Passports: Another Bad Use of Self-Signed Certificates

By Larry Seltzer
2008-10-04

The offline nature of passport data makes it impossible to validate in any meaningful way. This weakness made it easy for hackers to devise systems for cloning and modifying passport RFID chips.

I'm surprised it took this long: Hackers have released the specs and tools to clone and modify the RFID chips in U.S. passports. Two years ago when the plan to issue them was first widely discussed, I asked what purpose they served and pointed out obvious problems with them. As far as I can tell, e-passports remain a problem born of the notion that a more sophisticated identity system is a better one.

The hackers who revealed the RFID cloning details described how the system works. I believe they draw some questionable conclusions that call for further analysis. In a blog further examining their findings, THC (The Hackers Choice) points out that the terminal that reads the e-passport accepts self-signed data, as opposed to data signed by a CA (certificate authority).

Self-signed certificates are, as I have written before, inherently untrustworthy. I quoted Michael Barrett of PayPal as saying, "In the case of self-signed certificates it’s almost impossible to see how any technology can disambiguate between legitimate uses and criminal ones." That's the case with passports—an accurate clone cannot be detected.

The hackers then go on to argue that a CA would not be a good solution because it would be a single point of failure, a potential vulnerability in the system. This is going several steps too far, and missing the real problem in the passport system.

Arguing that a CA is a single point of failure is an argument against the whole SSL infrastructure. Is Amazon.com or Chase.com insecure because the VeriSign Trust Network could go down? Yes, but it's way down the list of problems that could reasonably be expected to develop.

CAs are, as a general rule, reliable, and I would argue that the data in them is relatively static, so even if one went down for a short period, local caches would be an adequate stopgap.

They also argue that the single CA would need to be trusted by all governments. Yes, it would for U.S. passports. Freedonia and Sylvania can choose their own certificate authorities for their passports if they choose to make such an implementation. If, for example, they choose to use the Russian Business Network as their CA, we might take that into account in our evaluations of the trustworthiness of their electronic passports, but the THC claim that CAs somehow take governments out of the decision-making process for passports is wrong. The THC also gives a phony example claiming to show that Freedonia could create a Sylvania passport, but it doesn't make sense.

Why didn't the system incorporate certificate authorities? Because it was designed to operate offline, or at least that's the way it appears to me. They didn't want to assume they could get reliable Internet access everywhere they might want to read passports. And the fact that they had such a constraint is the best reason not to do e-passports at all because it meant that the passports could not be properly authenticated. Of course, having the systems online would also mean securing them properly, which may have been another disincentive to having them online. It all adds up to, "Why bother?"

The hackers go too far one more way by implying that the ease with which passport chips may be cloned means that passports themselves may be easily cloned. In fact, the printed parts of passports look to me to be extremely difficult to counterfeit. And yes, you could take your passport and put a clone chip in for another person, but that sounds like a good way to get yourself a free stay in the holding cell at the airport and multiple body cavity searches.

The government surely knows this. The one time I traveled abroad recently, my wife had a new e-passport and I don't remember anyone not scrutinizing the physical printed data. To the extent that they recognize that the electronic data cannot be trusted, it can't be harmful, but then what purpose does it serve?

My feeling is that, post-9/11, there was a mandate to "modernize" our identification systems and make them more sophisticated. But a more sophisticated system isn't necessarily a better one. Nothing will replace the human being reading the passport and comparing it to the human in front of him. The little white elephants inside the passports won't really have an impact.

Copyright Issues?