Reading NFC Passport Chips in Linux

(shkspr.mobi)

287 points robin_reala | 1 comments | 25 Jun 25 07:33 UTC | HN request time: 0.288s | source

Show context

SXX ◴[25 Jun 25 11:19 UTC] No.44375970[source]▶

I always wondered isn't this kind of specification also have digital signature of the passport issuer or something? Otherwise how do other countries can verify it's not a fake one?

I read this article, but seems like any information about it is kind a omited.

replies(2): >>44376059 #>>44376136 #

landgenoot ◴[25 Jun 25 11:42 UTC] No.44376136[source]▶

>>44375970 #

Yes. There is even an active function that allows you sign arbitrary bits to check if the passport actually contains the private key. Otherwise you could spoof a passport by just replaying the government signed data.

Source: I have been working on a blockchain implementation in the past that was compatible with the cryptographic functions in an NFC passport. Basically using a standard NFC passport as a cold wallet.

Fun fact. The cryptographic system even differs per country.

E.g. the Dutch don't trust the NIST elliptic curves so use the brainpool curves instead. Some other countries are still using RSA iirc.

replies(3): >>44376312 #>>44376728 #>>44379711 #

bluesign ◴[25 Jun 25 12:52 UTC] No.44376728[source]▶

>>44376136 #

but why would passport contain a private key ?

replies(1): >>44378447 #

1. landgenoot ◴[25 Jun 25 15:30 UTC] No.44378447[source]▶

>>44376728 #

The public key information is signed by the government and readable.

This enables the passport to prove it's integrity by signing responses with its private key.

↑