Hangout for experimental confirmation and demonstration of software, computing, and networking. The exercises don't always work out. The professor is a bumbler and the laboratory assistant is a skanky dufus.

Recent Items
 
How Effective Is Your Software QA?
 
An Entirely New Way of Designing Systems?
 
Trust Points and Trust Issues
 
How Do We Safely Orient for Aspects?
 
Conquering the Business-Application Life Cycle
 
FLINT for bug-free, secure, and reliable software.  That should cover it!
 
TRUST 2: Proliferation of COTS in Critical Infrastructure
 
TRUST: Team for Research in Ubiquitous Secure Technology
 
Bring us Your Metadata, Your Tired, Your Poor, Your Abandoned Document Formats
 
Building Blue Relationships and Partnerships

Archives
2004-06-13
2004-06-20
2004-06-27
2004-08-29
2004-09-05
2004-09-12
2004-09-19
2004-10-10
2004-10-24
2004-11-07
2004-11-28
2004-12-05
2004-12-12
2004-12-26
2005-01-30
2005-02-06
2005-03-06
2005-03-13
2005-03-20
2005-04-03
2005-04-10
2005-04-17
2005-04-24

A Secure RFID-Identification Protocol?

ACM News Service: Feds Rethinking RFID Passport.  As noted by Bruce Schneier as well, the International Civil Aviation Organization has come up with a Basic Access Control protocol for security of RFID chips and their contents in passports.  The US State Department is considering adoption of the approach in response to public comments and realization that RFIDs may be readable at greater distances than intended.  This seems to involve a challenge response scheme using physical information on the passport folder as part of the conditioning scheme.  The BAC seems to operate as follows:

• RFID scanner station A reads optical information from the physical passport folder, P(wallet).  This establishes physical presence of the passport.  This is also sufficient for initiation of an authentication exchange with the passports RFID, P(RFID).
• RFID scanner A engages in a challenge-response exercise with the passport’s RFID, P(RFID) in which P(RFID) demonstrates that it possesses two private keys (and A demonstrates that it has read the physically-imprinted information).  A session key is created out of the process.  The passport data is transmitted from p(RFID) to scanner A encrypted with the session key.
• One concern in the Security Analysis that was carried out is that P(RFID) uses a UID during the challenge response and as a way to deal with collision detection.  If this UID is fixed, it is enough to allow tracking of the passport bearer without knowing any of the encrypted information.
• The decrypted message is presumably signed by a recognized authority. The signed material consists of biometric and other information about the authorized bearer.  It ties to the physical P(wallet) information and provides biometric informaiton.  This is mostly something the authentic bearer is, including a photographic image, a scanned signature, and other information.

Kim Zetter’s 2005-04-26 Wired News article has more information including links to a number of papers on the specifications, trials conducted with BAC-implementing devices, and an analysis that identifies some weaknesses.  The article indicates that BAC has been tested and done well, other than for the slowness introducd in the use of cryptography.  There are also some defects in the scheme, but these are not thought to be critical.  It is the case that the RFID is presumed to be read-only, and PKI techniques are used.

The basic concern of the comments on Schneier’s article seems to be that even transmitting an encrypted response reveals too much about the bearer.  Simply obtaining the RFIDs pong may reveal all the information that a terrorist needs.  And other out-of-band failures may occur, such as timing attacks and related ways of gaining enough information to carry off an exploit (including the ultimate denial of service, death of the bearer).  Secondly, if there is no shared secret, the contents of the RFID message can be obtained by a replay attack.  Based on my sketch, above, derived from a quick review of the available documents, this is not so likely if the recommendations made in the defect analysis are instituted, including having the RFID generate session UIDs via some random scheme.  The recommended precautions in an undated analysis by Juels, Molnar, and Wagner seem reasonable to provide in the case of US passports and entry to the US, because the US scanners will have the prerequisite capabilities.

I have the sense that not all passports need provide the maximum set of security provisions, and not all readers need demand them.  The minimal case is use of the physical passport and its markings and enclosures alone.  One concern of the authors of the weakness analysis is not the limited application of the scheme for passports, where it seems to be reasonably well-suited.  They express concern over function creep and application of the scheme in other settings where there can be unintended consequences of threats and interactions not foreseen for the ICAO use case.  If P(RFID) can be altered—for visa information, say—there are new difficulties to consider.

 

 

posted by orcmid at 4/28/2005 11:31:13 PM, rating data by NewsGator Online