Tin Foil Passports? 264
Daedala writes "The debate over contactless chips with biometric information in passports continues. Vendors have been chosen for testing in the U.S. and Australia. Privacy advocates are still arguing about the measure, as are security reporters and bloggers. The specs themselves are interesting, to say the least. The EETimes says that in interoperability tests, the potential chips could be read from 30 feet away. However, both they and the New York Times have published articles reporting vendors' low-cost solution: '[I]incorporate a layer of metal foil into the cover of the passport so it could be read only when opened.' Don't they know that the whole tinfoil hat thing is supposed to be a joke?"
Not actually based on a joke. (Score:5, Informative)
a simple layer just won't cut it, though.
Re:Not actually based on a joke. (Score:5, Informative)
I can't believe I spelled it farraday. did I think those measurements I was taking all the time were in farrads? sheesh.
I was in a rush to get first post. some example FARADAY cages are here [hollandshielding.be], here [unitedstatesaction.com] and here [edinformatics.com].
Re:Not actually based on a joke. (Score:5, Informative)
Can anyone confirm this? (Score:3, Interesting)
Can anyone confirm if this really works?
My mother has one of those electronic passes for the toll highway she takes to work and back. The pass comes with a metallized plastic bag into which the user is supposed to place it when she does not want the toll booth to automatically detect and charge (as in money) the pass.
I am not sure if that device uses RFID, but the basic principle is simil
Re:Can anyone confirm this? (Score:2)
Different how? All I've ever seen tollbooths do is say "EZ Pass. $x.xx. OK" and then raise the barrier. Did start to raise the barrier, hesitate, bring it back down and then say "Um. yeah. no ezpass. wink wink"?
Re:Can anyone confirm this? (Score:2)
--Mark
Re:Can anyone confirm this? (Score:3, Informative)
Re:Not actually based on a joke. (Score:5, Interesting)
as well as a lead foil wrapper. Better
still, save the metallized ziplock bag
that your video card probably came in,
and use it. Dual purpose -- keep RFI
out, as well as moisture. If you have
money to burn, buy a nice gold or silver
cigarette case of the right dimensions.
BTW: I don't think that you would actually
need to drag a chain behind you to stay
at earth ground -- that's what the Faraday
cage does. Old fashioned Faraday cages did
have problems -- they generally use a wire
mesh of some particular size, which doesn't
stop ALL RF signals. That is why all the
"spooks" use walk-in steel safes
Re:Not actually based on a joke. (Score:5, Informative)
Anti-static bags have high resistances. They're not completely insulators, but not good conductors either, and a Faraday cage needs a good conductor. Their high resistances allow static electricity (with many thousands of volts) to drain off, slowly. Tin foil *can* be used instead of an anti-static bag, but 1) if your circuit has potential somewhere (like a battery, or a charged capacitator) the tin foil will basically short circuit this, which is bad, and 2) it tends to look like a wad of tin foil, which may get thrown away as trash :)
A Faraday cage really has nothing to do with Earth ground. It certainly does not have to stay at the same potential as the Earth unless it's somehow connected to the Earth, and it'll equally as well connected or not connected to the Earth. There's nothing `old fashioned' about any of this -- the first Faraday cage was built in 1836, and once the radio was invented, it was learned not long after that a Faraday cage will block any RF who's wavelength is much larger than the gaps in the cage. I'll bet this was known (and probably understood) long before 1930 or so. People use Faraday cages with a wire mesh today because it does what they need it to do. To do more would cost and weigh more, and might cause other problems (like not let air in, etc.) -- it's as simple as that.Faraday cages block *electrostic* fields, and you really don't need a tight mesh at all for this. Even your car makes a reasonable Faraday cage. Blocking RF is an added bonus, but for that, you need to make sure the mesh is a good deal smaller than the wavelength of what you need to block.
So, if you need absolute protection against all frequencies of electromagnetic radiation, then you use something with no holes at all. If you also want to block magnetic fields (as the government will want to do to completely prevent TEMPEST attacks and such), then you'll make it out of something magnetic (mu-metal is ideal) and thick. And heavy, and expensive. But secure.
Re:Not actually based on a joke. (Score:4, Informative)
Re:Not actually based on a joke. (Score:2)
No, that's not it. Sure, they're relatively sensitive, but not unusually sensitive.
