ePassport tests put biometrics through their paces

Results have emerged from tests held in Prague last week designed to put 'second-generation' electronic passports through their paces, and guess what - no-one failed. The tests are partly designed to address recent security and privacy concerns about electronic passports that feature RFID chips containing biometric data. The …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Do we want this?

    Has anyone actually ever asked if we want this, we the citizens of the EU, as opposed to the vendors and the US?

    I'm quite happy to hand my passport to a man at the gate who reads it, I really don't fancy a passport that talks electronically to readers without my intervention. What for example stops readers being placed in more places than the border? It seems to me that the control I previously had over handing over my id has gone, I no longer HAND my id over, it is TAKEN from me. So what would stop police setting up id checks at random locations for example? Or the UK going all Jacqui on us and building a tracking database of these ids monitored at lampposts?

    Call me old fashioned, but we had a system that worked and was cheap and was accepted and some foreign power orders the EU to change it, and the EU takes its orders, like an obedient servant, but at no time have the people they're supposed to represent ever been consulted.

    Kind of like ACTA, what the hell is going on when a treaty is known to a foreign government but not to the citizens the Commission represents?

  2. SImon Hobson Bronze badge

    Oh great, more fantasy science !

    "... would not be able to get at the private key a second-generation passport contains"

    So let's get this right, every chip needs to know the public key used by every reader - which means that the reader key is effectively in the public domain (or will be soon). So no security there then.

    And every reader will need access to the public key for every passport. I think we'll soon see how well that works !

  3. Anonymous Coward

    This is fantastic news - for passport companies

    If they keep changing the biometrics every couple of years, they'll soon get into the IT mindset of forcing you to upgrade your passport regularly or be deemed a security risk and be doomed to stay in this crappy country.

    'Sorry luv, your passport's only the Wombat Edition with facial, fingerprint, retina and earlobe analysis. We're only allowing Bushbaby Xtreme with arse-reading on the plane today. Good news though, we're offering a special upgrade price of just £500 and a free cavity search.'

  4. Anonymous Coward

    SHA 1 has been sort of broken already

    http://ec.europa.eu/justice_home/doc_centre/freetravel/documents/doc/c_2006_2909_en.pdf

    Reading the spec.

    1. Contains a photograph, i.e. machine biometric not defined, they just slapped a photo on it and hope the face comparison algos will get better over time beyond today's simple ratios of measurable distances on the face.

    2. Fingerprints, stored as Images (again WTF?)

    3. Certificates propagate and refresh based on time, (yuck, perhaps stale data within the expired time).

    4. I'm digging into the data signing, but the document I find says they're using SHA-1, for data signing, but SHA-1 has been broken, or at least reduced to where it can be broken by brute force by people who want to break it. Is that correct? Is the data signing algo based on SHA-1?

    They say it's built on this document and version from 2004:

    http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf

    SHA-1 brute force reduced from 2005:

    http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

  5. Anonymous Coward
    Alert

    I've just grown a beard

    Have I invalidated my face?

  6. Anonymous Coward
    Joke

    @ I've just grown a beard

    Growing facial hair (without first making a written application to US Government for permission) will undoubtedly result in a custodial sentence.

    I suggest you dig out those razors.

  7. Anonymous Coward
    Paris Hilton

    Homemade travel documents

    Yes, these bio-enhanced wireless passports would be a great idea if our respective governments controlled 100% of the manufacture of the component bits.

    How-evah ... and nevertheless ... here in the States, the "secure" paper we print our passports on is manufactured in the Far East, and so are the majority of semiconductors that would be used.

    Just how secure do you think these electronic devices would REALLY be, even if we did manage to implement hardware that resolved merely the existing encryption hacks?

    Enabling terrorists to freely cross borders with hacked 'secure' documents is in a whole different realm than using hacked Metro passes.

    Paris, because she likes a free ride too.

  8. Ben
    Stop

    For crying out loud

    Governments (not the people we elect as "representatives" but the institutions that govern us) operate over decades.

