more on STATE DEPT. TO RETHINK PRIVACY SUPPORT IN RFID PASSPORTS

[David Farber <dave () farber net>]

------ Forwarded Message
From: "Trei, Peter" <ptrei () rsasecurity com>
Date: Tue, 26 Apr 2005 15:25:38 -0400
To: <dave () farber net>
Subject: RE: [IP] STATE DEPT. TO RETHINK PRIVACY SUPPORT IN RFID PASSPORTS

For IP, if you wish...

I'm afraid I can only give a one-and-a-half cheers for this
proposal. From a technical and security point of view,
it's half-baked.

While this certainly prevents silently skimming the data
off of a passport, it may still endanger American citizens
abroad.

It's not clear from the description if the chip remains
utterly silent in the absence of it's specific key. If
this is not the case - if it responds to an energizing
field by announcing its presence - then it's still the
electronic equivalent to wearing a US flag on your
back.

As such, it imposes needless dangers on Americans.

Since the claimed intended use is now to optically scan
the passport's barcode for the chip's key, and then
use that to unlock the chip, why is a wireless
component needed at all?

Why not embed a smartcard chip in the cover, with the
contacts exposed on the inside?  That *would* be
secure against remote scanning, and allow much more
capable chips to be used.

Peter Trei

------ End of Forwarded Message


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/