As for 1% of the signal, that's only a factor of 100, or two bars on an S meter. I imagine that would cost you a bar or two on your cell phone, but not too much. Depending on the appli
Re:Not actually based on a joke. (Score:3, Funny)
http://rave.ca/data/gallery/012596.jpg
Re:Not actually based on a joke. (Score:5, Funny)
It's scarey they think that is a solution (Score:3, Informative)
why does tin foil not solve the issue? well in most european countries you have to hand over your passport to get a hotel room. Presto, the passport reader can work.
likewise their other solution, putting a printed password inside the passport is equally broken. Again the hotel has access t
Re:It's scarey they think that is a solution (Score:2)
Seriously though, they could use some type of barcode system like the UPS and FedEx use..but with data compression, if it's not already. If they laminated it, and used big enough dots, it should be fairly robust.
I'm not a fan of magnetic data storage since magnets are too common. Although, they could use a high coercivity strip...still though.
OCR-Line (Score:5, Informative)
European Passport have at the lower edge a line printed with the OCR-B font which encodes all the necessary data from the passport. All border stations have a small OCR scanner to swipe passports.
This system is simple, robust, easy to verify in case of inconsistency (eg the reader reads something else than the rest of the passport shows) and quite cheap to implement both on the passport and for the reader.
To top it off, the system raises very few privacy concerns, as the content of the encoded line is the same as the human readable part and everybody can easily verify this. No secret data hidden there.
Re:OCR-Line (Score:4, Interesting)
I'm also totally baffled by this RFID craze.
I'll offer two non-mutually exclusive reasons.
First possibility: Someone can make money out of this. We therefore have an incentive for some parties to play up the supposed advantages of this technology.
Second possibility: Some people at "the top" aren't very tech savvy and are easy prey for the former group.
Third possibility: Some people at the top are under constant pressure to be doing something, even if we now have a system that works as well as can reasonably be expected (there comes a point when the resources required to achieve 100% are less than the damage 0.5% that get through). However, if you have to be "doing something" when there is nothing to be done, then you're going to start going backwards.
Re:It's scarey they think that is a solution (Score:2, Informative)
Re:It's scarey they think that is a solution (Score:2)
I don't see what the big deal is, though, but then I was brought up in a country where having an ID card is taken for granted. The cool thing about the Schengen countries is that you don't have to pass through some b
Re:Correction: (Score:5, Insightful)
Huh? Correct me if I'm wrong, but according to my 4.5 years of EE, Faraday cages work on the principal of Gauss' Law. That is, no EM field can be present inside because there is no charge inside. Wikipedia [wikipedia.org] seems to agree with me.
So where does all this discussion of grounding come in? Googling for Faraday cage brings up this detailed article [boltlightn...ection.com] about building one, but it doesn't mention grounding either.
This page [heka.com] mentions grounding, but only in relations to the instruments, not the table. And this humorous article [straightdope.com] says grounding is only required if you have to have edges on your cage (we could design passport books so the edges are metal contacts).
I'd be more concerned with whether tin foil is a sufficient conductor for the higher frequencies.
Re:Correction: (Score:2)
Tin or lead foil is not a good conductor anyway. What you need is a copper or silver foil, best if polished. Aluminum is also OK. Direction of polishing affects the conductivity.
Re:Correction: (Score:3, Informative)
A Faraday cage is a conductor, so charges are free to move inside.
When the outside is exposed to a negative charge, all the electrons 'flee', and leave a positive charge on the surface. They 'flee' to the other side of the surface, to bunch up in negative charges: that is, inside the cage. Hence exposing the inner volume of the cage to negative charges, exactly at the level of incoming negative field to be exact.
When the cage is grounded, 'fleeing' electrons ar
Re:Correction: (Score:2)
Re:Correction: (Score:2)
Right! But it isn't a faraday cage if you let the internal thing you are trying to protect touch the surface. You've defeated the purpose!
Re:Correction: (Score:2)
You dont even have it to touch as I mentioned, a mere proximity will be enough since the gap if small enough will act as a capacitor which passes through RF. Anyhow, I didnt defeat it, since the whole insane idea of RF tags and tinfoil flaps is a product of some seriously bad crack to begin with. Just off the top of my head I can think of many ways of abusing it while at
Re:Correction: (Score:2)
Re:Correction: (Score:5, Informative)
Let's clarify this real quick: I assume you are talking about the inner and outer surfaces, not the volumes.
