[LINK] Code highlights e-passport eavesdropping risk
Adrian Chadd
adrian at creative.net.au
Wed Nov 1 20:17:04 AEDT 2006
On Wed, Nov 01, 2006, Irene Graham wrote:
> It is completely unsurprising that encrypted data can be read if one knows
> the encryption key.
> >>However,
> >> Laurie reckons this information (the passport number, date of birth
> >> of the holder, and passport expiry date) is obtainable by means other
> >> than physical access to a passport such as poorly secured airline
> >> websites.
>
> If the data needs to be obtained in such a way then obviously the person
> doesn't have the passport. Therefore they don't have the chip that the
> data/key would unlock.
Well, assuming you know how to turn all of that into the key:
* Passport ID is what, 10 digits max? Maybe less IIRC. If its just numerical
then thats at most ~ 20 bits towards the key.
* DoB is easy - 0-31 (5 bits), 0-12 (3.x bits, call it 4 bits), 1900->2100
(call it 8 bits giving you 256 years there.) So 17 bits tops.
* Passport expiry date is something similar. Again, 17 bits tops.
Assuming no logic is used to cut down that key space you're left with
54 bits of keyspace to search. That is before any key space analysis or
other cryptanalysis to drop that down. It is well within the realms of
current computer hardware to brute-force.
(I'm not an expert in cryptanalysis either, so feel free to read
with many bags of salt. I can see a few tricks to cut down on the search
space listed above without too much hassle.)
So "not having the passport to get at the crypt key" isn't a good enough
excuse with whats been covered here. Hopefully there's much, much more
to it than that.
Adrian
More information about the Link
mailing list