Shostack + Friends Blog Archive


No RFID In Real ID

So DHS finally released the proposed new standard for drivers licenses as mandated under the Real ID Act. It’s a rather long document (over 150 pages) so I haven’t had a chance to read the whole thing but 27B Stroke 6 has some highlights, including:

While some expected Homeland Security to require the licenses to have smart cards or RFID chips, DHS instead proposes a 2D bar code (magnetic stripe) similiar to those used on many licenses. That information will not be encrypted.

The FAQ (also linked to by 27 B Stroke 6) goes into more depth about both of the above facts, saying:

The regulations propose the use of the 2-D barcode already used by 46 jurisdictions (45 States and the District of Columbia). DHS leans towards encrypting the data on the barcode as a privacy protection and requests comments on how to proceed given operational considerations.

I can’t begin to describe how happy I am to hear that RFID is not part of the proposed new standard. It is delightful to see that our objections have been heard and that we will be protected from proximity based attacks. I’m sure it doesn’t hurt that 45 of the states and Washington DC already use 2D barcodes, thus making that portion of the standards much more palatable and reducing the costs in that realm.

3 comments on "No RFID In Real ID"

  • Tim says:

    This leaves me wondering how significant it really is that DHS suggests a bar code strip rather than RFID. The most common objection to RFID is that its encryption is weak and therefore should not be relied upon as a security measure. Since DHS is proposing that the data not even be encrypted, what difference does it make if it is kept in RFID or a bar code strip?

  • Arthur says:

    The most common objection to RFID is not just weak encryption. The most common objection is that RFID is easily grab-able from a distance and in the case of passports originally added with no encryption to protect the data. In the end, the crypto key was added to passports in a 2D barcode, thus obviating any potential use value for having a contactless reader. Passive RFID was never intended as a security product and pretending that it can be made secure is just sticking your head in the sand.
    As for encrypting the 2D barcode, I suggest reading the full PDF. It brings up several legitimate concerns on how to deal with the problem in a scenario were over 1500 different jurisdictions need to able to decode the information.

  • Micah says:

    Personally, I am still not happy. My big concern is that the “Real ID” was never about security ( it wouldn’t have prevented 9/11), it is really about DLHS desiring to gather as much info about all of us as possible. That makes it much easier to control the population as a whole by giving them the ability to more quickly terminate your employment and/or bank accounts whenever DHLS determines you are in violation of one of their policies of the day. We are already seeing a guilty until proven innocent policy being used for terrorism suspects. What happens when the Fed makes new laws that suudenly make you and I criminals for something that is legal now. It will happen!
    As for security: Once all states compile their (OUR)info into one federally accessible data base, it creates one large, centrally accessible data bank for cyber theives to enjoy a feeding frienzy (instead of the 50 smaller ones which already get hacked). Also, illegals will still be able to get a “Real ID” by obtaining the same false documents that get them State ID’s now. The difference is, now when they get a “Real ID” they will gain legitimacy and more freely be able to live without fear of deportation, because they can “prove” they are here legally. It’s just the government giving the appearance of doing something about illegal immigration while really making it easier and taking a pass on it.
    STOPPING The “Real ID” period is what needs to be done

Comments are closed.