(digging out my handy Elements of Engineering Electromagnetics, 5th Edition, Rao)
Right, this is a physical explaination of the boundary condition that says the discontinuity in the E field between the sides is equal to the amount of charge present on the conductor. However, you're forgetting to mention that our conductor in this case is a closed surface, and that surfaces are equipotential. Charges don't bunch up on one part of the inner surface, they distribute equally. And assuming the surface is closed, mathematics necessitates that all the internal E fields will cancel.
Otherwise, you would have an imbalence, and would create an E field in a region that does not contain any charge.
True, but unnecessary. The E fields are going to balance perfectly anyways, and cancel themselves out.
Ummm... not really. Assume you have a positive current on the center wire. Using the right hand rule, this creates a positively charged, cirularly symetric E wave that radiates outwards (think throwing a rock in a pond). If you pass the negative equivalent of this signal on the outer shielding, you generate an opposing E field that will directly cancel the internal one. Again, you don't have to ground the external shielding.
Of course, this is all theoretical. As someone else mentioned [slashdot.org], the electrons can only propagate so fast, and there will be some delay. But I believe it will work well enough. I'm not sure what frequency they use for these chips, but it can't be too high for something so simple.
Re:Correction: (Score:3, Interesting)
That's the part where grounding comes in: grounding essentially means connecting
Faraday cages (Score:3, Informative)
There are other, more subtle issues. The usual textbook explanation of how a Faraday cage works assumes a static equilibrium. Fluctuating elect
So, they really are out to get me... (Score:5, Funny)
They tried to have me committed when I said the government was tracking me.
Now they all want to buy my sporty Faraday Cagewear (TM) line of geek clothing, made of fine woven nylon and copper wire.
Bwahahaha!
Re: So, they really are out to get me... (Score:5, Funny)
Maybe then you can put your new passport on your head? Or no, that wouldn't work, because... "they" put the tinfoil on that passport, so *that* tinfoil would surely allow mind-control rays to pass through.
(For uninformed /. readers: for good shielding from "them", you need to make your own tinfoil from raw material)
Now they all want to buy my sporty Faraday Cagewear (TM) line of geek clothing..
Where can I buy some? I need some new underwear, and a couple of T-shirts. Have them in black? Oh yeah, and some socks too. Strange... never seen that brand in a shop... "they" had it removed from the shelves, I suppose?
Re:So, they really are out to get me... (Score:2)
Hey, I'd buy that! Sounds cool to be Tazer-proof!
Professional Shoplifters (Score:5, Interesting)
I was watching it on TV, you saw this lady open up her purse and could see the tinfoil.. She shoved a waffle iron or some such thing in there and out she went.
He ain't kiddin'. (Score:4, Informative)
I've actually seen one of these things in use during after-Christmas returns season. We were standing in the excessively long line, an' this guy comes up to one of the clothing racks. He opens up his shopping bag lined with foil and duct tape, stuffs a sweater inside, and walks off through the security gate without setting it off. Clerk was busy, it was done at an oblique angle from the security cameras, and 5 minutes later he looks just like some regular bloke walkin' the mall.
All he'd have to do after that is pull the tags and trash them, and he could pick off any store he wanted.
Re:Professional Shoplifters (Score:5, Funny)
I know bugger all about EE (Score:5, Funny)
Re:I know bugger all about EE (Score:2)
10 bucks says... (Score:5, Insightful)
Re:10 bucks says... (Score:2, Insightful)
why (Score:5, Insightful)
The whole point of the biometrics (even the lowly photography) is that you confirm the data in the passport with the person in front of you at a booth as you check everyone as they go through.
There is no reason to broadcast this info at ALL.
It's like having two computers next to each other (2 meters apart) in a "security" installation and using 2 wifi cards to link them instead of cat5.
1) it's more expensive to use wifi
2) you have no need to broadcast due to range
3) not only do you not need to, there are now a pile of security problems you have to deal with which aren't needed.
When will these fucktards learn to stop pissing taxpayers money away on "futurists" to help enslave us with at worst crappy overbearing over intrusive government leaning toward fascism, at the least they are wasting our money and enslaving us with red tape.
