I have a very practical question with big political implications: Can electronic passports be used to make large-scale elections without government involvement?
I am thinking of authoritarian countries that issue modern e-passports but do not allow free elections. Can activists organize an election for all citizens of that country in some online form, asking the voters to scan their passports using their phones, so that
- only legitimate citizens (who have passports) can vote
- votes remain anonymous
- everybody can vote only once
- the whole election can be audited
I never realized how much complexity goes into a passport, the cryptography, authentication layers, and others are mind blowing.
It’s impressive that something so small carries so many trust anchors. I’m wondering how they will manage to upgrade them - for future algorithms without breaking compatibility.
Washington State “Enhanced ID” (which is also REALID compliant) was one of the first DHS-approved IDs from way back in 2005 . Ari Jeuls et al (see below) found a number of vulns including remote cloning and remote disablement, publishing their findings a few years after the launch.
I talked to WA DOL Privacy Officer about it a couple years ago, and found that the tech platform had remained unchanged. WA maintains the printed material and DHS maintains the RFID package which is over 20 years old now .
Think of other 20 year old tech and how safe you feel having that in your wallet.
Wait, so these IDs essentially just broadcast what amounts to a static identifier wirelessly (which allows tracking and cloning, but not document authentication)? What's the point of that?
Or was there some cryptographic scheme that has since been broken?
Nice overview, although it seems to be missing one of the most important changes from AA to CA: AA uses signatures for challenge/responses, which are by definition non-repudiable.
This means that any second party with access to your passport can prove to any (unaffiliated/untrusted) third party that they had access to your passport and can even include something like a cryptographic timestamp to prove that they did so at a given point in time.
There were even some experimental schemes explicitly making use of ICAO biometric passports as a "proof of personhood", as far as I remember, but given that the ICAO scheme does not have any notion of document holder consent (e.g. via a PIN or other means of authentication), there are also significant privacy and security problems.
CA intentionally avoids all of that, since the risk of entities using ICAO passports as unintentional and insecure digital signature tokens was apparently deemed too high.
But what kind of cryptography makes it mathematically impossible for bribed officials to issue perfecly legal and cryptographically protected fake passports, and if none, then what problem do electronic passports actually solve other than creating even more opportunities to surveil common people?
> The filesystem architecture is straightforward, comprising three file types: master files (MFs) serving as the root directory; dedicated files (DFs) functioning as subdirectories or applications; and elementary files (EFs) containing actual binary data.
AFAIK, this is the exact same protocol used in all other kinds of smart cards, including credit / debit (EMV) chip cards, both standard and contactless, as well as SIM cards.
Not sure whether public transit, employee ID and TV cards use it too, but I wouldn't be surprised.
So, if I understand this article correctly, if a single terminal private key ever leaks, all the protections preventing any random passer-by from reading your biometric data go out the window[1].
You could partially mitigate such a weakness by including "not valid before" and "not valid after" timestamps in the certificates, which would have to be short-lived. Passports would then verify that the timestamp supplied by the terminal is in the correct range, as well as that it is greater than any previous timestamp this passport has ever recorded.
U.S. passports have a unique shielding which prevents them from being read whilst closed. It’s a low tech solution but I think it’s an amazing example of clever mitigations.
Not an expert but my understanding is that active authentication only occurs after the basic “I can see the MRZ data” authentication passes first. You can’t skip proving you can read the MRZ in any scenario.
German passports are valid 10 years. When my previous one was maybe 7 years old, to my surprise UK border control told me, your chip is dead. He was very friendly and said that's not a problem.
I never traveled to any country with less friendly border control after that, partly it were pandemic years anyway. But I wouldn't want to experience such surprise at the US border or probably many others, too.
I have no idea where, when, and how the chip got damaged. The passport was only used a couple of weeks every year. It had never been soaked, heated, frozen, severly bent or otherwise mechanically damaged. Once it got a bit moist at a sweaty bike trip in the mountains.
As embedded SW engineer I'd say: It's always the hardware :)
I had heard something about some sort of counter being incremented in the passport when it's read, which was meant to dissuade you from messing with it, since the next check-in at a border crossing would report this information...
This article doesn't really give much useful information beyond what is mostly well-known.
i went through border control twice at an airport after going to the wrong gate and when i returned to the uk the e-gates immediately declined to process it (the camera etc. didn't move and e.g. reject the facial recognition, it just immediately said go to the desks). i've always wondered what that was about, how do they know i didn't just go to a third country?
16 comments
[ 3.1 ms ] story [ 38.2 ms ] threadI am thinking of authoritarian countries that issue modern e-passports but do not allow free elections. Can activists organize an election for all citizens of that country in some online form, asking the voters to scan their passports using their phones, so that
- only legitimate citizens (who have passports) can vote - votes remain anonymous - everybody can vote only once - the whole election can be audited
It’s impressive that something so small carries so many trust anchors. I’m wondering how they will manage to upgrade them - for future algorithms without breaking compatibility.
I talked to WA DOL Privacy Officer about it a couple years ago, and found that the tech platform had remained unchanged. WA maintains the printed material and DHS maintains the RFID package which is over 20 years old now .
Think of other 20 year old tech and how safe you feel having that in your wallet.
https://www.arijuels.com/wp-content/uploads/2013/09/KJKB09.p...
Edit: clarified Enhanced ID because there are differences in the program
Or was there some cryptographic scheme that has since been broken?
This means that any second party with access to your passport can prove to any (unaffiliated/untrusted) third party that they had access to your passport and can even include something like a cryptographic timestamp to prove that they did so at a given point in time.
There were even some experimental schemes explicitly making use of ICAO biometric passports as a "proof of personhood", as far as I remember, but given that the ICAO scheme does not have any notion of document holder consent (e.g. via a PIN or other means of authentication), there are also significant privacy and security problems.
CA intentionally avoids all of that, since the risk of entities using ICAO passports as unintentional and insecure digital signature tokens was apparently deemed too high.
AFAIK, this is the exact same protocol used in all other kinds of smart cards, including credit / debit (EMV) chip cards, both standard and contactless, as well as SIM cards.
Not sure whether public transit, employee ID and TV cards use it too, but I wouldn't be surprised.
You could partially mitigate such a weakness by including "not valid before" and "not valid after" timestamps in the certificates, which would have to be short-lived. Passports would then verify that the timestamp supplied by the terminal is in the correct range, as well as that it is greater than any previous timestamp this passport has ever recorded.
German passports are valid 10 years. When my previous one was maybe 7 years old, to my surprise UK border control told me, your chip is dead. He was very friendly and said that's not a problem.
I never traveled to any country with less friendly border control after that, partly it were pandemic years anyway. But I wouldn't want to experience such surprise at the US border or probably many others, too.
I have no idea where, when, and how the chip got damaged. The passport was only used a couple of weeks every year. It had never been soaked, heated, frozen, severly bent or otherwise mechanically damaged. Once it got a bit moist at a sweaty bike trip in the mountains.
As embedded SW engineer I'd say: It's always the hardware :)
This article doesn't really give much useful information beyond what is mostly well-known.