    It's not about "technical feasibility", it's about "do we want it" / "can we allow it to happen?".

    The technological problems are far from insurmountable - even if it takes decades - the question is, do we want to go down that road?

  9. Anonymous Coward
    Happy

    @AC 12:15

    On 1, so all passports already contain a biometric, yet there was no fuss for the last 50 years or so since that was introduced. Machines are already pretty good at spotting facial geometry better than humans. Good luck with moving your eye sockets around.

    On 2, that'll be some new form of storage then; I always thought it was a series of 1s and 0s. Most mark readers are looking for inflection points and then produce a model based on that and the private key. Scanner's public key then used to decrypt and look for good enough but not perfect match between reading and value on card (perfect match implies a replay attack).

    On 4, depends if the interaction with the card is timestamped or not; if the data is only accessible for 5 seconds or so, going to have to be pretty lucky to crack it in that time period.

  10. Luther Blissett

    Guess what - no-one failed

    I'm with you on this. Right fellow pigs, race you to the trough. On your marks, get set,...

  11. Simon

    10 years is a long time

    The biggest issue with RFIDs in this application is that it takes a couple of years to define a standard then that standard of encryption has to hold up for at least 10 years. This is a VERY long time in Moore's Law terms, even if sensible algorithms are chosen, there are limits to what can be done on an RFID for reasonable cost. By the tail end of these passports' validity people are going to be screaming about how easy to hack they are.

  12. Kaitlyn Kincaid
    Paris Hilton

    what happens when one matches and the other doesn't?

    I am currently waiting for my new passport to come in (I'm Canadian), the one I have just expired, but even before that it was unusable due to the fact that I no longer look a THING like my photo. I've lost nearly 100lbs, grew my hair over a foot, dyed it... most people would never buy that the person in my passport is really me (and it has caused issues flying domestically).

    So my question is, with all these biometrics, what happens when my fingerprints, or iris scan is positive but I look nothing like the photo in the file? Which one 'wins'?

    Paris, cause I'm as confused by this as she is.

  13. Anonymous Coward
    Joke

    no-one failed

    Just think... if engineers built skyscrapers the way they built ID systems, the Twin Towers would still be standing!

  14. Patrick O'Reilly

    That's nice...

    but when I have to get a new passport it's still going to have a nasty collision with a sledgehammer.

    Whoops look at me, butterfingers...

    what happens if it won't scan? Shoot me?

  15. Moss Icely Spaceport
    Black Helicopters

    Move along Citizen....

    Pass right through the red light, there's nothing to fear.

    Hurry now....

  16. Pascal Monett Silver badge

    higher-entropy biometrics ?!?

    Dear God, it seems that there's a new entry in the BullShit Generator. Either that, or the BSG has had a close encounter with the LHC.

    If anything, these new biometrics are going to make things easier for high-tech criminals (forget terrorists - they don't need to pass inspection, they're already on site).

    I can't wait for the day when some border control officer is going to be strung up as a scapegoat for letting a dangerous criminal through.

    "Do you acknowledge having allowed Mr. PsychoticMurderer to enter US territory ?"

    "Well, yes, but his passport said he was Mr. NiceGuy."

    "But his face, did you not look at his face on the Wanted poster next to the window ?"

    "Yes but his passport said he was really Mr. NiceGuy ! It checked out ! Honest !"

    All the biometric craze is going to do is give properly-equipped criminals gold-plated, steel-armored excuses to get into whatever country they want. The more tech we add, the more we risk blinding border controls with over-hyped "impossible to falsify" claims.

    Remember : the Titanic was there first.

  17. Peter Gold badge

    But why no shielding ?!?

    What I want to know is why the EU has not mandated shielding in the passport cover? It means any idiot can read the chip from a distance with minimal effort. I don't know what the coding standards are, but if the RFID allows identification of country of origin, the door is open to construct hidden bombs that only go off if enough, say, French passports were in the proximity.

    One benefit, though. If you work with comms equipment the lack of shielding may "accidentally" result in a toasted RFID chip. Not my fault, gov..