Re:why (Score:2)
Re:A seriously dumb idea (Score:2)
Just don't microwave it... (Score:3, Interesting)
Oh, and let me guess... I'm going to have to remove this from my person as well just to pass through the metal detector unmolester, right?
It doesn't work that way, it's passive (Score:2, Informative)
Anyone trying to read your passport is likely to be less concerned about damaging your kidneys than you would like.
Re:Just don't microwave it... (Score:4, Insightful)
Was my idea! (Score:2, Funny)
All it takes (Score:2, Interesting)
Of course the first person to steal that data would most likely be labeled a terrorist and be...disappeared.
Cliche (Score:3, Funny)
Now I just have to wait for the day that my PDA, phone and laptop can form a wireless Beowulf cluster that I can wear...
If the issue is forged passports (Score:5, Interesting)
The name, photo and other information is hashed and then signed by the issuing authority. Airport checks are then a matter of verifying the signature. You can't forge a passport without the private key of the issuing country (which I presume they will guard closely), and modifying an existing passport will invalidate the signature.
The only tricky point here is photos: You can't scan the straight photo for the check because of all sorts of tricky alignment and scan quality issues, but that's what a chip might be useful for - it contains a hi res photo, along with the other data and signature. The hi-res photo from the chip is displayed on a terminal for the person checking the documents, along with signature verification.
Yes, you still have to have people checking photos. No, that isn't foolproof. But realistically it is as good as what we have now, with the added bonus that forged, faked, or munged passports will display as invalid due to the signature check. That's pretty damn good, especially when the resulting passport is no more invasive than what we have now.
Jedidiah.
Ain't gonna happen (Score:4, Insightful)
Re:Ain't gonna happen (Score:3, Funny)
what happens if the private key is compramised? (Score:2)
Re:what happens if the private key is compramised? (Score:3, Insightful)
Still not perfect, but even if the cryptographic part failed completely it would still work as well as it does now.
Re:what happens if the private key is compramised? (Score:2)
Presumably each country has it own keys, and potentially a large number of keys each. If one key gets compromised the number of passports invalidated is reduced to a manageable size. You can create a new key pair whenever you need to, so potentially a single key might only cover 10,000 people or so.
But yes, compromise of a key would be a very serious issue indeed, even with those measures. That just means that prot
Re: (Score:3)
Re:what happens if the private key is compramised? (Score:2)
Jedidiah.
Re: (Score:2)
Re:If the issue is forged passports (Score:4, Insightful)
Re:If the issue is forged passports (Score:4, Interesting)
Re:If the issue is forged passports (Score:2)
In summary if the crypto could be pretty it would have a better chance of being implemented.
Re:If the issue is forged passports (Score:4, Interesting)
And what of all the people who don't trust the governments word? Well the paranoid are exactly the people that will know and understand the crypto, so it's not a problem.
I think the real issue is that it would actually involve real change, and odds on if they did do it they'd make a complete mess of the crypto used, there would be outcries from those in the know, and everyone else would just blindly assume it worked perfectly.
Jedidiah.
Re:If the issue is forged passports (Score:2)
Crypto for a ten year document? Not likely . . . (Score:2)
Of course one could start issuing passports with a shorter expiration time . . .but then one must get into a cost benefit analysis of replacing passports on a much more frequent timeframe . . .
Re:Crypto for a ten year document? Not likely . . (Score:2)
Re:If the issue is forged passports (Score:2)
There's nothing wrong with cryptographic signing, nothing at all. In fact, it would be a pretty good thing for precisely the reasons you gave, and I would even extend it to banknotes.
But what I strongly object to is contactless transmission, including any kind of RFID.
Nowadays everybody and his dog can read out RFID chips. They don't have to decipher it, they don't have to forge it - it's bad enough they can read it. It's just none of their business! Back in 189
Re:If the issue is forged passports (Score:2)
thanks for playing, try again.
That would be a major PITA (Score:4, Interesting)
Re:That would be a major PITA (Score:2)
Bzzt. American over here! (Score:5, Interesting)
Re:Bzzt. American over here! (Score:2)
Re:Bzzt. American over here! (Score:3, Informative)
No. The EU is also discussing this, and most likely, other countries are as well.
