Ever since I did my undergrad honours thesis in cryptography, I have had an interest in network security. This interest has widened to most things to do with security. The latest interest is RFID passports.
In the latest release of Bruce Schneier's Crypto-Gram, he urges us all to renew our passports to ensure we get a version without an RFID. This led me to think about my earlier reply to his earlier post on the subject. That was about a year ago; here it is:
I've been following this topic for a long time now, especially since the Canadian Government was thinking of putting bio-metric information into passports. It doesn't belong there... _maybe_ somewhere else. I'll explain.
I think there is a fundamental flaw in putting the "same information" on the RFID chip that is printed on the page. That serves no purpose: it would foil the more naive person who wishes to produce a fake passport, but anyone with any amount of intelligence is going to produce a fake with fake information on the RFID as well as in print. It is folly to believe otherwise. Any kind of biometric information would be the same... If I'm going to create a fake and the validation of the passport is to compare what's on the passport to the person standing there, I'm going to put my own biometric information on the RFID as well. You really need a method of authenticating that the passport is REAL and VALID.
This brings me to my point. If the US State Department is now requiring that the passport be placed into a reader to get the encryption key that will decrypt the information in the RFID chip that will most certainly be identical to that which is printed on the page, doesn't that defeat the whole idea of the RFID in the first place? Wasn't it the intent to have a reader system that didn't have to come in contact with the passport? Doesn't this requirement make that impossible?
And, since that is impossible, why not try to implement a system that actually works? A system that will take into account that passports can be revoked, and that fakes are going to be really good. Wouldn't it be better to have a system that reads some sort of serial number off the passport (this already exists) and queries a US State Department database of passports (which already exists)... then the information that the US State Department has on file as being associated with that passport number would pop up on the screen of the customs official (or whoever else has proper access) and the information can be verified by looking at it. An automated system could do things like make sure all the text is correct... and the official could look at the two pictures, and look at the person, and see if they match... they could even... if they wanted... send an "update" to the picture, so you would have not only a copy of the photo that is on the passport, but you could watch someone grow a beard in extreme slow motion :)
Why is this better? It means that only people with authenticated access to the US State Department system can get information about you from your passport automatically... everyone else would be limited to the information that is printed on the page. That's not that good for anyone. The only thing that might happen is that someone could create a copy of your passport and they try to make themselves look like you... they wouldn't be able to change the picture as that is validated in real-time with what is on file.
I think in this case the RFID is a bit of technology that is being applied where it shouldn't. It doesn't belong here... there are other ways that are less prone to problems that could solve the problem.
Further on, I say:
After reading some more of this, I think there is a fundamental point about passports that is being missed. Passports were brought into being, partially, because up until quite recently we didn't have any sort of infrastructure to do real-time authentication of a person at the border. We can do that now; we have the technology. The idea of putting my picture, biometric ID, visas, revocations, and a list of previously visited countries on or in my passport is very unsettling. This information shouldn't be anywhere in my control.
We have the technology to build the infrastructure that will allow us to do better than a system designed wholly on the fact that "fakes" are hard to make. They aren't hard to make any more, and any system that relies only on information presented by the authenticatee will be much more open to intrusion.
I'm not saying that such a system is easy to make. Certainly not. However, it is a better direction.
Others then criticized this idea with arguments that the idea of having all this information on your passport was "Less unsettling than the idea of putting them in a central database!". To think that such a database does not already exist, or is not already being deployed, is naive.
I don't have enough information to solve this problem, but I know that the current implementation is bad. There is no good reason to have the information that is printed on the passport be on the RFID. There is no good reason to have an RFID (especially with the "contact" requirements). There is no good reason to store any information electronically on your passport. Passports are a means by which people can verify your identity. I have used them in many places, and never has it been a problem for the information to be read by a person. Any enhancement to the system can only be made by allowing for the information to be validated in real-time to allow for the detection of fake, lost, stolen, or revoked credentials.