Tool to backup, modify and clone ePassport released

Tony Naggs ukcrypto at chiark.greenend.org.uk
Sun, 5 Oct 2008 23:44:32 +0530


2008/10/4 steve <steve@segfault.net>:
> Hi,

Hi

> ... Anyone
> can read the epassport info without any authentication required. This
> means someone can tell when you enter which building or what shop or
> who you meet or sit at the same table with.

The reader has to authenticate with the passport in order to access
the data, using data contained in the passport.  Most implementations
also use a new random id each time they are queried, so you can't just
compile a directory of passport id numbers.

You could compile a directory of data from passports you have seen.
Then try these records one by one to authenticate with passports you
see later, if one of the authentication attempts works you have
identified the passport.  But (a) you must have collected the
authenticating information previously, (b) exhaustive search through
any significant database is going to be slow, (c) the passport must be
in quite close proximity continuously during the probing, and (d)
this is easily blocked with metal foil such as that built into US
passports.

The main problem with unauthorised probing of ePassports is that the
exact behaviour of different passports varies before authentication,
depending on implementation decisions.  These variations can be used
to distinguish (groups of) nationality without sight of the passport.

ttfn,
Tony