[IP] Flaw exploited in RFID-enabled passports
Begin forwarded message:
From: Anne & Lynn Wheeler <lynn@xxxxxxxxxx>
Date: October 28, 2006 5:21:16 PM EDT
To: cryptography@xxxxxxxxxxxx
Subject: Flaw exploited in RFID-enabled passports
Flaw exploited in RFID-enabled passports
http://news.com.com/2061-10789_3-6130396.html?part=rss&tag=6130396&subj=news
from above:
Security researchers have released proof-of-concept code that they
say enables an attacker to read the passport number, date of birth,
and passport expiration date from passports with RFID tags enabled.
... snip ...
something similar could be claimed behind the switch-over from x.509
identity certificates
to relying-party-only digital certificates in the mid-90s (i.e.
potentially serious privacy and liability issues)
http://www.garlic.com/~lynn/subpubkey.html#rpo
and as i've pointed out repeatedly, it is trivial to then show that
such relying-party-only digital certificates are redundant and
superfluous.
then from the three-factor authentication model
http://www.garlic.com/~lynn/subintegrity.html#3factor
* something you have
* something you know
* something you are
part of the issue with something like "date of birth" is that it not
only is a privacy issue but it may also represent a serious identity
theft and fraud issue, in part because there is pervasive use of
"date of birth" as part of "something you know" authentication.
if the paradigm was sanitized ... then you might at most have
"something you have" authentication ... i.e. you assert some passport
number which is in turn, digitally signed by some hardware token or
other embedded chip.
http://www.garlic.com/~lynn/subpubkey.html#certless
even simpler, you have anything that asserts some sort of passport
number. the challenger then
does real-time online lookup (using the supplied number) for photo
along with other identifying and/or pertinent information ... and
performs authentication based on the information just looked up. a
person could carry their passport number in some sort of cellphone/
pda ... which requires some response from the owner for it to be
transmitted (in response to a query) ... or alternatively ... as a
barcode pasted to the back of their cellphone.
The online, real-time scenario would even eliminate the person
needing to carry some gov. issued registered document ... just that
they are able to provide the appropriate passport number when
challenged (which is used to do real-time retrieval of the necessary
registered information).
The returned real-time information response can be specific and
limited to the task being performed.
One of the paradigm issues with documents/certificates issued for
purely offline operation ... is a tendency to try and make them
(more) useful for multiple purposes ... which then leads to them
being overloaded with lots of different information for the multiple
purposes. Many times there is real danger that the available
aggregate information is far in excess of what is needed for any
specific task/process. However, it is poor human factors to burden an
individual with a large set of different documents/certificates that
would be exactly specific for any single operation.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo@xxxxxxxxxxxx
Archives at: http://www.interesting-people.org/archives/interesting-people/
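The online, real-time scenario Lynn describes above (a number asserted by a "something you have" token, the relying party looking it up live, and the registry answering with only what the task needs) as an added illustration; this is not code from the original message or from any passport system. The registry record, the purpose table and the HMAC-based challenge-response standing in for a chip signature are all constructed assumptions.

```python
import hmac, hashlib, secrets
from datetime import date

# Constructed sample registry (assumption): the issuer keeps the full record
# online; the holder's token carries only the passport number and a key that
# was registered against that number at issuance (certless: no certificate).
REGISTRY = {
    "P12345678": {
        "name": "A. Example",
        "date_of_birth": date(1980, 5, 17),
        "expires": date(2030, 1, 1),
        "nationality": "XX",
        "photo_sha256": "constructed-placeholder-digest",
        "token_key": bytes.fromhex("00112233445566778899aabbccddeeff"),
    }
}

# Purpose-limited views: each task gets only the fields it actually needs.
# Note that an age check returns a derived flag, never the date of birth itself.
PURPOSES = {
    "border_entry": ("photo_sha256", "nationality", "expires"),
    "age_check": ("over_18",),
}

def token_sign(token_key: bytes, challenge: bytes) -> bytes:
    """Something-you-have proof: the holder's chip answers a fresh challenge.
    HMAC stands in for a real hardware signature (assumption)."""
    return hmac.new(token_key, challenge, hashlib.sha256).digest()

def lookup(passport_no: str, purpose: str, challenge: bytes,
           response: bytes, today: date):
    """Registry side: verify the proof first, then disclose purpose-specific
    data only. Any failure returns None and discloses nothing."""
    rec = REGISTRY.get(passport_no)
    if rec is None or purpose not in PURPOSES:
        return None
    expected = token_sign(rec["token_key"], challenge)
    if not hmac.compare_digest(expected, response) or rec["expires"] < today:
        return None
    dob = rec["date_of_birth"]
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    derived = {**rec, "over_18": age >= 18}
    return {field: derived[field] for field in PURPOSES[purpose]}

def relying_party_check(passport_no: str, purpose: str, token_key: bytes,
                        today: date = None):
    """Full exchange: relying party issues a nonce, the holder's device answers
    it (after the owner approves), and the registry is queried online."""
    today = today or date.today()
    challenge = secrets.token_bytes(16)
    response = token_sign(token_key, challenge)
    return lookup(passport_no, purpose, challenge, response, today)
```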