Robin Wilton's esoterica

       
 

Another Private Eye in your Pocket


Here's an interesting post which I've 'clipped' from Bruce Schneier's blog --- specifically, the section where there's discussion of the use of contactless chips in the new Dutch passport.

"Folks, As I have said before the biggest danger is not in the data or how it's protected. The danger is in the use of an RFID at all. An RFID can be so easily detected by the way it absorbs energy at a given frequency (if it re-radiates that's a bonus but it's not required).

"Back in the old days of Amateur (Ham) radio people were used to the idea of a "Grid Dip Meter" or Grid Dip Oscillator (GDO). Basically this was an oscillator that had its tuned circuit inductor (tank coil) mounted externally on the box. The oscillator also had the advantage (disadvantage in all other applications) of being extremely sensitive to external circuits that it got coupled to; the amount of energy in the GDO tank cct was displayed on a meter on its front. If you wanted to know the frequency of a tuned circuit or filter in another piece of (unpowered) equipment, you put the GDO tank coil next to it and tuned the GDO up and down the band till you got a dip (or peak) which indicated that the external tuned circuit was taking energy from the GDO's oscillator.

"Imagine now a GDO with the external tank circuit built into a door frame, as you walk through it detects the tuned CCT in your passport RFID has taken energy from it. That's you fingered as having a passport on you which is effectively end of game. Basically the whole stupid system was a busted flush from the first stupid idea, it's just continuing through the design and implementation phases... I guess this is typical of politician driven technology ideas (it certainly seems to be the case in the UK).

"So if you are "fingered" you are now a target of a criminal or other undesirable (from your point of view) who will make use of this knowledge for whatever there [sic] chosen method of profit is.

"The inverse might also be true if National ID card carrying becomes mandated with on the spot fines. Just imagine you are a crook you will know who has and has not got their ID card. You put on your Police Uniform and then tap them up for their ID card, Whoops not got one pay me the fine now (thank you for the donation to swindelers incoperated [sic]).

"Oh and if your RFID does radiate, it may also be possible to identify the RFID manufacturer or country of issue again without resorting to crypto or other attacks to get at the data. Which opens up a whole new set of twisted little passages for the undesirables to exploit.

"My apologies to those that have read this before on my earlier posts to Bruce's Blog pages."

Posted by: Clive Robinson at February 2, 2006 09:32 AM

Other interesting comments in the same blog thread:

--- the design of the encryption key setup was criticised: apparently part of the problem is that there is a predictable link between the passport number and the session key. Another problem is that the effective key length in the Dutch system may, as a result, only be about 35 bits, which seems low to the point of daftness. I mean, given that this is for the exchange of passport data between the passport and a law enforcer's terminal, it's not like the law enforcers 'need' a short key in order to be able to crack it easily! It seems a somewhat cavalier treatment of the passport-holder's personal data.

--- It seems that the passport's RFID chip can be read from up to at least 10m, and that the corresponding emissions from the reader terminal can be read from up to 30m away.

I've also found this, which seems a good and clear write-up of the ICAO standards and their potential shortcomings.
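To make the key-length remark concrete, here is an added example (not from the original post or the blog thread) that assumes the key setup under discussion is ICAO 9303 Basic Access Control, where the access key seed is a SHA-1 hash of three printed passport fields. The candidate counts in `constrained_bits` are constructed assumptions chosen to show how a figure of that order can arise; they are not the numbers used in the thread.

```python
import hashlib
from math import log2

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1 repeating; '<' = 0, A..Z = 10..35."""
    def val(c: str) -> int:
        if c == "<":
            return 0
        return int(c) if c.isdigit() else ord(c) - ord("A") + 10
    total = sum(val(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field))
    return str(total % 10)

def bac_kseed(doc_no: str, dob: str, expiry: str) -> bytes:
    """Key seed = first 16 bytes of SHA-1 over document number, date of birth
    and expiry date (YYMMDD), each followed by its check digit."""
    doc_no = doc_no.ljust(9, "<")
    mrz_info = "".join(f + check_digit(f) for f in (doc_no, dob, expiry))
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

def entropy_bits(doc_no_candidates: int, dob_days: int, expiry_days: int) -> float:
    """The seed is only as unpredictable as its three inputs. Check digits are
    computed from the fields, so they contribute nothing."""
    return log2(doc_no_candidates) + log2(dob_days) + log2(expiry_days)

def nominal_bits() -> float:
    # Every field treated as uniformly random: 9 alphanumeric characters,
    # any birth date in 100 years, any expiry date in a 5-year window.
    return entropy_bits(36 ** 9, 100 * 365, 5 * 365)

def constrained_bits() -> float:
    # Constructed assumptions: numbers issued in sequence, so the expiry date
    # narrows the document number to about 4096 candidates, and the holder's
    # age can be estimated to within 15 years.
    return entropy_bits(4096, 15 * 365, 5 * 365)

if __name__ == "__main__":
    # Worked example values from ICAO Doc 9303 (specimen document).
    print(bac_kseed("L898902C", "690806", "940623").hex().upper())
    print(f"nominal:     {nominal_bits():.1f} bits")
    print(f"constrained: {constrained_bits():.1f} bits")
```

The hash output is always 128 bits long, so the key looks full-size on the wire; the weakness sits entirely in how few distinct inputs are plausible for a given holder.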

ID Cards: voluntary or compulsory?


It's amazing how the same few words can be interpreted by different people as meaning entirely contradictory things. On BBC Radio Four's 'Today' programme this morning, Home Secretary Charles Clarke said: "I hope the Lords will recognise that this manifesto commitment, voted through by the elected chamber, should be respected." He was referring to Labour's commitment to introduce ID Cards if re-elected, and to the Lords' second refusal to let the Bill go through as amended by the House of Commons.

On the other hand, Lord Phillips of Sudbury said that the description of ID card plans as voluntary "stretches the English language to breaking point". Baroness Anelay of St. John's referred to the current plans as "compulsion by stealth".

I thought I had better head over and have a look. Here, then, is the text from Chapter Three of the Labour Manifesto for the 2005 General Election. It seems pretty clear.

"We will introduce ID cards, including biometric data like fingerprints, backed up by a national register and rolling out initially on a voluntary basis as people renew their passports."

To my mind, that means that the Bill would need to incorporate provision for UK citizens to make any of the following choices:

1. to apply for a new passport but request not to participate in the US Visa Waiver Programme. After all, there is nothing which bars UK citizens from applying for a US visa if they wish. They would then not be required by the US immigration authorities to be able to present a biometric passport.
2. to apply for a new passport but request not to have a corresponding entry in the National Identity Register;
3. to apply for an ID Card but request not to have a corresponding entry in the National Identity Register (at least one other European country already operates a scheme on this basis).

In the absence of any of those provisions, I leave you to judge whether the Bill does what the manifesto said it would.

I'm looking for sponsors...


No point beating about the bush on this one: I'm after your money. This is a new and shameless use for my blog --- but I hope you will agree that it's in a good cause.

Over the Easter weekend my daughter will be canoeing 130 miles. She is 16 and weighs under 100lbs. Yep. OK, so your initial reaction is probably the same as mine: she must be certifiably insane. Quite possibly... but she's doing it anyway. This is the Devizes to Westminster 2006 International Canoe Race, often referred to as 'the canoeists' Everest'. For juniors like her it is a 3 1/2 day long haul; the real hard-nut adults do it straight through in one go, but 'all' she has to do is around 34 miles a day (!).

Now then: this year the 6 boats from my daughter's school are raising money for a charity called "Facing Africa", which is working to treat a serious and disfiguring disease called Noma. (If you think 'facial gangrene', you'll get the idea. It's really not nice, and the effects on the sufferer are devastating, in both health and social terms).

So if anyone would like to help sponsor her, please let me know. I am happy to accept 'email pledges' and settle up with you after the race (April 14th-17th). For convenience, I'd prefer payments through my PayPal account, but if you have other suggestions just let me know by email to: robin dot wilton at sun dot com.

And in case you think I'm just exploiting my offspring's hard work, let me tell you that we won't be having much fun over the weekend either: we get to be their support crew, providing fluids, carbohydrates, encouragement and sticking plasters at locks every few miles along the course. We're already spending most Saturday afternoons trudging up and down a cold towpath somewhere between here and Reading.

Please stump up generously if you can, folks, not just for the racers' sake but also for the Noma sufferers as well...
 
 
 
 
 

Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton