Not everybody trusts every CA, but everybody trusts some CA. British terminals trust Australian passports because they’re signed with a key signed by the British CA. US terminals trust British passports because they’re signed with a British key signed by the US CAs. What about a PGP-like web-of-trust approach?īritain’s key is separately signed by the US, Australia, etc., or maybe even multiple CAs within each country. Tags: borders, certificates, cloning, forgery, hacking, passports Take the human part away and passport security falls apart. Humans also do an excellent job ‘assessing’ the person and not just the passport. We also know that humans are good at pattern matching and image recognition.
In the end they protected us well for the last 120 years. So what’s the solution? We know that humans are good at Border Control. Revocation lists for certificates only work when a leak/loss is detected. It makes it also more likely for a CA key to leak. The terminal will validate and display the information as data from Country B.This option also multiplies the number of ‘juicy’ targets. Read this sentence again: Country A can create a passport data set of Country B and sign it with Country A’s CA key. Any country could use its own CA to create a valid passport of any other country. This is not practical as this means that passports would no longer be a national matter. The single CA would need to be trusted by all governments.Direct attacks, virus, misplacing the key by accident (the UK government is good at this!) or bribery are just a few ways of getting the CA key. Attractive targets are not good.Īny person with access to the CA key can undetectably fake passports. It becomes the juicy/high-value target for the attacker.
The CA becomes a single point of failure.Using a Certification Authority (CA) could solve the attack but at the same time introduces a new set of attack vectors: The Hackers Choice has released a tool allowing people to clone and modify electronic passports.
0 kommentar(er)
