the federal government in the United States. A standard for government ID cards, FIPS 201 (Personal Identity Verification, or PIV), is seeing rapid development by the National Institute of Standards and Technology (NIST). We expect PIV cards will include the same blend of technical mechanisms as e-passports: a combination of RFID and biometrics. The biometric of choice for PIV cards, however, will probably be fingerprint recognition. At the time of writing, the U.S. House of Representatives recently passed a bill called the Real ID Act; this seems a likely impetus for states to issue identity cards containing biometrics, and probably RFID tags as well.

The goal of the ICAO and PIV projects is the same: strong authentication through documents that unequivocally identify their bearers. Data integrity and physical integrity are vital to the security of ID cards as authenticators. For authorities to establish the identity of John Doe with certainty, for example, Doe's passport must carry a photograph of irrefutable pedigree, with a guarantee that no substitution or tampering has taken place. Without this guarantee, passports can be forged, enabling unauthorized persons to enter a country.

Strong authentication requires more than resistance to tampering. Data confidentiality, i.e., secrecy of the data stored on ID cards, is also critical. Protecting biometric and biographical data is essential to the value and integrity of an authentication system. In particular, data secrecy affords an important form of protection against forgery and spoofing attacks. Therefore protecting e-passport data against unauthorized access is a crucial part of the security of the entire system.

Confidentiality protection for stored data is important for other reasons as well. Both RFID and biometrics are highly privacy-sensitive technologies. Sensitive data, such as birthdate or nationality, are carried on passports. The privacy, physical safety, and psychological comfort of the users of next-generation passports and ID cards will depend on the quality of data-protection mechanisms and supporting architecture.

We identify security and privacy threats to e-passports generally, then evaluate emerging and impending e-passport types with respect to these threats. We primarily analyze the ICAO standard and the specific deployment choices of early adopter nations. Where appropriate, we also discuss the Malaysian e-passport. Here is a summary of the major points we touch on:

1. Clandestine scanning: It is well known that RFID tags are subject to clandestine scanning. Baseline ICAO guidelines do not require authenticated or encrypted communications between passports and readers. Consequently, an unprotected e-passport chip is subject to short-range clandestine scanning (up to a few feet), with attendant leakage of sensitive personal information, including date of birth and place of birth.

2. Clandestine tracking: The standard for e-passport RFID chips (ISO 14443) stipulates the emission, without authentication, of a chip ID on protocol initiation. If this ID is different for every passport, it could enable unauthorized parties to track the movements of the passport holder. Tracking is possible even if the data on the chip cannot be read. We also show that the ICAO Active Authentication feature enables tracking when used with RSA or Rabin-Williams signatures.

3. Skimming and cloning: Baseline ICAO regulations require digital signatures on e-passport data. In principle, such signatures allow the reader to verify that the data came from the correct passport-issuing authority. Digital signatures do not, however, bind the data to a particular passport or chip, so they offer no defense against passport cloning: an attacker who reads (skims) the signed data can write it to another chip, where the signature verifies exactly as it did on the original.

4. Eavesdropping: "Faraday cages" are an oft-discussed countermeasure to clandestine RFID scanning. In an e-passport, a Faraday cage would take the form of metallic material in the cover or holder that prevents the penetration of RFID signals. Passports equipped with Faraday cages would be subject to scanning only when expressly presented by their holders, and would seem on first blush to allay most privacy concerns. Faraday cages, however, do not prevent eavesdropping on legitimate passport-to-reader communications, like those taking place in airports. Eavesdropping is particularly problematic for three reasons.

   (a) As envisioned in the ICAO guidelines, e-passports will likely see use not just in airports, but in new areas like e-commerce; thus eavesdropping will be possible in a variety of circumstances.

   (b) Unlike clandestine scanning, eavesdropping may be feasible at a longer distance, given that eavesdropping is a passive operation.

   (c) As it is purely passive and does not involve powered signal emission, eavesdropping is difficult to detect (unlike clandestine scanning).

5. Among other data, e-passports will include biometric images. In accordance
Digital signatures, and indeed e-passports and secure ID cards in general, do not solve the problem of validating enrollment. Depending on how new users are validated, it may be possible to obtain an authentic ID by presenting inauthentic credentials or by circumventing issuing guidelines. Indeed, the 9/11 hijackers had perfectly authentic drivers' licenses. Digital signatures would merely have confirmed their validity. We do not treat the issue of enrollment here, but note that it is pivotal in any ID system.