There was a post from trailofbits blog recently about how passport crypto works. Kind of related here.
I wonder if this is some zero knowledge proofs here or what? Reading the passport and its chip implies some terminal authentication capabilities coming from Apple devices. Passport would not allow reading sensitive data from the chip unless the terminal is valid.
Another question is if Apple is allowed to read your biometric data?
Sorry I was meaning to say "passport terminal" capabilities which would require a cert to be issued by a country whose passport chips you want to read. Well maybe they had this for a while but AFAIK you could not read passport details with an apple device before
From that article it looks like all you need to establish a secure connection with the passport is some data that is printed in plaintext on the photo page.
It seems (again, if I'm reading correctly) that you only really need a private key in order to issue a passport.
Yes, that's correct. There have been apps on iOS and Android that can read your passport via NFC for ages. As you noted, all you need is the plaintext information printed on the photo page to generate the Basic Access Control key, which will let you connect to the passport's NFC chip.
Issuing a passport is a different issue entirely, since you need a country's document signing key.
quick note -- I believe you need a separate key to get biometric data out of the passports, but it's been a while since I looked at passport digital infrastructure.
> There was a post from trailofbits blog recently about how passport crypto works. Kind of related here.
>
> I wonder if this is some zero knowledge proofs here or what? Reading the passport and its chip implies some terminal authentication capabilities coming from Apple devices. Passport would not allow reading sensitive data from the chip unless the terminal is valid.
>
> Another question is if Apple is allowed to read your biometric data?
Passport chips aren't that complex, especially not American ones. You just need to transmit part of the MRZ to unlock them (Other ICAO compliant passports have slightly different requirements, still all easily doable for any smart phone with NFC transmit)
The Apple ID isn't a ZKP - IIRC they're doing a CBOR representation of the claims which is signed with their own cert.
I still find it bonkers reading passport doesn't validate it against it some centralised database. Like, $1 in your bank account and a credit card is more advanced than a passport.
Passports are inherently decentralized, which is needed because not all countries cooperate with each other - or have the same budget for technology/security. It's really way something at global scale could work.
(There are national-level databases, but presumably not every country has access to every other country's database.)
I struggle to imagine international airport without a credit card reader. Maybe some borders in some countries could've struggled before cheap ubiquitous internet, but not anymore. And even then it's their problem.
Countries don't need access to database. They need to validate public key / hashsum is valid (or something along those lines).
I wonder if this is some zero knowledge proofs here or what? Reading the passport and its chip implies some terminal authentication capabilities coming from Apple devices. Passport would not allow reading sensitive data from the chip unless the terminal is valid.
Another question is if Apple is allowed to read your biometric data?