On Sat, Oct 23, 2004 at 03:23:21PM -0400, Adam Shostack wrote: > > The technology will mature *very* rapidly if Virginia makes their > driver's licenses RFID-enabled, or if the US goes ahead with the > passports. Why? Because there will be a stunning amount of money to > be stolen by not identity thieves, but real thieves. Imagine sitting > with a laptop, a good antenna, and some software outside a metro > station in Virginia. Or an upscale restaurant in Adams-Morgan, > reading off the addresses of those who will be away from home for the > next 3 hours.
Correct me if I am wrong, but don't most of the passive, cheap RF or magnetic field powered RFIDs transmit maybe 128 bits of payload, not thousands and thousands of bits which would be enough to include addresses, names, useful biometric data and so forth ? For many if not most applications (inventory control and tracking) a 128 bit unique serial number is enough - are the passport and drivers license (soon apparently to be the same thing here in the USA at least in respect to an internal passport required for travel on public transportation) applications of RFID actually intended to allow reading tens of kilobytes of data or just a unique serial that can be used as a key in an on line database system ? The signaling reliability problem of successfully transmitting say 10 or 100 kb of data error free (enough for reasonable info about someone and some biometric measurements) is quite different from repeating 128 bits over and over and over until the reader succeeds in making the FEC and checksums work for a couple of reads out of thousands of repetitions of the 128 bits. Detecting a weak repeated short pattern in noise is much easier than reading thousands of bits with few or no errors (few enough to be corrected by a reasonable rate FEC). Whilst unique serial numbers read at a distance could be used in a variety of rather sinister ways, they aren't equivalent to dumping the names, addresses, weight, height, birth date, social security number and biometric signatures of someone in the clear. And obviously are much less useful to an unsophisticated thief without access to the database mapping the serial number to useful information. And further it seems reasonable to suppose that if larger blocks of useful data get dumped, it would be encrypted under carefully controlled keys at least for passport and similar applications. Granted that very sophisticated attackers might obtain some of these keys, but the average thief presumably would not have access to them. It does occur to me that RFID equipped passports or internal passports/driver licenses ("your papers please") COULD be equipped with some kind of press to read switch the would require active finger pressure on the card to activate the RFID transmitter - this would leave them disabled and incapable of transmitting the ID when sitting in someone's wallet or purse. Aside from very sinister covert reading applications I cannot think of any reason why a RFID equipped identity card would need to be readable without the active cooperation and awareness of the person carrying the card, thus such a safeing mechanism would not be a real burden except to those with sinister covert agendas. And needless to say, copper screen or foil lined wallets would become very popular... -- Dave Emery N1PRE, [EMAIL PROTECTED] DIE Consulting, Weston, Mass 02493 --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]