Flaw exploited in RFID-enabled passports
http://news.com.com/2061-10789_3-6130396.html?part=rss&tag=6130396&subj=news

from above:

Security researchers have released proof-of-concept code that they say enables 
an attacker to read the passport number, date of birth, and passport expiration 
date from passports with RFID tags enabled.

... snip ...

something similar could be claimed behind the switch-over from X.509 identity 
certificates to relying-party-only digital certificates in the mid-90s (i.e. 
potentially serious privacy and liability issues)
http://www.garlic.com/~lynn/subpubkey.html#rpo

and as I've pointed out repeatedly, it is trivial to then show that such 
relying-party-only digital certificates are redundant and superfluous.

then from three factor authentication model
http://www.garlic.com/~lynn/subintegrity.html#3factor

* something you have
* something you know
* something you are

part of the issue with something like "date of birth" is that it not only is a privacy issue but it 
may also represent a serious identity theft and fraud issue, in part because there is pervasive use of 
"date of birth" as part of "something you know" authentication.

if the paradigm was sanitized ... then you might at most have "something you 
have" authentication ... i.e. you assert some passport number which is in turn, 
digitally signed by some hardware token or other embedded chip.
http://www.garlic.com/~lynn/subpubkey.html#certless

even simpler, you have anything that asserts some sort of passport number. the 
challenger then does real-time online lookup (using the supplied number) for 
photo along with other identifying and/or pertinent information ... and 
performs authentication based on the information just looked up. a person 
could carry their passport number in some sort of cellphone/pda ... which 
requires some response from the owner for it to be transmitted (in response 
to a query) ... or alternatively ... as a barcode pasted to the back of their 
cellphone.

The online, real-time scenario would even eliminate the person needing to carry 
some gov. issued registered document ... just that they are able to provide the 
appropriate passport number when challenged (which is used to do real-time 
retrieval of the necessary registered information).
The returned real-time information response can be specific and limited to the 
task being performed.

One of the paradigm issues with documents/certificates issued for purely 
offline operation ... is a tendency to try and make them (more) useful for 
multiple purposes ... which then leads to them being overloaded with lots of 
different information for the multiple purposes. Many times there is real 
danger that the available aggregate information is far in excess of what is 
needed for any specific task/process. However, it is poor human factors to 
burden an individual with a large set of different documents/certificates that 
would be exactly specific for any single operation.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
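The online, real-time lookup flow sketched in the post above, written out as an added example for this page (it is not code from the post, from the news article, or from any passport system). The registry records, passport numbers, task names and keys are all constructed; the holder's token proves possession with an HMAC over a fresh challenge, which stands in here for the asymmetric signature a hardware token would produce (with a public key, rather than a shared secret, registered against the passport number). The point it demonstrates is the one in the post: the holder asserts only a number, the registry checks possession and expiry, and the challenger receives just the fields its task is entitled to, so "date of birth" is never handed out for an age check.

```python
# Added example for this page: online, real-time passport-number lookup with
# task-specific, minimized responses. Registry data, tasks and keys are
# constructed; HMAC over a nonce stands in for a hardware token's signature.
import datetime
import hashlib
import hmac
import os

TODAY = datetime.date(2006, 10, 1)  # fixed "now" so results are deterministic

# Constructed registry held by the issuing authority. token_secret stands in
# for the key of a token issued with the passport; a real registry would hold
# a public key instead, so a registry breach cannot impersonate holders.
REGISTRY = {
    "P123456789": {
        "name": "Example Holder",
        "date_of_birth": datetime.date(1980, 5, 17),
        "expiry": datetime.date(2016, 5, 16),
        "photo": "photo-ref-0001",  # constructed reference to the registered photo
        "token_secret": bytes.fromhex("a1" * 32),
    },
    "P000000001": {
        "name": "Expired Holder",
        "date_of_birth": datetime.date(1970, 1, 1),
        "expiry": datetime.date(2001, 1, 1),
        "photo": "photo-ref-0002",
        "token_secret": bytes.fromhex("b2" * 32),
    },
}

# What each task may learn: the response is limited to the task at hand.
# An age check gets a derived predicate, never the raw date of birth, so a
# value widely used as "something you know" elsewhere is not leaked.
TASK_FIELDS = {
    "border_crossing": ("name", "photo", "expiry"),
    "age_check": ("over_18",),
}

USED_CHALLENGES = set()  # registry-side replay protection


def offline_chip_read(passport_number):
    """What an offline-readable chip hands any reader, per the news excerpt."""
    rec = REGISTRY[passport_number]
    return {"passport_number": passport_number,
            "date_of_birth": rec["date_of_birth"],
            "expiry": rec["expiry"]}


def token_respond(token_secret, passport_number, challenge, holder_approved):
    """Holder's device answers a challenge only when the owner approves."""
    if not holder_approved:
        return None
    msg = passport_number.encode() + challenge
    return hmac.new(token_secret, msg, hashlib.sha256).digest()


def registry_lookup(passport_number, challenge, response, task, today=TODAY):
    """Verify possession, then return only the fields the task is entitled to."""
    rec = REGISTRY.get(passport_number)
    if rec is None or task not in TASK_FIELDS:
        return {"ok": False, "reason": "unknown passport or task"}
    if challenge in USED_CHALLENGES:
        return {"ok": False, "reason": "replayed challenge"}
    expected = token_respond(rec["token_secret"], passport_number, challenge, True)
    if response is None or not hmac.compare_digest(expected, response):
        return {"ok": False, "reason": "possession proof failed"}
    USED_CHALLENGES.add(challenge)
    if rec["expiry"] < today:
        return {"ok": False, "reason": "passport expired"}
    attrs = {}
    for field in TASK_FIELDS[task]:
        if field == "over_18":
            dob = rec["date_of_birth"]
            years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
            attrs[field] = years >= 18
        else:
            attrs[field] = rec[field]
    return {"ok": True, "attributes": attrs}


def challenger_session(passport_number, task, holder_approved=True):
    """One round trip: nonce to the holder's device, proof plus number to the registry."""
    challenge = os.urandom(16)
    rec = REGISTRY.get(passport_number, {})
    resp = token_respond(rec.get("token_secret", b""), passport_number,
                         challenge, holder_approved)
    return registry_lookup(passport_number, challenge, resp, task)


if __name__ == "__main__":
    print("offline chip read:", offline_chip_read("P123456789"))
    print("age check:", challenger_session("P123456789", "age_check"))
    print("border crossing:", challenger_session("P123456789", "border_crossing"))
    print("expired:", challenger_session("P000000001", "age_check"))
```

The contrast with `offline_chip_read` is the whole argument: an offline document has to carry everything any reader might want, so every reader gets everything, whereas the online registry answers each task from the same record while disclosing only that task's slice. The challenge, consent flag and used-challenge set are the minimum needed to keep a barcode or a cellphone-held number from being replayed by a third party who merely observed it.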
