Major Malfunction makes the news again


  • VAX_to_PBX
    replied
    Re: Major Malfunction makes the news again

    I agree about Wireless, but transponders aren't like RFID that stores formatted data. They respond with bit streams with the functionality of polymorphism. As for questioning their security, the proof is in the metaphorical pudding in this case. Just look at the results of security research on them by any 3rd party you care to mention. Specifically in vehicles, where they respond to checksums by the car's control modules.

    Even in the best attack scenario known they put up a good defense against dedicated computing.

    WIFI goes along with Biafra's Law: "Give me convenience, or give me death." Of course you probably live in suburbia, so no need to explain. Needless to say, a system that requires patience wouldn't be practical in today's world.


  • Voltage Spike
    replied
    Re: Major Malfunction makes the news again

    Originally posted by VAX_to_PBX
    I'd save myself some trouble, and go with Transponders.
    From what I've read, they're RFID ... but they're more obscure, don't deal with collisions well, and, if it matters, are powered by a slightly different energy source. So they're better than "second-generation" two-way authenticated RFIDs how?

    I still agree with others in this thread: wireless is a silly pursuit for this application. If the authorities must have physical access to the passport in order to verify, why is it such a burden for them to hold the passport against a physical-contact system?

    Then there's the fact that authorities can't trust any of the data they're pulling off the passports in the first place...


  • VAX_to_PBX
    replied
    Re: Major Malfunction makes the news again

    I'd save myself some trouble, and go with Transponders. They have no BUS traces to analyze, and no hex dump functions.

    Texas Instruments probably have the best line of glass transponders. Transponders also have a really good track record in the automotive industry. The only vulnerabilities were results of other components. The only successful direct attack ever was by some college students who basically set up a GATE array to do the real time calculations.

    Even if you could do a man in the middle on it you'd have to have a lot of dedicated computing power on the spot with the addition of a short wavelength radio. You'd still get impurities though because the signal is low yield.

    It's also a lot smaller than any chip with the same functionality. It'll fit in a locker key head.


  • renderman
    replied
    Re: Major Malfunction makes the news again

    What's the old adage; "Never attribute to malice what you can attribute to stupidity"?

    We know that security is never perfect. The goal should not be 'un-breakable' but layers that complement each other and frustrate an attacker for a suitably long period.

    In the case of crypto, having an algorithm that can't be brute forced for 20+ years when the useful lifespan of the data is 10 years is an example. A simpler one is having a safe that takes 30 minutes to manipulate, but having a guard come by every 10 minutes.

    In the case of contact based passports, they have a fixed valid lifespan of 10 years, that's the standard to build to. I'm not saying that it's a flawless solution. Power analysis is a fascinating field, and Adi Shamir has been doing some great work with RFID on that. However, direct contact would still be needed to read power levels to get the keys for a single passport. If the data is externally encrypted before being written and no data keys are stored on the passport, an attacker could possibly extract the data, but be up against a second problem of decrypting it.

    Given gov't history of not properly securing the keys to the kingdom, it is likely that the reader keys could be compromised, however, this still only helps the attacker if they get physical possession of the passport. As well, if you have the ability to revoke keys (i.e. update your passport on the way out of the country, at passport office, post office, whatever), you can maintain the system through the 10 years or more and not have to re-tool each time someone screws up. How much do you think it's going to cost in 2 years for the next epassport version once this one is scrapped for whatever reason?

    The contact based solution basically prevents the wholesale collection of passport information and mitigates a lot of the passive attacks. It adds the additional layer of a harder to forge, crypto signed 'page' that has to match up with everything else, but reduces threats to classic problems of pick pocketing, mugging, loss, etc. You're left with classic, well understood problems rather than new unforeseen ones.


  • VAX_to_PBX
    replied
    Re: Major Malfunction makes the news again

    Deviant's procedure is compromised when he turns most of the detailed work load over to third parties.

    Renderman's idea is a good security through obscurity method that is slightly more difficult to intercept than the whole RFID procedure.

    Even without the RF transponder the chip still emits EMI. The fact that it can execute instructions actually makes it an even bigger threat though. Also smart chips can often be dumped, and cloned.

    Just because the key is stored in the airport terminal doesn't mean the data is safe. It all depends on the encryption scheme, and how much computing power it'd take to do a good cryptanalysis on the encrypted data. The potential attacker is probably going to have some good resources in the computing department. He/She may even work at a place with a mainframe. I know some of the Pakistanis here in NC that have been through terrorist camps hold highly privileged positions at Microsoft...just kidding, or am I!?

    As for the visual data confirmation on screen I'll make a broad reference to the voter machine audits.
    Last edited by VAX_to_PBX; November 20, 2006, 08:30.


  • Deviant Ollam
    replied
    Re: Major Malfunction makes the news again

    Originally posted by renderman
    The tin foil hat side of my brain asks why they did not go further and use a contact system, or use a metal shield that stays closed at the very least. Why was the deployed implementation 'good enough'?
    that sort of questioning is what keeps me up occasionally at night and makes my head ache... for me it comes down to the debate of "are they really that malicious and power mad?" versus "are they really that stupid and cheap?"

    on the one hand, we have the possibility that the government intentionally adopts weak security measures (at least as far as protecting citizens is concerned) so that they remain confident in their ability to break them / compromise them / etc. is someone in the DoD or in a shadow department of the executive branch actually contemplating a world where federal monitoring devices are installed in every "Don't Walk" sign which employ high sensitivity RFID technology in order to track and monitor as many citizens as possible? this remains a highly unlikely situation, and it would be one that's rather easy (at least for a skilled subculture like ours) to counteract to one degree or another. but it's the scarier of the two possibilities.

    on the other hand, we have the possibility that the government is just wildly ignorant of security matters, listening to the testimony and advice of hand-picked appointees as opposed to requesting comments and input from the whole security community. beholden to american firms (and let's face it, you can see how RFID and BlueTooth are two technologies that the western tech sector is heavily pimping these days) the government adopts new systems based on marketing and potential sales dollars to their campaign donors. this scenario is more likely, and perhaps less scary (which is worse... ignorance or malice on the part of authority figures?) but is more likely to result in damage, compromise, and increased risk in the short term.


  • renderman
    replied
    Re: Major Malfunction makes the news again

    Deviant hit the nail on this one quite well, where the security theater becomes more important than the actual security metric.

    One comment is that by removing the need for ID, everyone is on the same level and treated as the same amount of threat. This means that logic can prevail and you can inspect nervous guy #1 more closely, rather than trying to bar a six month old baby whose name shows up on some list.

    Arguments aside, we can all agree that poking holes is easier than designing the whole thing. Problem becomes when complacency and general half-assedness comes into play.

    The current street value of an american passport is about $60-80,000. For a crook to forge and sell 10 passports, that's a buttload of money. It's worth his effort to dump $100K into forgery R&D. Against this kind of well funded adversary, 'good enough' should not enter into the debate. However it seems that it has.

    The original ICAO specs for biometric passports did not specify contactless chips. They specified the amount of memory, acceptable biometrics, how to store them, etc. but the interface was left to member countries. It was the US that arm twisted other countries into adopting RFID.

    At the time of the original spec, there were plenty of *contact* based technologies that would have worked but were not selected. Embedded smart chips, ibuttons, and even some more exotics were possible, yet they selected RFID and introduced a whole host of problems they have been trying to patch ever since. With a contact based system, you have no radio leakage and since you have to hand the passport to the border guard anyways, no loss in productivity or efficiency.

    My quick 'n dirty secure solution:

    - Smart card chip embedded in the inside back cover
    - Hand the passport to the border guard who inserts it into a reader
    - PKI handshake, dump cryptographically signed and encrypted data to terminal
    - Terminal does decryption (so key never leaves the terminal)
    - Information is presented on screen for verification against printed info and person
    - Passport is returned and decrypted info is not stored on the reader/terminal

    To clone the passport, you would need to take physical possession of the passport to read the info. No radio leakage of information, and depending on how you set up the system, the chips could be upgradable with new crypto and/or keys should the system be compromised.

    This system is not unreasonably complex or expensive. It meets ICAO criteria, and is significantly more secure. The tin foil hat side of my brain asks why they did not go further and use a contact system, or use a metal shield that stays closed at the very least. Why was the deployed implementation 'good enough'?

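The contact-read check in renderman's list above, sketched as an added example that is not part of the thread: the terminal authenticates the chip blob, decrypts it with a key that exists only in the terminal, compares it with the printed data page, and honours key revocation. The blob layout, field names and sample values are assumptions, and HMAC-SHA256 plus a SHA-256 counter keystream stand in for a real PKI signature and a vetted cipher so the sketch runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32  # assumed blob layout: key_id(1) | nonce | ciphertext | tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode); a real design uses a vetted AEAD.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def issue_blob(key_id: int, enc_key: bytes, mac_key: bytes, record: dict) -> bytes:
    """Issuer side: encrypt the record, then authenticate key id, nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    plain = json.dumps(record, sort_keys=True).encode()
    body = bytes([key_id]) + nonce + _xor(plain, _keystream(enc_key, nonce, len(plain)))
    # HMAC stands in for the issuer's signature; with real PKI the terminal
    # would hold only a verification key for this step.
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


class Terminal:
    """Border terminal: the only place keys live. The chip stores just the blob."""

    def __init__(self, keyring: dict):
        self.keyring = dict(keyring)  # key_id -> (enc_key, mac_key)
        self.revoked = set()

    def revoke(self, key_id: int) -> None:
        self.revoked.add(key_id)

    def check(self, blob: bytes, printed: dict) -> str:
        if len(blob) < 1 + NONCE_LEN + TAG_LEN:
            return "reject: malformed"
        key_id = blob[0]
        if key_id in self.revoked:
            return "reject: key revoked"
        if key_id not in self.keyring:
            return "reject: unknown key"
        enc_key, mac_key = self.keyring[key_id]
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # authenticate before decrypting
            return "reject: authentication failed"
        nonce, ct = body[1:1 + NONCE_LEN], body[1 + NONCE_LEN:]
        record = json.loads(_xor(ct, _keystream(enc_key, nonce, len(ct))))
        mismatched = sorted(k for k in printed if record.get(k) != printed[k])
        # 'record' is a local only: nothing decrypted is kept on the terminal.
        return "accept" if not mismatched else "reject: mismatch in " + ",".join(mismatched)


# Constructed sample keys and record (not real passport data).
KEYS = {1: (b"E" * 32, b"M" * 32), 2: (b"F" * 32, b"N" * 32)}
HOLDER = {"name": "DOE JANE", "number": "X0000000", "expires": "2016-11-19"}

if __name__ == "__main__":
    terminal = Terminal(KEYS)
    blob = issue_blob(1, *KEYS[1], HOLDER)
    print(terminal.check(blob, HOLDER))                            # genuine chip and page
    print(terminal.check(blob, dict(HOLDER, name="ROE RICHARD")))  # altered printed page
    terminal.revoke(1)                                             # key 1 compromised
    print(terminal.check(blob, HOLDER))
    print(terminal.check(issue_blob(2, *KEYS[2], HOLDER), HOLDER))  # chip rewritten under key 2
```

A blob copied byte for byte to another chip still passes this check against a matching printed page, which is why the scheme relies on the copy requiring physical possession of the passport.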


  • Deviant Ollam
    replied
    Re: Major Malfunction makes the news again

    Originally posted by VAX_to_PBX
    Just seems kind of funny that the people with the ability to influence change are criticizing the people with the ability to influence change.
    well, peer review and criticism from knowledgeable colleagues and people with ties to the industry is, in my opinion, a better thing than having random outsiders throwing stones and having an array of half-informed or totally ignorant comments from the peanut gallery of the mainstream every time the news does a story about a security vulnerability.

    however, your comments are very loaded and deserve adequate attention on a more point-by-point basis. i'll try to break things down a bit here and i assume others will have similar thoughts to share, many of which (like my own) will address broad themes which, while they may not be the most exacting fit to your specific points, cut to the core of what we all strive towards... better security for everyone.

    Originally posted by VAX_to_PBX
    I'd be interested in seeing a secure system for airports. Not sure if I've ever seen any kind of system that didn't have vulnerabilities, but supposedly they exist.
    that's a bit of a fallacy there... the notion of a "secure" system in the manner that you describe seems to be a "totally impervious" system... one in which no holes are found, now or anytime in the future. we all know that they do not exist and can not exist. security isn't about eliminating risk, it's about adequately assessing and predicting risk, then mitigating and minimizing said risk.

    Originally posted by VAX_to_PBX
    designing a system that doesn't have security holes.
    there are, in fact, systems that do exist now which can do an absolutely outstanding job of providing physical security in terms of area access and weapons screening... just look at DoD facilities, casinos, etc. however, all this security comes at a cost... there are financial costs of design, implementation, training, etc. there are also non-fiscal "costs" of use in terms of hassles, delays, and general dissatisfaction on the part of the public. you can tell someone that they aren't getting through the doors of the pentagon without passing through various procedures and checkpoints... if they don't like it they don't have to work there. you can't just outright tell airline passengers that they must blindly accept all the delays and intrusions of such a system, however. an 80-year-old grandmother has the right to travel without being subjected to overly-excessive security provisions.

    Originally posted by VAX_to_PBX
    selling the practical system ... so people the world over can be secure
    ah, now here is a whole separate can of worms. designing a security solution is in many ways wholly unrelated to selling said solution and getting it accepted and implemented.

    realize... there are generally three parties (at a minimum) who are represented in this sort of relationship:

    1. those who designed a security product/system
    2. those who are in charge of providing "security"
    3. those who are subjected to / affected by / allegedly "protected" by said security

    usually -- indeed... i would say always -- the values and goals of all three parties are not the same.

    in terms of airport security, designers want to make something that is cheap on paper (so that people will buy it) and even cheaper to produce (so that the designers make a profit)... the people in charge of adopting it want it to be visible more than they want it to be effective (because "security theater" is far better for one's public image than most real security)... and the public is generally split between wanting to "feel" safe but not wanting to have it cost them anything in additional fees or delays during check-in and travel.

    in my opinion, the biggest problem with security comes down to group #2 in my list above... those in charge of adopting it and implementing it. these people are generally the most conscious of costs (and how to reduce them by cutting every goddamn corner possible) and do everything in their power to keep group #3 misinformed and placated while simultaneously sending the message to everyone in group #1 that designing phony security is a great way to win contracts but designing real security is a great way to wind up out of business.

    you want my quick and dirty run down of a "highly secure" solution to this one, explicit situation? (air travel) ok, here goes... i highly encourage others to further develop this theme in their own posts.

    ---- --- -- -[ Deviant's Secure Air Travel System ]- -- ---- ----

    1. key above all things as follows: prevent the threat of planes being hijacked or blown up in the air. all other concerns are secondary. that means that stopping drug smuggling (or any other smuggling) should get almost zero consideration. airlines should not be in charge of enforcing duty taxes... that's the job of the Customs department. they can figure that shit out themselves.

    2. travelers should not only have the right to travel anonymously... but ID should never be part of the check-in process. by removing identification we totally eliminate the possibility of "watch lists" or "cleared traveler lists" and any other similar bullshit. such databases are nothing but a means to disrupt the lives of law-abiding citizens while simultaneously being a point of weakness to be potentially exploited (you think terrorists haven't already started to learn what it takes to get on the "trusted traveler list"?) assessing whom to subject to additional scrutiny or security screening should be handled both with random checks as well as methods like behavioral profiling and other techniques which have been shown to be far more advanced and accurate.

    3. security checkpoints should concern themselves exclusively with keeping items off planes that are actually dangerous to have. liquids, blades, tools, lighters... all of these make almost zero impact in the security equation if they are possessed by passengers in the cabin. i'm alright with firearms being checked and stowed as baggage. potentially explosive compounds (in hazardous amounts) are fine to be excluded from the plane entirely.

    add up those three points and you can already get warmed up to take a few very powerful swings as a devil's advocate against me...

    "under your system, osama bin laden could be the passenger seated next to you with a lighter and a box cutter in his pocket and you wouldn't even know it!"

    yeah, and your point is what, exactly? he can't get into the cockpit because the doors are all (or nearly all) reinforced now and a box cutter won't do shit against steel. he can't bring down the plane, either... what's he gonna do? use his lighter to ignite an airline bottle of Bacardi 151? he can flambée his in-flight meal but he can't blow apart the fuselage.

    - -- --- ----

    like i said... this is a very complex issue with a whole lot of multifaceted answers. security isn't about wielding the flaming sword of the almighty, smiting down all those who could ever think to threaten you. security is about avoidance, deterrence, and de-escalation of risk. it's at its best when practiced completely in the open, freely criticized by experts and lay people alike... and without properly defined goals and priorities, anything that someone designs is likely dead on arrival.

    that's the main reason i feel we are not secure today... so many of our solutions are designed with social control in mind as opposed to risk management. then they are implemented and carried out in secret, with little or no opportunity for people to actually identify and fix what's broken.
    Last edited by Deviant Ollam; November 19, 2006, 21:35.


  • Rance
    replied
    Re: Major Malfunction makes the news again

    Yeah VAX, I see what you're saying. You're saying basically if it can be created it can be destroyed, right? So (and here I go again shooting my mouth off) maybe we shouldn't rely on one set of encryption but have a new and random encryption applied every time, 'cause you said it yourself.

    Originally posted by VAX_to_PBX
    Just look at how many "uncrackable" encryption algorithms have been demolished over the past 20 years as a result of some mathematician sitting at his bench working out new equations only to stumble upon something that single-handedly converts massive amounts of garble to plain text.
    And one of the main rules of a secure password is that it should be changed every 60 days. So what, every 60 days (or more depending on how long it takes to recode the new encryption) the encryption should be changed and the old one should be scrapped and replaced so people don't have time to crack it? I know it would be a strain and would take a BIG group of mathematicians to do but it's all in the name of security, right?


  • VAX_to_PBX
    replied
    Re: Major Malfunction makes the news again

    It doesn't really matter. It's all security through obscurity.

    If any of the "experts" ever sat down at the metaphorical round table, and designed a system they claimed was totally secure, their book sales would drop months later when another "expert" published exploits to vulnerabilities in their system.

    Just look at how many "uncrackable" encryption algorithms have been demolished over the past 20 years as a result of some mathematician sitting at his bench working out new equations only to stumble upon something that single-handedly converts massive amounts of garble to plain text.

    20 years from now some newly discovered mathematics are probably going to do the same to quantum cryptography. Just because the logic you know now doesn't affect it doesn't mean what you evolve to know decades from now won't.

    Saying security is a possibility is the same as claiming to truly understand the universe. I don't care how enlightened you think you are. Most people's self confidence is the product of their short-sighted aspirations anyway.
    Last edited by VAX_to_PBX; November 19, 2006, 21:09.


  • patsprou
    replied
    Re: Major Malfunction makes the news again

    Originally posted by VAX_to_PBX
    Correct me if I'm wrong, but don't quite a few members here work for the government?

    Maybe not some 007 job, but doing things like contracted design work etc..

    Just seems kind of funny that the people with the ability to influence change are criticizing the people with the ability to influence change.

    I'd be interested in seeing a secure system for airports. Not sure if I've ever seen any kind of system that didn't have vulnerabilities, but apparently they exist.

    Maybe one of the authors who write books on vulnerability in other designs could prove that there is such a thing as a secure system one day.
    I'd like to correct myself. I don't think that the government is necessarily ignorant but I think it underestimates its citizens. It's likely that there will be close to or just as many passport frauds as there were before the e-passports.
    Last edited by patsprou; November 19, 2006, 20:31. Reason: Misspelled word


  • VAX_to_PBX
    replied
    Re: Major Malfunction makes the news again

    Correct me if I'm wrong, but don't quite a few members here work for the government?

    Maybe not some 007 job, but doing things like contracted design work etc..

    Just seems kind of funny that the people with the ability to influence change are criticizing the people with the ability to influence change.

    I'd be interested in seeing a secure system for airports. Not sure if I've ever seen any kind of system that didn't have vulnerabilities, but supposedly they exist.

    Maybe one of the authors who write books on vulnerabilities in other designs could prove that there is such a thing as a secure system one day by designing a system that doesn't have security holes. Then selling the practical system to an international medium, so people the world over can be secure, and not have to worry about anyone finding glitches that are the result of the creators' mistakes.

    I'm sorry if I hurt anyone's feelings, but it just seems that none of the enlightened people are putting any effort into the defense half of the security spectrum. Could it be that they're scared someone will expose insecurity in their creations?

    The way people present findings is in the context that they could have done it better. If you made a system where all private data was held in a human's mind you'd have people chasing them around with electrodes, and surgical tools.
    Last edited by VAX_to_PBX; November 19, 2006, 20:46.


  • signcarver
    replied
    Re: Major Malfunction makes the news again

    One of the colleges I work with had an article this week in their campus paper about the new e-passports... There was a quote from the local airport official that stated the advantages of the chip and that it would be "impossible to replicate".


  • Rance
    replied
    Re: Major Malfunction makes the news again

    Originally posted by renderman
    You write a book and you learn a few things. Now buy the damn thing at the link below!
    You really shouldn't do that, renderman. I find it really creepy when someone knows what I'm about to do before I do it.


  • patsprou
    replied
    Re: Major Malfunction makes the news again

    Originally posted by Rance
    Ah I love the government. Makes me wonder how they ever catch any hackers, I mean how stupid do you have to be. If the chip says the same thing as the paper then the chip is there what, because people are too lazy to compare the people to the paper. Plus like I said the chip says the same thing as the paper and really all you've got to do is write your own chip using the clone of the original as the blueprint and you've got the encryption right there because you've already broken it. Makes me want to find a government IT guy and club him over the head until he gets some common sense. What kind of scares me though is what's going to happen when the government starts censoring what people are allowed to buy, guess that means I'm going to have to start making my own equipment again. All I can hope (I'd pray but I'm not religious) is that there's something MM and that German professor missed like a really complicated water mark or something. Ha here's a thought, include a really nasty virus on the chip that corrupts the computer's BIOS and does a couple high level formats

    Almost makes me want to get a passport just to mess with it.
    I agree about the government's ignorance, but you know what they say: ignorance is bliss. By the way about building your own hardware, do you know of any good FREE tutorials? (I'll end up googling it anyway but I figured I might be able to kill two birds with one stone here.) I also like your idea about the BIOS corrupter and the high level formats, it's quite classy. If you put some sort of delay on it you could be on your plane and out of the country before it hit or you could sit and watch as the frustrated worker continues to reboot his/her machine but to no avail.
