USA Flag

Official website of the Department of Homeland Security

Transportation Security Administration

TSA Paperless Boarding Pass Pilot Expanding

Thursday, June 18, 2009

We’ve talked about this before , but the paperless boarding pass pilot program is picking up steam and I thought I’d give you an update.

It was just rolled out at the Cincinnati-Northern Kentucky International Airport. Check out the press conference with CVG Federal Security Director Paul Wisniewski and Delta Field Director Paul Baird, along with a brief demonstration.



The program rolled out in 2007 and is now operating at the following 20 airports:

Atlanta Hartsfield International (ATL), Austin-Bergstrom International (AUS), Boston Logan International (BOS), Chicago O-Hare International (ORD), Cincinnati/Northern Kentucky International (CVG),Cleveland Hopkins (CLE), Detroit Metropolitan Wayne County (DTW), George Bush Intercontinental Airport (IAH), Indianapolis International (IND), John Wayne, Orange County, CA (SNA), Las Vegas McCarren (LAS), Los Angeles International (LAX), Memphis (MEM), Minneapolis-St. Paul International (MSP), New York LaGuardia (LGA), Newark International (EWR), Ronald Reagan Washington National (DCA), Salt Lake City International (SLC), San Antonio International (SAT), Seattle-Tacoma International (SEA)

Alaska: SEA
American: ORD, SNA, LAX
Continental: IAH, DCA, EWR, BOS, AUS, SAT, CLE, LGA, LAS
Delta/Northwest: ATL, LAS, MEM, MSP, DET, SLC, CVG
Delta only: LGA
Northwest only: IND

So what do we mean by paperless? Are boarding passes being made out of plastic? Nope… Passengers will be able to receive their boarding passes on their cell phones or PDAs.

Why are we doing this? Well, it’s hip to be green, right? That’s kind of cool, but this has some other perks. First off, you don’t have to worry about that troublesome boarding pass any longer. Now the boarding pass is your phone. You’re far less likely to lose your phone than you are your tickets.

The paperless boarding pass will also prevent fraudulent paper boarding passes that could be created and printed from home.

The paperless boarding pass has a two dimensional state of the art tamper resistant super duper bar code as well as your name and flight information. Our Travel Document Checkers (TDCs) will scan your paperless boarding pass as seen in the video above.

I bet you’re wondering how the two dimensional state of the art tamper resistant super duper bar code works? I can’t just give something a title like that and not take the time to explain it, can I?

Unlike the usual one dimensional single line bar code you would normally see on a box of Cap'n Crunch, this bar code is two dimensional . The encrypted code contains passenger information as well as authentication information from the airline that can only be decoded by a TSA scanner. TSA is also working with the airlines to create the same type of bar code for those who choose to use paper boarding passes. How is it tamper resistant you might ask? Well, I guess you could manipulate the code if you really wanted to, but the scanner will detect any sign of tampering.

As long as youre phone/PDA can receive and open attachments and you’re flying out of one of the airports listed above on a participating airline on the second Tuesday of the month, you can take part in this pilot program. (OK, I was kidding about the second Tuesday of the month…)

Blogger Bob

TSA Blog Team

Comments

Submitted by Anonymous on

This is great to see. An example where the TSA is trying to make peoples' lives easier rather than harder.

My only question is why a limited roll-out? Why not enable this everywhere?

Submitted by Trollkiller on

Barcode hack in 3... 2....

Submitted by Anonymous on

I think I will pass...and this would be great for a hacker to steal any information. Encryption??? Just need to find a good decryption algorithm and a really fast computer...and don't trust the scanners to not save any information or not contain any other personal info. :p

Submitted by Philr on

Sorry, anonymous, but a properly implemented encryption system is more than secure enough. Sure, a "really fast computer" can brute-force any encryption, but if the brute-force pass takes longer than the time until the flight, the "decryption" is useless.


I suspect what is being described here is actually a digital signature, to make sure the data in the bar code has not been tampered with. That's fine, as long as the folks implementing the signature code stay on top of developments in the encryption world, moving to new signature standards as they are released.

Submitted by Anonymous on

Will our date-of-birth and/or gender be encoded in the 2D barcode under the "Secure Flight" dragnet? How about home address?