This is also the reason why Bruce Schneier thinks terrorists will love this technology: [schneier.com] if they want to specifically target a certain nationality (e.g. US), they can easily find people of this nationality in a crowd.
Re:Bzzt. American over here! (Score:2)
One step forward... (Score:5, Funny)
Good Times (Score:2, Funny)
Then Microsoft "blessed" the world with Outlook Express.
Warning: (Score:5, Funny)
So now I can't open my passport safely? (Score:5, Interesting)
Well that's just a fantastic idea. Now I don't have to worry about someone surrepticiously snagging my personal data as long as my passport is closed. Of course, my passport isn't actually useful if I can't let someone open it.
RFID is an interesting technology with a lot of potential, but passports are a stupid, stupid application for RFID. There are much better technologies for passports. Magnetic stripes and bar codes both do the same thing RFID does, but only at close range and with the permission of the document's holder. There are some 2D bar code symbologies out there that store more than enough data for this application and which are highly redundant, therefore resistant to dirt, wear, etc. Bar codes can be read very quickly and require no contact, which means less wear on both the documents and the readers.
The main thing that RFID gives you over bar codes is the ability to read them without the document holder's knowledge, and that makes me very suspicious of anyone who insists that we must have RFID in passports, drivers licenses, etc.
Valid ten years (Score:5, Informative)
wront thing at the wrong time (Score:2, Insightful)
So why not microwave it?? (Score:4, Insightful)
either as a social protest, or just to convert it back to a paper-based document.
Microwaving it should make it invalid (Score:3, Insightful)
An invalid passport should be only as good as no passport at all. Your social protest would have little more success than holding you up, and then, you would need to get a new RFID-enabled passport before you could do anything for which a passport is needed, and you would be back exactly where you started.
I doubt that they are putting the RFIDs in for the hell of it; they probably actually intend to use
Re:Microwaving it should make it invalid (Score:3, Interesting)
Since there's no way a normal person can test whether their passport works or not I'm guessing a lot of people will be stopped at the airport for not having a valid passport even though they believed they had.
How would you feel if you were on your way home for the holidays and they didn't allow you to fly just because of a damaged chip, a problem that didn't exist just
Australia is the new US Poodle (Score:2)
Rule #1: Passport is in enemy hands (Score:2)
Given that the passport document is in the hands of an untrustworthy source, it seems that placing trust in the passport is a bad thing, regardless of what information is encoded and how it is stored in the passort. If I put the name "George W. Bush" in my forged passport, stored with my RFID encoded image, iris scan, and fingerprints (which I would have no diffi
Re:Rule #1: Passport is in enemy hands (Score:2)
If you're going to have biometric scanners, why not lookup the information in a networked database to determine who the person is, regardless of what piece of paper they are carrying?
Absolutely! It's far easier to forge documents that people are required to show, than that networked (hopefully heavily secured) database.
Of course, this won't stop a determined attacker from compromizing the database using classic techniques of wetware hacking, corruption etc... It's always possible (given enough resourc
Yeah, great idea to track us all (Score:2, Insightful)
The UK ID card scheme proposes just this. The Government wants private sector organizations to use the ID card and the database (called the National Identity Register). So everything you do with your ID card gets tracked.
Am I the only one who is a teensy bit troubled by this proposal?
K.
Re:Rule #1: Passport is in enemy hands (Score:2, Funny)
You're a Best Buy manager, aren't you?
Use Copper Instead (Score:5, Funny)
The problem is that a shielded passport, if the RFID is applied correctly, would be an invalid passport. It therefore should do you no good since the identification methods (which should not be set to allow all until a problem comes up) should flag you for coming through without being read. Otherwise, the only ones they would likely catch are those who aren't smart enough to know how to shield their ids, which is something someone with the motive to do something would make it their business to know, thus rendering this measure ineffective. Also, if one has to remove their passport from the shielding to be read, then it is exposed (if briefly), and that invalidates the measures taken if you subscribe to the privacy concerns that someone with a reader (which you will be suprised to know are very accessible and fairly cheap for someone who stands to benefit from having one, and can actually be built practically by someone with enough know-how) could use that time to lift the information.
I am hoping that there is strong encryption involved with this implementation of RFID; not all RFID implementations are very secure and, the sad truth is, from my experience, that most are not.
