Germany To Roll Out ID Cards With Embedded RFID 235
An anonymous reader writes "The production of RFID chips, an integral element of the new generation of German identity cards, has started after the government gave a 10-year contract to the chipmaker NXP in the Netherlands. Citizens will receive the mandatory new ID cards starting from the first of November. The new card allows German authorities to identify people with speed and accuracy, the government said. These authorities include the police, customs and tax authorities and of course the local registration and passport granting authorities. There are some concerns that the use of RFID chips will pose a security or privacy risk, however. Early versions of the electronic passports, using RFID chips with a protocol called 'basic access control' (BAC), were successfully hacked by university researchers and security experts."
identity cards, not passports (Score:2, Informative)
The passports already have RFID. This is about the identity cards. (which is only a card, compared to the passports that are too big to carry them around with you all the time).
time to buy (Score:4, Informative)
The ID cards are technically not mandatory (Score:2, Informative)
Germans must be able to identify themselves with either a passport or an ID card. There is no obligation to have either of those with you at any time.
The new cards do not use classic RFID chips but near field communication, which is much harder to attack from a distance (if at all).
Anyone who wants to sit this out can get a new ID card before November. The old ID cards cost 8 EUR and are valid for 10 years.
Re:EU passports (Score:3, Informative)
On the contrary. Since the new EU passports contain fingerprint data and a digital version of the picture, much of the contention about the new passports revolved around the creation of a central database of biometric information. If the passports were just an index into the database, then that database would be inevitable.
It is important that technology-minded users learn not to apply the usual centralist approach to everything. We are not cattle.
Re:The ID cards are technically not mandatory (Score:2, Informative)
Germans must be able to identify themselves with either a passport or an ID card. There is no obligation to have either of those with you at any time.
The new cards do not use classic RFID chips but near field communication, which is much harder to attack from a distance (if at all).
Anyone who wants to sit this out can get a new ID card before November. The old ID cards cost 8 EUR and are valid for 10 years.
I guess you have never lived in Germany and heard of Ausweispflicht ? Which by law requires any citizen to be able to identify his or her self. Even only being there on holiday as a visitor you must still be able to identify yourself , been there done that. The authorities do not take it lightly if you "forgot" your ID either, depending on the situation. Although I will credit you the sitting out part, if they get the new ID now then they can wait it out. Although didn't the Germans already implement biometrical Passports (not to be confused with ID cards)?
Anyways looking at http://www.personalausweisportal.de/ [personalausweisportal.de] really is weird if you cannot speak German then I suggest translator of some sort . They talk about new "Identity Management" and "Online Identification functions" etc etc . Sounds more controlling/keep track than anything else. I really feel bad for the German's at times. But hey you know there is a saying: "The Germans will never complain or demonstrate to any problem because they is a sign saying it is forbidden"
Re:Awesome... (Score:5, Informative)
True to that check this out:
http://www.personalausweisportal.de/cln_164/DE/Neue-Moeglichkeiten/Online-Ausweisfunktion/online-ausweisfunktion_node.html [personalausweisportal.de]
The new online functions! If you dont understand german try google translate, here a quick translation
Identification on the Internet and on machines can in the future be done with the new identity card. This is simple and safe as the presentation of your previous card today.
Even without being personally present you can use the online identity function (also: eID function) authenticate everywhere (where personalized services - are consequently offered and directly tailored to the individual user). With your new personal ID and your 6-digit PIN you can prove your identity in the electronic world simple, safe and reliable.
That is just the first paragraph , better than the Sunday comics !
Re:The ID cards are technically not mandatory (Score:3, Informative)
Yeah I guess you are right:
http://de.wikipedia.org/wiki/Ausweispflicht [wikipedia.org]
Only if they ask for it , interesting , but still..
Re:The ID cards are technically not mandatory (Score:3, Informative)
Yeah I guess you are right:
http://de.wikipedia.org/wiki/Ausweispflicht [wikipedia.org]
Only if they ask for it , interesting , but still..
Shit I meant this one (damn copy buffer) : http://bundesrecht.juris.de/persauswg/__1.html [juris.de]
Re:time to buy (Score:5, Informative)
For the curious, it takes approximately 4 layers of aluminum foil to block a scanner from activating the RFID signal when your Al lined wallet is point blank from a standard scanner.
(After receiving an RFID enabled ID card here in the Netherlands last year, I tested it on our office copy/scanner RFID reader, and then simply lined my wallet with double the number of layers it took to block the signal. Works like a charm!)
Re:identity cards, not passports (Score:3, Informative)
The full-sized US passport fits in my back pocket without any problem, my wallet sits comfortably in front of it.
Too big, what? It's just over 3"x5" in size.
The US started it (Score:3, Informative)
After 9/11, the US mandated biometric passports for all (if you wanted to enter the US).
