Richard Forno
Mon, 16 Jan 2006 08:22:51 -0800
US Government begins testing e-Passports 1/14/2006 8:23:02 PM, by Peter Pollack
http://arstechnica.com/news.ars/post/20060114-5982.html This weekend marks the beginning of a three-month-long test run on the use of e-Passports at San Francisco Airport. E-Passports contain a radio frequency identification (RFID) chip inside the binding which can be used to store personal data and biometric information for retrieval by customs personnel equipped with RFID readers. As is often the case, increased technological tracking carries with it a supply of controversy. The State Department says it received a total of 2,335 comments regarding its proposal to introduce e-passports. The department categorized 98.5 percent of the comments as negative, 1 percent as positive and 0.5 percent as neutral. The main area of concern has to do with the potential for unauthorized reading or hacking of the RFID data. Although RFID chips are supposed to have a limited readable range of just a few centimeters, tests have been conducted which suggest that the readable distance can be several meters or more under certain conditions, meaning anyone in your vicinity with an RFID reader would be able to scan your data. The technology has gone through some changes since it was first proposed. Originally, the US Department of State saw no reason to implement any security measures into the RFID program, arguing that the chip's limited range was protection enough. They have since backpedaled on that assertion, and the system being tested in San Francisco addresses the concerns of many by incorporating several anti-identity-theft measures. ... the Department [...] will include an anti-skimming material in the front cover and spine of the electronic passport that will mitigate the threat of skimming from distances beyond the ten centimeters prescribed by the ISO 14443 technology, as long as the passport book is closed or nearly closed. The Department will also implement Basic Access Control (BAC) to mitigate further any potential threat of skimming or eavesdropping. [...] BAC utilizes a form of Personal Identification Number (PIN) that must be physically read in order to unlock the data on the chip. In this case, the PIN will be derived from the printed characters from the second line of data on the Machine-Readable Zone that is visibly printed on the passport data page. The BAC also results in the communication between the chip and the reader being encrypted, providing further protection. These are good steps in the right direction. Is it enough? Security guru Bruce Schneier believes it to be. Assuming that the RFID passport works as advertised (a big "if," I grant you), then I am no longer opposed to the idea. And, more importantly, we have an example of an RFID identification system with good privacy safeguards. It looks like this may turn out to be a victory for common sense. Of course, a three-month pilot program in one airport will probably tell us more about the efficiency benefits than the security of e-Passports, so the real test against ID predators will come once this technology is released into the wild. You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.