Will TSA use these barcodes to create a database of who passes through checkpoints, and when and how often they do so? Every time they scan a BP, they can store the info. Maybe they'll store it in the same database along with the "un-savable" virtual strip-search machine image that they want for all of us. :(

Encryption and digital signatures are great, but the devil is in the implementation details. Is the data on the barcode truly encrypted, or is it just signed by the airlines' private key? If that's the case, anyone who finds a 2D-barcode BP on the ground can get all the personal info, because a tamper-resistant signature (which I suspect is TSA's main/real concern) does not mean the data itself isn't in plaintext.

And all it will take to make fake boarding passes is to compromise the private signature key of one airline. Someone will either bribe an airline employee or just start a brute force attack on one of the signature keys. I'm not very confident that TSA will mandate reasonably secure signature keys (2408-bit public/private keypairs, and a modern hash function that excludes those that have been compromised in the last few years like MD5 and SHA-1).

TSA has such a terrible history, and there's just so much opportunity for screwup here. It seems inevitable that either their will be a major breach of private information or an early and obvious breach of the technique's "security" or a major overreach by TSA in creating a database of those who pass the TSA checkpoint. Or all of the above.

Submitted by Carp on

Can only be decoded by the TSA scanner?

You do know thats going to change in about a week and a half? This EXACT thing has been tried before... MA has a 2d bar code on the back of every license.... and within weeks of it happening, half the bars in the state had readers for them.

I mean, if its just a bar code, its going to get figured out really quickly. WHat I didn't see (maybe I missed it) in your writeup was how it works beyond the bar code.

If its properly designed, that bar code would have to have all the boarding pass information plus a digital signature.

If thats what it is, then releasing that that is how it is shouldn't decrease the security at all. In fact, I would say, that if its designed in such a way that telling people how to read the bar code would decrease the security....then you did it wrong... and its going to be broken.

Good math doesn't cheat and can't be cheated.

-Steve

Submitted by Carp on

ANonymous:

> I think I will pass...and this would be > great for a hacker to steal any
> information. Encryption??? Just need to > find a good decryption algorithm and a
> really fast computer...and don't trust
> the scanners to not save any
> information or not contain any other
> personal info. :p

You make some good points but, one of the examples I have always liked is military troop movement data. Does it need to be kept private and secure today? Absolutely. However, if the enemy cracks it next week... who cares? Its not valid anymore.

SO there is an inherent security in these tokens in that, they are of very limited usefulness. Even if I can steal your token and gain entry... when you show up stammering and protesting that you have a valid boarding pass and the system shows a duplicate.... its not like I (the perp in this case) am long gone... I am sitting in a numbered seat.

Even just outright forging them for seats, unless you happen to have access to the empty seats list, and be sure that nobody got bumped to one o fthose seats... its going to be pretty risky to use. NOTHING deters crime like a high risk of being caught.

The real concern in my eyes is what other info might be in there. Honestly, all it needs to be is a random number, then you just keep a whitelist of good numbers for each flight.... simple and deadly effective.

-Steve

Submitted by Carp on

OH my last solution was wrong. I was thinking security in terms of fraud, and what would stop dishonest people.

A simple random serial number would work if you don't care who uses the pass, as long as its the right person (so a "collision" where two people show up naturally indicates either a major system screwup, or a cheater)

To actually verify ID, you need to put the ID into the token, and use a digital signature. A little more data, but not hard at all.

In fact, I almost wonder if the size of the "message" would be small and defined format, might make a birthday attack on the message digest impractical.

Of course, then you want to be expiring and generating new keys on a regular basis.... but I guess it does no good me designing the system... I am really curious how the one you implemented works (again, I point out, the technology exists to do this such that knowing the details doesn't make attack easier, so if thats not the case, you did it wrong)

-Steve

Submitted by Anonymous on

Since information about your boarding card is already stored on computers all around the airport, I think your exposure to "hacking" remains roughly similar.

Also decrypt what? It uses a bar-code exactly like your existing boarding card except, it is a bar code designed to be easily readable using a standard camera.

If you did decode it, and it isn't meant to be difficult, you would just end up with a unique number that corresponds to the ticket number generated by the airline.

Submitted by Anonymous on

Trollkiller said...

"Barcode hack in 3... 2...."


