Re: Major Malfunction makes the news again

Last week I was speaking at a conference at which a representative of the State Department department for the ePassports was speaking as well.

Short version is that the covers naturally open approximatly 1 inch when layed on a table. A damaged/destroyed RFID tag does not invalidate the passport. The state department won't release the 'independent' NIST test data

Re: Major Malfunction makes the news again

Ah I love the government. Makes me wonder how they ever catch any hackers I mean how stupid do you have to be. If the chip says the same thing as the paper then the chip is there what, because people are to lazy to compare the people to the paper. Plus like I said the chip says the same thing as the paper and really all you've got to do is write your own chip using the clone of the original as the blueprint and you've got the encryption right there because you've already broken it. Makes me want to find a government IT guy and club him over the head until he gets some common sense. What kind scares me though is what's going to happen when the government starts censoring what people are allowed to buy guess that means I'm going to have to start making my own equipment again. All I can hope (I'd pray but I'm not religious) is that there's something MM and that German professor missed like a really complicated water mark or something. Ha here's a thought include a really nasty virus on the chip that currupts the computers BIOS and does a couple high level formats

Almost makes me want to get a passport just to mess with with it.

Re: Major Malfunction makes the news again

It's a HF 13.43 Mhz chip. The specs are all online. The internals are where the voodoo is.

The crypto relies on a procedure to be 'secure'. The passport gets in proximity and is powered. The MRZ (Machine readable zone, the garbled text stuff at the bottom of the ID page) needs to be scanned into the reader that then barfs out a key to the chip that then 'authorizes' it to dump out the contents (which is the same info as what is on the ID page of the passport)

The key is made up of easily obtainable and guessable info.

2 Issues I foresee are:

1. It took alot of teasing to get the info out, but the tag, when powered, still gives out it's collision avoidance ID (google it), which could be uniquely identifying to the person or nationality (as the speaker pointed out, it's not hard to tell nationality by observation). As locals are unlikely to carry RFID passports, one could make the conjecture that a large density of tags means a number of tourists are nearby, and could signal..... whatever.

2. Unconfirmed reports are that the photo contained on the passport RFID tag is not defaced. The digital photo printed on the ID card page gets embossed to make sure you can't easily substitute a new photo. The rumor is that the photo on the US passports is *NOT* defaced/embossed, thus giving a crook a pristine phot with which to work.

You write a book and you learn a few things. Now buy the damn thing at the link below!

Re: Major Malfunction makes the news again

I agree about the governments ignorance, but you know what they say: ignorance is bliss. By the way about building your own hardware, do you know of any good FREE tutorials? (I'll end up googleing it anyway but I figured I might be able to kill two birds with one stone here.) I also like your idea about the BIOS corrupter and the high level formats it's quite classy. If you put some sort of delay on it you could be on your plane and out of the country before it hit or you could sit and watch as the frustrated worker continues to reboot his/her machine but to no avail.

Re: Major Malfunction makes the news again

You really shouldn't do that renderman. I find it really creepy when someone know what I'm about to do before I do it.

Re: Major Malfunction makes the news again

One of the colleges I work with had an article this week in their campus paper about the new e-passports... There was a quote from the local airport official that stated the advantages of the chip and that it would be "impossible to replicate"

Re: Major Malfunction makes the news again

Correct me if I'm wrong, but don't quite a few members here work for the government's?

Maybe not some 007 job, but doing things like contracted design work etc..

Just seems kind of funny that the people with the ability to influence change are criticizing the people with the ability to influence change.

I'd be interested in seeing a secure system for airports. Not sure if I've ever seen any kind of system that didn't have vulnerabilities, but supposedly they exist.

Maybe one of the authors who write books on vulnerabilitys in other designs could prove that there is such thing as a secure system one day by designing a system that doesn't have security holes. Then selling the practical system to an international medium, so people the world over can be secure, and not have to worry about anyone finding glitches that are the result of the creators mistakes.

I'm sorry if I hurt anyones feelings, but it just seems that none of the enlightened people are putting any effort into the defense half of the security spectrum. Could it be that they're scared someone will expose insecurity in there creation's?

The way people present findings is in the context that they could of done it better. If you made a system where all private data was held in a humans mind you'd have people chasing them around with electrodes, and surgical tools.

Re: Major Malfunction makes the news again

I'd like to correct myself. I don't think that the government is neccesarily ignorant but I think it underestimates its citizens. It's likely that there will be close to or just as many passport frauds as there were before the e-passports.

Re: Major Malfunction makes the news again

It doesn't really matter. It's all security through obscurity.

If any of the "experts" ever sat down at the metaphorical round table, and designed a system they claimed was totally secure there book sales would drop months later when another "expert" published exploits to vulnerabilities in there system.

Just look at how many "uncrackable" encryption algorithms have been demolished over the past 20 years as a result of some mathematician sitting at his bench working out new equations only to stumble upon something that single handedly converts massive amounts of garble to plain text.

20 year's from now some newly discovered mathematics are probably going to do the same to quantum cryptography. Just because the logic you know now doesn't effect it doesn't mean what you evolve to know decades from now wont.

