December 14, 2006

By Emerson Tan (et@c4i.org)

Whilst doing my regular troll through the morning’s information detritus, I stumbled upon an article in “The Register” on the new Biometric Passports that the US Dept of State is insisting that countries issue if they are to remain part of the US Visa waiver program. The first part of the article [1] seems to give it all away:

“But unlike the RFID passports the USA is now issuing, the Irish ones lack a security feature preventing them from being skimmed, or read surreptitiously.

The US government has gone to the trouble of fitting its passports with a layer of foil that interferes with skimming attempts when the document is closed. The Irish government has not.”

Apart from the inevitable jokes about the Irish, this makes me wonder if this, or indeed the entire RFID/Biometric passport scheme, was ever thought through with an eye to the attacker-defender paradox.

For those who don’t remember, this essentially points out that attackers have a massive advantage in the game, as they only have to be right once in order to succeed in an attack. By contrast, the defender needs to be right every time and does not know where an attacker will strike. The attacker has the initiative.

For a system like the RFID-based passport scheme, all protection is completely passive; there is no adaptation possible. Therefore one must be confident that the system is technically invulnerable over the lifetime of a passport (10 years normally). Bearing in mind the advances in technology and the weaknesses discovered to date in other similarly complex systems, can we be confident that the system will remain unbroken over the 10 year life of the average passport? Given that millions are issued every year all over the world, we can be fairly confident that we are stuck with this format probably for the next 20-50 years as the forces of technological lock-in take hold (the QWERTY keyboard I’m writing this on is another brilliant example of this).

At the end of the day you can’t substitute Human Intuition V.1.0, I suspect, and this emphasis on technology will act to undermine that. I for one don’t feel any safer.

[1] http://www.theregister.co.uk/2006/10/23/smart_chips_for_smart_crooks/

RFID ConsortiUm for Security and Privacy

By Independent.Author • Articles, Future Forecast, RFID, Technical
