As the U.S. government prepares to complete a conversion to the controversial RFID-based electronic passports, traditional paper-only IDs are still available for a few months to those listening to the raging debate over security and privacy concerns swirling around the electronic documents.
Many security experts are still questioning whether e- passports, which have a 10-year life span, have enough security built in to survive a decade of hackers and technology advancements while protecting e-passports users from data theft, identity theft and other security and privacy intrusions.
"If the government is right, this will be the first time in the history of mankind that a perfectly secure application will be produced. Of course it will be hacked," says Bruce Schneier, the noted security guru, author and CTO of Counterpane Internet Security.
The government thinks otherwise and has already started to issue the cards from two of its regional offices in Colorado and Washington, D.C.
"Let me be blunt," says Frank Moss, deputy assistant secretary for passport services at the Department of State. "We have obviously gone through an elaborate process here, and, I think, with the exception of a relatively small number of people, have addressed most people's security concerns."
Moss, along with other government and military officials, has been using an RFID-enabled passport since last year.
The e-passport is a contact-less smartcard with a secure microprocessor that employs a passive radio frequency to transmit data over an encrypted wireless link to a reader. The passive technology requires a reader to power the chip and is different from an RFID vicinity chip used for tracking items from a distance.
A technology called Basic Access Control (BAC) uses an electronic key, derived from machine-readable data printed on the passport's page, to unlocked the data on the chip, and a digital signature protects the integrity of the digital data.
The chip, which is embedded inside the cover of the passport, contains only a duplicate copy of the passport photograph and the printed data. The digital data is intended to prevent forgeries by allowing inspectors to compare the printed and digital data.
"This is not a security device for you, it is a security device for the government," says Schneier. "As long as you don't benefit from this why should you be a guinea pig?" Schneier recommends people get new passports, which are valid for 10 years, without RFID technology while they are still available. The government does not plan on recalling passports before their expiration date.
But once regional passport offices convert to e-passports, the traditional paper-only versions will not be available. The Colorado office converted on Aug. 4, while the Special Issuance Agency in Washington is completing a conversion. The other 15 offices will convert during the next five to six months.
The State Department is confident the e-passport has the security it needs because it has already incorporated feedback from security experts and citizens.
Last year, the department received 2,335 comments after the February introduction of the e-passport plan and 98.5% were negative while mostly citing security and privacy concerns.
The State Department later took steps to improve the e-passports including adding a shielded cover to block the RFID signal when the passport is closed, using a passive RFID technology that is powered by the reader and only transmits data over about four inches, and adding encrypted digital signatures.
But security, privacy and other questions have not gone away, with many experts saying it is not that the e-passport is inherently insecure but that some recently demonstrated hacks and the inevitable advancement of technology, such as an increase in the power of RFID antennas, show that the e-passport may not weather its 10-year life span.
Earlier this year, Dutch security firm Riscure conducted a test where it was able to intercept a data exchange between an e-passport and RFID reader and crack the encrypted files to expose fingerprints, photographs and other data.
The Dutch passports employ the same ISO 14443 chips and the BAC encryption scheme standards used by the United States and other countries issuing e-passports. Those global standards were set by the International Civil Aviation Organization, a group within the United Nations.
In addition, at the Black Hat hacker conference this summer, a German researcher was able to clone an e-passport chip, although he admitted it is impossible to change the data on the chip.
"I travel abroad frequently and I would hate to be among the guinea-pigs who become subject to identity theft while this new technology is essentially beta-tested in the real-world," says Andre Duran, CEO of Ping Identity, which develops identity federation technology. "While an optimist, I've learned the hard way it's safer to assume a hostile environment. Securing this chip from those with malicious intent appears to have been an afterthought."
Others agree there are enough lingering questions to move cautiously.
"It is clear that there are ways to read the information from these e-passports, but whether that constitutes a security exposure that the average person should be worried about is not clear," says Bob Blakley, principal analyst with the Burton Group. "But 'not clear' is not necessarily a good case for something that is going to be issued to millions of people. Conservatism is probably a good stance when working at that scale." Currently there are 70 million passport issued to U.S. citizens.
Blakley, who formerly was chief scientist for security and privacy at IBM, says one security questions that needs to be asked is if the e-passport solves any real problems at the U.S. border.
"We are gong to spend a very large amount of money to produce a more complicated [identity] artifact and it is not easy to quantify what we are buying for all that money and effort," says Blakley.
Proponents say what is clear is that the smart card technology used in the e-passport has a track record from its use in millions of mobile phones and payment cards.
"It's true this is new technology for passports, but the technology has been around for 25 years and it was designed to be a secure form of data protection," says Randy
Vanderhoof, executive director of the Smart Card Alliance. "Speculation from the Bruce Schneier's and others is that nobody knows what can happen in the future in terms of people's ability to come up with new and innovative ways to break into systems so therefore we should not trust any system out there. Our view is you can't go around predicting something might happen in the future and therefore stop all innovation and change."
The State Department's Moss says the e-passport is but one line of defense.
"This is not a magic bullet, it's just another major [security] tool."
This story, "Storm building over RFID-enabled passports" was originally published by Network World.