Media Bashing – Electronic Passports, and why should we care?

Todays link that popped up – and I don’t search for these , I just notice them on the tech feed of Google, is Guardian talking about how easy it is to clone an electronic passport (full link here and also the Times Online) and throughout the day popping up on other sources. The story is always basically the same – given a new passport, this guy has managed to create a “copy” of the passport but edited some of the data on the clone – to be precise he’s swapped the digital image of the person (and he’s used Osama and another terrorist to get the point across).

So what’s that these articles are getting at? Basically, this (And this applies to all smart-card technologies irrelevant of they are contactless or not) – a smart card uses a standard interface to talk over, which your reader calls function calls on the processor on the other side. Now, the functions it can call, even if they’re secret, eventually will be leaked or someone will work out how they work, and publish that info.

What happens then is this – people are able to read off the smart card a whole heap of information – for example, in a credit card, the reader is able to get the card number and the name on the card, as well as other useful information about the type of card etc – this is the whole point of the card. If it wasn’t possible to get this information off, then the card wouldn’t be any use in a merchant’s terminal – a passport which you could never get the details off, would be, well, about as useful as a brick.

The way the security often works however, is that a secret piece of data on the card is used to manipulate some other data – some transaction specific data. So the banks and the passport issuers put this secret on the card which can’t be retrieved (without going into discussions here about side channel attacks). Often this is in the form of a simple hashing algorithm. The Bank/Passport office know what this secret is, and the card does – so when the merchant (or if a passport, the border guard) passes the hash up, it can be confirmed by the computers.

So what is the media raving about? Basically, they’ve got a guy who’s created his own copy of the Passport’s chip – that is he’s taken an off the shelf chip and programmed it with a program which mimics the official program.

He’s then read a copy of the real passport, and read all the “public” data from it – that is he’s called each of the functions in turn and read back the data that the official program sends. He’s then plopped that data into his own version, and changed a bit here and there. Now, this is all very good apart from he can’t clone the secret – he can either do one of two things.

1) try and get by with the same data being returned every time (which the smart card app designers will have written guards in against hackers doing that), or

2) pick a random secret and use that to generate the data that he doesn’t know.

So what he’s done is that second one. And this (in my opinion) is what the news stories should really be focusing on:

According to the news results, whilst 44 countries have signed up to the Electronic Passport scheme, and have agreed to implement it to the same standards, only 5 of them have actually implemented the electronic checks which will confirm if the secret on the card is the correct secret. The message that being sent out by the media should not be “Can we create forged cards” – that, as always, is yes, but instead, it should be “Why haven’t the other 39 countries got their systems ready yet?”. Then the question is much simpler – “Can we spot the forged cards” – with the systems that have been specified in place, the answer will be yes.

So Smart Cards are the answer to All Security Problems. Ever.

I’m not saying that. There are a lot of situations where Smart Card security based solutions don’t quite work, for instance offline transactions where you can’t verify “on the spot” if the details inside the card are genuine. There is a lot of skill and a lot of time and effort being spent by Smart Card programmers to provide very good and very secure programs – if you create a smart card program and algorithm in an afternoon, its not going to be as secure as one that has been well researched, and analysed and so forth. But, they add an extra layer of security on top of the already difficult to forge documents.