Just can't seem to stop with the negativity, can you Trollkiller? lol Its ok, though. It's your life to waste. :)

Submitted by Anonymous on

Hi Steve and Philr:

You both make very good points. Brute force decryption is very tedious and definitely not worth the hassle if you're trying to steal someone's boarding pass. However, assuming that other personal data is there, then maybe there might be some use. I am not really concerned about boarding pass fraud, more into the privacy concerns. Even if a hacker gains the name and maybe even the address of a passenger, then privacy is compromised. With internet research, a hacker can gain more information including phone numbers, credit information, and others (as long name and address is provided). A good stalker's dream, as long he/she doesn't mind the risk of getting caught and the huge penalties.

Sorry, but I have not done much research with barcode encryption/decryption. Thus, don't have much knowledge with those. Closest thing I seen is magnetic card readers...I seen a presentation on how easy it is to read driver license information with just a basic card reader...quite interesting! :)

...And just in cause you are wondering, I do NOT perform or encourage illegal hacking. I am just really interested and studied digital security. :)

Thanks for the feedback.

Submitted by Tony on

I should hope that the barcode is encrypted....
It seems like what people are worried about is the actual security of the barcodes, but it wouldn't be an issue if they were encrypted using SHA-1 or something. Using a secure passkey would make the system take so long to brute-force, it wouldn't be worth it.

Submitted by Anonymous on

Two questions: First, am I allowed to take my cell phone through the detector if it has the boarding pass code on it? If not, it will add time to the process, because the phone will have to be retrieved before I can present it to the guard after the metal detector.

Second question: you say "The paperless boarding pass will also prevent fraudulent paper boarding passes that could be created and printed from home." That of course is only true if only paperless boarding is accepted. How do you plan to work with people who don´t have cell phones or PDAs?

Submitted by TSOWilliamReed on

Alot of talk about ID fraud going around. But what you all need to understand is this machine is just taking all the information thats already on your paper boarding passes and transfering it into a ridiculously difficult to copy format. Your name and information on the flight, same amount of information about yourself that you have been happily giving the airlines when you check in for years. Even if the code was cracked and they could make a copy of the code all that would mean is they have the copy of digital boarding pass that someone else should also have while boarding the plane that day. They will probably randomly generate different codes for every single pass ever so no single pass will ever have the same bar code, like a fingerprint. At least thats how I understand this should work, I could be wrong.

Submitted by Anon_Security_Geek on

This is a reasonable approach, assuming they are using appropriate encryption/key lengths and key custody best practices. (insert pregnant pause here...)

Again as pointed out the time period for required for a successful attack, given all the supporting documentation.

Unlikely to result in a practical attack unless it's an extremely determined dork with all his or her stars lining up.

Someone alert Schneier, geeks on the run!

Submitted by Anonymous on

In the information you provide about what Airlines are providing this feature at certain airlines, you have Alaska:SEA and American Airlines running together on the same line.

Submitted by Anonymous on

Hrmm.. I don't have a PDA, and my cellphone can't receive pictures.

EPIC FAIL for a "universal" system.

Submitted by Anonymous on

It's a very secure barcode. It's actually a two step process:
1: ROT-13
2: 4 'wheel' rotating 40 bit enigma using the ciphertext of "DoYoUwAnTtfLyToDaY" that has been Xor'd with julian date and time of issue.

Submitted by DCA TSO EM on

If people are so worried about using you're phone to access or use it as an EBP/ Ticket, then maybe you should put away you're iPhones & stop using the internet as well.

Honestly, if I was a hacker I would forget about their ticket why not just hack their phone or e-mail address. Take all of their personal info then?

But yes I can see how using a ticket via the internet on you're phone can be risky business. I agree w/ many of you, I sure as heck don't want my info to be hacked.

Submitted by Anonymous on

UPC bar codes are two-dimensional, too: length and width. The boarding pass barcodes simply have shapes besides lines.

Submitted by MSP TSO on

Two questions: First, am I allowed to take my cell phone through the detector if it has the boarding pass code on it? If not, it will add time to the process, because the phone will have to be retrieved before I can present it to the guard after the metal detector.

Second question: you say "The paperless boarding pass will also prevent fraudulent paper boarding passes that could be created and printed from home." That of course is only true if only paperless boarding is accepted. How do you plan to work with people who don´t have cell phones or PDAs?

To answer your first question, all the airports that accept the paperless boarding pass shouldn't be checking boarding passes at the metal detector anymore. This was adopted to avoid adding extra time to the trek through security.

You have a good point on your second question. We haven't been told that we are going to stop accepting paper boarding passes any time soon. Unless Bob knows something we don't, you should be fine with paper boarding passes for quite some time into the future.

