State launches e-passports, rejects security concerns
- By Wilson P. Dizard III
- Feb 27, 2006
The State Department started pilot production of electronic passports earlier this month and plans to roll out e-passports for the general public this summer, officials said.
The senior official in charge of the project also said that technical issues raised recently about e-passport security would not prevent the general distribution of the documents.
Frank Moss, deputy assistant secretary of State for consular affairs, said in an interview this morning that the department is using e-passport technology provided by Infineon Technologies North America Corp. of San Jose, Calif.
Moss said Infineon's components for the e-passport have been approved by National Institute of Standards and Technology testing. The company provides contactless chip radio-frequency identification device technology that stores biographical data in machine-readable form.
Infineon's chip and a small antenna are embedded in the passport cover, which also includes a metal shield to prevent eavesdropping on data flowing from the passport to the reading machine.
Three other companies (Axalto Inc. of Austin, Texas; On Track Innovations Ltd of Ft. Lee, N.J.; and ASK of Sophia Antipolis, France) also have e-passport chips that NIST is testing.
"It is premature to say whether all of those will make it through the NIST tests," Moss said, adding that the chips must pass the tests before State would buy them.
Digital passports produced by the federal government comply with a standard forged by the International Civil Aviation Organization, as do all e-passports deployed or under development worldwide. In recent weeks, that standard has come under questioning from a Dutch RFID testing laboratory and a domestic technology analyst.
In recent weeks, a Dutch RFID testing laboratory, Riscure BV of Delft, has issued a statement that it has been able to crack the encryption of the Dutch e-passport using a PC in two hours. According to RFID specialist Harko Robroch of the Dutch laboratory, "An attacker intercepting the contactless communication between the passport and the border control system can get access to the personal information held on the chip inside the new passport."
Robroch stated that sequential relationships between the Dutch passport numbering scheme and the key used to encrypt personal information sent from the passport to the reader device reduced the number of possible encryption methods for the personal data.
He urged Dutch authorities to improve the security of their passport encryption.
A second criticism of the State passport technology came from Joseph Anlage, president and chief executive officer of ALDC, which reportedly is a startup company involved in laser technology. Anlage issued a statement asserting that State's technology for storing facial images on passport chips would not provide reliable data.
Moss rejected both lines of attack on the technology that State has adopted. He said that the U.S. passport has more layers of security than the Dutch document. They include a metal shield to help protect against interception of data transmitted between the passport and the reading device. In addition, State has adopted Basic Access Control, a means of securing the data transmission between the passport and reader, and "random uniqueness," which is a more secure encryption key than that of the Dutch passport.
Taken together, the State Department methods provide "security in depth," Moss said.
Additional questions about the security of the ICAO standard have been raised by federal officials, who noted that a technical committee of the organization has been meeting to plug possible security loopholes in the standard.
Moss acknowledged that an ICAO technical committee recently met in Rome to consider strengthening the security of the encryption key used to secure data flowing from the passport to the reading device. The committee, reviewing a technology known as "entropy," is considering lengthening the key by including alphanumeric data from the second line of the machine-readable zone of each passport as well as the data from the first line, which is already included.
Moss said the questions that have been raised about the security of the passports "do not represent a fundamental problem that must be corrected [before the documents can be widely distributed]."