Re: Are new passports [an] identity-theft risk?

2004-10-25 Thread Dave Emery
On Sat, Oct 23, 2004 at 03:23:21PM -0400, Adam Shostack wrote:
> The technology will mature *very* rapidly if Virginia makes their
> driver's licenses RFID-enabled, or if the US goes ahead with the
> passports.  Why?  Because there will be a stunning amount of money to
> be stolen by not identity thieves, but real thieves.  Imagine sitting
> with a laptop, a good antenna, and some software outside a metro
> station in Virginia.  Or an upscale restaurant in Adams-Morgan,
> reading off the addresses of those who will be away from home for the
> next 3 hours.

Correct me if I am wrong, but don't most of the passive, cheap
RF or magnetic field powered RFIDs transmit maybe 128 bits of payload,
not thousands and thousands of bits which would be enough to include
addresses, names, useful biometric data and so forth ?

For many if not most applications (inventory control and
tracking) a 128 bit unique serial number is enough - are the passport
and driver's license (soon apparently to be the same thing here in the
USA at least in respect to an internal passport required for travel on
public transportation) applications of RFID actually intended to allow
reading tens of kilobytes of data or just a unique serial that can be
used as a key in an on line database system ?

The signaling reliability problem of successfully transmitting
say 10 or 100 kb of data error free (enough for reasonable info about
someone and some biometric measurements) is quite different from
repeating  128 bits over and over and over until the reader succeeds in
making the FEC and checksums work for a couple of reads out of thousands
of repetitions of the 128 bits.   Detecting a weak repeated short
pattern in noise is much easier than reading thousands of bits with few
or no errors (few enough to be corrected by a reasonable rate FEC).

Whilst unique serial numbers read at a distance could be used in
a variety of rather sinister ways, they aren't equivalent to dumping the
names, addresses, weight, height, birth date, social security number and
biometric signatures of someone in the clear.   And obviously are
much less useful to an unsophisticated thief without access to the
database mapping the serial number to useful information.

And further it seems reasonable to suppose that if larger blocks
of useful data get dumped, it would be encrypted under carefully
controlled keys at least for passport and similar applications.  
Granted that very sophisticated attackers might obtain some of these
keys, but the average thief presumably would not have access to them.

It does occur to me that RFID equipped passports or internal
passports/driver licenses (your papers please) COULD be equipped with
some kind of press to read switch that would require active finger
pressure on the card to activate the RFID transmitter - this would
leave them disabled and incapable of transmitting the ID when sitting in
someone's wallet or purse.  Aside from very sinister covert reading
applications I cannot think of any reason why a RFID equipped identity
card would need to be readable without the active cooperation and
awareness of the person carrying the card, thus such a safing mechanism
would not be a real burden except to those with sinister covert agendas.

And needless to say, copper screen or foil lined wallets would
become very popular...

   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
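
Added example, not part of the message above or of the list archive: a small model of the reliability argument in the message, comparing a 128-bit serial re-read many times with a payload of tens of kilobits that must decode in one pass. The bit error rate, attempt count, payload size and FEC strength are constructed values chosen for illustration, and bit errors are assumed independent.

```python
"""Short repeated ID vs. long payload over a noisy link (constructed numbers)."""
from math import exp, expm1, lgamma, log, log1p


def p_block_ok(n_bits: int, ber: float, fec_t: int = 0) -> float:
    """Probability that one read of n_bits decodes: at most fec_t bit errors.

    Binomial CDF evaluated in log space so large blocks do not overflow.
    fec_t models an FEC that corrects up to fec_t flipped bits per block.
    """
    if not 0.0 < ber < 1.0:
        raise ValueError("ber must be strictly between 0 and 1")
    total = 0.0
    for k in range(fec_t + 1):
        log_pmf = (lgamma(n_bits + 1) - lgamma(k + 1) - lgamma(n_bits - k + 1)
                   + k * log(ber) + (n_bits - k) * log1p(-ber))
        total += exp(log_pmf)  # underflows harmlessly to 0.0 for tiny terms
    return min(total, 1.0)


def p_any_ok(p_single: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent reads decodes."""
    if p_single >= 1.0:
        return 1.0
    return -expm1(attempts * log1p(-p_single))


def compare(ber: float = 0.02, attempts: int = 1000) -> dict:
    """Constructed scenario: weak link, tag repeats its data `attempts` times."""
    serial_once = p_block_ok(128, ber)                  # checksum only, no FEC
    payload_once = p_block_ok(80_000, ber, fec_t=800)   # 10 KB, FEC fixes 1%
    return {
        "serial_once": serial_once,
        "serial_any": p_any_ok(serial_once, attempts),
        "payload_once": payload_once,
        "payload_any": p_any_ok(payload_once, attempts),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:13s} {value:.3e}")
```

At the same raw error rate the serial number is almost certain to be read within the allotted repetitions while the long payload essentially never decodes, which is the asymmetry the message describes.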

Re: Code breakers crack GSM cellphone encryption

2003-09-08 Thread Dave Emery
On Mon, Sep 08, 2003 at 09:55:41PM +, David Wagner wrote:
> Trei, Peter wrote:
> > Why the heck would a government agency have to break the GSM encryption
> > at all?
> Well, one reason might be if that government agency didn't have lawful
> authorization from the country where the call takes place.
> (say, SIGINT on GSM calls made in Libya)

Just to amplify this a bit, does anyone seriously think the
NSA's satellite and embassy based cellphone interception capability is
primarily targeted against - US - GSM calls ?   Or that they can
routinely get warrants to listen in using the wired tapping
infrastructure in say Russia or France or Iran ?

And for that matter would you want the US government to grant
the Mossad or GCHQ or other allied spy agencies the right to ask for and
use CALEA wiretaps within the US on targets of interest only to THEM who
might well be law abiding US citizens minding their own business (at
least more or less) and not subject to legal US wiretaps ?

It is true that POLICE (eg law enforcement) wiretaps can be
mostly done with CALEA gear (and should be to ensure they aren't done
when not authorized by a suitable warrant), but national security and
intelligence wiretaps are a completely different kettle of fish,
particularly overseas.

And this says nothing at all about the need for tactical
military wiretaps on GSM systems under battlefield conditions when
soldiers' lives may depend on determining what the enemy is saying over
cellphones used to direct attacks against friendly forces.

   Dave Emery N1PRE,  [EMAIL PROTECTED]  DIE Consulting, Weston, Mass 02493
