By Anne Broache
Staff Writer, CNET News.com
Published: August 16, 2006, 4:43 PM PDT
"A first wave of U.S. passports implanted with radio tags will soon begin making their way into the hands of American travelers despite lingering privacy and security concerns, federal officials said Monday.
Not long after researchers at a pair of security conferences in Las Vegas demonstrated potential risks associated with the new documents, the U.S. State Department insisted the documents are tamperproof and said it had begun producing them at the Colorado Passport Agency, which serves applicants from that state and the Rocky Mountain region.
The agency said it plans to issue the documents through the nation's other passport facilities within the next few months, as part of its original plan to make all future passports electronic by October. It was unclear how many e-passports would be mailed out this year, although a State Department representative said Monday that the agency expects to distribute a total of 13 million passports by year's end.
The new passports, which have been undergoing testing for several months and have already been issued to some U.S. diplomats, will be equipped with radio frequency identification (RFID) chips that can transmit personal information including the name, nationality, sex, date of birth, place of birth and digitized photograph of the passport holder. They employ a "multilayered approach" to protect privacy and reduce the possibility that passersby can skim data from the books, the agency said.
"The Department of State is confident that the new e-passport, including biometrics and other improvements, will take security and travel facilitation to a new level," the agency said in a statement.
State Department officials claim that a layer of metallic antiskimming material in the front cover and spine of the book can prevent information from being read from a distance, provided that the book is fully closed. The document will also employ a cryptographic technique called Basic Access Control, which means the RFID chip unveils its contents only after a reader successfully authenticates itself as being authorized to receive that information.
State Department spokesman Kurtis Cooper dismissed recent concerns raised by security researchers that the passports could nevertheless be "cloned"--that is, copied and used in a forged passport. The agency is confident that other security features built into the book would foil would-be imposters, he said.
The cloning technique demonstrated at the Las Vegas events is simple: It requires only a laptop equipped with a $200 RFID reader and a smart card programmer. The laptop's software scanned information from the RFID chip and wrote it to the smart card, which can then be embedded in a fake passport.
Security researchers have not, however, figured out how to alter the personal information, which is protected with a digital signature designed to enable unauthorized changes to be detected. Creating a fake passport therefore would be most useful to anyone who can forge the physical document and resembles the actual passport holder.
"The digital photograph of the passport holder embedded in the data page and the digital signature on the data, combined with our human U.S. border inspection process, would prevent someone from using a forged passport to gain entry into the United States," Cooper said in a telephone interview."