Home Internet of Things Aerospace Apparel Energy Defense Health Care Logistics Manufacturing Retail

RFID Vendors Brief Congress on PASS Card Security

During a meeting with congressional aides, industry representatives explained why they believe the proposed use of EPC UHF Gen 2 tags in the ID cards is problematic.
By Mary Catherine O'Connor
Jul 20, 2007During a congressional briefing in Washington, D.C., on Wednesday, security and privacy advocacy groups and RFID vendors criticized the U.S. Department of Homeland Security's decision to use EPC UHF Gen 2 tags in IDs being developed as part of the Western Hemisphere Travel Initiative (WHTI).

"We have a situation where the government is issuing [identity] cards to themselves that are more secure than what they are about to issue to the citizens. There is something significantly wrong with the situation," said Neville Pattinson, vice president of government affairs and standards at Gemalto, a digital security company based in Amsterdam.

James Wiley
Pattinson was addressing the 50 congressional staffers, government officials and industry representatives attending the briefing. Sponsored by security and identification industry groups SecureID Coalition and Smart Card Alliance, the briefing was intended to provide an overview of best practices for securing electronic identity credentials used in federal programs.

Pattinson, who sits on the DHS' Data Privacy and Integrity Advisory Committee, was referring to the so-called Common Access Card issued by the U.S. Department of Defense (DOD) and used by 12 million active-duty military, other DOD personnel and DOD contractors for access to Department of Defense facilities and computer systems. He contrasted the DOD's card with the proposed PASS (People Access Security Service) card slated to be issued as part of the WHTI, to U.S. citizens making frequent land-border crossings into Canada or Mexico.

Currently, the Common Access Card contains a contact-based embedded computer chip encoded with the bearer's identity information, using data encryption to ensure that the card's data doesn't fall into the wrong hands. Soon, the card is likely to also carry a high-frequency RFID inlay to transmit this encrypted data. The proposed PASS card, on the other hand, would use a standard UHF EPC Gen 2 inlay, which does not support data encryption. As such, the ID number encoded to the PASS card inlay could be easily cloned.

Pattinson urged attendees to question the direction in which government agencies are moving the PASS card. He stated that close-range RFID technology with built-in cryptography—which he, Gemalto and the Smart Card Alliance refer to as "contactless smart-card technology"—would be the only means of ensuring that the PASS card program would be deployed in such a manner as to provide the government with electronically authenticated, forge-proof identity documents, while also protecting the privacy of U.S. citizens by making the encoded data inaccessible to nefarious parties attempting RF-eavesdropping.

Concern over the use of UHF EPC inlays in PASS cards has led to an extension of the public comment period on the proposed card, which closed in January of this year. The Bush Administration conceived of the card as a cheaper alternative to U.S. passports for citizens making frequent land border crossings, and directed the DHS to implement the program under the Western Hemisphere Travel Initiative. The department then charged its U.S. Customs and Border Protection agency with the task of defining the technology to be used in the card. Of the 4,000 public comments the DHS received regarding the proposed PASS card, Pattinson says, all but three expressed opposition to the use of UHF RFID without data encryption. Still, he notes, "[the agencies] are intransigent in considering the alternatives to [using] insecure RFID tags."

However, he adds, Congress is mandating a delay of 18 months to the PASS program because it is unhappy about "DHS rushing to set this up with insecure technology choices." The sponsors of the briefing hope that during this delay, they can convince Congress to call for more trials of the proposed technology before the PASS cards are rolled out to citizens.


Steven Baumhardt 2007-07-23 01:43:24 PM
Security Issues with EPCglobal Gen 2 Mary Catherine O'Connor - I was very interested in your July 20 article re "RFID Vendors Brief Congress on PASS Card Security" and the security concerns identified regarding EPCgobal Gen 2 technology for government sponsored security-orieinted applications. I share these concerns and am hoping you can provide additional information regarding your findings, or those of others, in this area. It would be very much appreciated if you could share any research you are aware of, or point me to such information sources. Many thanks for your assistance

Login and post your comment!

Not a member?

Signup for an account now to access all of the features of RFIDJournal.com!

Case Studies Features Best Practices How-Tos
Live Events Virtual Events Webinars
Simply enter a question for our experts.
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations