Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," Schneier is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.
His first bestseller, Applied Cryptography , explained how the arcane science of secret codes actually works, and was described by Wired as "the book the National Security Agency wanted never to be published." His book on computer and network security, Secrets and Lies , was called by Fortune "[a] jewel box of little surprises you can actually use." His current book, Beyond Fear , tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security.
Schneier also publishes a free monthly newsletter, Crypto-Gram , with over 100,000 readers. In its seven years of regular publication, Crypto-Gram has become one of the most widely read forums for free-wheeling discussions, pointed critiques, and serious debate about security. As head curmudgeon at the table, Schneier explains, debunks, and draws lessons from security stories that make the news. Regularly quoted in the media, Schneier has written op ed pieces for several major newspapers, and has testified on security before the United States Congress on many occasions.
The Hackers Choice has released a tool allowing people to clone and modify electronic passports.
The problem is self-signed certificates.
A CA is not a great solution:
Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors:
The CA becomes a single point of failure. It becomes the juicy/high-value target for the attacker. Single point of failures are not good. Attractive targets are not good.
Any person with access to the CA key can undetectably fake passports. Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key.
The single CA would need to be trusted by all governments. This is not practical as this means that passports would no longer be a national matter.
Multiple CA's would not work either. Any country could use its own CA to create a valid passport of any other country. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A's CA key. The terminal will validate and display the information as data from Country B.This option also multiplies the number of 'juicy' targets. It makes it also more likely for a CA key to leak.
Revocation lists for certificates only work when a leak/loss is detected. In most cases it will not be detected.
So what's the solution? We know that humans are good at Border Control. In the end they protected us well for the last 120 years. We also know that humans are good at pattern matching and image recognition. Humans also do an excellent job 'assessing' the person and not just the passport. Take the human part away and passport security falls apart.
Please note: Blogs contain items that are the responsibility of the author and are presented "as is" with no endorsement from, nor editing by, nor approval from complianceandprivacy.com. The copyright owner for the blog items is that of the originator of the item. Each blog item is reproduced from the relevant feed from the originating blog, either in full or in part as that feed itself determines. All blog item header links lead directly to those items on the original blog. Blogs are dynamic. We offer them in good faith, but, where the content is outside our control we cannot be responsible for their errors, omissions or other conduct. Some of the links on this page remain on this site, others go to other sites; that is the nature of a blog. When you leave this site you are encouraged to be aware of the privacy policy of the new site before leaving personal data there.
This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.
Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," Schneier is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier. 