Encryption Security

British "Secure" Passports Cracked

hard-to-get-a-nickna writes "The Guardian has cracked the so-trumpeted secure British passports after 48 hours of work: 'Three million Britons have been issued with the new hi-tech passport, designed to frustrate terrorists and fraudsters. So why did Steve Boggan and a friendly computer expert find it so easy to break the security codes?'"
  • How indeed ... (Score:3, Informative)

    by spellraiser ( 764337 ) on Friday November 17, 2006 @07:47AM (#16881996) Journal

    I just finished reading the article.

    In short, the weakness lies in the fact that although 3DES is used to encrypt the communication between the passport chip and the reader, the key is based upon data that's available on the passport:

    By last month, Booth, Laurie and I each had access to a new biometric chipped passport and were ready to begin testing them. Laurie's first port of call was the ICAO's [International Civil Aviation Organisation] website, where the organisation had published specifications for the new travel documents. This is where he learned that the key to opening up the secure chip was contained in the passports themselves - passport number, date of birth and expiry date.
    ...
    The Home Office has adopted a very high encryption technology called 3DES - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat.
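    The derivation the quoted passage describes is ICAO 9303 Basic Access Control: the document number, date of birth and expiry date from the machine-readable zone (each with its check digit) are hashed with SHA-1 to make a key seed, and the 3DES session keys come from that seed. The following Python is an added example reconstructed from the published ICAO 9303 specification; it is not code from the Guardian article, the Home Office or any passport reader. The sample MRZ fields are the ICAO 9303 specimen values; the nine-digit numeric document number and the attacker's assumed knowledge in the keyspace estimate are illustrative assumptions.

```python
"""ICAO 9303 Basic Access Control (BAC) key derivation from MRZ data.

Added example reconstructed from the ICAO 9303 specification; not code
from the Guardian article or from any real passport reader.  The sample
MRZ fields below are the ICAO 9303 specimen values (assumed correct as
printed there); the brute-force figures assume a 9-digit numeric document
number, which is an assumption about the UK format, not a fact from the page.
"""
import hashlib


def mrz_value(ch):
    # MRZ character values: digits as-is, A-Z = 10..35, filler '<' = 0.
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field):
    # ICAO 9303 check digit: weights 7,3,1 repeating, sum mod 10.
    weights = (7, 3, 1)
    return sum(mrz_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_number, dob_yymmdd, expiry_yymmdd):
    # MRZ_information = docno(9, '<'-padded) + cd + DOB + cd + expiry + cd.
    doc = doc_number.ljust(9, "<")
    return (f"{doc}{check_digit(doc)}"
            f"{dob_yymmdd}{check_digit(dob_yymmdd)}"
            f"{expiry_yymmdd}{check_digit(expiry_yymmdd)}")


def adjust_parity(key):
    # DES keys carry odd parity in the least significant bit of every byte.
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def derive_key(k_seed, counter):
    # K = first 16 bytes of SHA-1(K_seed || c), parity-adjusted (two-key 3DES).
    h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(h[:16])


def bac_keys(doc_number, dob, expiry):
    # Everything here is a pure function of data printed in the passport:
    # whoever can read (or guess) the data page can compute the same keys.
    info = mrz_information(doc_number, dob, expiry)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return {"mrz_info": info, "k_seed": k_seed,
            "k_enc": derive_key(k_seed, 1),   # c = 1 -> encryption key
            "k_mac": derive_key(k_seed, 2)}   # c = 2 -> MAC key


def bac_keyspace(unknown_doc_digits, dob_candidates, expiry_candidates):
    # Number of (doc number, DOB, expiry) guesses an attacker needs when some
    # MRZ fields are unknown; the chip accepts or rejects each guess outright.
    return (10 ** unknown_doc_digits) * dob_candidates * expiry_candidates


if __name__ == "__main__":
    # ICAO 9303 specimen MRZ: doc L898902C3, born 1974-08-12, expires 2012-04-15.
    keys = bac_keys("L898902C3", "740812", "120415")
    print("MRZ_information:", keys["mrz_info"])
    print("K_seed:", keys["k_seed"].hex())
    print("K_enc :", keys["k_enc"].hex())
    print("K_mac :", keys["k_mac"].hex())
    # Attacker knows DOB exactly, expiry to within a year, last 3 digits unknown.
    print("guesses needed:", bac_keyspace(3, 1, 365))
```

    The point the example makes concrete: nothing in this derivation is secret from anyone who has seen the data page, and the chip has no way to tell a border officer's reader from an attacker's. Narrowing the unknown fields (a known birthday, an expiry window, part of the number) shrinks the keyspace to something a laptop can enumerate against the chip, which is the "24 hours" scenario the article describes.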

  • by tonigonenstein ( 912347 ) on Friday November 17, 2006 @08:02AM (#16882076)
    Isn't 3DES being phased out because the cost of cracking it has fallen dramatically recently?
    No. DES is easy to crack, but 3DES is quite secure. Its disadvantage compared to e.g. AES is its inefficiency.
  • by Anonymous Brave Guy ( 457657 ) on Friday November 17, 2006 @08:05AM (#16882086)

    We don't have a democracy, in either the pure form (which is an unworkable ideal anyway) or the popular interpretation (which is much more sensible approach in practice).

    Blair has an absolute majority of MPs in Parliament, which effectively means he can force through almost anything. That doesn't mean an absolute majority of the electorate support him. Remember, Labour lost the popular vote in England at the last general election, and even with the support of MPs from our neighbour countries to prop them up, they still only received around 1/3 of the overall popular vote.

    Blair and co have gone about forcing laws through and creating legacies, but the simple fact is that they have no mandate to bring in the kinds of sweeping change they are championing, unless at the very least they also have support from the other main parties who brought in other people's votes. Clearly in many of these so-called anti-terrorism matters, they do not.

  • Re:Another DRM? (Score:4, Informative)

    by Decaff ( 42676 ) on Friday November 17, 2006 @08:06AM (#16882088)
    The security algorithm was good. The problem was they did not keep the keys secure.
  • Re:How indeed ... (Score:5, Informative)

    by xoyoyo ( 949672 ) on Friday November 17, 2006 @08:12AM (#16882126)
    If you read the TFA you'll find that it doesn't make any claims about being able to modify the data. It does however go on to list the ways an attacker might retrieve the data and make use of it.

    To be fair to the system designers it does make the whole system a little more secure in that the data on the chip has to be matched with the paper information. But only a little: if I found someone who looked sufficiently like me AND I could gain access to their passport the system is just as compromised. Arguably more so, as the claimed extra security will lead to an unjustifiable rise in trust.

    Consider the following scenario: a crooked hotel clerk (in Europe you usually have to show your passport when checking in) takes your passport "to be photocopied". Using the key information on the passport they clone every passport that comes their way. This way they can build up a stock of passports matching all conceivable faces to be resold. This actually becomes more useful the longer the system is in operation as the ten years of a usual passport's lifespan can make your face change dramatically.

    The end result is a system only marginally more secure than before.
  • Re:Easy to clone (Score:5, Informative)

    by Richard W.M. Jones ( 591125 ) on Friday November 17, 2006 @08:28AM (#16882234) Homepage

    But that's exactly the point of this 'cracked' encryption: you *can't* clone the passport just by reading the RFID in someone's coat pocket.

    Well this is so, but if you read the FA then you'll see a more plausible attack involving someone who knows your name and address (the postman in that case). Nevertheless it seems the fundamental problem here is that the key on the chip can be brute-forced. A simple change ought to fix that - either have the chip shut down after three incorrect keys have been tried, or (better) have it implement an exponential back-off for each failed attempt.

    Rich.

  • Re:How indeed ... (Score:5, Informative)

    by xoyoyo ( 949672 ) on Friday November 17, 2006 @08:29AM (#16882244)
    No, the 24 hours the article gives is if you can't see the password but you know some information about the target. If you have access to the actual passport access is instantaneous. Effectively a cloner just does exactly the same as an immigration control officer.
  • Re:Easy to clone (Score:2, Informative)

    by protactin ( 206817 ) on Friday November 17, 2006 @08:31AM (#16882258) Homepage
    Please people, support NO2ID [no2id.net] and tell Blair where to shove his flawed ID cards and CCTV cameras.

    Also, 10 Downing Street have now made it easy for you to petition against the introduction of ID cards [pm.gov.uk].
  • by ajs318 ( 655362 ) on Friday November 17, 2006 @08:42AM (#16882342)
    Have we learned nothing?

    The article states that if you can see the human-readable part of the passport, or even just take a good guess at the details, you can extract the rest of the data from the RFID chip -- and clone it. Encryption is used to ensure that nobody can eavesdrop on a transaction once initiated, but that doesn't help the fact that every transaction is presumed legitimate -- and the very nature of RFID means that you aren't always able to know that a transaction is taking place. If there isn't a human being checking passports, just a machine -- and one day, that is exactly how it will be -- one of those cloned RFID chips will be enough to get you past it.

    Attempting to automate people out of the loop is asking for trouble, because we can always know what tests a machine is performing and falsify the results. Criminals are not stupid -- and smart people can often be bought. If the anticipated returns are high enough, you can be sure that someone will put up the stake. Security through obscurity is worse than no security, because it leads people to believe that their details are safe when they are not.

    By the way, if you want to see how easy it is to commit identity theft, start here [google.co.uk].
  • by mikerich ( 120257 ) on Friday November 17, 2006 @08:43AM (#16882344)
    They should have called in the experts, Microsoft!

    Okay I know you're joking, but Microsoft have been one of the biggest critics [theregister.co.uk] of the UK government's ID card system as providing the ideal conduit for ID theft [ntouk.com]; so perhaps the Home Office really should have called them in.
  • A brief analysis (Score:2, Informative)

    by mjc82 ( 818189 ) on Friday November 17, 2006 @09:25AM (#16882686)
    The RFID chip makes it much more difficult to alter a stolen passport e.g. by replacing the picture, BUT if you have the resources to clone ALL of the security features and print your own passport, you can conceivably clone the passport without even having to see it. However, on top of the marginally increased cost of manufacturing cloned passports due to the inclusion of an RFID chip (and the possible scenario of having to perform the brute force attack) it is now necessary that the bearer of the fake passport resembles the image of the person stored with the data on the RFID chip. A question that remains unanswered is whether it is possible to create an entirely fake passport including an RFID chip with the "correct" fictional info and picture. If it was previously possible to do this, as I must assume it was, and the inclusion of the RFID chip does not make it "impossible" within current technical limitations, then nothing has been gained.

    My non-expert analysis of the situation is that the entire system of passport control (whether they be conventional, machine readable, RFID, etc.) depends on the ability of the people checking the passports. It is up to them to confirm whether the person presenting the passport is actually the person depicted in the picture as well as confirm the authenticity of the document itself. All these security features, or rather ANY security features that might be added will only serve to make it more difficult and expensive to acquire a fake passport that "works". These new security measures may not guarantee 100% the validity of the passport but it is a move in the right direction and better than nothing changing at all. Given the relatively strict time constraints placed by the US government I have to say that in my mind this particular technology is adequate for the time being. I must admit I have not seen or heard an alternative which might feasibly have been implemented within the same time frame on such a large scale. Do I believe that it is possible for a system to be devised that automatically confirms identity with 100% certainty? Possibly. Do I want that sort of security? No! The better these automatic systems become the easier they can be abused by people who are more concerned by their own pockets rather than my safety & privacy.

    As a side note, the article refers to a study where supermarket checkout cashiers were shown to fare badly at the task of matching faces to photos, however I would like to believe that those working in passport control have not only been specifically trained for this task but are also naturally better at it.

    The gist of the article is that they don't believe the security added by the RFID chip is worth what was paid for it, not that it is inherently making the situation any worse.

  • Re:Another DRM? (Score:3, Informative)

    by hey! ( 33014 ) on Friday November 17, 2006 @09:45AM (#16882850) Homepage Journal
    You made a good parallel when you compared this system to DRM. Both systems try to distribute similar content widely, for use by machines it has no direct control or communication with, yet keep that content secure. If it is not impossible to do this without violating best practices of cryptography, it is damned close to impossible.

    However, it turns out they made the same blunder that tyro users of computer systems everywhere do: they chose a key that was easy to guess.

    From TFA:

    So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat.


    I think it can be convincingly argued that the reason they did this is that commercial product development is inherently prone to security blunders.

    Start from this well known cryptography maxim: any fool can create a system he cannot break into.

    The implication is that you need to bring in outside people to criticize, even break your product. But that's not how businesses operate. Businesses run on sales; you have to convince buyers to have confidence in your product. Sales can't plant confidence in the customers' minds if they have doubts in their own. That's fine for sales, but what about engineering? Well, you don't start into the development of a product without at least a healthy dose of optimism. Businesses run on optimism. And they protect themselves by denial.

    Security problems are very easy to deny. There is no such thing as evidence of security; you can only try to find evidence of insecurity and fail. So how hard and long should you look? Most of the time if things look OK, they're taken to be OK.

    I think it's no accident that RSA, one of the best companies in the field, was started by academics. The academic approach isn't better in every case, but it does have a lot more respect for the importance of proving the null hypothesis.
  • by TheBogBrushZone ( 975846 ) on Friday November 17, 2006 @10:00AM (#16883022)
    In any case, isn't 3DES being phased out because the cost of cracking it has fallen dramatically recently?

    DES has been cracked by brute force in a short time for a limited cost but estimates are that DESede (or 3DES or whatever name you prefer) would still require millennia with current methods. The fault lies at the weakest link - the choice of encryption key.

    The problem is that with encryption of static data (i.e. in a situation where you can't use something like Diffie-Hellman to negotiate a random key) you need to store the key somewhere and you have lots of options both good and terrible, for example:
    1. Derive it from the public information in the data
    2. Store it in a database on a secure system to be retrieved when required
    3. Use the same key for all data

    Option 3 is prone to internal leaks (once your fixed key is out all of the passports are compromised) but option 1 (which was chosen) is prone not only to people leaking how the key is stored but also to crackers just playing around with the data to see what works, especially if you choose something really stupid and obvious like using an MD5 or SHA hash of the passport number (or worse just the raw unmodified number). This applies equally to the Rijndael (or AES) algorithm that is replacing DES or even public-private key encryption if your half-baked developer with his cushy government contract decides the private key should be embedded in the passport.
  • by Paradise Pete ( 33184 ) on Friday November 17, 2006 @10:15AM (#16883204) Journal
    if they can handle 3DES, then the answer is probably yes.

    all they have to do is verify the key. They don't have to do any heavy lifting.

  • by alib001 ( 654044 ) on Friday November 17, 2006 @10:26AM (#16883334)
    Small point: 'Absolute majority' [wikipedia.org] is generally defined as a system that takes into account the total number of potential voters (i.e. those who abstained or were absent are included) in the number required for a majority. In the UK, governments are elected by a simple majority [wikipedia.org], the "first past the post" system and bills are passed based on counts of those who actually voted.
  • by wodon ( 563966 ) on Friday November 17, 2006 @11:01AM (#16883896)
    Erm, I was convinced we were a Monarchy actually.

    Wait a second, I'll go check.

    Yup, definitely a Monarchy.

    Admittedly the PM has most of the power, but only as long as the queen lets him....
  • by Abstract ( 12510 ) on Friday November 17, 2006 @11:10AM (#16884004) Journal
    This is the same situation as in Holland. The new Dutch passport also contains RFID technology and security experts cracked the system even before it was released. See this article [engadget.com].

    Weak encryption keys are the part of the problem.

    Anyway, this project cost some millions of euros, and solves nothing. It only creates new problems, making identity theft much easier to accomplish.
  • Re:Bullshit. (Score:3, Informative)

    by Anonymous Brave Guy ( 457657 ) on Friday November 17, 2006 @11:51AM (#16884790)

    Of course it's not a democracy. In a strict "one man, one vote" definition, a democracy should always act as the majority wish on any specific subject. But in practice, this only works in the presence of a completely informed and rational population, which you can never realistically achieve (regardless of good will) because of the sheer scale of what's involved.

    Hence we commonly use the word "democracy" informally, to mean a government that acts according to the overall principles and intents of the population, yet without holding a referendum on each specific subject, and we elect representatives whose views are supposed to reflect those of the population to do the detail work. But Blair's Labour government isn't even that kind of democracy, as plenty of surveys show when you look at the government's position on controversial subjects such as Iraq or civil liberties vs. the general population's preferences.

  • Re:Another DRM? (Score:4, Informative)

    by Ken D ( 100098 ) on Friday November 17, 2006 @01:52PM (#16886954)
    There was a specific requirement for a contact-less solution as they were concerned that any contact would potentially wear out after 10 years of frequent travel.
