The "paper version" is still required - the RFID is authenticated with information from the passport. The idea is at a border the passport itself will be scanned, OCR'd (from the data in the machine-readable zone) and then that information will be used to read the information + signature from the RFID chip to authenticate the document.
No, you're wrong. The person's passport number is a primary key into the issuer's database of valid documents as the ultimate source of truth. The RFID is another means in case the paper version wasn't legible, but at the expense of over-communicating details.
Strangely, to decrypt the data off the passport you need the passport number, the date of birth, and the expiry date. I assume this is why that playstore app needs to get a photo of your passport. Sure enough, my phone could read off other details about me including my photo after a few seconds of reading.
Never knew how it worked before, and assumed it was like how mifare DESfire cards work since the bytes I got from a simple reader app were different every time. (I assume that's done so you can't wirelessly ID people using their passports)
[1] says the decryption key is derived from those pieces of information, and the key derivation logic is public info, e.g. [2] is an implementation.
It's somewhat clever, if someone takes a photo of the first page, they already have your personal info, to steal it from the chip they still need to have visual on the info on that page.
The design on the passport made me thing that it would be really handy if the anti-forgery stuff contained information useful to a traveller, and not just be decorative.
Pretty when presented on a design-heavy site. Would have to see it in-person.
Still has the privacy-invasive RFID/NFC. I would not recommend inadvertently deactivating such an unwanted privacy thief by forgetting it in a microwave and definitely not accidentally turning it on for 1 second because then government entities would have to rely on document identifiers from the OCR scanner as a primary key into regulated database access instead.
21 comments
[ 2.6 ms ] story [ 39.9 ms ] threadFor either party to be clear...
You would want a paper version as a backup anyway in case the electronics fail.
Strangely, to decrypt the data off the passport you need the passport number, the date of birth, and the expiry date. I assume this is why that playstore app needs to get a photo of your passport. Sure enough, my phone could read off other details about me including my photo after a few seconds of reading.
Never knew how it worked before, and assumed it was like how mifare DESfire cards work since the bytes I got from a simple reader app were different every time. (I assume that's done so you can't wirelessly ID people using their passports)
It's somewhat clever, if someone takes a photo of the first page, they already have your personal info, to steal it from the chip they still need to have visual on the info on that page.
[1] https://randomoracle.wordpress.com/2012/08/27/reading-the-us...
[2] https://github.com/AndyQ/NFCPassportReader/blob/main/Example...
That document looks beautiful though, very reminiscent of CHF notes.
Still has the privacy-invasive RFID/NFC. I would not recommend inadvertently deactivating such an unwanted privacy thief by forgetting it in a microwave and definitely not accidentally turning it on for 1 second because then government entities would have to rely on document identifiers from the OCR scanner as a primary key into regulated database access instead.