Short keys leave UK passports open to hackers


UK and Dutch passports can be hacked using brute force because they use short keys to protect the information on their embedded RFID chips, an RFID expert told the European Network and Information Security Agency (Enisa) this week.

The US had chosen a longer key for its identity documentation and was thus better protected, security firm RSA's Ari Juels told Enisa's summer school this week.

Juels said the use of radio frequency identification (RFID) tags was likely to increase vastly because they were so useful for tracking things and recording their histories. But privacy, counterfeit and unauthorised reading concerns needed addressing, he said.

The tags were getting cheap and powerful enough to carry "reasonable" protection such as AES encryption and challenge and response processing, he said.

Key management was the biggest problem, but it could be overcome by having the tag carry its own key, or rather a part of the key, he said.

Splitting the key using a technique called secret sharing between several items that were likely to travel together reduced the risk of the key being discovered, he said.

This allowed a farmer to microchip his herd of cows, but because each cow carried only part of the key, its identity could not be discovered unless the rest of the herd was present to complete the key.

A similar principle could be applied to passports and identity cards, drugs and other high-value items, he said.

The use of RFID chips as vehicle anti-theft devices, where the tag on the key had to match the tag on the car, had cut thefts by 90%, he said.

The advantage of this was that once the goods were sold or otherwise ended their journey, the key disappeared, he said.

This solved the retailers' problem of having to "kill" tags at the point of sale to stop them from being used to trace the consumer's subsequent journey.
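
The key-splitting idea described above, as an added example that is not from the article or from RSA. It assumes Shamir's threshold scheme (the article does not name one) and goes beyond the whole-herd case by also letting a chosen number of tags suffice; the function names, the 521-bit field and the sample key are constructed for illustration.

```python
import secrets

# Mersenne prime 2**521 - 1: a field big enough for 128- or 256-bit keys.
PRIME = 2**521 - 1

def split_key(key, n_tags, threshold):
    """Return n_tags shares (x, y); any `threshold` of them rebuild `key`."""
    if not 1 <= threshold <= n_tags:
        raise ValueError("need 1 <= threshold <= n_tags")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too long for this field")
    # Random polynomial f of degree threshold-1 with f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n_tags + 1):      # tag number x stores f(x)
        y = 0
        for c in reversed(coeffs):      # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover_key(shares, key_len):
    """Lagrange-interpolate f(0) from the tags actually read.

    Returns None when the result does not fit in key_len bytes, which is
    what too few shares produce with overwhelming probability.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 1 << (8 * key_len):
        return None
    return secret.to_bytes(key_len, "big")

if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    herd = split_key(key, n_tags=5, threshold=5)   # article's case: whole herd needed
    print(recover_key(herd, 16) == key)            # all five tags read
    print(recover_key(herd[:4], 16) == key)        # one cow missing
    crate = split_key(key, n_tags=5, threshold=3)  # generalization: any 3 of 5
    print(recover_key(crate[1:4], 16) == key)
```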


