Earlier this year the UK Passport Service (now the Identity and Passport Service) started to introduce Biometric Passports (pdf link) in an effort to vastly improve the security of the passport system. In their words
To:
• help fight passport fraud and forgery;
• help the public and the UK to fight identity fraud;
• ensure the British Passport stays one of the most secure and respected in the world;
However it seems that according to a report in today’s Guardian that these new ultra-secure passports aren’t all they are cracked up to be and that the security has been severely undermined by a number poor decisions made in the implementation of the system.
Firstly they have opted to use RFID chips to store the data in accordance to standards drawn up by the International Civil Aviation Organization. The use of RFID to store the data is bad enough but the ICAO standard also directs that the key used to access the data should be comprised of , in the following order, the passport number, the holder’s date of birth and the passport expiry date, all of which are contained on the printed page of the passport on a “machine readable zone.”
Bruce Schneier an authority in the area of security has written a number of times about the security wreckage associated with passports containing RFIDs.
• April 28, 2005 RFID Passport Security
• November 03, 2005 The Security of RFID Passports
Including on August 03, 2006 Hackers Clone RFID Passports a very similar hack to the one carried out by Adam Laurie on behalf of The Guardian newspaper.
Most recently Schneier has revealed that The Data Privacy and Integrity Advisory Committee of the Department of Homeland Security has recommended against putting RFID chips in identity cards. Whether the US government heeds this advice is yet to be seen but unfortunately for us in Britain our government has already made the poor choice.
The security measures in place to prevent unauthorized access to the data held on the chip work by creating a encrypted ‘conversation’ between the chip and the reader. Interestingly they have used the Triple DES algorithm for the encryption instead of AES which was introduced to replace Triple DES in 2002 and which is much more efficient. However the choice of algorithm is a secondary concern compared with how it was implemented with a key that is comprised of non-secret information that is published in the passport itself.
As Laurie puts it so eloquently “That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat.”
