Grandmom: So tell me about this electronic passport thing they're talkin about.
Me: blah blah blah techie jargon blah blah blah political implications blah blah blah false sense of security
Grandmom: Jesus that's just going to be a big pile of crap!
Me: That's an affirm, silver fox.
==========
e-Passports Using Contactless Chips Show Security Flaws
By Junko Yoshida, EETimes
PARIS The Department of Homeland Security's first tests of electronic-passport interoperability exposed technology flaws, including myopic and dyslexic smart-card readers. Some readers could not detect the presence of e-passport chips, many could detect the chips but could not read them and others were befuddled about what information they were supposed to display.
On the other hand, in the absence of a private data encryption requirement under the proposed U.S. scheme, readers in one test were able to spy on and copy sensitive personal data from a distance of 30 feet. That has some security experts and privacy rights advocates calling for a rethinking of the planned system.
The results of last month's three-day testing event, held at National Biometric Security Project facilities in Morgantown, W.Va., sent vendors scrambling to tweak their products in time for the second round of interoperability testing, which began last week in Sydney, Australia. But most technology providers said the technical difficulties were an inevitability for first-generation products based on varying interpretations of the International Civil Aviation Organization's e-passport spec.
The tests did show that e-passports based on the ISO 14443 Type B contactless interface had more problems than those using the Type A interface. The ICAO spec provides for the use of either interface but mandates that readers support both types.
Joerg Borchert, vice president and head of secure mobile solutions for Infineon Technologies North America, compared the tests to the PC industry's plugfests. USB, Ethernet and Firewire, he noted, were "never that precise in the beginning, but interoperability testing helped work out the details."
But it was intrusion, not precision, that was on the minds of the security experts and privacy advocates who expressed alarm last week at the results of a National Institute of Standards and Technology trial at Morgantown. Using a reader equipped with an antenna, NIST testers were able to lift "an exact copy of digitally signed private data" from a contactless e-passport chip 30 feet away, said Neville Pattinson, director of business development technology and government affairs for smart-card provider Axalto Americas.
The basic ICAO spec the basis for the U.S.approach does not require personal-data encryption. "Unless the government reconsiders its current position and decides to add a security mechanism beyond the digital signature to its e-passport," said Pattinson, the system will be insecure.
[...]
full at -
<http://nwc.securitypipeline.com/showArticle.jhtml?articleID=46200129
>
...
.d.