Re:The US started it (Score:4, Informative)
Oh, I guess a source would be helpful ;)
http://www.alternet.org/story/142239/will_biometric_passports_lead_to_a_state_of_constant_surveillance/ [alternet.org]
Re:The US started it (Score:4, Informative)
Re:perfect bomb triggers (Score:2, Informative)
Really? I've never been asked to show my identity card. What you may required to show in certain situations (as in, when caught using the transport without a valid ticket, or in case of using a price-reduced personalized ticked), is an official paper with image ("amtlicher Lichtbildausweis"), but that doesn't have to be your identity card, your driving license should work anyway (I don't have experience with this, though, because I've never been asked to show it in public transport anyway, not even with personalized train tickets).
Re:EU passports (Score:1, Informative)
Fingerprints are only optional in the ID card ("Personalausweis"). The comment was about the biometric passports, for which two fingerprints are mandatory (left and right index finger).
Re:A little bit of perspective... (Score:2, Informative)
You have to actively go out, apply for an ID card and pay the fee to get one. You can live a long and productive live and never use your ID at all, unless you're a lawyer by profession or get arrested a lot...
Not quite. You will have to use it if you want to get a bank account (and I assuem you want one). If you're younger, you will have to use it to get a driver's license, probably to sign contracts, to get into music clubs late night, to get alcohol, even to play the lottery and of course everytime you fly within the EU.
So I say you can live a long and productive live alone in the mountains and never use your ID at all.
Re:perfect bomb triggers (Score:1, Informative)
Actually, tests by various groups have shown that RFID chips are easily read from several METERS away.
Re:right, before Zee Germans get there (Score:4, Informative)
You are mistaken as to what is freedom of speech in USA, nobody is allowed to make direct threats of murder for example, but one can have an opinion that abortion doctors must be killed, it's an opinion.
Of-course one person's opinion may lead to another person's action, but the correct thing to do is to hold the one who takes action as the responsible party, not the one who says he has an opinion.
I am not American, in fact at this very moment I am in Germany, though I am Canadian, born in the former USSR.
I hold every single thing that government says or does as suspicious, I don't trust government at all, in any single one thing ever, and I am not an American.
Re:identity cards, not passports (Score:1, Informative)
The old German identity cards are 105 x 74 mm,
the new ones will be 85.6 x 53.98 mm.
i.e. 4.12 x 2.93 inch old and 3.37 x 2.12 inch.
I.e: you can put your identity card into your
wallet. (especially as it is only a card and not
multiple sheets of stuff).
The passports are 104 x 78 mm. That is only slightly larger, but too large (and also too thick) for most wallets.
Fry it (Score:5, Informative)
Re:Outsourced to the Netherlands (Score:1, Informative)
I find the most intriguing part of this whole thing is the decision to outsource the chips to a Dutch company
NXP is the research division (now independent) of Philips, still considered to be one of the world's leading companies in the electronics department. It would be equally intriguing to see European governments turning to a certain US-based software company for their desktop software.
This is the same company responsible for the Mifare [wikipedia.org] series of travel cards, which are used in the London Underground and Dutch public transportation. And in Moscow, Bucharest, (all of) Slovakia, Seattle (WA), Minneapolis (MN), Boston (MA), Brisbane, Melbourne, Montreal, ...
Re:perfect bomb triggers (Score:5, Informative)
Re:perfect bomb triggers (Score:3, Informative)
They just spoofed, they haven't talked to the TAG at all!
ISO14443-A and other NFC tags simply don't work like this:
You need a two way communication. From the reader to the tag, and from the tag to the reader. The ISO14443-A tag is not capable to actively send out answers. Instead it loads down the magnetic field that powers it. This load is measured on the side of the reader and interpreted as answers from the tag.
If I remember right the tag must be able to pull about 10% of energy out of the magnetic field to transmit data.
And this puts a simply physical constraint on the range:
You can't simply make the reader put out a stronger magnetic field. This would increase the range from the reader to the tag, but it would also make it almost impossible for the tag to answer because it can't remove that much energy anymore. If you lower the energy of the field the tag doesn't has enough power to operate.
The 15 cm
In the lab you can get a longer distance than 15 cm... Maybe up to half a meter or so. To do so you have to calibrate the resonant frequency of the tag and the reader so that they are almost perfectly coupled. And you have to do this in an RF shielded room because every disturbance in the RF field would interfere the transfer.
What the Defcon guys did was to listen to a running communication between a reader and a tag from afar. That is indeed possible up to such a range.. That will not tell you anything interesting except the fact that a tag was read because the first thing the pass does is to do a Diffie-Hellmann key exchange (part of the PACE protocol). Oh - you get the ID from the tag, but as I wrote earlier the ID is random ...
Not much gained..
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
Re:God bless America! (Score:2, Informative)
Americans are NOT required to carry ID at all times.
Neither are us Germans (yet), we only have to own one. Most people do carry it, though.