience and the limited amount of forgery in the past gave an acceptable trade off."

We more or less lack the ability to track individual pieces of currency so cash is pretty much anonymous. For that reason alone we need to maintain cash (or an anonymous equivalent).

Bruce Schneier • April 5, 2006 1:50 PM

"Why is it that we have cash, then? If this were true, the complete virtualization of the economy would then render it inexpugable. There is a very large gap between theory and practice on this one, and the devil is in the details."

Really good point.

Bruce Schneier • April 5, 2006 1:53 PM

"Agreed, but the next question is what should be considered a reasonable improvement to the verification system."

I've been thinking about this. It has to be some sort of universal verification system, one that can work with an infinite variety of credentials. It has to be peer-to-peer: anyone can issue credentials, and anyone can verify them. There's more.

Pat Cahalan • April 5, 2006 2:43 PM

Re: universal verification system

Now there's the holy grail of security systems!

Rich • April 5, 2006 2:46 PM

The real reason the undercover agents were able to get through with scanned images of documents on the Internet is that they were middle-aged clean-shaven white men in suits, not young middle eastern bearded men in turbans.

jon • April 5, 2006 2:55 PM

"It's more likely that the inspectors have no idea what the real documents look like."

As an expatriate living in the US, it's been my experience that very few people know much about official documents.

Twice in the past five years I have refinanced my mortgage, and found that at the closing my green card was refused as ID because neither the notary nor anyone else involved knew what it should look like, whereas my British passport was immediately accepted, I suppose because it "looks like" a passport.

AG • April 5, 2006 3:50 PM

I know yall love security systems and verification systems, but these proposals are like putting a steel door on a tent.

Millions of people just walk into the US every year.

How would a better verification or a taller chain link fence really stop "The Bad Guys"?

James • April 5, 2006 6:24 PM

"Enough radioactive material to make two dirty bombs" - wha? Critical mass is well known, but exactly how dirty do you have to make a bomb before it becomes a dirty bomb?

(If you're out for panic and chaos, 'not at all' still works...)

think backward then • April 5, 2006 8:46 PM

1. bombs are easy to make, people are easy to kill

2. but most people don't want to kill people, even when they think they do they usually fail or end up in prison for the stupidest mistakes

3. or they kill themselves in the process. hardly a sign of professionality, the crime is not repeatable if you are dead.

4. but because of 1, there is very little chance of preventing 2 and 3 from being attempted, even by controlling various substances

5. but it seems wise to put in an effort that reaps a big reward when the substances and behaviours in question are popular .. cultish

6. 5 has a finite payoff .. where else in the process can we try to make gains?

7. oh yeah, 1 .. why do people try to kill people, and what can be done to reduce it. Why is there a risk of people smuggling dirty bomb material, and how can the people be demotivated or distracted from doing this?

8. but .. people may be wise to your motive in 7 .. in fact perhaps this motivation of controlling others for your own self-interest forms part of their motivation .. so any addressal of concerns of the 'bomb makers' must be genuine.

9. oh! look how many bombs we have in the back yard, dad! we've got lots more than they have! why are they trying to blow us up all the time? don't they know we'll blow them up more?

Arms races are unwinnable, we had one a while back ... most people understood the situation then, but somehow now they seem to think the reasons are different. The reasons are the same, and the material evidence of the reasons is not the cause, nor is the availability of resources. It is the control of resources and the means and motivations of control that are the motivations for attempts at counter-control.

think backwards then • April 5, 2006 8:52 PM

and btw, well publicised and effective means of addressal of grievances and education on when and why certain grievances actually cannot be addressed, and help with dealing with that psychologically are helpful in diffusing the motivations which drive people to anger.

Unilateral domination of the situation and disregard for negotiated means of addressal of grievances does the opposite.

Neal Lester • April 5, 2006 11:07 PM

>It seems amazing to think that import
>inspectors see enough import of nuclear
>materials to not go beyond scanning a
>sheet of paper and waving it through.

Radioactive materials are commonly used in industry, medicine, and academia. Commerce in these materials is not unusual:

"The U.S. Nuclear Regulatory Commission has estimated that approximately one licensed U.S. source is lost every day of the year."

"On 13 September 1987, two scrap metal scavengers broke into an abandoned radiotherapy clinic and removed a source capsule from the protective housing of a teletherapy machine. The International Atomic Energy Agency (IAEA) estimates that the source capsule contained 1375 Ci of cesium-137 chloride (137CsCl) in soluble form ... several people sprinkled or rubbed the material on their bodies as they might have done with Carnival glitter.... According to the IAEA report on the incident, a total of 249 people were identified as contaminated by the Cesium-137, 151 people exhibited both internal and external contamination, 49 people were admitted to hospitals, with the 20 most seriously irradiated having received doses from 100 to 800 rads. The internally contaminated patients were themselves radioactive, seriously complicating their treatment. In the end, 28 people suffered radiation burns and five people died, including three men, one woman, and one [six year old] child."

"By far the most likely route for terrorist acquisition of intermediate quantities of radioactive material (100–10,000 curies) is open and legal purchase from a legitimate supplier."

from

http://www.ndu.edu/ctnsp/dh38.pdf

Peter Dowley • April 6, 2006 1:05 AM

It strikes me that the verification problem in this case (agents not knowing how to validate an import license) is much the same as the problem discussed in the previous article on this blog (Why Phishing Works).

The paper on phishing mentions that there are a range of security identifiers used by browsers (and web sites) so that customers can tell that they're at a secure site ... but most customers don't know the indicators at all. And they're also very bad at assessing them, due to lack of understanding.

Perhaps the best analogy between the cases is how the study participants reacted to a self-signed certificate; just like the fake import license, this is something that most people haven't ever seen and they have no way to tell what a good certificate should look like. The browser warning was ineffectual (like the radiation alarm).

Clive Robinson • April 6, 2006 3:36 AM

The history of "Secure Documents" is interesting in that until the last few years they have relied on the "Faith of the Observer".

For instance, as late as the 1950's the UK Government was issuing Diplomatic travel documents on vellum that had hand written instructions to the "observer" about the "bearer" and their authority...

Just fifty years later we are talking about putting "leading edge" (at least to politicians) technology into Passports.

The reason is that the "observers" are now lacking in faith in the documents; it has become clear just how easy it is to make forgeries that are so exact that the probability of detecting one as a forgery is less than 0.5.

For a lot of people who are caught for Passport Forgery, the evidence against them is that they "had 200 blank Passports in their possession"; it is easy to convince a jury that they must have been illegally owned without having to say whether they were forgeries or not...

Roger • April 6, 2006 4:58 AM

One problem with document verification is that while we are hardening many types of commonly forged documents (e.g. money, passports, drivers' licenses) there are many, many others which are still simply printed paper forms, possibly bearing the signature of some random minor bureaucrat. There is no verification system other than Mk I eyeball (which has been inadequate since the invention of photography ~170 years ago) or very slow off-line examination by expert document examiners.

We already have both the technology and the technical infrastructure to remedy this. Probably the main obstacle is that modern unforgeable documents cannot be verified by humans alone; some kind of technological reader is required, whether it be a secure communications link to an on-line database, a 2D barcode scanner + cryptographic module, or whatever.

As such, there is only slight benefit to making (say) all government issued documents unforgeable without first making the verification equipment ubiquitous. And the way current trends are going, the best bet for that would be to somehow embed it in cellphones.

@Jon:
> It seems amazing to think that import inspectors see enough import of nuclear materials to not go beyond scanning a sheet of paper and waving it through.

That's because (since they are talking about a "dirty bomb", i.e. a conventional high explosive used to scatter nonfissile radioactives) it wasn't nuclear material.

With the exception of tritium (which is rather heavily controlled), non-fissile radioactives have nothing to do with the manufacture of nuclear weapons. I don't know if they are commonly imported from Mexico, but they are indeed widely transported, mainly for medical purposes but also several industrial applications such as manufacture of smoke detector fire alarms.

Another question is how much material the undercover agents imported. The report describes it as "enough for two dirty bombs", but the NRC says it wasn't even enough for one. In point of fact, unlike a fission weapon there is no minimum amount of material required in a "dirty bomb". It's just that the less the bomb maker has available, the less harm it will do. A terrorist presumably wants it to cause significantly more harm than the explosives alone, but several studies -- including actual field tests by the former Iraqi regime -- have shown that the amount required to achieve that is surprisingly large. Consequently many discussions of "dirty bombs" these days revolve around the psychological impact, which allows a great deal of leeway in considering how much material is significant.

another_bruce • April 6, 2006 11:49 AM

@bruce schneier and ale:
i'm sorry, but "inexpugable" isn't a valid word. no scrabble points for you!

Clive Robinson • April 6, 2006 12:00 PM

When it comes to the amount of radioactive material required for a dirty bomb you have to consider a number of variables in the bomb's design.

If for instance you had a block of plastic explosive and you made a hole in it and put your radioactive material in the hole, its effect would be mainly to compact the material and not disperse it.

However wrapping the radioactive material around an explosive core is also not going to give you as widespread a dispersal as you would like.

The design of dirty bombs is a bit like that for FAE/FAX (fuel air explosives): in principle it is easy to understand, in practice it is very difficult to get a good, let alone optimum, yield from a design.

As a starting point you would want a two stage device, the first to get the radioactive material into the optimum state for dispersal, the second to do the actual dispersal.

It has been pointed out in the past that perhaps the best thing to do is to cause the radioactive material to actually burn in a jet of air to do an effective dispersal.

James • April 11, 2006 12:56 PM

Secure document verification is a pretty simple technology that we've had for quite some time.

Digitally sign a copy of the document with the private key of the certifying authority (I suppose the US DOE in this case) and you have a field verifiable document that does not require any infrastructure at the verification point (no network connection, etc.) just a simple handheld PDA would do the job.

Am I missing something here?
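What James describes, as an added Python example that is not code from the post or from any commenter. The issuing agency (James names the DOE, the post says the NRC issues the licences; the code names neither) signs a canonical encoding of the licence fields with an Ed25519 key, and a handheld holding only the agency's public key verifies it offline. It assumes the `cryptography` package; the licence fields are constructed, and the idea that the signed blob would be printed on the paper (as a 2D barcode, as Roger mentions) is an assumption about deployment.

```python
"""
Added example: an offline-verifiable import licence. The issuer signs the
canonical licence fields; a handheld with the issuer's public key checks the
signature without any network. Shows what the scheme catches (an edited copy,
a forger's own signature) and what it does not (an exact copy of a real
licence). Requires the `cryptography` package; all data is constructed.
"""
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


def canonical(fields):
    """Deterministic byte encoding so issuer and verifier hash the same bytes:
    sorted keys, no optional whitespace."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_licence(issuer_key, fields):
    """Issuer side. The returned dict is what would be printed on the document,
    for example as a 2D barcode (assumption about deployment)."""
    return {"fields": dict(fields), "sig": issuer_key.sign(canonical(fields)).hex()}


def verify_licence(issuer_public_key, doc):
    """Handheld side: needs only the issuer's public key. Any malformed input
    is treated as a failed verification rather than an exception."""
    try:
        issuer_public_key.verify(bytes.fromhex(doc["sig"]), canonical(doc["fields"]))
    except (InvalidSignature, KeyError, ValueError, TypeError):
        return False
    return True


def demo():
    issuer = Ed25519PrivateKey.generate()   # held only by the issuing agency
    handheld_pub = issuer.public_key()       # what every border handheld carries

    genuine = issue_licence(issuer, {
        "number": "IL-2006-0417",            # constructed licence number
        "licensee": "Acme Isotopes Inc.",
        "material": "Cs-137 sealed sources",
        "valid_to": "2006-12-31",
    })

    # Forgery 1: take a real licence image, change one field, keep the signature.
    forged = {"fields": dict(genuine["fields"], licensee="Undercover Imports LLC"),
              "sig": genuine["sig"]}

    # Forgery 2: correct-looking fields signed with the forger's own key.
    wrong_key = issue_licence(Ed25519PrivateKey.generate(), genuine["fields"])

    # Not a forgery at all: a byte-exact copy of a genuine licence verifies.
    copied = json.loads(json.dumps(genuine))

    return (verify_licence(handheld_pub, genuine),
            verify_licence(handheld_pub, forged),
            verify_licence(handheld_pub, wrong_key),
            verify_licence(handheld_pub, copied))


if __name__ == "__main__":
    for label, ok in zip(("genuine", "edited copy", "forger's key", "exact copy"), demo()):
        print(f"{label:13} -> {'valid' if ok else 'INVALID'}")
```

The last case is what the signature does not answer. It proves that whoever holds the issuer's signing key signed exactly these fields; it says nothing about whether the bearer is the licensee or whether the same licence was already used at another port, which is what the online register and an identity check of the bearer are for. The handheld's copy of the public key also has to be distributed and kept current, so "no infrastructure at the verification point" still needs infrastructure behind it.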

Grapho-Lock • September 21, 2006 8:21 AM

If we were enhancing our centuries-long custom of putting a (verified) handwritten signature in a digital document, backed up with a digital signature (both an X.509 certificate and a signature template with a fingerprint, issued by the State Department and, for example, encrypted on a chip, whether a phone smartcard chip or a smartcard), then we would be able to authenticate and notarize any document from a desktop, or at any shop or bank desk, or for website access or physical access... The only mandatory point is that the State Department has to be responsible for the safe binding of identity, fingerprint, signature template and X.509 certificate on the encrypted support. No CA can achieve that. Otherwise we will never face a trustworthy IT world.
In addition, the DSV technology stands as a unique way to collect proof of intent, and allows the evidence to be embedded in the document for non-repudiation purposes (a posteriori verification).

The Grapho-Lock Dynamic Signature Verification algorithm has a FAR of 0% and an FRR of less than 1%, both in one-to-one and one-to-N searches; fingerprint has a FAR of 0%. (An ESFORS.ORG member)

A web service would be a very nice way to achieve it. A ping to a state server or FBI server to check whether the identity used has a normal status would also ease any federal inquiry needs.

Grapho-Lock • September 21, 2006 8:30 AM

As all regular readers of Bruce's lines know, a digital signature alone provides only reasonable assurance that "someone" has used a "given certificate" to encrypt a document hash at a claimed time; the "someone" could be a server alone or a malware.

swathi • March 3, 2008 1:52 AM

I applied for a passport 20 days ago. I got a key number of 6535304908. How can I check the date of verification and some details?
