Satch
MB Enthusiast
- Joined
- Nov 24, 2003
- Messages
- 3,508
- Location
- Surrey
- Car
- S211 E320Cdi Avantgarde Estate & Toyota Land Cruiser
And this is supposed to help?
Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did (we) find it so easy to break the security codes?
"I was amazed that they made it so easy, the information contained in the chip is not encrypted, but to access it you have to start up an encrypted conversation between the reader and the RFID chip in the passport.
The reader - I bought one for £250 - has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it.
The Home Office has adopted a very high encryption technology called 3DES - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."
"If you can read the chip, then you can clone it," he says. "You could use this to clone a passport that would exploit the system to illegally enter another country."
The Home Office insists that UK passports are secure and among the best in the world, but not everyone agrees. Last week, an EU-funded body entitled the Future of Identity in the Information Society (Fidis) issued a declaration on machine-readable travel documents such as RFID-chipped passports and ID cards. It said the technology was "poorly conceived" and added: "European governments have effectively forced citizens to adopt new ... documents which dramatically decrease their security and privacy and increase risk of identity theft."
http://www.guardian.co.uk/idcards/story/0,,1950226,00.html
Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did (we) find it so easy to break the security codes?
"I was amazed that they made it so easy, the information contained in the chip is not encrypted, but to access it you have to start up an encrypted conversation between the reader and the RFID chip in the passport.
The reader - I bought one for £250 - has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it.
The Home Office has adopted a very high encryption technology called 3DES - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."
"If you can read the chip, then you can clone it," he says. "You could use this to clone a passport that would exploit the system to illegally enter another country."
The Home Office insists that UK passports are secure and among the best in the world, but not everyone agrees. Last week, an EU-funded body entitled the Future of Identity in the Information Society (Fidis) issued a declaration on machine-readable travel documents such as RFID-chipped passports and ID cards. It said the technology was "poorly conceived" and added: "European governments have effectively forced citizens to adopt new ... documents which dramatically decrease their security and privacy and increase risk of identity theft."
http://www.guardian.co.uk/idcards/story/0,,1950226,00.html