Tool to backup, modify and clone ePassport released

Charles Lindsey ukcrypto at chiark.greenend.org.uk
Wed, 01 Oct 2008 11:02:49 +0100


On Tue, 30 Sep 2008 19:21:34 +0100, Ian Batten <igb@batten.eu.org> wrote:

> I wouldn't be at all surprised if it were possible to place onto a  
> passport a set of information signed with a self-signed cert.  Indeed,  
> short of the passport itself embodying containing some root keys and the  
> hardware to test data against them --- which would require substantial  
> power, which isn't available --- it's hard to see how you would stop  
> this.  It's some memory.  I can load bits into it.  Why wouldn't I be  
> able to?

In a sensibly designed chip, there would be data that could be altered  
after manufacture and data that could not, with a fusible link to be  
destroyed after the unalterable data had been loaded. That data might also  
be unreadable externally, but available for the internal electronics of  
the chip to access as part of its verification procedures.

If the Bad Guys want to clone chips by altering stuff in an  
already-existing passport, then they could not do it. With the hidden  
stuff not even readable, they might not be able to do it even if they  
could lay their hands on virgin chips.
>
> The question is if that data will be seen as valid by a reader at the  
> border of (a) the issuing country (b) a country on friendly terms with  
> the issuing country and (c) an arbitrary country, and what benefit it  
> gives me.
>
> In the case of (a) the answer is clearly `no', because the data isn't  
> read anyway: the passport's serial number is extracted and the  
> photograph is retrieved from the UKPA database.

I would not necessarily expect such readers to be online to the UKPA  
database. They would verify the chip on the consistency of the data  
contained within it, using their knowledge of the Public Key with which it  
should be secured. Just as current Chip'n'Pin cards are usually verified  
offline.

The problem with the Dutch (?) readers is that they apparently do not have  
even the Dutch Public Key loaded into them.

> In the case of (b) it depends on if the country has access to the UKPA  
> passport data.

Not so (see above). It only needs to know the relevant UK Public Key  
(which, of course, it needs to have obtained by some reliable means).

> If (c), the border won't have access to UKPA data and may not have  
> practical access to any signing technology.

Sure, but if they do choose to invest in signing technology, then they are  
in the same position as country (b), at least to the extent that they  
trust whatever Public Key they have been able to obtain.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl@clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
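The offline check Charles describes (reader holds only the issuing country's public key, chip carries signed hashes of its data groups) in simplified form, as an added example that is not part of the original post or of any passport reader. It models the signed object on the chip as a table of SHA-256 hashes plus an ECDSA signature and the signer's key; the data groups, DG numbers and the `Issue`/`Verify` helpers are assumptions for illustration, not the real ICAO encoding. Passing `nil` as the trusted key models a reader with no public key loaded, the situation Charles attributes to the Dutch readers: it can still check self-consistency, but a cloned chip re-signed with the attacker's own key then passes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// DataGroups stands in for the chip's data groups (DG1 = MRZ text, DG2 = photo, ...).
// Contents used below are constructed sample values, not real passport data.
type DataGroups map[int][]byte

// SecurityObject is a simplified stand-in for the signed object the chip carries:
// a hash of every data group, a signature over those hashes, and the signer's public
// key (a real chip carries the signer's certificate; the bare key suffices here).
type SecurityObject struct {
	Hashes map[int][32]byte
	Sig    []byte
	Signer *ecdsa.PublicKey
}

// NewKey generates a P-256 signing key (issuer or attacker, depending on who holds it).
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// digestOfHashes fixes a deterministic encoding of the hash table (sorted by DG
// number) so that signer and verifier hash exactly the same bytes.
func digestOfHashes(h map[int][32]byte) [32]byte {
	nums := make([]int, 0, len(h))
	for n := range h {
		nums = append(nums, n)
	}
	sort.Ints(nums)
	var buf bytes.Buffer
	for _, n := range nums {
		buf.WriteByte(byte(n))
		v := h[n]
		buf.Write(v[:])
	}
	return sha256.Sum256(buf.Bytes())
}

// Issue is what the issuing authority does once, at personalisation time.
func Issue(dgs DataGroups, signer *ecdsa.PrivateKey) (*SecurityObject, error) {
	so := &SecurityObject{Hashes: map[int][32]byte{}, Signer: &signer.PublicKey}
	for n, data := range dgs {
		so.Hashes[n] = sha256.Sum256(data)
	}
	d := digestOfHashes(so.Hashes)
	sig, err := ecdsa.SignASN1(rand.Reader, signer, d[:])
	if err != nil {
		return nil, err
	}
	so.Sig = sig
	return so, nil
}

// Verify is the offline check at the border. trusted is the issuing country's public
// key, obtained out of band and pinned in the reader. nil models a reader with no key
// loaded: it can only check that the chip is self-consistent, so it accepts any chip
// whose signed object was produced by whoever's key is embedded in it.
func Verify(dgs DataGroups, so *SecurityObject, trusted *ecdsa.PublicKey) error {
	if trusted != nil && !so.Signer.Equal(trusted) {
		return errors.New("security object not signed by the trusted issuer key")
	}
	d := digestOfHashes(so.Hashes)
	if !ecdsa.VerifyASN1(so.Signer, d[:], so.Sig) {
		return errors.New("signature over data-group hashes does not verify")
	}
	for n, data := range dgs {
		if h, ok := so.Hashes[n]; !ok || h != sha256.Sum256(data) {
			return fmt.Errorf("DG%d does not match its signed hash", n)
		}
	}
	return nil
}

func main() {
	issuer, attacker := NewKey(), NewKey()
	genuine := DataGroups{1: []byte("P<GBRDOE<<JANE<<<<<<<<<"), 2: []byte("photo-bytes")}
	so, _ := Issue(genuine, issuer)
	fmt.Println("genuine, pinned key:   ", Verify(genuine, so, &issuer.PublicKey))
	cloned := DataGroups{1: genuine[1], 2: []byte("attacker-photo")} // DG2 swapped
	fmt.Println("edited DG2, old SOD:   ", Verify(cloned, so, &issuer.PublicKey))
	so2, _ := Issue(cloned, attacker) // attacker re-signs with a key of their own
	fmt.Println("edited DG2, re-signed: ", Verify(cloned, so2, &issuer.PublicKey))
	fmt.Println("same, no key loaded:   ", Verify(cloned, so2, nil))
}
```

The three rejections and one acceptance in `main` are the point of the thread: rewriting a data group breaks the hash check, re-signing it breaks the pinned-key check, and only a reader that has never been given the issuer's key is fooled. Note also what the reader never needs: a connection to the issuer's database.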