ePassport: fees and security issues
Posted on December 17, 2006
Your electronic passport is not safe from the person behind you at the ticket counter. Adam Laurie, a computer programmer from Kent, has released a program that allows anyone with a book-sized electronic reader to steal the information contained in a passport. “The program will read and display the contents of the ePassport, including the facial image and the personal data printed in the passport,” Mr Laurie said.
Electronic passports now cost £66. Oyster cards, which use a similar, but better, security code, cost only £3. Cracking an Oyster card is “more difficult than winning the national lottery,” said Mr Laurie, who made the program available for download (http://rfidiot.org/). Once downloaded, it allows anyone with the right device to read a passport in just 15 seconds.
Nevertheless, not everything is as easy as it seems. Mr Laurie, contacted via email, said “The government that issues the documents has the private keys for signing the objects stored there (such as image, text etc.) The passport itself is also encrypted with its own private key, but that key is derived from data printed in the passport (Passport number, D.O.B. and Expiry date). In this way, anyone with the passport’s individual private key can read it, but only the government can produce a new passport with correctly signed objects.”
In other words, to write the data in the ePassport, a “key” (like a password) is needed, and only the government has that key. To read the data, a different key is needed for every person. This second key is derived from data stored in the passport itself (e.g. birth year times day times passport number). What the police do is read the printed data optically, then read the data on the chip using the key derived from that data. The formula for deriving this key is well known (just go to http://www.highprogrammer.com/cgi-bin/uniqueid/mrzp and build your own key!), so anybody with Mr Laurie’s program can enter the key of his or her own passport, put the ePassport on the reader, and read it.
That would not be a big deal; problems arise when you have a computer powerful enough to guess your key. This has been pointed out by Riscure, a security test lab based in the Netherlands. Considering that it is possible to guess someone’s age with an error of plus or minus five years, and that many countries use consecutive passport numbers, a good PC is able to guess the key in a day. The British Home Office, luckily, said that in the UK serial numbers are randomly generated, and this makes it more difficult to guess the key. Nevertheless the problem remains: sniffing the data of an ePassport is easier than it should be. You can stand in a line, waiting for your check-in, and your neighbour can read the ePassport, go home, produce a key in a month (or a week) and have all your data, picture included. In this sense ePassports do not add any level of security; on the contrary, they seem to offer a backdoor for privacy intruders.
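An added illustration (not part of the original article or of Mr Laurie's program) of the two points above: how the read key is seeded from the printed fields, following the public ICAO Doc 9303 Basic Access Control scheme, and how few bits of uncertainty remain once an observer can bound those fields. The sample MRZ values, the ten-year windows and the figure of 1,000 candidate numbers for sequential issuance are assumptions.

```python
import hashlib
from math import log2

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits as-is, A-Z = 10..35, '<' = 0; weights 7,3,1."""
    total = 0
    for i, ch in enumerate(field):
        if "0" <= ch <= "9":
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character: {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(doc_no: str, dob: str, expiry: str) -> str:
    """Document number, date of birth and expiry (YYMMDD), each with its check digit."""
    doc_no = doc_no.ljust(9, "<")          # short numbers are padded with '<'
    if len(doc_no) != 9 or len(dob) != 6 or len(expiry) != 6:
        raise ValueError("expected a 9-character number and YYMMDD dates")
    return "".join(f + str(check_digit(f)) for f in (doc_no, dob, expiry))

def key_seed(mrz_info: str) -> bytes:
    """128-bit seed: the first 16 bytes of SHA-1 over the MRZ information."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

def search_space_bits(doc_candidates: int, dob_days: int, expiry_days: int) -> float:
    """Bits of uncertainty left in the seed, given the candidates per field."""
    return log2(doc_candidates) + log2(dob_days) + log2(expiry_days)

TEN_YEARS = 3652     # days; assumed passport validity and the +/- 5 year age guess
CENTURY = 36525      # days; any date of birth
SCENARIOS = {        # constructed scenarios; the candidate counts are assumptions
    "alphanumeric number, nothing known": (36 ** 9, CENTURY, TEN_YEARS),
    "random numeric number, age +/- 5 years": (10 ** 9, TEN_YEARS, TEN_YEARS),
    "sequential number, age +/- 5 years": (1000, TEN_YEARS, TEN_YEARS),
}

if __name__ == "__main__":
    info = mrz_information("L898902C", "690806", "940623")   # sample values
    print(info, key_seed(info).hex())
    for name, fields in SCENARIOS.items():
        print(f"{name}: about {search_space_bits(*fields):.1f} bits of a nominal 128")
```

The gap between the second and third scenarios is the difference the Home Office points to: randomly generated serial numbers keep roughly twenty more bits of uncertainty in the key than sequential ones under these assumptions.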
Another issue is the price: how can the Home Office justify last year’s £50 increase in the price of a passport? The chip is cheap, about a pound. The reader is not that expensive, about a thousand pounds. “The passport office is run as a private company. It does not receive any money from the government, and the fees have been increased following an improvement in security measures like interviews, investigations on citizens who ask for a passport”, the Home Office said. So why has all that not been clearly announced? The fees are more expensive because:
1) The passport office does not receive money from the state. That is, although everybody should have the right to a passport and the expenses should be paid in proportion to income, poor and rich people pay the same (money should be collected through taxes, then distributed to the different services, like the passport office).
2) The ePassport is not the primary cause of the increase, as normally stated by the Home Office.
By the way, if you have already paid for and received your ePassport, we have some good news: wrap it in some aluminium foil, and nobody will be able to sniff anything, not even the police.