Is the RFID chip in e-passports read-only or is it read-write?

Is the RFID chip in e-passports read-only or is it read-write?



If it's read-only, is all of the data locked-down when the passport is issued? Is the read-only portion extensible so that additional data can be burned on later?



If it's read-write, can passport control in any country we pass through enter or change data in the passport? For example, to record entries and departures?




Update: I ask for two reasons. The first is that the only biometric I recall giving when I applied for my passport is my photo and I wanted to know if my government could add other biometrics (iris scan, fingerprints) at a later date — either beknownst to me or surreptitiously at a border station. #tinfoilhat



Second, I wanted to know if foreign governments could add entry or exit or visa e-tags to my passport, especially when passing through automated gates.


















– RoboKaren
asked Sep 5 at 1:02, edited Sep 5 at 16:01







  • 1




    There is an ICAO standard which specifies the technical features of such passports. The answer is probably somewhere in there.
    – Nate Eldredge
    Sep 5 at 1:13






  • 3




    Why would you need it read/write? All you need is the Passport Number and then the rest can be stored in government cloud servers.
    – Stewart
    Sep 5 at 9:47







  • 5




    @Stewart There's a lot more than just passport number on those chips (they'd frankly be pretty pointless if that's all they stored). You can try it out using an NFC-capable phone.
    – Lightness Races in Orbit
    Sep 5 at 10:46







  • 2




    Also lol at the notion of the government using the cloud to store immigration/citizen data. Perhaps you just meant "servers".
    – Lightness Races in Orbit
    Sep 5 at 10:47







  • 4




    @Stewart "which is useful when processing 500 tired people getting off a flight": many countries start processing passengers' data while the passengers are checking in, so it's not such an intensive process. "The biometric data could be on a server": government servers do not necessarily talk to each other. The country issuing a passport may keep the biometrics on its servers, but in most cases the country being entered will not have access to those servers.
    – phoog
    Sep 5 at 16:20






















4 Answers

















Score: 5













Passports conforming to the ICAO doc 9303 specification use a smart card conforming to ISO 7816, which is very broadly speaking not just a storage device, but rather a miniature computer.



It is possible to restrict read or write access to parts of its storage to only properly authenticated entities.



Looking at the relevant part of the specification (parts 10 and 11 at the referenced ICAO site), there only seem to be commands relating to reading basic data, cryptographically authenticating the travel document or authenticating the reader to the document in order to access sensitive information like fingerprints.



Without any command to actually modify data on a smartcard, it wouldn't be possible to do so.



It is of course possible that the issuing country implements additional commands, for example for the purpose of correcting information after issuance. However, such commands, if they even exist, would very likely require authentication of the reader before any write or delete access to the storage would be granted.



Regarding your specific question about the issuing authority adding biometric data after issuance, this does seem to be allowed under the specification:




Only the issuing State or organization shall have write access to
these Data Groups. Therefore, there are no interchange requirements
and the methods to achieve write protection are not part of this
specification.




As there is nothing in the specification regarding write access to the general writable area, it seems to be up to the issuing country to specify access privileges (for reading or writing) to these memory areas.



Theoretically, countries could agree on commands for accessing these optional storage areas outside of the ICAO specifications, of course, but I consider that quite unlikely:



If the intent is to exchange travel data, why not just exchange it out-of-band, for example through server-side systems communicating passport numbers? This seems much simpler and more effective.
























  • 2




    Further, as far as I'm aware, while multiple countries have made possession of a biometric passport a condition of (easy) entry, none of them have required that it works.
    – origimbo
    Sep 5 at 17:59

















Score: 3













Just to answer the "tinfoil hat" aspect, a standard doesn't prevent a country from making passports and readers which implement features in addition to the standard.



So, a country could easily issue passports which e.g. record entries and exits or store recent photos taken by the border control of that country in your passport. Passports could also store information about border control in other countries, even if foreign border control equipment isn't actively writing to it (thanks @jcaron). This information could be read out when you return to your country, and be used to estimate how many countries you have visited during your trip. If those countries have accessed information which requires active authentication, it may also be possible to know which ones you have visited.




























  • And the information would be lost with the passport (if lost, destroyed...) whereas the information on the servers would remain. However, what they could probably do is make a note of accesses to the passport and read the information when you get back "home". Not sure if there's a way to detect which country is reading the passport? In that case they could know which countries you have visited (provided those countries actually used the RFID chip).
    – jcaron
    Sep 6 at 8:32






  • 2




    @jcaron That's a possibility only when reading the EAC-protected fields (i.e. the "sensitive" ones like fingerprint or other biometrics). The "public" data is protected only by using the MRZ as a key (BAC), which does not allow identifying the reader. (Again, if the reader voluntarily discloses its identity, it is free to do that; but then it might just also report its identity and the passport number server-side to the issuing country.)
    – lxgr
    Sep 6 at 12:44







  • 3




    @lxgr the issuing country may want to know where its citizens go without letting the visited countries know they record that. It is also easier to read a chip when it comes by than setting up interconnects between immigration services to transmit data back to the issuing country.
    – jcaron
    Sep 6 at 13:10

















Score: -2













I am a firm proponent of the belief that the black-hats will always win. Hackers have eventually broken every known encryption and data protection protocol. The hope is that with anything that matters the white-hats can update and move ahead of the black-hats, but with a system as slow and expensive as international treaties and immigration control, it is unlikely that white-hats will always be ahead. Even the digitally signed portion of your data is more likely to be broken into eventually than not.



Passports last 10 years in the U.S. Imagine what computing and encryption looked like 10 years ago, how about 20 years ago when the standards lag starts taking effect? Given the other answers on this page, it's all read-write, or will be soon.






















  • 1




    I think you greatly underestimate how long encryption algorithms are used. AES was first published 20 years ago and was adopted by NIST 17 years ago. The Diffie-Hellman key exchange algorithm was published in 1976. Cryptographic algorithms are used for so many years that it's even common for processors to have built-in instructions specifically for accelerating a particular algorithm.
    – reirab
    Sep 6 at 20:51







  • 2




    @reirab, How long did it take for the Blu-ray and HD DVD keys to get out?
    – Sam
    Sep 6 at 21:20






  • 1




    @TobiaTesan Wiki: AES instruction set. If you want a specific triple: (any Intel or AMD x86 processor with AES-NI, AES, AESENC)
    – reirab
    Sep 6 at 21:55







  • 4




    @Sam Leaking a key and breaking an encryption algorithm are two very, very, very different things.
    – reirab
    Sep 6 at 21:55







  • 3




    @reirab, I'm sorry I misspoke.
    – Sam
    Sep 6 at 22:30

















Score: 66 (accepted)






TL;DR: It's complicated, but for practical purposes, currently e-passports are read-only.



Long version: The specification for e-passports contains two types of data.






  1. Dedicated Files (DF) are writable and are meant for storing visas and various authorizations in the future. However, this is currently not used, and most e-passports out there don't even include this capability.

  2. What is in active use is the Logical Data Structure (LDS), which stores biometrics etc. and is by design read-only. Anybody with access to the key stored in the passport's machine-readable section (the swipable bit at the bottom) can read data from here, and the data is electronically signed, so anybody reading it can confirm that the contents have not been tampered with.

In practice, e-passports are implemented using EEPROM memory, which expands to the somewhat paradoxical Electrically Erasable Programmable Read-Only Memory. For practical purposes, these are read-only: a casual reader can't go in there and change or add anything.

The catch is that the EEPROMs are also by definition erasable, so the contents can be erased and rewritten from scratch. However, since EEPROMs can typically be locked/"frozen" to prevent any further changes, any attacker would need to work around this. What's more, since the LDS contents are digitally signed, if a malicious country or agent were to gain access and erase & rewrite them, they would also need to provide a new valid signature, which they can't do without the original issuer's private key. They could reprogram your Sylvanian passport's chip to return data signed by Borduria instead, but I presume this would be caught pretty easily, since it would now be out of sync with what the machine-readable stripe says. And this is also why the originating country is also unlikely to change any data on the chip, even if they technically can, because it would now risk having the information physically printed on the passport be out of sync with the digital copy in it.



Some more reading on the topic: https://www.researchgate.net/publication/221406395/download (free PDF download)



Edit for clarity: I'm not claiming any of this makes e-passports secure or tamperproof. However, if the question is "are countries I visit recording things in my e-passport when I pass through immigration", the answer is pretty unequivocally "no".






share|improve this answer














TL;DR: It's complicated, but for practical purposes, currently e-passports are read-only.



Long version: The specification for e-passports contains two types of data.



enter image description here



  1. Dedicated Files (DF) are writable and is meant for storing visas and various authorizations in the future. However, this is
    currently not used, and most e-passports out there don't even
    include this capability.


  2. What is in active use is the Logical Data Structure (LDS), which stores biometrics etc and is
    by design read-only. Anybody with access to the key stored in the
    passport's machine-readable section (the swipable bit at the bottom)
    can read data from here, and the data is electronically signed, so
    anybody reading it can confirm that the contents have not been
    tampered with.


In practice, e-passports are implemented using EEPROM memory, which expands to the somewhat paradoxical Electrically Erasable Programmable Read-Only Memory. For practical purposes, these are read-only, a casual reader can't go in there and change or add anything.



The catch is that the EEPROMs are also by definition erasable, so the contents can be erased and rewritten from scratch. However, since EEPROMs can typically be locked/"frozen" to prevent any further changes, any attacker would need to work around this. What's more, since the LDS contents are digitally signed, if a malicious country or agent were to gain access and erase & rewrite them, they would also need to provide a new valid signature, which they can't do without the original issuer's private key. They could reprogram your Sylvanian passport's chip to return data signed by Borduria instead, but I presume this would be caught pretty easily, since it would now be out of sync with what the machine-readable stripe says. And this is also why the originating country is also unlikely to change any data on the chip, even if they technically can, because it would now risk having the information physically printed on the passport from being out of sync with the digital copy in it.



Some more reading on the topic: https://www.researchgate.net/publication/221406395/download (free PDF download)



Edit for clarity: I'm not claiming any of this makes e-passports secure or tamperproof. However, if the question is "are countries I visit recording things in my e-passport when I pass through immigration", the answer is pretty unequivocally "no".















edited Sep 6 at 12:49

























answered Sep 5 at 1:26









jpatokal












  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Willeke♦
    Sep 6 at 15:56
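The tamper-evidence argument in jpatokal's answer above, as an added example that is not part of the original post: an inspection routine checks the signed hash list against the data groups, the signature against the issuing state's key, and the chip against the printed MRZ. The toy textbook RSA (standard library only, not secure), the flat DG1 and hash-list layout, and the state codes `SYL` and `BOR` are assumptions made for illustration.

```python
import hashlib

def make_keypair(p_exp, q_exp, e=65537):
    """Toy textbook RSA from two Mersenne primes. Stand-in for a real signer."""
    p, q = 2**p_exp - 1, 2**q_exp - 1
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data):
    n, d = private_key
    return pow(_digest_int(data), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data)

def personalise(data_groups, signer_private):
    """Issuer side: hash every data group and sign the list of hashes."""
    blob = "".join(
        f"DG{num}={hashlib.sha256(content).hexdigest()}\n"
        for num, content in sorted(data_groups.items())
    ).encode()
    return {"data_groups": dict(data_groups),
            "sod": {"blob": blob, "signature": sign(signer_private, blob)}}

def inspect(chip, printed_mrz, trust_anchors):
    """Reader side: returns 'OK' or the first check that failed."""
    dgs, sod = chip["data_groups"], chip["sod"]
    # The issuing state is taken from the chip's own copy of the MRZ (DG1).
    issuer = dgs[1][2:5].decode()
    anchor = trust_anchors.get(issuer)
    if anchor is None or not verify(anchor, sod["blob"], sod["signature"]):
        return "BAD_SIGNATURE"
    # Only hashes covered by the signature are trusted.
    signed = dict(line.split("=") for line in sod["blob"].decode().splitlines())
    for num, content in dgs.items():
        if signed.get(f"DG{num}") != hashlib.sha256(content).hexdigest():
            return "DG_HASH_MISMATCH"
    # A self-consistent chip must still agree with the printed page.
    if dgs[1] != printed_mrz:
        return "MRZ_MISMATCH"
    return "OK"

# Constructed sample data: two fictional issuers and one traveller.
SYL_PUBLIC, SYL_PRIVATE = make_keypair(521, 607)
BOR_PUBLIC, BOR_PRIVATE = make_keypair(607, 1279)
TRUST_ANCHORS = {"SYL": SYL_PUBLIC, "BOR": BOR_PUBLIC}

def mrz(state):
    return f"P<{state}TRAVELLER<<ALEX".ljust(44, "<").encode()

def run_scenarios():
    printed = mrz("SYL")
    genuine = personalise({1: printed, 2: b"constructed face image"}, SYL_PRIVATE)
    # One data group overwritten, signed hash list left untouched.
    edited = {"data_groups": {**genuine["data_groups"], 2: b"other face"},
              "sod": genuine["sod"]}
    # Chip rewritten and re-signed, still claiming to be Sylvanian.
    resigned = personalise({1: printed, 2: b"other face"}, BOR_PRIVATE)
    # Chip rewritten to be a consistent Bordurian document.
    bordurian = personalise({1: mrz("BOR"), 2: b"other face"}, BOR_PRIVATE)
    chips = {"genuine": genuine, "edited": edited,
             "resigned": resigned, "bordurian": bordurian}
    return {name: inspect(chip, printed, TRUST_ANCHORS)
            for name, chip in chips.items()}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:10s} {verdict}")
```

Each rewrite strategy trips a different check, which is why erasing and reprogramming the memory alone does not produce a document that passes inspection.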




























up vote
5
down vote



























Passports conforming to the ICAO doc 9303 specification use a smart card conforming to ISO 7816, which is very broadly speaking not just a storage device, but rather a miniature computer.



It is possible to restrict read or write access to parts of its storage to only properly authenticated entities.



Looking at the relevant part of the specification (parts 10 and 11 at the referenced ICAO site), there only seem to be commands relating to reading basic data, cryptographically authenticating the travel document or authenticating the reader to the document in order to access sensitive information like fingerprints.



Without any command to actually modify data on a smartcard, it wouldn't be possible to do so.



It is of course possible that the issuing country implements additional commands, for example for the purpose of correcting information after issuance. However, such commands, if they even exist, would very likely require authentication of the reader before any write or delete access to the storage would be granted.



Regarding your specific question about the issuing authority adding biometric data after issuance, this does seem to be allowed under the specification:




Only the issuing State or organization shall have write access to
these Data Groups. Therefore, there are no interchange requirements
and the methods to achieve write protection are not part of this
specification.




As there is nothing in the specification regarding write access to the general writable area, it seems to be up to the issuing country to specify access privileges (for reading or writing) to these memory areas.



Theoretically, countries could agree on commands for accessing these optional storage areas outside of the ICAO specifications, of course, but I consider that quite unlikely:



If the intent is to exchange travel data, why not just exchange it out-of-band, for example through server-side systems communicating passport numbers? This seems much simpler and more effective.















edited Sep 5 at 16:30

























answered Sep 5 at 16:11









lxgr








  • 2




    Further, as far as I'm aware, while multiple countries have made possession of a biometric passport a condition of (easy) entry, none of them have required that it works.
    – origimbo
    Sep 5 at 17:59
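The command model described in lxgr's answer above, as an added example that is not part of the original post: a simulated chip that dispatches ISO 7816-4 command APDUs and answers with status words. The `PassportChip` class, its access levels, the `authenticate` stand-in for a completed authentication protocol and the optional issuer-only write command are hypothetical; the instruction bytes, status words and DG1 to DG3 file identifiers are the standard ones.

```python
SW_OK = 0x9000               # success
SW_SECURITY = 0x6982         # security status not satisfied
SW_NO_EF = 0x6986            # command not allowed, no file selected
SW_NO_FILE = 0x6A82          # file not found
SW_INS_UNSUPPORTED = 0x6D00  # instruction not supported

INS_SELECT, INS_READ_BINARY, INS_UPDATE_BINARY = 0xA4, 0xB0, 0xD6
RANK = {"none": 0, "basic": 1, "extended": 2, "issuer": 3}

class PassportChip:
    def __init__(self, issuer_write_command=False):
        # file id -> (content, access level required to read); constructed data
        self.files = {
            0x0101: (bytearray(b"DG1: constructed MRZ data"), "basic"),
            0x0102: (bytearray(b"DG2: constructed face image"), "basic"),
            0x0103: (bytearray(b"DG3: constructed fingerprints"), "extended"),
        }
        self.issuer_write_command = issuer_write_command
        self.level = "none"
        self.selected = None

    def authenticate(self, level):
        """Stand-in for a completed protocol run: 'basic' for MRZ-keyed access,
        'extended' for terminal authentication, 'issuer' for a vendor scheme."""
        self.level = level

    def transmit(self, apdu):
        """Process one command APDU and return (response data, status word)."""
        ins, p1, p2 = apdu[1], apdu[2], apdu[3]
        if ins == INS_SELECT:
            fid = int.from_bytes(apdu[5:5 + apdu[4]], "big")
            if fid not in self.files:
                return b"", SW_NO_FILE
            self.selected = fid
            return b"", SW_OK
        if ins == INS_READ_BINARY:
            if self.selected is None:
                return b"", SW_NO_EF
            content, needed = self.files[self.selected]
            if RANK[self.level] < RANK[needed]:
                return b"", SW_SECURITY
            offset = ((p1 & 0x7F) << 8) | p2
            length = apdu[4] or 256
            return bytes(content[offset:offset + length]), SW_OK
        if ins == INS_UPDATE_BINARY and self.issuer_write_command:
            if self.selected is None:
                return b"", SW_NO_EF
            if self.level != "issuer":
                return b"", SW_SECURITY
            offset = ((p1 & 0x7F) << 8) | p2
            data = apdu[5:5 + apdu[4]]
            self.files[self.selected][0][offset:offset + len(data)] = data
            return b"", SW_OK
        # Anything the chip's software does not implement simply does not exist.
        return b"", SW_INS_UNSUPPORTED

def select(fid):
    return bytes([0x00, INS_SELECT, 0x02, 0x0C, 0x02]) + fid.to_bytes(2, "big")

def read_binary(offset=0, le=0):
    return bytes([0x00, INS_READ_BINARY, offset >> 8, offset & 0xFF, le])

def update_binary(data, offset=0):
    return bytes([0x00, INS_UPDATE_BINARY, offset >> 8, offset & 0xFF, len(data)]) + data

def demo():
    log = {}
    chip = PassportChip()                      # read-only command set
    chip.transmit(select(0x0101))
    log["read_unauthenticated"] = chip.transmit(read_binary())[1]
    chip.authenticate("basic")
    log["read_dg1"] = chip.transmit(read_binary())
    log["write_dg1"] = chip.transmit(update_binary(b"XX"))[1]
    chip.transmit(select(0x0103))
    log["read_dg3_basic"] = chip.transmit(read_binary())[1]
    chip.authenticate("extended")
    log["read_dg3_extended"] = chip.transmit(read_binary())[1]
    log["write_dg3_extended"] = chip.transmit(update_binary(b"XX"))[1]

    vendor = PassportChip(issuer_write_command=True)  # hypothetical extension
    vendor.authenticate("extended")
    vendor.transmit(select(0x0101))
    log["vendor_write_as_reader"] = vendor.transmit(update_binary(b"XX"))[1]
    vendor.authenticate("issuer")
    log["vendor_write_as_issuer"] = vendor.transmit(update_binary(b"XX"))[1]
    log["vendor_dg1_after"] = vendor.transmit(read_binary(le=4))[0]
    return log

if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result if isinstance(result, bytes) else result if isinstance(result, tuple) else hex(result))
```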






















up vote
3
down vote



























Just to answer the "tinfoil hat" aspect, a standard doesn't prevent a country from making passports and readers which implement features in addition to the standard.



So, a country could easily issue passports which e.g. record entries and exits or store recent photos taken by the border control of that country in your passport. Passports could also store information about border control in other countries, even if foreign border control equipment isn't actively writing to it (thanks @jcaron). This information could be read out when you return to your country, and be used to estimate how many countries you have visited during your trip. If those countries have accessed information which requires active authentication, it may also be possible to know which ones you have visited.















edited Sep 6 at 9:24

























answered Sep 6 at 8:05









Dmitry Grigoryev












  • And the information would be lost with the passport (if lost, destroyed...) whereas the information on the servers would remain. However, what they could probably do is make a note of accesses to the passport and read the information when you get back "home". Not sure if there's a way to detect which country is reading the passport? In that case they could know which countries you have visited (provided those countries actually used the RFID chip).
    – jcaron
    Sep 6 at 8:32






  • 2




    @jcaron That's a possibility only when reading the EAC-protected fields (i.e. the "sensitive" ones like fingerprint or other biometrics). The "public" data is protected only by using the MRZ as a key (BAC), which does not allow identifying the reader. (Again, if the reader voluntarily discloses its identity, it is free to do that; but then it might just also report its identity and the passport number server-side to the issuing country.)
    – lxgr
    Sep 6 at 12:44







  • 3




    @lxgr the issuing country may want to know where its citizens go without letting the visited countries know they record that. It is also easier to read a chip when it comes by than setting up interconnects between immigration services to transmit data back to the issuing country.
    – jcaron
    Sep 6 at 13:10


























up vote
-2
down vote

























I am a firm proponent of the belief that the black-hats will always win. Hackers have eventually broken every known encryption and data protection protocol. The hope is that with anything that matters the white-hats can update and move ahead of the black-hats, but with a system as slow and expensive as international treaties and immigration control, it is unlikely that white-hats will always be ahead. Even the digitally signed portion of your data is more likely to be broken into eventually than not.



Passports last 10 years in the U.S. Imagine what computing and encryption looked like 10 years ago, how about 20 years ago when the standards lag starts taking effect? Given the other answers on this page, it's all read-write, or will be soon.

















answered Sep 6 at 16:39









Sam








  • 1




    I think you greatly underestimate how long encryption algorithms are used. AES was first published 20 years ago and was adopted by NIST 17 years ago. The Diffie-Hellman key exchange algorithm was published in 1976. Cryptographic algorithms are used for so many years that it's even common for processors to have built-in instructions specifically for accelerating a particular algorithm.
    – reirab
    Sep 6 at 20:51







  • 2




    @reirab, How long did it take for the Blu-ray and HD DVD keys to get out?
    – Sam
    Sep 6 at 21:20






  • 1




    @TobiaTesan Wiki: AES instruction set. If you want a specific triple: (any Intel or AMD x86 processor with AES-NI, AES, AESENC)
    – reirab
    Sep 6 at 21:55







  • 4




    @Sam Leaking a key and breaking an encryption algorithm are two very, very, very different things.
    – reirab
    Sep 6 at 21:55







  • 3




    @reirab, I'm sorry I misspoke.
    – Sam
    Sep 6 at 22:30





























 
