Basic access control: Difference between revisions

The basic access control mechanism has been criticized as offering too little protection from unauthorized interception. Researchers claim <ref>{{cite web|last=Hancke|first=Gerhard|url=http://www.rfidblog.org.uk/Hancke-IEEESP-RFIDPracAttacks.pdf |title=Practical Attacks on Proximity Identification Systems (Short Paper), Security and Privacy, 2006 IEEE Symposium on, Gerhard Hancke, 10 April 2012 |publisher=Security and Privacy, 2006 IEEE Symposium on |date=2006 |accessdate=2012-05-10}}</ref> that because there are only limited numbers of passport issued, many theoretically possible passport numbers will not be in use in practice. The limited range of human age ranges further reduce the space of possibilities.

 

 

This effect increases when passport numbers are issued sequentially or contain a redundant [[checksum]]. Both are proven to be the case in passports issued by the [[Netherlands]] {{Citation needed|date=July 2015}}. There are other factors that can be potentially used to speed up a brute force attack. There is the fact that dates of birth are typically not distributed randomly in populations. Dates of birth may be distributed even less randomly for the segments of a population that pass, for example, a check-in desk at an airport. And the fact that passports are often not issued on all days of the week and during all weeks of a year. Therefore, not all theoretically possible expiration dates may get used. In addition, the fact that real existing dates are used further limits the number of possible combinations: The month makes up two of the digits used for generating the key. Usually, two digits would mean 100 (00−99) combinations in decimal code or (36×36=1296) combinations in alphanumeric code. But as there are only 12 months, there are only 12 combinations. It is the same with the day (two digits and 31 combinations or less, depending on the month).