Saying security is a possibility is the same as claiming to truly understand the universe. I don't care how enlightened you think you are. Most people's self confidence is the product of there short sighted aspirations anyway.

Re: Major Malfunction makes the news again

Yeah VAX I see what your saying your saying. Your saying basically if it can be created it can be destroyed right. So (and here i go again shooting my mouth off) maybe we shouldn't rely on one set of encryption but have have a new and random encryption applied every time cause you said it yourself.

And one of the main rules of a secure password is that it should be changed every 60 days. So what every 60 days(or more depending on how long it takes to recode the new encryption) the encryption should be changed and the old one should be scrapped and replace so people don't have time to crack it? I know it would be a strain and would take a BIG group of mathematicians to do but it's all in the name of security right.

Re: Major Malfunction makes the news again

well, peer review and criticism from knowledgeable colleagues and people with ties to the industry is, in my opinion, a better thing than having random outsiders throwing stones and having an array of half-informed or totally ignorant comments from the peanut gallery of the mainstream every time the news does a story about a security vulnerability.

however, your comments are very loaded and deserve adequate attention on a more point-by-point basis. i'll try to break things down a bit here and i assume others will have similar thoughts to share, many of which (like my own) will address broad themes which, while they may not be the most exacting fit to your specific points, cut to the core of what we all strive towards... better security for everyone.

that's a bit of a fallacy there... the notion of a "secure" system in the manner that you describe seems to be a "totally impervious" system... one in which no holes are found, now or anytime in the future. we all know that they do not exist and can not exist. security isn't about eliminating risk, it's about adequately assessing and predicting risk, then mitigating and minimizing said risk.

there are, in fact, systems that do exist now which can do an absolutely outstanding job of providing physical security in terms of area access and weapons screening... just look at DoD facilities, casinos, etc. however, all this security comes at a cost... there are financial costs of design, implementation, training, etc. there are also non-fiscal "costs" of use in terms of hassles, delays, and general dissatisfaction on the part of the public. you can tell someone that they aren't getting through the doors of the pentagon without passing through various procedures and checkpoints... if they don't like it they don't have to work there. you can't just outright tell airline passengers that they must blindly accept all the delays and intrusions of such a system, however. an 80-year-old grandmother has the right to travel without being subjected to overly-excessive security provisions.

ah, now here is a whole separate can of worms. designing a security solution is in many ways wholly unrelated to selling said solution and getting it accepted and implemented.

realize... there are generally three parties (at a minimum) who are represented in this sort of relationship:

1. those who designed a security product/system
2. those who are in charge of providing "security"
3. those who are subjected to / affected by / allegedly "protected" by said security

usually -- indeed... i would say always -- the values and goals of all three parties are not the same.

in terms of airport security, designers want to make something that is cheap on paper (so that people will buy it) and even cheaper to produce (so that the designers make a profit)... the people in charge of adopting it want it to be visible more than they want it to be effective (because "security theater" is far better for one's public image than most real security)... and the public is generally split between wanting to "feel" safe but not wanting to have it cost them anything in additional fees or delays during check-in and travel.

in my opinion, the biggest problem with security comes down to group #2 in my list above... those in charge of adopting it and implementing it. these people are generally the most conscious of costs (and how to reduce them by cutting every goddamn corner possible) and do everything in their power to keep group #3 misinformed and placated while simultaneously sending the message to everyone in group #1 that designing phony security is a great way to win contracts but designing real security is a great way to wind up out of business.

you want my quick and dirty run down of a "highly secure" solution to this one, explicit situation? (air travel) ok, here goes... i highly encourage others to further develop this theme in their own posts.

---- --- -- -[ Deviant's Secure Air Travel System ]- -- ---- ----

1. key above all things as follows: prevent the threat of planes being hijacked or blown up in the air. all other concerns are secondary. that means that stopping drug smuggling (or any other smuggling) should get almost zero consideration. airlines should not be in charge of enforcing duty taxes... that's the job of the Customs department. they can figure that shit out themselves.

2. travelers should not only have the right to travel anonymously... but ID should never be part of the check-in process. by removing identification we totally eliminate the possibility of "watch lists" or "cleared traveler lists" and any other similar bullshit. such databases are nothing but a means to disrupt the lives of law-abiding citizens while simultaneously being a point of weakness to be potentially exploited (you think terrorists haven't already started to learn what it takes to get on the "trusted traveler list?) assessing whom to subject to additional scrutiny or security screening should be handled both with random checks as well as methods like behavioral profiling and other tecniques which have been shown to be far more advanced and accurate.

3. security checkpoints should concern themselves exclusively with keeping items off planes that are actually dangerous to have. liquids, blades, tools, lighters... all of these make almost zero impact in the security equation if they are possessed by passengers in the cabin. i'm alright with firearms being checked and stowed as baggage. potentially explosive compounds (in hazardous amounts) are fine to be excluded from the plane entirely.

add up those three points and you can already get warmed up to take a few very powerful swings as a devil's advocate against me...

