[LINK] Code highlights e-passport eavesdropping risk

Adam Todd link at todd.inoz.com
Wed Nov 1 23:47:05 AEDT 2006


At 09:20 PM 1/11/2006, Irene Graham wrote:
> > So "not having the passport to get at the crypt key" isn't a good
> > enough excuse with what's been covered here. Hopefully there's much,
> > much more to it than that.
>
>The length of the key data is an issue that has had very little media
>publicity. If the article had raised that issue, then it would have been
>worth publishing imo. Instead it talks about being able to work out the key
>to a particular passport chip if one can find out particular info that is
>printed on the passport (which has long been known to be how the system
>works by anyone who's taken an interest in this topic)

Yes but the same rule ALWAYS applies, if you can create a key, you can 
copy/decrypt it.  You don't need the information contained within the 
passport to crack it.

You need only have the data stream, and perhaps, maybe, some time to let 
some simple very easy to write, (in PERL or C in my view, Python is a bit 
unknown to me) and let it run .... looking for what is known.

And a LOT is known without the need to sight the passport.

>without apparent
>regard to the question of what use is the key without access to the
>relevant chip (and, further, if one has the chip then one also has the
>passport with the relevant key data printed on the paper anyway).

If one has a datastream, one has the CONTENT of the chip.  Forget the chip.

But that's a separate issue.

>On the matter of the key space, ICAO docs say it's maximum 56 bits
>(depending on the country). Reportedly ICAO is considering increasing

Might be nice.  I'd start with 4096 :)  Slows down the PDAs :)  (Unless 
you create a parallel processing bluetooth network of PDAs!!)

>The only reason I consider the current entropy not to be *major* worry in
>relation to the *Australian* e-passport chip is because what is on the chip
>is also printed on the passport anyway (and long has been).

That was my view last month.  Hasn't changed much really.

My only concern is that unless you "read" the chip and you "sight" the 
printed version, and you use your BRAIN to compare the TWO lots of 
information, properly, it's all pretty pointless.

But then, in my own experience, too many, Police, Judges and "Employees" 
rarely actually look at things and come to understand even the simplest of 
things.

If there isn't a "check box" to tick, then either give up or reject seems 
to be the attitude.

>It is however
>of concern that access to the chip gives access to an electronic copy of
>the person's photo. It would be vastly more of a worry if there was other
>types of biometric data on the chip.

You mean like your facial features?




