this post was submitted on 05 Feb 2024
214 points (97.8% liked)
Technology
59575 readers
4577 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
ID cards without chip are pointless. I’d like to see them try to fake a chipped document.
Chip cards wouldn't work online unless we had some sort of reader in electronics to insert the chip into like the credit card terminals. But yes, that would help a lot.
Good news then. We do have a reader. Chances are you are looking at one right now.
Almost all passports have chips (with the exception of a few developing countries, but even they are starting include them) and a lot of ID cards do as well (most ID cards in Europe already do and new ones are required to have then).
You might not see them, as they are contactless chips. They can be read by the NFC reader in your phone.
If you want to try it, search in the App Store or Play Store for an app called “ReadID Me” and test it on your passport.
Isn't NFC pretty vulnerable to short-range cloning attacks? Obviously it's better than nothing but it still has issues compared with a chip that requires electrical contact in order to be read.
The chip in a passport or ID card is not a simple data storage device. It's more like a tiny computer that the reader talks to. This is unlike a simple NDEF tag that you can easily clone, there are several layers of protection.
First, you need a key to even access the chip. This key is derived from 3 pieces of information on the document: the document number, the date of birth and the date of expiry. The idea is that to get this data, you already have to be looking at the data page of the passport, that is: to access the privacy-sensitive data inside the chip, you already have to be able to look at that same data printed on the page.
This data then goes into a key derivation function. Some handshake messages are exchanged which I won't bore you with, and both the chip and the reader should at that point be able to derive another key that will then be used to encrypt any communication between chip and reader. There are actually 2 different mechanisms for this, the older BAC mechanism (Basic Access Control) and the newer PACE mechanism (Password Authenticated Connection Establishment). The latter uses newer and even more secure crypto.
This prevents eavesdropping and ensures you cannot remotely read the document.
Once the connection has been established, the reader can request certain chunks of data from the document. This includes everything that is printed on the data page, as well as a higher-quality color version of the photo on you document.
The data that can be read from the document is digitally signed by the government of the issuing country. You can verify this signature against a list of trusted certificates. Only the government that issued the document should have access to the corresponding private key and as such you cannot forge this data (unless you are able to break certain cryptographic standards, but if someone can do that we have bigger problems than fake IDs). This is called 'passive authentication'.
Now, if you get your hands on someone's passport, you could still copy the data, you can't modify it, but you can clone it. To prevent this passports also have a clone detection mechanism. Again there are multiple versions of this, but the most basic form is called Active Authentication. Part of the data read from the passport, is a public key. The chip in the passport has the corresponding private key, but there is no way to read this key. You can confirm it's not a clone by sending a piece of random data to the passport and asking it to sign that data with its private key. You then use the public key to check the signature and confirm the document is in possession of the corresponding private key. You can also confirm the authenticity of the public key, because that is also signed with the private key of the issuing government.
Now, theoretically you could try to extract the private key used in clone detection from the physical document, you would need some extremely advanced tech to do this, and the chips in ID documents have all kinds of physical protections against these kind of attacks. Maybe some intelligence services would have this capability, but it would only allow you to clone a document, not forge one.
After reading about all the trouble they go to for passports, social security numbers are hilariously fucking inadequate by comparison (or even in absolute terms, for that matter).
Thank you so, so much for this explanation! I’ve been wondering for years and years and I finally get it, it’s so cool to see public key cryptography being used for clone detection.
Okay, I was not aware of that and I can't use the Play Store because I have lineage OS on my phone with no Google Play Services so it's likely an app like that would break.
You can just use the Aurora store, and I'm sure there's an NFC reader app that doesn't rely on GPS, maybe even on F-Droid.
$15 for a USB ID card reader on Amazon and many laptops ahead have this built in. It's usually some unremarkable slit on the side.
You use cards for offline authentication (bars/festivals/etc.), and use a different process for online authentication.
Proving someone has the physical card in their possession (which is what a reader does) isn't really useful for proving identity when you can't also check the picture.
Mmm. Good point. Otherwise, somebody could just steal the card from you and insert it into the reader and would therefore be you. My guess is something like that would at least require some sort of OTP 2 factor authentication. If you were going to do it that way, and it would have to be application based and definitely not text based.