May 29, 2017

U.S. Considering Wireless Passport Protection

The U.S. government is “taking a very serious look” at improving privacy protection for the new wireless-readable passports, according to an official quoted in a great article by Kim Zetter at Wired News. Many people, including me, have worried about the privacy implications of having passports that are readable at a distance.

The previously proposed system would transmit all of the information stored on the inside cover of the passport – name, date and place of birth, (digitzed) photo, etc. – to any device that is close enough to beam a signal to the passport and receive the passport’s return signal.

The improved system, which is called “Basic Access Control” in the specification, would use a cryptographic protocol between the passport and a reader device. The protocol would require the reader device to prove that it knew the contents of the machine-readable text on the inside cover of the passport (the bottom two lines of textish stuff on a U.S. passport), before the passport would release any information. The released information would also be encrypted so that an eavesdropper could not capture it.

I have not done a detailed security analysis of the crypto protocols, so I can’t vouch for their security. Juels, Molnar, and Wagner point out some protocol flaws (in the Basic Access Control protocol) that are probably not a big deal in practice. I’ll assume here that the protocols are secure enough.

The point of these protocols is to release the digital information only to an entity that can prove it already has had access to information on the inside of the passport. Since the information stored digitally is already visible (in analog form, at least) to somebody who has that access, the privacy risk is vastly reduced, and it becomes impossible for a stranger to read your passport without your knowledge.

You might ask what is the point of storing the information digitally when it can be read digitally only by somebody who has access to the same information in analog form. There are two answers. First, the digital form can be harder to forge, because the digital information can be digitally signed by the issuing government. Assuming the digital signature scheme is secure, this makes it impossible to modify the information in a passport or to replace the photo, steps which apparently aren’t too difficult with paper-only passports. (It’s still possible to copy a passport despite the digital signature, but that seems like a lesser problem than passport modification.) Second, the digital form is more susceptible to electronic record-keeping and lookup in databases, which serves various governmental purposes, either legitimate or (for some governments) nefarious.

The cryptographic protocols now being considered were part of the digital-passport standard already, as an optional feature that each country could choose to adopt or not. The U.S. had previously chosen not to adopt it, but is now thinking about reversing that decision. It’s good to see the government taking the passport privacy issue seriously.


  1. Anonymous says:

    That only seems to solve one half of the problem, though. Sure, Joe Identity Thief could not just collect passport data by walking through a crowd with the right equipment, but the state would probably still be able to read passports from a distance – so, for example, the police could gather the personal information of everyone participating in a demonstration, without the affected people even realizing.

    If passports weren’t readable at all without some sort of physical contact, this problem would be avoided, too.

  2. That is less of a problem than one might think, because of the way the protocol is designed. In your scenario, the police have to guess which passport you have, and then run the authentication protocol. If they guess right, then their guess is confirmed. If they guess wrong, then the protocol fails and they learn nothing. And note that it takes a noticeable amount of time to run the protocol.

  3. Peter Trei on the IP list brings up the point that if the RFIDs respond in the negative (or respond at all to a bogus query) they could be use to at least know that you have an American passport… which could be used to trigger bombs and such. Is this much of a worry with this protocol?

  4. If a reader fails to guess the device’s crypto key, then the reader learns only that some device is present that implements the protocol. The reader doesn’t learn anything that lets it tell apart different devices, or categories of devices, that implement the protocol.

    The protocol may be implemented by U.S. passports. It will apparently be implemented by passports of some other countries, including some in Europe. It may be implemented by devices implanted in things other than passports, as well.

  5. Cypherpunk says:

    I never really believed in the scan-the-crowd attack, the fourth power distance effect is prohibitive, plus they said some time back they were going to put wire mesh in the covers. Nor did the eavesdrop-on-customs attack seem credible, because of the difficulty of smuggling the required equipment into the heavily secured vicinity within the airport.

    That leaves the cloning attack, where someone who gets access to the passport can copy it. Adding RFIDs (even without encryption) helps against this, otherwise the attackers could replace the photo. But attackers could still choose a victim who physically resembled one of their agents, and succeed even with an exactly cloned passport.

    The encryption will help somewhat against this, because it relies on a secret key. However that key must be built into every passport reader, equipment which is dispersed globally. Once that key leaks, encryption will no longer defend against cloning attacks.

    In the end, I don’t see that this adds much security against realistic attacks.

  6. Still, why RFID? So, they’ve managed to “fix” some of the privacy issues that RFID introduced. But your previous posts persuaded me, at least, that a contact-based solution is preferrable. Is there any legitimate benefit to any kind of broadcast protocol over a contact solution?

  7. Anonymous says:

    The inverse square law only applies if the broadcast is omnidirectional. As a comparison, a 5 watt light bulb is harmless but a 5 watt laser can cause serious burns. For crowd scanning a cone shaped transmission would be much more efficient. Since you only need a radio pulse and not a continious transmission I would also use a capacitor bank attached to a portable generator for power. It would take a good portable generator less than 15 minutes to charge up a capacitor bank capable of producing one megawatt-second worth of power to the transmitter.

  8. Cypherpunk says:

    The inverse square (or actually in this case, inverse fourth power) law still applies even when a directional antenna is used. The antenna adds a certain amount of gain but the signal strength will still go as the 4th power of distance.

    As far as irradiating the crowd with a megawatt microwave burst, I suspect that might have some unpleasant side effects.

  9. Anonymous says:

    If the inverse fourth power law still applies even to a perfectly directional antenna then why can a five watt laser cause severe burns at a fair distance but a five watt light bulb can’t do anything?

  10. Randy Zagar says:

    Because merely saying that some quantity is proportional to an inverse fourth power law is not enough. There’s always an implicit constant of proportionality to consider.

    If P = A / r^4, then it makes a big difference if A is 10,000 instead of 0.00001.

  11. “If the inverse fourth power law still applies even to a perfectly directional antenna then why can a five watt laser cause severe burns at a fair distance but a five watt light bulb can’t do anything?”

    Because the whole five watts are, in the case of a laser, all focussed on one point, whearas the 5-watt lightbulb spreads it over a large area. In both cases, though, the power of the light decreases proportionally to the square of the distance.

    Looked at another way, if you cranked the power of the laser down so that it was emitting the equivalent amount of light that a similar-sized point on the light-bulb emitted, they’d both have the same power at any given distance.