Passport Chip Could Attract High-Tech Muggers

Orangez writes "Wired.com reports that 'business travel groups, security experts and privacy advocates are looking to derail a government plan to insert remotely readable chips in American passports, calling the chips homing devices for high-tech muggers, identity thieves and even terrorists.' and that 'The 64-KB chips will include the information from the photo page of the passport, including name, date of birth and a digitized form of the passport picture.'"

Re:When will people realise that remotely readable

[temojen]

I don't see why they didn't just burn it (cryptographically signed) onto a business card sized CD inserted into a pocket of the passport folder. If they used a standardised format (XML+TIFF+GPG signed) then any country could read it without fancy equipment, and noone could make a counterfit.

Re:Tin foil wrapper

[Uptown Joe]

Found this searching for forensics computer software... They have a tent, too. Now that is one way to look cool, your very own tinfoil tent!

http://www.paraben-forensics.com/catalog/product_i nfo.php?cPath=26&products_id=173 [paraben-forensics.com]

Why biometrics are bad:

[Ironsides]

Posted today at the BBC [bbc.co.uk]

Re:why are travellers worried?

[tomcio.s]

The government would be forcing me to do what they want with my private property.

Any passport issued in any country is not your property. It's the property of the issueing government.

In Canada, even our health cards carry that infomation on the back. It says 'card is property of Minitsty of Health, issued to be used by:' and your name + address.

Sorry no 'property rights violations' here. Whatever those are.

Re:When will people realise that remotely readable

[shaitand]

Because it would be illegal to export encryption of that strength. It does not matter if the other nation already has the technology.

Re:why are travellers worried?

[cosmo7]

I had thought this was alarmist, that the information would be a set of MD5s or in the case of client-side data, public-key encrypted, but that turns out to not be the case [wired.com]. It's all naked data.

Re:Tin foil wrapper

[Anonymous Coward]

These guys have you covered: http://www.berk.com/~lessemf/personal.html/ [berk.com]

the system is secure, stop the FUD

[lordholm]

According to the ICAO standard states can chose to add an authentication scheme to the RFID-tag. This is what Sweden is dong, this is probably what the US is doing.

The authentication is based on the MRZ (Machine Readable Zone) in the passport (this is text that is read through OCR and not visible unless you open the passports photo page). The MRZ-data is hashed by SHA-1 and the high 32 bits of the hash is taken (this reduce the risk of someone computing the MRZ-data backwards (actually guessing) which MIGHT be possible if you have the hash and the basic structure of the MRZ-data). The hash is sent as an authentication code to the RFID-chip in the passport, if the hash is wrong the RFID responds with a "no valid authentication" message and refuse to send any data.

A state may decide to ignore such measures in their passports (but this is unlikely for the EU and the US). And such states have the option to include metallic jackets for the passport.

The range of the RFID transmission will be around 10 cm. IIRC it weakens with the power of 6 to the distance.

Further, it is not practical to have contact chips in a book-formed passport. It is more practical in ID-cards.

While I dislike this in general and would prefer a passport free world, try to avoid spreading untrue FUD about the technology being used, the data is secure and no person is going to get within 10 cm from your passport, and try an average of 2^31 different hashes without you noticing it. Of course, if the person manage to "borrow" your passport, he will use the MRZ to obtain the key, but in that case, he can take the passport to a photocopier as well (and that is probably cheaper).

Re:why are travellers worried?

[Qzukk]

I do have something to hide: my passport has my name, address, phone number, next of kin notification address/phone, passport number, and with these 64KB chips, I'm sure they'll pack everything they can think of on there like SSN, birthdate, and so on.

All that, waiting for someone to just bump into me on a train or in a subway or getting off the airplane. Unlike a normal passport, I'd never know it was "stolen", since it'd still be in my pocket afterwards! By the time I get back to my country, I'd probably be thousands of dollars in debt, with 50 credit cards in my name.

Re:hmm...

[Technician]

I think I'll carry it in an aluminum foil pouch.

Stuff it in an old aluminized mylar potato chip bag, roll it up and stuff it in your pocket. If asked, say it was raining cats and doga at my last stop. I didn't want it to get wet. The added advantage is the tag is unreadable inside the folded up bag.

Re:disabling chip?

[chrispl]

Well I should have RTFA about the RFID. They DID suggest RF blocking fibers in the cover.

Re:Actually that might be part of the plan

[fatcatman]

No, RFID is expensive. iButtons are dirt cheap and almost completely indestructible.

www.ibutton.com

Re:When will people realise that remotely readable

[SquadBoy]

Why not?

I really don't get it and have yet to see a good argument for what is suposedly so borken about paper docs.

Biometrics are good for a large number of things. But they are *not* good for IDs (passports, DLs, ICs those kind of things). This is because for them to be used that way they must be passed over a network. Once you start passing things over a network it becomes very possible to steal that persons biometrics and use them to be him/her.

CFP2005 sesssion on RFID chipped Passports

[SynCrypt]

There will be a session about RFID chipped passports at the 2005 Computers, Freedman, and Privacy conference on Wed. April 13th in Seattle, WA. Bruce Schneier, who has spoken frequently on this issue, and Bill Scannell, who is quoted in the article, will both be keynote speakers at the conference. Right after the panel, there will likely be a demo of RFID technology as it relates to passports.