The Uncertainty over RFID-enabled Passports
December 20, 2005
A number of countries, such as the United States, Sweden, and Pakistan -- to name a few -- are in the process of implementing a global plan to embed Radio-Frequency Identifiers (or RFIDs for short) in all newly issued passports.
Briefly, RFIDs (also known as RFID tags) are small devices that can be attached to objects or living beings for the purpose of identifying them. RFID tags are equipped with antennas to receive and respond to radio-frequency queries from RFID readers. RFID tags can be queried from a distance and without a line of sight, which gives them a whole spectrum of capabilities, ranging from the localization of a smart ball in soccer to the real-time monitoring of inmates. We distinguish two main families of RFID tags:
1. Passive tags carry no internal source of power and function on the current induced by the electromagnetic field generated by the RFID reader at the time of the query.
2. Active tags, however, are equipped with their own internal power supply and are therefore capable of more elaborate computations. Active tags can also transmit signals to the outside world continuously, the same way cellphones do to ensure timely reception of calls.
Both passive and active RFID tags may contain a non-volatile memory to store data.
In the following we concentrate on the US passport proposal, but the same line of reasoning may apply to other proposals with similar architectures. The US authorities' goal in embedding RFIDs in passports is presumably to better control borders, speed up lines at airports, and swiftly recognize suspects and counterfeit travel documents. The RFID tag was therefore set to contain personal data such as name, sex, nationality, date and place of birth, and a digitized photo of the passport holder, as well as information about the passport's validity. The US authorities intend, in addition, to store other digitized biometric data in the RFID; such data (fingerprints and iris scans) is already being collected from foreign nationals under the US-VISIT program.
Now the question that comes to mind is: how will the data be stored on the RFID? Is it going to be stored in the clear, as in the Norwegian case, or will it be encrypted? The answer to this question is still not clear, and there are even contradictory answers. According to a recent Washington Post article:
The [State] department rejected calls to encrypt, or scramble, the data on the passport. Instead, the transmission stream when the data is passing from the passport to the reader will be encrypted.
Elsewhere, it is stated that
[...] the State Department announced it would look once again at Basic Access Control (BAC), a privacy technology it had originally rejected.
Assuming the data is encrypted, how will the decryption keys be stored? Does it make sense to use one single master key for all passports? Obviously not, because then the compromise of one single passport would lead to the compromise of all passports in the system. Alternatively, one may store the decryption key (or the data needed to generate it) on the passport itself (as suggested here). Now remember that the main motivation for using RFIDs is the ability to scan them remotely and without a line of sight. Therefore, by following the same logic, the decryption key should also be readable from a distance (otherwise the whole design reduces to the simple traditional barcode technology), which is indeed what the first proposal put forward by the US authorities was. As a consequence, anyone with a proper RFID reader could be roaming around, reading data from passports without their owners' knowledge. Another possible attack would be to intercept the data between the passport and the RFID reader. This kind of attack is called "skimming".
One of the ideas put forward by experts to fix the first vulnerability is to wrap the passport in a metallic shield playing the role of a Faraday cage -- a sort of "tinfoil hat" for passports to prevent any (remote) rogue readers from querying the RFID contained in the passport and reading the data. Many see this technique as very ineffective (e.g., see Bruce Schneier's forum) for the following reasons:
1. The passport still needs to be opened for reading, and information can be remotely intercepted while the passport is being scanned by an authorized reader.
2. The passport does not always close well enough to protect the data against possible prying radio beams from unauthorized readers.
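To make the key-management point concrete, here is an added example (not code from the original post, nor an implementation of any real passport standard) of the second option above: each passport's chip record is encrypted under a key derived from data printed inside the passport, so a reader must have seen the opened document to derive it, and a key for one passport is useless against another. The key derivation (one SHA-256 over the printed fields) and the sample document numbers, dates and record are constructed for illustration; in particular it is a simplification and not the BAC key schedule.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// PrintedData is what a reader obtains optically from the opened passport
// (document number, date of birth, expiry). Only a reader that has seen the
// printed page can derive the chip key. All values used below are constructed
// sample data.
type PrintedData struct {
	Number string
	Birth  string // YYMMDD
	Expiry string // YYMMDD
}

// DeriveChipKey turns the printed data into a 256-bit AES key. Simplified
// illustration (a single SHA-256), not the ICAO BAC derivation: the point is
// that the key is specific to one document, unlike a shared master key.
func DeriveChipKey(p PrintedData) []byte {
	sum := sha256.Sum256([]byte(p.Number + "|" + p.Birth + "|" + p.Expiry))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Personalize encrypts the holder's record under the document's own key and
// returns the blob that would be written to the chip (nonce || ciphertext).
func Personalize(p PrintedData, record []byte) ([]byte, error) {
	gcm, err := newGCM(DeriveChipKey(p))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// ReadChip decrypts a chip blob with the key derived from printed data. It
// fails (authentication error) unless the printed data belongs to the same
// document the blob was personalized for.
func ReadChip(p PrintedData, blob []byte) ([]byte, error) {
	gcm, err := newGCM(DeriveChipKey(p))
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("chip blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// CrossReadFails reports whether a key derived from document a is useless
// against a chip personalized for document b. This is the compartmentalization
// that a single master key for all passports would not give.
func CrossReadFails(a, b PrintedData, recordB []byte) (bool, error) {
	blobB, err := Personalize(b, recordB)
	if err != nil {
		return false, err
	}
	_, err = ReadChip(a, blobB)
	return err != nil, nil
}

func main() {
	alice := PrintedData{Number: "X1234567", Birth: "800101", Expiry: "150101"}
	bob := PrintedData{Number: "Y7654321", Birth: "750315", Expiry: "140930"}
	record := []byte("name=ALICE;nationality=UTO;photo=<jpeg bytes>") // constructed

	blob, err := Personalize(alice, record)
	if err != nil {
		panic(err)
	}
	got, err := ReadChip(alice, blob)
	fmt.Printf("same document:  %q err=%v\n", got, err)
	_, err = ReadChip(bob, blob)
	fmt.Printf("other document: err=%v\n", err)
}
```

Note that the secrecy of each record rests on the printed fields having enough entropy; with document numbers and dates alone that entropy is limited, which is exactly why the choice of what goes into the key matters as much as whether encryption is used at all.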
Another technique that has been proposed to block unauthorized RFID queries consists of responding with a powerful jamming signal whenever the received query does not contain some secret code. The technique was developed by RSA Security and is known as the RFID Blocker Tag Technology.
The blocker tag, which can be placed over a regular RFID tag, prevents a receiver from scanning information transmitted by a tag by sending the receiver more data than it can read -- the equivalent of a denial-of-service attack.
This technique, however, has the disadvantage of assuming that some master secret code is known to all authorized RFID readers, a constraint that on its own represents a major security vulnerability!
For now, let's assume the first technique, based on the metallic shield, works, and that passports cannot be remotely queried by unauthorized rogue readers. In this case, one would ask (and rightly so) why we need the RFID tag anymore, since a mere traditional barcode would not only do the job, but do it in a much cheaper and safer way. RFID proponents justify their choice by invoking the fact that RFID technology is better suited for future extensions, as stated in this ICAO (International Civil Aviation Organization) report on "Machine Readable Travel Documents" (MRTD):
The intent [...] is that States adopt as high a capacity as they possibly can and which is operationally feasible and practicable, for the following reasons:
• Future-proofing: the data storage medium deployed in an MRTD must last for the life of that MRTD (typically 5 years up to, for some States, 10 years)...
• Flexibility: the LDS (Logical Data Structure) has been developed to allow for the storage of all types of biometrics [...] face + finger + iris, and multiple instances of a particular biometric eg 10 fingers, 2 eyes, different face poses (if countries had an interest in such); as well as working towards the development of storage of visa and travel information in the LDS. States, therefore, who choose to do so will be able to add additional biometric data to MRTDs either at issue or subsequent to issue, and, in such cases the chip must provide available additional data capacity to enable this.
[...] the arithmetic is clear: the addition of just two fingerprint images to this data results in a required chip data storage size of 64K (12+5+10+10 > 32). Similarly a 30K facial image results in a required chip data storage size of 64K (30+5 > 32). Add one iris, or a second updated instance, and the size becomes 128K.
Issuing States should bear in mind that the new-technology, very high capacity chips (> 64K) can have larger overheads in terms of space required for memory management, operating systems and command sets – this can be up to 256K for 512K and 1024K (1MB) capacity chips. Therefore to facilitate future-proofing and flexibility via high capacity (in excess of 64K), it follows that 512K or larger is a chip size for States to target towards, guaranteeing 256K+ of available user data space that can be used over the life of the MRP (Machine-Readable Passport).
RFID opponents, on the other hand, denounce the technology as an attempt by governments to relentlessly collect as much data about them as possible, and argue that 2D barcodes (up to the size of a passport page) provide sufficient space to encode in encrypted form all the data needed about an individual, including a digitized photo and fingerprints (see this PDF417 code sizing example for instance). In addition, 2D barcode technology seems to have reached some level of maturity and robustness. So far, it has been used in a variety of applications involving identification and access control, and is already being used by a number of countries for travel-related documents, e.g., Tunisia for passports, and the United States for visa applications.
In summary, what is worth keeping in mind is that 1) there is not one but several electronic passport designs, all with various levels of security and privacy, and 2) the less invasive 2D barcode technology is sufficient to convey all the functionalities of a regular passport. Therefore, unless we want to give passports other special functionalities, we don't need to turn them into some sort of "rigged" gadgets. And if we do, then those functionalities should be clearly stated, debated, and implemented only after a consensus has been reached.