Interesting People mailing list archives

RFID passport data won't be encrypted


From: David Farber <dave () farber net>
Date: Sat, 16 Oct 2004 14:54:56 +0100



Begin forwarded message:

From: Donna Wentworth <donna () eff org>
Date: October 15, 2004 9:42:47 PM GMT+01:00
To: eff-privacy () eff org
Cc:
Subject: [E-PRV] RFID passport data won't be encrypted

-----------------------------------------------

http://hasbrouck.org/blog/archives/000434.html



------------------------------------------------------------------------

Contrary to "what I wrote yesterday":/blog/archives/000433.html , the
identification and biometric (digital photograph) data on "RFID
passports" in the USA will *not* be encrypted. Jay Stanley of the
ACLU's Technology and Liberty Program describes what they were told in
a briefing by Frank Moss, USA Deputy Assistant Secretary of State for
Passport Services and director of the State Department's Bureau of
Consular Affairs:

bq.. Digital signature technology would be used to ensure that the
information on the chip has not been altered.  A State Department
private key would be used to encrypt a hash of the information on the
chip.  The private keys would be retained in utmost secrecy in the
basement of the State department where they do all their encryption.
The public keys would be shared with ICAO so that, e.g. a German
control officer could look them up to verify authenticity of a
passport.

No harm could be done with the public keys; they could even be posted
on a Web site. The public key can be used to verify that e.g. this
passport was signed using the State Department's private key for every
passport issued in San Diego from January 2005 to August 2005.  But you
can't use the public key to then create a signature on a fraudulent
document. And the public key is not used to access the data on the
document -- that is wide open -- it is used only to verify the
authenticity of the passport.

p. I think I didn't grasp this, even when I read the draft ICAO
specifications, because it was, and is, so astonishingly, over-the-top,
unsafe and vulnerable to criminal abuse that I _couldn't_ believe it.

It also becomes clear on rereading the proposed ICAO standards and the
USA government contract proposal (RFP), that the signature -- the one
thing other than the photograph actually used to authenticate someone
using a passport, particularly for financial purposes like cashing a
check, sending or receiving money, or opening a bank account -- will be
the one major element of the passport not digitally encoded at all (and
thus not amenable to authentication through the hash or its digital
signature).

So an identity thief, using only the data secretly and remotely
obtainable from your passport, will be able -- without ever having
actually seen you or your passport -- to create a perfectly
valid-seeming passport, with a valid encrypted and properly signed
digital hash, with your photograph but a signature in their
handwriting.

Such a document is the holy grail of identity thieves, organized
criminals, money launderers, and, of course, terrorists.

All they have to do is place an RFID reader somewhere a lot of
travellers will pass nearby, record the data of each passport that
comes within reading distance (up to 20 meters with current readers,
although that will likely increase with future reader technology), and
look through the captured images later, at their leisure, until they
find one with a photo that comes close enough to their appearance for
them to be able to impersonate.  They can create the physical photo for
the forged passport from the digital data secretly and remotely read
from the RFID chip.

Then they can choose, depending on their document forging ability, to
create either (1) an RFID passport with a bitwise copy of the chip
(organized criminals already use similar techniques to clone mobile
phone SIM cards), (2) a non-RFID passport (these will likely remain in
use for up to a decade, the validity period of current standard USA
passports), or (3) a non-RFID passport or identity document of another
country.  This last choice might be the preferred tactic, since a
document with a different nationality would be less likely to produce
"collisions" with the real identity that would bring the identity theft
to the victim's notice.

(It's common for people born in the USA to be citizens of, and carry
passports of, other countries, so this last type of passport would
attract no suspicion at all.  Irish passports would probably be
forgers' first choice, since they permit visa-free movement within the
European Union and are the European passport most commonly held by
people born in the USA.  Or they might pick some other passport that
happens to be especially easy to forge.)

Or they could choose to use the data from the RFID chip (including date
and state of birth, the starting point to getting a birth certificate
and finding out your mother's maiden name) to obtain or produce some
other type of identity document.  But why bother, when they could
conduct their money laundering, open terrorist bank accounts, buy and
use airline tickets, etc. with a properly digitally-signed and
authenticated fake passport with a signature in their handwriting --
but in your name or the name of some other innocent victim?

This makes it imperative, if you are forced to obtain or carry an RFID
passport, always to keep it in a tin-foil sleeve or envelope, and
*never* to take it out without first demanding conclusive proof that
the person requesting to inspect it is making a binding lawful demand
to do so. When you do display it, try to get as far as possible away
from all other people or anywhere an RFID reader might be concealed,
and try to keep the foil wrapped around the passport as much as
possible, to reduce the range of directions and angles from which it is
exposed to radio reading.

The crucial issue for technical self-defense will be whether a passport
cover can be produced that is transparent to visible light, but opaque
to the frequencies used by RFID transponders. Stay tuned -- I'll
report anything I hear about such an identity theft protection device
for travellers.  Let's hope one is available by next spring, when the
first USA citizens, other than government employee guinea pigs, start
being issued with RFID passports.

There's more on the "risks of RFID chips in passports and other
identity
documents":http://www.npr.org/templates/story/story.php?storyId=4107310
from Barry Steinhardt of the ACLU (the final interview, beginning at
32:48 of the broadcast) and others on National Public Radio's "Talk Of
The Nation" earlier this week, recorded the day before the RFID
passport contract announcement.
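
What the signature check described in the briefing does and does not cover, as an added example that is not part of the original post or of any ICAO or State Department code. It assumes a toy RSA key (constructed here, not a real issuer key) and a hypothetical `Passport` model whose field names and sample data are made up for illustration.

```python
import hashlib
from dataclasses import dataclass, replace

# Toy RSA key from two Mersenne primes: constructed for this example and
# trivially factorable. It stands in for the issuer's key pair.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                    # public key, safe to publish
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, kept by the issuer

@dataclass(frozen=True)
class Passport:                        # hypothetical model, not the ICAO layout
    chip_data: bytes                   # identity data and photo, stored in clear
    chip_signature: int                # issuer's signature over hash(chip_data)
    ink_signature: str                 # handwritten, on paper only, never hashed

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue(chip_data: bytes, ink_signature: str) -> Passport:
    """Issuer side: sign the hash of the chip contents with the private key."""
    return Passport(chip_data, pow(digest(chip_data), D, N), ink_signature)

def verify(p: Passport) -> bool:
    """Inspector side: needs only the public key (N, E)."""
    return pow(p.chip_signature, E, N) == digest(p.chip_data)

def demo() -> dict:
    genuine = issue(b"name=SAMPLE TRAVELER;born=1970-01-01;photo=<bytes>", "holder")
    # Alteration of signed data is detected.
    altered = replace(genuine, chip_data=genuine.chip_data.replace(b"1970", b"1980"))
    # A signature made with the public exponent instead of D is rejected.
    no_key = replace(genuine, chip_signature=pow(digest(genuine.chip_data), E, N))
    # An exact copy of data plus signature still verifies: the check binds the
    # data to the issuer, not to a particular chip or booklet.
    copied = Passport(genuine.chip_data, genuine.chip_signature, genuine.ink_signature)
    # The handwritten signature is outside the hashed bytes, so changing it
    # does not affect the result.
    other_ink = replace(genuine, ink_signature="someone else")
    return {
        "genuine": verify(genuine),
        "altered": verify(altered),
        "signed_without_private_key": verify(no_key),
        "copied": verify(copied),
        "different_ink_signature": verify(other_ink),
        "readable_without_key": genuine.chip_data.split(b";")[0],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signature gives integrity and origin for the hashed bytes only; confidentiality and resistance to copying would need separate mechanisms.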

