Flaw exploited in RFID-enabled passports

Anne & Lynn Wheeler lynn at garlic.com
Sat Oct 28 17:21:16 EDT 2006


Flaw exploited in RFID-enabled passports
http://news.com.com/2061-10789_3-6130396.html?part=rss&tag=6130396&subj=news

from above:

Security researchers have released proof-of-concept code that they say enables an attacker to read the passport number, date of birth, and passport expiration date from passports with RFID tags enabled.

... snip ...

something similar could be claimed behind the switch-over from x.509 identity certificates to relying-party-only digital certificates in the mid-90s (i.e. potentially serious privacy and liability issues)
http://www.garlic.com/~lynn/subpubkey.html#rpo

and as i've pointed out repeatedly, it is trivial to then show that such relying-party-only digital certificates are redundant and superfluous.

then from three factor authentication model
http://www.garlic.com/~lynn/subintegrity.html#3factor

* something you have
* something you know
* something you are

part of the issue with something like "date of birth" is that it not only is a privacy issue but it may also represent a serious identity theft and fraud issue, in part because there is pervasive use of "date of birth" as part of "something you know" authentication.

if the paradigm was sanitized ... then you might at most have "something you have" authentication ... i.e. you assert some passport number which is in turn, digitally signed by some hardware token or other embedded chip.
http://www.garlic.com/~lynn/subpubkey.html#certless

even simpler, you have anything that asserts some sort of passport number. the challenger then does real-time online lookup (using the supplied number) for photo along with other identifying and/or pertinent information ... and performs authentication based on the information just looked up. a person could carry their passport number in some sort of cellphone/pda ... which requires some response from the owner for it to be transmitted (in response to a query) ... or alternatively ... as a barcode pasted to the back of their cellphone.

The online, real-time scenario would even eliminate the person needing to carry some gov. issued registered document ... just that they are able to provide the appropriate passport number when challenged (which is used to do real-time retrieval of the necessary registered information).
The returned real-time information response can be specific and limited to the task being performed.

One of the paradigm issues with documents/certificates issued for purely offline operation ... is a tendency to try and make them (more) useful for multiple purposes ... which then leads to them being overloaded with lots of different information for the multiple purposes. Many times there is real danger that the available aggregate information is far in excess of what is needed for any specific task/process. However, it is poor human factors to burden an individual with large set of different documents/certificates that would be exactly specific for any single operation.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
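The online, real-time challenge described in the post above (passport number released from a token only with the owner's approval, signed challenge verified against a key registered at enrollment with no certificate, registry reply limited to the task at hand), as an added example that is not part of the original message or of any real passport system. Assumptions: Ed25519 stands in for the token's signature scheme, the two purposes (`age-check`, `border`), the field names, the birth-year-only age rule and all enrollment data are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Purpose names the task the challenger is performing; the registry
// returns only the fields that task needs (assumed purposes, not a standard).
type Purpose string

const (
	PurposeAgeCheck Purpose = "age-check" // e.g. age-restricted purchase: adult or not
	PurposeBorder   Purpose = "border"    // e.g. border control: photo and validity
)

// record is the registry's full enrollment record. It never leaves the registry whole.
type record struct {
	pub       ed25519.PublicKey // registered at enrollment; no certificate involved
	name      string
	birthYear int
	expiry    int
	photoHash string
}

// Registry is the authoritative online database keyed by passport number.
type Registry struct{ records map[string]*record }

func NewRegistry() *Registry { return &Registry{records: map[string]*record{}} }

// Enroll stores the holder's token public key alongside the identity data.
func (r *Registry) Enroll(number string, pub ed25519.PublicKey, name string, birthYear, expiry int, photoHash string) {
	r.records[number] = &record{pub, name, birthYear, expiry, photoHash}
}

// Lookup is the real-time query. It checks the token's signature over the
// challenger's nonce and purpose, then returns only what that purpose needs.
// Date of birth and name are never part of any reply.
func (r *Registry) Lookup(number string, purpose Purpose, nonce, sig []byte, currentYear int) (map[string]any, error) {
	rec, ok := r.records[number]
	if !ok {
		return nil, errors.New("unknown passport number")
	}
	if !ed25519.Verify(rec.pub, challengeBytes(number, purpose, nonce), sig) {
		return nil, errors.New("signature does not verify against registered key")
	}
	switch purpose {
	case PurposeAgeCheck: // year-granularity age rule, a simplification for the example
		return map[string]any{"adult": currentYear-rec.birthYear >= 18}, nil
	case PurposeBorder:
		return map[string]any{"photo_hash": rec.photoHash, "valid": rec.expiry >= currentYear}, nil
	}
	return nil, errors.New("unknown purpose")
}

// Token models the holder's hardware token or phone: it holds the private key
// and releases the passport number only when the owner approves the request.
type Token struct {
	number string
	priv   ed25519.PrivateKey
}

// NewToken generates a fresh key pair; the public half is what gets enrolled.
func NewToken(number string) (*Token, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &Token{number: number, priv: priv}, pub
}

// Respond signs the challenger's nonce bound to this number and purpose.
func (t *Token) Respond(purpose Purpose, nonce []byte, ownerApproved bool) (string, []byte, error) {
	if !ownerApproved {
		return "", nil, errors.New("owner declined to release passport number")
	}
	return t.number, ed25519.Sign(t.priv, challengeBytes(t.number, purpose, nonce)), nil
}

// challengeBytes length-prefixes each field so that the signed message
// cannot be reinterpreted with a different number/purpose/nonce split.
func challengeBytes(number string, purpose Purpose, nonce []byte) []byte {
	var b []byte
	for _, f := range [][]byte{[]byte(number), []byte(purpose), nonce} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		b = append(append(b, n[:]...), f...)
	}
	return b
}

// NewNonce returns 16 random bytes so a captured response cannot be replayed.
func NewNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Challenge runs one exchange end to end: challenger nonce, token response,
// registry lookup, task-limited reply.
func Challenge(reg *Registry, tok *Token, purpose Purpose, currentYear int, ownerApproved bool) (map[string]any, error) {
	nonce := NewNonce()
	number, sig, err := tok.Respond(purpose, nonce, ownerApproved)
	if err != nil {
		return nil, err
	}
	return reg.Lookup(number, purpose, nonce, sig, currentYear)
}

func main() {
	reg := NewRegistry()
	tok, pub := NewToken("P1234567")
	// Constructed sample enrollment; none of this is real data.
	reg.Enroll("P1234567", pub, "A. Holder", 1980, 2030, "sha256:0123abcd")
	for _, p := range []Purpose{PurposeAgeCheck, PurposeBorder} {
		res, err := Challenge(reg, tok, p, 2006, true)
		fmt.Printf("%-9s -> %v (err=%v)\n", p, res, err)
	}
	_, err := Challenge(reg, tok, PurposeBorder, 2006, false)
	fmt.Println("owner declined ->", err)
}
```

Because the purpose is part of the signed challenge, a response captured during an age check cannot be replayed to the registry as a border query, and because the registry decides what each purpose gets back, an age check never sees the date of birth that the post identifies as the "something you know" fraud risk.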