[LINK] Code highlights e-passport eavesdropping risk

Adam Todd link at todd.inoz.com
Wed Nov 1 23:40:00 AEDT 2006


At 08:35 PM 1/11/2006, Kim Holburn wrote:
>It is encrypted with a key made from the personal data printed on the
>passport (the passport number, date of birth of the holder, and
>passport expiry date).  It is signed with a special government key.

Ohh no!  Not the big black scary "open and transparent" government, saviour 
of all and accountable to none.

>If you know the personal data on the passport then you can read the
>data in the chip.  The personal data which makes up the encryption
>key is not secret and will be known to anyone seeing the passport or
>a copy of it.
>
>This is not in any way serious encryption, more like a joke.

You'd give it that much credit?

OK, look, I can understand that keys have to have some common basis upon 
which to be created.  A locksmith can copy a known pattern into a specific 
blank and hence you get a key that unlocks your door.

The same fundamentals apply to technology.

But really, DeCSS was more challenging than this, in its own way - aside 
from the fact that some of the keys were left unencrypted - hence allowing 
decryption of all keys.

But the same rule Kim raises is the rule used - if you know a part, the 
rest is easy.

Even in the simplest form of cryptography, we all learn that to start 
decoding a phrase or document that is in English is simple.  Overlay the 
letters "E" and "T" being the two most common letters of the English 
language and the rest of the letters follow.

This principle applies to all forms of encryption/decryption.  You only 
need part of a fraction of a known and the rest is easy.

>You can only change the data if you have the government key.

Well at least last week that was the case.  It may not be for much longer.

Once you have the ability to decrypt by reading, it's really only a matter 
of time before you have encrypt ability.

>Of course if that key gets out then all passports encrypted with that
>key can be altered.

And let's face it, processors today are not as slow as they were 15 years 
ago where it took months for 256 bit encryption to be cracked on an XT (8086).

I can decrypt 1024 bit encryption in a very short time today.  To be quite 
honest, I never expected, in my "youthful" life that I'd be able to sit at 
a laptop and decrypt 1024 bit encoded strings in 5-10 minutes (or less if a 
weak system is used.)  Here I am in my spare time working on 65535 bit 
encryption algorithms, both to create and to "accidentally" crack.

Most people work on writing code that creates keys to "create" but when you 
create something, most people fail to remember that someone might want to 
deconstruct or decode it, and they don't (appear to) test how easily their 
key can be worked out.

>It will instantly invalidate all current passport data.

Damn, and I'll bet that if you got a new one for $200 you'll have to get 
another one and pay for that too!
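
The key derivation Kim describes in the quoted text, as an added example that is not part of the original post. It assumes the scheme is ICAO Doc 9303 Basic Access Control; the function names, the specimen field values and the population figures passed to the entropy estimate are illustrative assumptions.

```python
import hashlib
import math

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; 0-9 as is, A-Z = 10..35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        if "0" <= ch <= "9":
            value = ord(ch) - ord("0")
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"character not allowed in MRZ: {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(doc_no: str, dob: str, expiry: str) -> str:
    """Document number, birth date and expiry date (YYMMDD), each followed by its check digit."""
    fields = (doc_no.ljust(9, "<"), dob, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)

def k_seed(doc_no: str, dob: str, expiry: str) -> bytes:
    """128-bit seed for the access keys: first 16 bytes of SHA-1 over the printed fields."""
    info = mrz_information(doc_no, dob, expiry).encode("ascii")
    return hashlib.sha1(info).digest()[:16]

def input_entropy_bits(doc_numbers: int, birth_days: int, expiry_days: int) -> float:
    """log2 of the number of distinct printed-field combinations that can feed the seed."""
    return math.log2(doc_numbers * birth_days * expiry_days)

if __name__ == "__main__":
    # Specimen field values, constructed for illustration (not a real document).
    print(mrz_information("L898902C", "690806", "940623"))
    print(k_seed("L898902C", "690806", "940623").hex())
    # Assumed upper bound: any 9-character alphanumeric number,
    # 100 years of birth dates, 10 years of expiry dates.
    print(round(input_entropy_bits(36**9, 100 * 365, 10 * 365), 1))
    # Assumed issuer with 10 million sequential numeric documents in circulation.
    print(round(input_entropy_bits(10**7, 100 * 365, 10 * 365), 1))
```

The seed is 128 bits long, but its inputs carry far less entropy than that even in the assumed upper bound, and none at all against someone who has seen the data page.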




