Security
There is a replay attack against the basic access control protocol that allows an individual passport to be traced. The attack is based on being able to distinguish a failed nonce check from a failed MAC check and works against passports with randomized unique identifiers and hard to guess keys.
The basic access control mechanism has been criticized as offering too little protection from unauthorized interception. Researchers claim that because there are only limited numbers of passport issued, many theoretically possible passport numbers will not be in use in practice. The limited range of human age ranges further reduce the space of possibilities.
In other words, the data used as an encryption key has a low entropy, meaning that guessing the session key is possible via a modest brute force attack.
This effect increases when passport numbers are issued sequentially or contain a redundant checksum. Both are proven to be the case in passports issued by the Netherlands. There are other factors that can be potentially used to speed up a brute force attack. There is the fact that dates of birth are typically not distributed randomly in populations. Dates of birth may be distributed even less randomly for the segments of a population that pass, for example, a check-in desk at an airport. And the fact that passports are often not issued on all days of the week and during all weeks of a year. Therefore not all theoretically possible expiration dates may get used. In addition, the fact that real existing dates are used further limits the number of possible combinations: The month makes up two of the digits used for generating the key. Usually, two digits would mean 100 (00-99) combinations in decimal code or (36*36=1296) combinations in alphanumeric code. But as there are only 12 months, there are only 12 combinations. It is the same with the day (two digits and 31 combinations).
The German passport serial-number format (previously 10-digit, all-numeric, sequentially assigned) was modified on 1 November 2007, in response to concerns about the low entropy of BAC session keys. The new 10-character serial number is alphanumeric and generated with the help of a specially-designed block cipher, to avoid a recognizable relationship with the expiry date and increase entropy. In addition, a public-key based extended access control mechanism is now used to protect any information in the RFID chip that goes beyond the minimum ICAO requirements, in particular fingerprint images.
Read more about this topic: Basic Access Control
Famous quotes containing the word security:
“We now in the United States have more security guards for the rich than we have police services for the poor districts. If you’re looking for personal security, far better to move to the suburbs than to pay taxes in New York.”
—John Kenneth Galbraith (b. 1908)
“It seems to me that our three basic needs, for food and security and love, are so mixed and mingled and entwined that we cannot straightly think of one without the others. So it happens that when I write of hunger, I am really writing about love and the hunger for it, and warmth and the love of it and the hunger for it ... and then the warmth and richness and fine reality of hunger satisfied ... and it is all one.”
—M.F.K. Fisher (b. 1908)
“Learned institutions ought to be favorite objects with every free people. They throw light over the public mind which is the best security against crafty and dangerous encroachments on the public liberty.”
—James Madison (1751–1836)