"under your system, osama bin laden could be the passenger seated next to you with a lighter and a box cutter in his pocket and you wouldn't even know it!"

yeah, and your point is what, exactly? he can't get into the cockpit because the doors are all (or nearly all) reinforced now and a box cutter won't do shit against steel. he can't bring down the plane, either... what's he gonna do? use his lighter to ignite an airline bottle of Bacardi 151? he can flambée his in-flight meal but he can't blow apart the fuselage.

- -- --- ----

like i said... this is a very complex issue with a whole lot of multifaceted answers. security isn't about wielding the flaming sword of the almighty, smiting down all those who could ever think to threaten you. security is about avoidance, deterrence, and de-escalation of risk. it's at its best when practiced completely in the open, freely criticized by experts and lay people alike... and without properly defined goals and priorities, anything that someone designs is likely dead on arrival.

that's the main reason i feel we are not secure today... so many of our solutions are designed with social control in mind as opposed to risk management. then they are implemented and carried out in secret, with little or no opportunity for people to actually identify and fix what's broken.

Re: Major Malfunction makes the news again

Deviant hit the nail on this one quite well, where the security theater becomes more important than the actual security metric.

One comment is that by removing the need for ID, everyone is on the same level and treated as the same amount of threat. This means that logic can pervail and you can inspect nervous guy #1 more closely, rather than trying to bar a six month old baby whi's name shows up on some list.

Arguements aside, we can all agree that poking holes is easier than designing the whole thing. Problem becomes when complacency and general half assed 'ness comes into play.

The current street value of an american passport is about $60-80,000. For a crook to forge and sell 10 passports, that's a buttload of money. It's worth his effort to dump $100K into forgery R&D. Against this kind of well funded adversary, 'good enough' should not enter into the debate. However it seems that it has.

The original ICAO specs for biometric passports did not specify contactless chips. They specified the amount of memory, acceptable biometrics, how to store them, etc. but the interface was left to member countries. It was the US that arm twisted other countries into adopting RFID.

At the time of the original spec, there were plenty of *contact* based technologies that would have worked but were not selected. Embedded smart chips, ibuttons, and even some more exotics were possible, yet they selected RFID and introduced a whole host of problems they have been trying to patch ever since. With a contact based system, you have no radio leakage and since you have to hand the passport to the border guard anyways, no loss in productivity or effeciency.

My quick 'n dirty secure solution:

- Smart card chip embedded in the inside back cover
- Hand the passport to the border guard who inserts it into a reader
- PKI handshake, dump cryptographic signed and encrypted data to terminal
- Terminal does decryption (so key never leaves the terminal)
- Information is presented on screen for verification against printed info and person
- Passport is returned and decrypted info is not stored on the reader/terminal

To clone the passport, you would need to take physical posession of the passport to read the info. No radio leakage of information, and depending on how you setup the system, the chips could be upgradable with new crypto and/or keys should the system be comprimised.

This system is not unreasonably complex or expensive. It meets ICAO criteria, and is significantly more secure. The tin foil hat side of my brain asks why they did not go further and use a contact system, or use a metal shield that stays closed at the very least. Why was the deployed implementation 'good enough'

Re: Major Malfunction makes the news again

that sort of questioning is what keeps me up occasionally at night and makes my head ache... for me it comes down to the debate of "are they really that malicious and power mad?" versus "are they really that stupid and cheap?"

on the one hand, we have the possibilty that the government intentionally adopts weak security measures (at least as far as protecting citizens is concerned) so that they remain confident in their ability to break them / compromise them / etc. is someone in the DoD or in a shadow department of the executive branch actually contemplating a world where federal monitoring devices are installed in every "Don't Walk" sign which employ high sensitivity RFID technology in order to track and monitor as many citizens as possible? this remains a highly unlikely situation, and it would be one that's rather easy (at least for a skilled subculture like ours) to counteract to one degree or another. but it's the scarier of the two possibilties.

on the other hand, we have the possibility that the government is just wildly ignorant of security matters, listening to the testimony and advice of hand-picked appointees as opposed to requesting comments and input from the whole secuirty community. beholden to american firms (and let's face it, you can see how RFID and BlueTooth are two technologies that the western tech sector is heavily pimping these days) the government adopts new systems based on marketing and potential sales dollars to their campaign donors. this scenario is more likely, and perahps less scary (which is worse... ignorance or malice on the part of authority figures?) but is more likely to result in damage, compromise, and increased risk in the short term.

Re: Major Malfunction makes the news again

Deviants procedure is compromised when he turns most of the detailed work load over to third party's.

Rendermans idea is an good security through obscurity method that is slightly more difficult to intercept than the whole RFID procedure.

Even without the RF transponder the chip still emits EMI. The fact that it can execute instructions actually makes it an even bigger threat though. Also smart chips can often be dumped, and cloned.

Even though the key is stored in the airport terminal doesn't mean the data is safe. It all depends on the encryption scheme, and how much computing power it'd take to do a good cryptanalysis on the encrypted data. The potential attacker is probably going to have some good resources in the computing department. He/She may even work at a place with a mainframe. I know some of the Pakistanis here in NC that have been through terrorists camp's hold highly privileged positions at Microsoft...just kidding, or am I!?

As for the visual data confirmation on screen I'll make a broad reference to the voter machine audits.