This reminds me of a story I was once told by someone who did work that brought in all kinds of conspiracy nuts claiming that they were reading these people's minds. This woman came in every day with an aluminum foil hat folded on her head. Every day they would sort of shrug her off, feigning interest in what she had to say. Well, finally one day one of them decided to have a little fun with her and said "You know, we can read your mind because your little hat there isn't grounded." The next time she came by the desk, she had a chain of paperclips from the hat, dragging the ground. heh heh. Needless to say, it provided a bit of amusement for some time.
Make it a stealth passport... (Score:2, Interesting)
The materials vary, from resistive carbon and film laminates (super-cheap, short-lived) to to ferrite-embedded epoxies (very cheap, very hard, brittle, very long-lived) to amorphous magnetic alloys (cheap, stiff, useless-if-bent, very long-lived) to nanocrystalline magnetic metals (expensive, hard, stiff, bendable, very long-lived) to magnetic nanocystalline-embedded plastics (pricey, soft, flexible, not to
From the viewpoint of an RFID reader designer... (Score:5, Informative)
First of all, I agree it's unlikely that a reader could energize an ISO14443 tag from much farther than about 4 inches. It's possible to use a stronger field than allowed by local EM regulations, but with magnetic coupling antennas such as ISO14443 systems use, the field strength drops approximately with the third power of the distance, and the power needed to get that field is the square of the field strength. To read at 4 inches, a power of about 100 mW is needed. So to read at 40 inches, you would need some 10,000W, and trying to operate a reader for 400 inches would be like detonating a bomb...
So the likely scenario for reading at 30 feet would be "listening in" using a big antenna and sensitive receiver to the exchange of data between a legitimate reader that is much closer to the tag. Such an antenna could be mounted in a big suitcase, for example. As it would not transmit it would be difficult to detect.
Secondly, I can confirm that any well-conducting sheet metal covering the tag will effectively short the magnetic field of the reader, so that the tag can not be energized, there's simply no way to read it. Aluminium foil would work perfectly.
Thirdly, many ISO14443 tags contain support for public-key cryptography. The reason to include this is that the data exchange between the reader and the tag can be encrypted so if someone would be "listening in" it will be very difficult to obtain any useful information. Because of this security feature this kind of tag is often chosen for transport fare systems, access control, etc. It seems a shame not to use this, but I think the reason is that the tags should be readable worldwide, so that many readers containing the private key will have to be in existance. It would only be a matter of time before some wrongdoers get such a reader in their hands, and the private key contained in it gets out. Once an unauthorized party has the private key, the encryption will be practically useless anyway (compare this to the CSS encryption of DVD's).
Re:From the viewpoint of an RFID reader designer.. (Score:2)
Re:From the viewpoint of an RFID reader designer.. (Score:2)
EZ Pass works from about 30 feet
Because it's a powered transmitter [ezpass.com]. The RFID tags in passports would be passive.
Happy to Hear This (Score:3, Informative)
If You're Going to get Searched With The Wand (Score:2)
Mmm bet I'll be on the TSA's shit-list after posting this...
What a stupid hacked work around (Score:2)
Is the Faraday Cage the same thing as padded cell? (Score:2)
I've already tested this (Score:3, Interesting)
With no foil, the card will read from 20 cm. With one piece of foil on the back side, it will read from about 1cm. With the foil on the front, it will read, eventually, if you rub it right on the receiver. With foil wrapped completely around, you can't make it read.
I have no doubt that much more sensitive receivers could be built, but the foil does significantly reduce the read range.
Also, keep in mind that a reader has to transmit an RF pulse strong enough to power the chip for a fraction of a second, and the transmitted power is going to obey the inverse cube law. If the chip is shielded and the RF power pulse has to get through that, if you want to read from 20 feet away, you're going to be carrying around (or mounting if you're part of the establishment) a not-insignificantly-sized battery pack, transmitter, and directional antenna in order to get enough power cranked out to power that chip inside its foil wrap.
In fact, it may be so much power that it would be hazardous if someone stepped in front of it near the antenna.
I’d be happy with a smart chip… (Score:2)
This is a bunch of B.S. (Score:2)
Re:Hah! (Score:5, Funny)
Christ, what was I thinking?
Re:What? ITS A JOKE? (Score:2)