Feds Rethinking RFID Passport
By Kim Zetter

Story location: http://www.wired.com/news/privacy/0,1848,67333,00.html

02:00 AM Apr. 26, 2005 PT

Following criticism from computer security professionals and civil
libertarians about the privacy risks posed by new RFID passports the
government plans to begin issuing, a State Department official said his
office is reconsidering a privacy solution it rejected earlier that would
help protect passport holders' data.

The solution would require an RFID reader to provide a key or password
before it could read data embedded on an RFID passport's chip. It would also
encrypt data as it's transmitted from the chip to a reader so that no one
could read the data if they intercepted it in transit.

Frank Moss, deputy assistant secretary for passport services, told Wired
News on Monday that the government was "taking a very serious look" at the
privacy solution in light of the 2,400-plus comments the department received
about the e-passport rule and concerns expressed last week in Seattle by
participants at the Computers, Freedom and Privacy conference. Moss said
recent work on the passports conducted with the National Institute of
Standards and Technology had also led him to rethink the issue.

"Basically what changed my mind was a recognition that the read rates may
have actually been able to be more than 10 centimeters, and also recognition
that we had to do everything possible to protect the security of people,"
Moss said.

Read rates refer to the distance from which an RFID chip can be read. The
new RFID passports, or e-passports, were designed with a contactless chip in
the back cover, which allows officials to read electronic data on a passport
from a distance, using an electronic reader. The distance depends on the
design of the chip and the reader.

The government had long maintained that the passport chips to be used could
be read from only 10 cm away. But at least one test showed that a reader
could read a passport chip from 30 feet away. And Barry Steinhardt, director
of the Technology and Liberty Program for the American Civil Liberties
Union, demonstrated a chip being read from two to three feet away at the
Computers, Freedom and Privacy conference last week.

Because the government had decided not to encrypt data contained on passport
chips, the chips exposed passport holders to privacy risks, such as skimming
and eavesdropping.

Skimming occurs when an intruder with a reading device in the vicinity of
the passport holder surreptitiously reads the electronic information on the
chip without the passport holder knowing. Eavesdropping occurs when an
intruder intercepts data as it's being transmitted from the chip to an
authorized reader.

It turns out, however, that a solution to prevent skimming and eavesdropping
was actually proposed a while ago, but U.S. officials rejected it.

The International Civil Aviation Organization, which created the
international specifications for countries adopting RFID passports, designed
specifications (.pdf) for a process called Basic Access Control.

Basic Access Control, or BAC, works this way: The data on a passport would
be stored on an RFID chip in the passport's back folder, but the data would
be locked and unavailable to any reader that doesn't know a secret key or
password to unlock the data. To obtain the key, a passport officer would
need to physically scan the machine-readable text that's printed on the
passport page beneath the photo (this usually includes date of birth,
passport number and expiration date). The reader would then hash the data to
create a unique key that could be used to authenticate the reader and unlock
the data on the RFID chip.

Basic Access Control prevents skimming because it doesn't allow remote
readers to access data on the passport without the passport being physically
opened and scanned through a reader. It also prevents eavesdropping since it
would encrypt the communication channel that opens when the data is sent
from the chip to the reader.
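
Added example (not part of the original article): a sketch of how a reader
turns the printed machine-readable fields into BAC keys, following the key
derivation published in ICAO Doc 9303. Function names are this example's own;
the sample fields are the ones used in that document's worked example.

```python
import hashlib

# MRZ character values for check digits: 0-9 -> 0-9, A-Z -> 10-35, '<' -> 0.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def check_digit(field):
    """Check digit over one MRZ field, using repeating weights 7, 3, 1."""
    total = 0
    for i, ch in enumerate(field):
        value = 0 if ch == "<" else ALPHABET.index(ch)  # ValueError if invalid
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)


def mrz_information(doc_number, birth_date, expiry_date):
    """Concatenate the three MRZ fields (dates as YYMMDD), each with its check digit."""
    fields = (doc_number.ljust(9, "<"), birth_date, expiry_date)
    return "".join(f + check_digit(f) for f in fields)


def adjust_parity(key):
    """Set the low bit of every byte so each byte has odd parity (DES keys)."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE
        out.append(high7 | (1 if bin(high7).count("1") % 2 == 0 else 0))
    return bytes(out)


def bac_keys(doc_number, birth_date, expiry_date):
    """Return (k_seed, k_enc, k_mac) derived from the printed MRZ fields."""
    info = mrz_information(doc_number, birth_date, expiry_date).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]  # SHA-1 is what the spec uses

    def derive(counter):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return adjust_parity(digest[:16])  # two-key 3DES key

    return k_seed, derive(1), derive(2)


if __name__ == "__main__":
    # Sample fields from the worked example in ICAO Doc 9303 (not a real passport).
    seed, enc, mac = bac_keys("L898902C", "690806", "940623")
    print("K_seed:", seed.hex(), "K_enc:", enc.hex(), "K_mac:", mac.hex())
```

A reader that has not optically scanned the data page cannot form these
inputs, which is the anti-skimming property described above.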

Moss said the solution was originally rejected because the United States
never planned to include more data on the RFID chip than what could be
easily read simply by looking at the passport. That being the case, they
believed that anti-skimming technology, such as metal fibers in the passport
cover, would prevent anyone from surreptitiously reading a passport as long
as it was closed.

"We originally thought that the chip could not be read at a distance of more
than 10 cm (when the passport was open)," Moss said. "We now find that
perhaps there are some more serious threats in the area of read ranges....
The use of BAC now gives you additional protection when the book is actually
open."

Moss said the German government and other members of the European Union had
embraced BAC because they planned to write more data to the chip than just
the written data that appears on the passport photo page. Many countries
plan to include at least two fingerprints, digitized, in their passport
chips.

Several vendors have already built and tested readers that function with
BAC. A report (.pdf) of the tests reveals that the method actually works,
although reading a passport using BAC takes twice as long as reading a
passport that doesn't use BAC.

"(The results) are mixed, quite honestly, and that's one of the issues we're
still working through," Moss said. "Part of the problem is that the BAC
technology ... is not quite as mature right now with some of the other
technologies. That's one of the other reasons we've had some trepidation
about taking this step, but we're increasingly convinced that it's the right
way to go, that the technology is getting there."

Moss said there would be meetings next week in Ottawa and in Lyon, France,
later in May to iron out some issues regarding the international standards
for BAC. Moss said his department would need to determine what impact, if
any, BAC might have on the production schedule of passports to determine
whether the government's planned rollout of the passports would still occur
on time.

There are some minor flaws with BAC, which are detailed in a paper (.pdf)
written by Ari Juels of RSA Technologies; David Wagner, professor of
computer science at the University of California at Berkeley; and UC
Berkeley graduate student David Molnar.

"The bottom line is that BAC isn't perfect, but it's better than what we
have now," Molnar said.

The ACLU's Barry Steinhardt was cautious about praising the State
Department's move.

"It's an improvement over the current proposal," Steinhardt said. "It sounds
at least as if they're beginning to be concerned that there are security
concerns with the current proposal. Whether they've really fixed them we'll
have to wait and look at the specifications. But I don't understand why it's
necessary to have an RFID chip at all in light of these security concerns.
There are other technologies that are more proven that are available."

But cryptographer Phil Zimmermann, who created Pretty Good Privacy, the
popular, free e-mail encryption and authentication program, thinks BAC is
the way to go if the government plans to use RFID. In fact, Zimmermann
proposed a plan to Moss at the Computers, Freedom and Privacy conference
that mirrored Basic Access Control, although he didn't know at the time that
the government had already considered such a plan.

"The State Department would be able to end the threat of skimming and
eavesdropping by using Basic Access Control," Zimmermann said. "It's
obviously the right thing to do." 


