
Short keys leave UK passports open to hackers

Ian Grant

UK and Dutch passports can be hacked using brute force because they use short keys to protect the information on their embedded RFID chips, an RFID expert told the European Network and Information Security Agency (Enisa) this week.

The US had chosen a longer key for its identity documentation and was thus better protected, security firm RSA's Ari Juels told Enisa's summer school this week.

Juels said the use of radio frequency identification (RFID) tags was likely to increase vastly because they were so useful for tracking things and recording their histories. But privacy, counterfeit and unauthorised reading concerns needed addressing, he said.

The tags were getting cheap and powerful enough to carry "reasonable" protection such as AES encryption and challenge and response processing, he said.

Key management was the biggest problem, but it could be overcome by having the tag carry its own key, or rather a part of the key, he said.

Splitting the key using a technique called secret sharing between several items that were likely to travel together reduced the risk of the key being discovered, he said.

This allowed a farmer to microchip his herd of cows, but because each cow carried only part of the key, its identity could not be discovered unless the rest of the herd was present to complete the key.

A similar principle could be applied to passports and identity cards, drugs and other high-value items, he said.

The use of RFID chips as vehicle anti-theft devices, where the tag on the key had to match the tag on the car, had cut thefts by 90%, he said.

The advantage of this was that once the goods were sold or otherwise ended their journey, the key disappeared, he said.

This solved the retailers' problem of having to "kill" tags at the point of sale to stop them from being used to trace the consumer's subsequent journey.

