Reading NFC Passport Chips in Linux
38 comments
· June 25, 2025
wkat4242
Many passports also contain digitized fingerprint scans. But those are even harder to access. You need a private key that only governments have.
aneutron
Sounds fairly sensible to me
SXX
I always wondered: doesn't this kind of specification also have a digital signature of the passport issuer or something? Otherwise, how can other countries verify it's not a fake one?
I read this article, but it seems like any information about it is kind of omitted.
landgenoot
Yes. There is even an active function that allows you to sign arbitrary bits to check if the passport actually contains the private key. Otherwise you could spoof a passport by just replaying the government-signed data.
Source: I have been working on a blockchain implementation in the past that was compatible with the cryptographic functions in an NFC passport. Basically using a standard NFC passport as a cold wallet.
Fun fact. The cryptographic system even differs per country.
E.g. the Dutch don't trust the NIST elliptic curves so use the brainpool curves instead. Some other countries are still using RSA iirc.
SXX
Thanks for details.
Actual validation methods would be actually cool to read about. Since if we ignore legal difficulties of storing the data then we can actually use passport cryptography as something like actual proof-of-human without pesky 3rd-parties.
janmo
The passports contain a digital signature and a DSC (Document Signing Certificate). This DSC is signed by a CSCA certificate which you can download from the ICAO Public Key Directory. Link here: https://pkddownloadsg.icao.int/
stavros
Hm, he doesn't say whether he managed to decrypt the passport with the missing checksum in the end, or whether the piercing doesn't matter because it's trivial to calculate the checksum from the rest of the info, or how long that would take. Did I miss it, or is that useful information omitted?
edent
OP here. It is trivial to create the missing checksum. It is detailed at https://shkspr.mobi/blog/2025/06/reading-nfc-passport-chips-...
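Added example, not part of the comment above or of the linked article: a sketch of the ICAO 9303 check-digit calculation and of how the three check-digited MRZ fields feed the Basic Access Control key seed, which is why a damaged check digit can be recomputed from the field it protects. The function names and the `"?"` marker for an unreadable digit are assumptions of this example, and the field values are sample data, not a real document.

```python
import hashlib

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated across the field

def char_value(c: str) -> int:
    """Map an MRZ character to its value: '<' = 0, 0-9 as-is, A-Z = 10..35."""
    if c == "<":
        return 0
    if "0" <= c <= "9":
        return ord(c) - ord("0")
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"character {c!r} is not valid in an MRZ")

def check_digit(field: str) -> str:
    """Weighted sum of the character values, modulo 10."""
    total = sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)

def resolve_check_digit(field: str, printed: str) -> str:
    """Return the computed digit; a readable printed digit must agree with it."""
    computed = check_digit(field)
    if printed.isdigit() and printed != computed:
        # A mismatch means the field itself was misread, so fail loudly.
        raise ValueError(f"check digit {printed} does not match field {field!r}")
    return computed

def bac_key_material(doc_number, birth, expiry, printed=("?", "?", "?")):
    """Return (MRZ information string, 16-byte BAC key seed).

    MRZ information = document number, date of birth and date of expiry,
    each followed by its check digit; the seed is the first 16 bytes of
    its SHA-1 hash. "?" in `printed` marks an unreadable digit (assumption).
    """
    fields = (doc_number.ljust(9, "<"), birth, expiry)  # pad number to 9 chars
    info = "".join(f + resolve_check_digit(f, p) for f, p in zip(fields, printed))
    seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return info, seed

if __name__ == "__main__":
    # Sample values; the date-of-birth check digit is marked unreadable.
    info, seed = bac_key_material("L898902C", "690806", "940623",
                                  printed=("3", "?", "6"))
    print(info, seed.hex())
```

A readable check digit that disagrees with its field raises an error rather than being silently replaced, since that indicates the field was misread and the derived key would be wrong anyway.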
stavros
Yep, I saw that section, but thought that the next section was a continuation of it. Maybe you could say a few more things about it, like "since it was trivial to recreate the checksum, I managed to read my passport fine, and then wondered what it would take to guess the entire MRZ" as a segue.
frelp
I wonder if you could create a chip that could break the passport reader system. That could really disrupt things, so hopefully that’s not possible.
edent
The ICAO documents contain the complete specification. It is moderately complex and involves twiddling lots of bits. So I've no doubt that a passport reader somewhere isn't doing bounds checking properly.
But you could achieve much the same effect with a hammer.
giantg2
But could a hammer deliver a malicious payload that could spread in the system? I'm not sure if you could do that with data on the chip, but maybe.
hypeatei
Burning a zero day like that in front of border / travel officers will probably land you in prison very quickly.
dzhiurgis
Hol up. So what stops you from uploading custom photo + metadata onto random chip and planting it in a fake passport?
edent
The data are signed with the passport issuing authority's private key.
So you could implement a chip which reacts like an official passport. When the border guards see that the signature is invalid, you can explain how it's just a prank and you'll all have a jolly good laugh about it.
wkat4242
I doubt border guards know what a cryptographic signature is. But they'll probably have a big red marker that tells them to hold you and get someone who knows :)
Nextgrid
I remember reading an article or paper that checked the validity and spec compliance of various nations' passports, and found lots of variation, so a valid signature isn't actually a guarantee even in a legit passport.
vbezhenar
Invalid signature probably will result from chip degradation or other electronic failures and I'm pretty sure that you won't be the first they see. Passport is supposed to be valid without any digital things, so they'll proceed with ordinary procedures, with manual entry of data from passport.
23434dsf
So if I strolled through the airport with a high power NFC reader/writer, I could ruin a lot of people's trips?
crowbahr
In addition to the mechanisms people are describing here - passports have a metal mesh in them to disrupt NFC signals. It's not a full faraday cage but it works on similar principles. The passport has to be _open_ to be read from, and then only after you transmit the MRZ will you get anything.
edent
No.
NFC chips can be locked. That means the data can't be overwritten. No matter the writer, nor its strength, you can't overwrite a passport's chip.
I suppose you could use an EMP - but that would ruin a lot more than just some trips.
lukan
"The NFC chip in a passport is protected by a password. The password is printed on the inside of the physical passport. As well as needing to be physically close to the passport for NFC to work, you also need to be able to see the password."
daveoc64
What makes you think you could do this?
SXX
Countries like the UK actually have a public database for e-visas (share code) that can easily be verified via an online API. So probably at least some foreign governments can cross-validate some passport data with each other.
crowbahr
Countries all know each other's signing certs. There's a question of how much they _trust_ the other country but the certs are all public.
remcob
Besides the data being signed as already mentioned, the protocol is interactive and custom to passport documents. So you can’t just put it on any programmable NFC tag. I also doubt you can buy programmable ones implementing the passport protocols. But maybe you can find general purpose programmable ones you can implement the protocol on.
There are also optional subprotocols that allow the chip to be authenticated (i.e. prove it knows a private key). These prevent copying valid signed data to a different chip.
crowbahr
Yeah but since the USA doesn't sign on to anything above basic auth (MRZ unlock) everyone also has to work on the more basic level. Kinda unfortunate.
neoromantique
Considering how often it is done, not much?
The spec for machine readable travel documents is sadly not the most concise but if you're interested in the nitty-gritty details of how to validate documents, how to read data from them, etc then jump into ICAO 9303:
https://www.icao.int/publications/documents/9303_p10_cons_en...
https://www.icao.int/publications/documents/9303_p11_cons_en...
But please keep in mind that this is just the spec for how it's supposed to be implemented. Real world implementations of it have lots of creative interpretations of the spec in addition to straight bugs in their implementations, so if you're going to write software that has to work with various different documents issued by various governments, you'll have many fun debugging sessions :)