Doubts don't hinder e-passport debut
State Department approves one vendor, though technology's readiness still unsure
- By Wilson P. Dizard III
- Mar 10, 2006
Even amid the continued doubts of experts, and with only one approved technology vendor, the State Department is pressing forward with its electronic passport program.
The agency recently started issuing e-passports to its diplomatic corps and plans to roll out the contactless chip technology for the general public this summer, officials said.
The e-passport rollout is the culmination of a program burdened by disputes over the security technology in contactless chips and litigation over the chips' procurement.
Disputes about the safety of e-passport technology haven't dropped off, even with the State Department's decision to start issuing the new documents.
Some federal officials, speaking on condition of anonymity, still doubt the technology. They have cited and distributed recent studies claiming that electronic passports' security measures can be hacked, and that the radio frequency identification chip lacks the capacity to store sufficiently detailed pictures.
State Department officials reject these criticisms. Frank Moss, deputy assistant secretary of state for consular affairs, said the agency is using e-passport technology provided by Infineon Technologies North America Corp. of San Jose, Calif.
The National Institute of Standards and Technology has tested and approved Infineon's e-passport components, Moss said. Infineon offers contactless RFID chips that store biographical data in machine-readable format.
The chip and a small antenna are embedded in the passport cover, which also includes a metal shield to prevent eavesdropping on data as it flows from the passport to the reading machine.
Three other companies (Axalto Inc. of Austin, Texas; On Track Innovations Ltd. of Fort Lee, N.J.; and ASK of Sophia Antipolis, France) also have e-passport chips that NIST is testing for possible use in the passports. NIST would not comment on the status of the tests and referred all questions to the State Department.
A spokeswoman for Axalto said her company was continuing to support the State Department's electronic passport program. Representatives of the other companies either referred questions to the government or could not be reached for comment.
On Track Innovations regained its status as a possible contractor for e-passport components after it successfully sued the government in the Court of Federal Claims in Washington to overturn its rejection by the program.
"It is premature to say whether all of those will make it through the NIST tests," Moss said, adding that the chips must pass before the State Department would buy them.
Digital passports produced by the government comply with a standard forged by the International Civil Aviation Organization, as do all e-passports deployed or under development worldwide.
In recent weeks, that standard has come under question from a Dutch RFID testing laboratory and a domestic technology analyst.
The Dutch lab, Riscure BV of Delft, recently issued a statement that, within two hours and using a PC, it has been able to crack the encryption of the Dutch e-passport.
According to RFID specialist Harko Robroch of Riscure, "An attacker intercepting the contactless communication between the passport and the border control system can get access to the personal information held on the chip inside the new passport."
Sequential relationships between the Dutch passport numbering scheme and the key used to encrypt personal information sent from the passport to the reader device reduced the number of possible encryption methods for the personal data, Robroch said. He urged Dutch authorities to improve the security of their passport encryption.
A second criticism has come from reports that the State Department's technology for storing facial images on passport chips would not provide reliable data.
Moss rejected both lines of attack, noting that the agency's passport has more layers of security than does the Dutch document.
The State Department's security measures include a metal shield in the passport cover to protect against interception of data. In addition, the agency has adopted Basic Access Control, a means of securing the data transmission between the passport and reader, and "random uniqueness," a more secure encryption key than that in the Dutch passport.
Taken together, the State Department's methods offer "security in depth," Moss said.
Federal officials have raised additional questions about the security of the International Civil Aviation Organization standard. A technical committee of the group has been meeting to plug possible security loopholes in the standard, they said.
Moss acknowledged that a technical committee of the organization recently met in Rome to consider strengthening the security of the encryption key used to secure data flowing from the passport to the reading device.
The committee, reviewing a technology known as entropy, is considering lengthening the key by including alphanumeric data from the second line of the machine-readable zone of each passport, as well as the data from the first line, which already is included.
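The weakness Robroch describes, and the key strength the committee is reviewing, can be measured on an issuing authority's own register. The following is an added example, not code from Riscure, ICAO or the State Department: it assumes the access key is built from document number, birth date and expiry date (the article does not list the fields), and the register, issuance rate and date spans are constructed.

```python
import math
import random
from datetime import date, timedelta

DOB_DAYS = 100 * 365      # assumed: holder born within a 100-year span
VALIDITY_DAYS = 10 * 365  # assumed: expiry dates spread over 10 years

def issue_register(days, per_day, sequential, seed=1):
    """Constructed register of (9-digit document number, expiry date) pairs."""
    rng, serial, rows = random.Random(seed), 100_000_000, []
    first_expiry = date(2016, 1, 1)
    for d in range(days):
        expiry = first_expiry + timedelta(days=d)
        for _ in range(per_day):
            if sequential:
                serial += 1                      # numbers follow issue order
                number = f"{serial:09d}"
            else:
                number = f"{rng.randrange(10**9):09d}"
            rows.append((number, expiry))
    return rows

def number_bits_given_expiry(register):
    """log2 of the widest document-number window seen for one expiry date.

    A narrow window means the number is largely predictable from the date.
    This heuristic only catches monotone (sequential-style) correlation.
    """
    windows = {}
    for number, expiry in register:
        value = int(number)
        lo, hi = windows.get(expiry, (value, value))
        windows[expiry] = (min(lo, value), max(hi, value))
    return math.log2(max(hi - lo + 1 for lo, hi in windows.values()))

def key_seed_bits(register):
    """Estimated unpredictable bits in number + birth date + expiry date."""
    return (number_bits_given_expiry(register)
            + math.log2(DOB_DAYS) + math.log2(VALIDITY_DAYS))

if __name__ == "__main__":
    for label, seq in (("sequential", True), ("random", False)):
        reg = issue_register(days=30, per_day=500, sequential=seq)
        print(f"{label:10s} numbering: ~{key_seed_bits(reg):.1f} bits")
```

With these constructed inputs, sequential numbering leaves roughly 36 unpredictable bits in the key material, against roughly 57 when numbers are drawn at random.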
Questions about the passport's security "do not represent a fundamental problem that must be corrected" before the documents can be widely distributed, Moss said.
"The bottom line is that I have an e-passport myself, and I have traveled internationally," Moss said.
Wilson P. Dizard III is a senior writer with Government Computer News. He can be reached at firstname.lastname@example.org.