Technorati Tags: identity, passport, security
Mind you, I’m sure that’s the least of e-passport worries, especially with the rash of newspaper stories about passports being "cloned" in transit. They’re not actually being cloned, of course. But the idea is this: you can brute force the key to read the data in the chip (but not the secret key in the chip, which is why you can’t clone) and therefore obtain the data that is printed inside the passport without having to open the envelope. Identity thieves use a device to copy the new e-chip while the permit is on its way to its owner, without having to open the envelope. To do this, they have to brute force the BAC key (because normally you have to read the printed data inside the passport in order to obtain the read key). Unfortunately, it’s easier to brute force than you might think, because you can deduce some of the data in the passport (eg, the validity, because it’s ten years from the issue date). Thus, in about four hours, it is claimed that you can read the chip contents without opening the envelope.
What all of this means is that to get better security, the "system" needs to move to Extended Access Control (EAC) so you can’t get access to passport data that isn’t on the passport: in particular, the "secondary bioemtrics" (ie, fingerprints). That’s that sorted then. Remember that to implement EAC the passport readers (at the border control post in, say, Bostwana) would have to be issued with key pairs and certificates to prove to the passport that they are authorised. If I remember correctly, the certificates will have short life — say a month — to reduce exposure should the readers be stolen. That means, in turns, that gazillions of new key pairs will need to be generated all the time and gazillions of certificates will need to be distributed. When the reader interrogates a passport, it must provide its public key inside a valid certificate, otherwise passport cannot be sure it is a proper reader. This, in turn, means constantly sending out masses of data to passport readers. This is a significant technical problem, so you can expect to read "e-passport cracked/cloned/useless" for some time to come.
My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
[posted with ecto]