About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


Cloning e-passports

By davebirch posted Aug 4 2006 at 3:51 PM

[Stuart Fiske] Because of the CHYP Electronic Passport Interoperability Service, we've already had a few calls about today's Wired News story on the cloning of e-passports. But what exactly is this story about? Is it about uncrackable e-passports being broken open by hackers? Or is it about someone reading the specifications and discovering that e-passports work as they are supposed to?


I don't understand the word "crack" in the context of the electronic passports. There is nothing personal stored in the chip that is not human readable on the data page of the passport. If you want to make a clone of the data inside the chip in my passport, you can do it by reading my passport: you don't need to read what's in the chip. Obviously it saves a bit of time getting the digital photo out of the chip, but it's just the same as the photo in the passport.

"Basic Access Control" doesn't protect the data stored in the chip: it just means that you have to have access to the physical passport in order to read the chip. "Active Authentication" in the specifications allows the data to be linked to the specific chip, but it's an optional extra which can be implemented if any government so chooses. It's a bit like the Static Data Authentication (SDA) versus Dynamic Data Authentication (DDA) issue for "chip and PIN" cards.

Of course, if you have physical access to my passport you can read all the other chip data which secures my personal data as being valid, but you can't change it, only copy it. So you could copy my passport but what's the point if you can't change my data to match your face? When a passport control person puts your passport in their reader, it displays the picture inside the chip: if it doesn't match the picture in the passport (or your face), I expect they will notice.

Much as we love them, this is just not a "brilliant hackers break unbreakable code" story. It's a "person reads specification" story.
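The static-versus-dynamic point above, as an added example that is not part of the original post: a toy model in which a byte-for-byte copy of a chip's readable files passes the issuer-signature check but fails a challenge-response check, and altered data fails both. The RSA is textbook RSA over constructed primes, and the names `Chip`, `issue` and `inspect`, the file layout, and the assumption that the chip's public key sits among the issuer-signed data are illustrative, not the e-passport specification's formats.

```python
import hashlib
import secrets

# Toy textbook RSA over constructed Mersenne primes: illustration only, not real crypto.
def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

class Chip:
    """Readable files, plus an optional private key that no read command returns."""
    def __init__(self, files, aa_priv=None):
        self.files, self._aa_priv = dict(files), aa_priv

    def read_all(self):  # everything a reader (or a copier) can obtain
        return dict(self.files)

    def challenge(self, nonce):  # dynamic check: sign the reader's fresh nonce
        return sign(self._aa_priv, nonce) if self._aa_priv else None

def signed_bytes(files):
    return files["holder"] + repr(files["aa_pub"]).encode()

def issue(issuer_priv, holder, chip_pub, chip_priv):
    files = {"holder": holder, "aa_pub": chip_pub}
    files["sig"] = sign(issuer_priv, signed_bytes(files))  # static issuer signature
    return Chip(files, chip_priv)

def inspect(chip, issuer_pub, require_aa):
    f = chip.read_all()
    if not verify(issuer_pub, signed_bytes(f), f["sig"]):
        return "reject: data altered"
    if require_aa:
        nonce = secrets.token_bytes(16)
        resp = chip.challenge(nonce)
        if resp is None or not verify(f["aa_pub"], nonce, resp):
            return "reject: chip is a copy"
    return "accept"

ISSUER_PUB, ISSUER_PRIV = keypair(2**61 - 1, 2**89 - 1)
CHIP_PUB, CHIP_PRIV = keypair(2**89 - 1, 2**107 - 1)
genuine = issue(ISSUER_PRIV, b"constructed holder record", CHIP_PUB, CHIP_PRIV)
clone = Chip(genuine.read_all())  # byte-for-byte copy of the readable files
```

With `require_aa=False` the inspection is the static-only case: it cannot tell `clone` from `genuine`, which is why the photo comparison at the desk still matters.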

