Tuesday, November 15, 2005

RFID chips in passports

In his latest Crypto-Gram, Bruce Schneier offers praise for State Department officials who have responded sensibly and responsibly to two specific criticisms of the proposal to put RFID chips in US passports. He still has serious concerns about the plan, however:

"RFID passports will now include a thin radio shield in their
covers, protecting the chips when the passports are closed. Although
some have derided this as a tinfoil hat for passports, the fact is the
measure will prevent the documents from being snooped when closed.

However, anyone who travels knows that passports are used for more than
border crossings. You often have to show your passport at hotels and
airports, and while changing money. More and more it's an identity
card; new Italian regulations require foreigners to show their
passports when using an Internet cafe.

Because of this, the State Department added a second, and
more-important, feature: access control. The data on the chip will be
encrypted, and the key is printed on the passport. A customs officer
swipes the passport through an optical reader to get the key, and then
the RFID reader uses the key to communicate with the RFID chip.

This means that the passport holder can control who gets access to the
information on the chip, and someone cannot skim information from the
passport without first opening it up and reading the information
inside. This also means that a third party can't eavesdrop on the
communication between the card and the reader, because it's encrypted.

By any measure, these features are exemplary, and should serve as a
role model for any RFID identity-document applications. Unfortunately,
there's still a problem.

RFID chips, including the ones specified for U.S. passports, can still be uniquely identified by their radio behavior...

To fix this, the State Department needs to require that the chips used in passports implement a collision-avoidance system not based on unique serial numbers...

The State Department has done a great job addressing specific security and privacy concerns, but its lack of technical skills is hurting it. The collision-avoidance ID issue is just one example of where, apparently, the State Department didn't have enough of the expertise it needed to do this right.

Of course it can fix the problem, but the real issue is how many other problems like this are lurking in the details of its design? We don't know, and I doubt the State Department knows, either. The only way to vet its design, and to convince us that RFID is necessary, would be to open it up to public scrutiny...

Right now the State Department has no intention of doing that; it's already committed to a scheme before knowing if it even works or if it protects privacy."
