State hits the road with e-passports
Connecting state and local government leaders
Amid continued doubts from experts, and with only one approved technology vendor, the State Department is pressing forward with its electronic passport program.<p>
TRAVELING MAN: State's Frank Moss says he's already used his e-passport overseas.
It started issuing e-passports to its diplomatic corps on Jan. 1 and by last week had distributed 299 of them, according to State spokeswoman Laura Tischler. The department plans to roll out the contactless chip technology for the general public this summer, officials said.
The e-passport rollout represents the culmination of a program that has spawned ongoing disputes over security technology [GCN, May 2, 2005, Page 1] and litigation over procurement of contactless chips. And disputes about the safety of e-passport technology haven't dropped off, even with State's decision to start issuing the new documents. Some federal officials, speaking on condition of anonymity, still doubt the technology.
The officials have cited and distributed recent studies claiming that the electronic passports' security measures can be hacked and that the radio-frequency identification chip lacks the capacity to store sufficiently detailed pictures.
State rejects criticism
State officials reject these criticisms. Frank Moss, deputy assistant secretary of State for consular affairs, said the department is using e-passport technology provided by Infineon Technologies North America Corp. of San Jose, Calif.
Moss said Infineon's e-passport components have been tested and approved by the National Institute of Standards and Technology. The company provides contactless RFID chips that store biographical data in machine-readable format.
Infineon's chip and a small antenna are embedded in the passport cover, which also in- cludes a metal shield to prevent eavesdropping on data flowing from the passport to the reading machine.
Three other companies: Axalto Inc. of Austin, Texas; On Track Innovations Ltd. of Ft. Lee, N.J.; and ASK of Sophia Antipolis, France, also have e-passport chips that NIST is testing for possible use in the passports.
NIST would not comment on the status of the tests and referred all questions to State.
An Axalto spokeswoman said her company was continuing to provide support to the electronic passport program. Representa- tives of the other companies either referred questions to the government or could not be reached.
OTI regained its status as a possible contractor for e-passport components after it successfully sued the government in the Court of Federal Claims in Washington to overturn its rejection by the program.
'It is premature to say whether all of those will make it through the NIST tests,' Moss said, adding that the chips must pass before State would buy them.
Digital passports produced by the government comply with a standard forged by the Inter- national Civil Aviation Organiza-tion, as do all e-passports de- ployed or under development worldwide.
In recent weeks, that standard has come under questionfrom a Dutch RFID testing laboratory and a domestic technology analyst.
The Dutch lab, Riscure BV of Delft, recently issued a statement that it has been able, using a PC, to crack the encryption of the Dutch e-passport in two hours.
According to RFID specialist Harko Robroch of Riscure, 'An attacker intercepting the contactless communication between the passport and the border control system can get access to the personal information held on the chip inside the new passport.'
Robroch stated that sequential relationships between the Dutch passport numbering scheme and the key used to encrypt personal information sent from the passport to the reader device reduced the number of possible encryption methods for the personal data.
He urged Dutch authorities to improve the security of their passport encryption.
A second criticism has come from reports that State's technology for storing facial images on passport chips would not provide reliable data.
Moss rejected both issues, noting that State's passport has more layers of security than the Dutch document.
State's security measures include a metal shield in the passport cover to help protect against interception of data. In addition, State has adopted Basic Access Control, a means of securing the data transmission between the passport and reader, and 'random uniqueness,' a more secure encryption key than the Dutch passport's.
Taken together, the State Department methods provide 'security in depth,' Moss said.
Additional questions about the security of the ICAO standard have been raised by federal officials, who noted that a technical committee of the organization has been meeting to plug possible security loopholes in the standard.
Moss acknowledged that an ICAO technical committee recently met to consider strengthening the security of the encryption key used to secure data flowing from the passport to the reading device. The committee is considering lengthening the key by including alphanumeric data from the second line of the machine-readable zone of each passport as well as the data from the first line, which is already included.
Moss said the questions about the security of the passports 'do not represent a fundamental problem that must be corrected [before the documents can be widely distributed].' He added, 'The bottom line is that I have an e-passport myself and have traveled internationally.'