Submitted by Anonymous on

I am surprised no one has mentioned the most likely problem...

What if it simply fails to work? You have to get out of line, go back to a ticket counter, wait in line to print a boarding pass, and go through security all over again.

By that time, you may have missed your flight, much less a connecting flight.

Sorry, I love my iPhone but don't trust this enough to be willing to miss my flights just to save one piece of paper.

Submitted by Anonymous on

All the information used for the electronic boarding pass is the same information used on the paper boarding pass. The paper boarding pass is printed up off the computer, therefor all of the information used to purchase this ticket is being stored in a computer anyways. What ever database that the airlines store this information hasn't changed. It is all the same except they send you a copy to your PDA that can be read right from your electronic device, instead of printing it. This does not make your information anymore susceptible to being stolen. The information is not stored anywhere on TSA's end. It is simply there for a matter of seconds while the TSO compares your ID to the information. Then it disappears.
No matter what the TSA does (and this is the airlines doing by the way) You people will moan and complain. Your never happy. And you wonder why no one takes your complaints seriously.

Submitted by Carp on

Tony:

Not to be a nitpicker (which of course means, thats exactly what I am about to be) but SHA-1 is a hash not an encryption.

Hash = One way Function (original data can't be recovered)

Encryption = two way (original data can be recovered with the appropriate key)

You can combine the two. Since encryption is computationally expensive, and hashing is relatively "cheap", you can hash a message to create a "secure" checksum (secure in this case just means that it would be very hard to come up with another legitimate message that hashes to the same value) and then encrypt the hash with a private key.

This creates a "digital signature". Verification means computing the hash, and then using the public key to decrypt the encrypted hash.

If the two are the same, then you have a high degree of confidence* that the message wasn't tampered with since the public key decrypted the hash and the hash of the message matched the hash that you decrypted.

(* theoretically its possible to have a collision of some sort... a message that generates the same hash, or a bad decryption key would decrypt the hash to a random value, which could randomly match.... but with most hashes being 128 bits or so, the chances of that are so unlikely that I have yet to hear anyone seriously talk of the possibility)

Submitted by Anonymous on

Anonymous said...

"I am surprised no one has mentioned the most likely problem...

What if it simply fails to work? You have to get out of line, go back to a ticket counter, wait in line to print a boarding pass, and go through security all over again.

By that time, you may have missed your flight, much less a connecting flight.

Sorry, I love my iPhone but don't trust this enough to be willing to miss my flights just to save one piece of paper."

-----------------------------

I work at one of these airports which uses this new technology.

It does happen that sometimes there is a failure for the equipment to read one of these tickets.

What we do is direct the person back to the ticket counter, but not to wait in line. They can go right up to their airline ticket counter, get a new ticket. Or better yet, if there is a self-check-in machine, use that.

Then the person is allowed to come back up to the front of the TSA line. Again, no waiting.

So if it doesn't work, it really doesn't take much more time to get through.

However, and I do not have a percentage, this electronic failure very rarely happens.

Submitted by Anonymous on

Hrmm.. I don't have a PDA, and my cellphone can't receive pictures.

EPIC FAIL for a "universal" system.
___________________________________

It is not for everyone. Only frequent fliers recieve this technology as of now. It is just a trial. It may not even make it outside of its trial period. And if it does, I am sure the paper passes will still be available, so people who are not up on their technology can also fly.

Submitted by Anonymous on

Two questions: First, am I allowed to take my cell phone through the detector if it has the boarding pass code on it? If not, it will add time to the process, because the phone will have to be retrieved before I can present it to the guard after the metal detector.

Second question: you say "The paperless boarding pass will also prevent fraudulent paper boarding passes that could be created and printed from home." That of course is only true if only paperless boarding is accepted. How do you plan to work with people who don´t have cell phones or PDAs?

June 19, 2009 5:25 PM
___________________________________

When we first began the paperless boarding pass, which was months ago at my airport, we were still checking boarding passes at the WTMD. There were laminated passes that said that you were electronicly checked. I am not sure how other airports handle this, but we do not check tickets anymore at the walk through. So you can place your PDA or phone onto the xray belt. There is no need for having to retrieve the phone and holding up the lane so the TSO can see it again.

Not everyone has access to this. It will never be fully electronic, because of cases like yours. Not everyone has a phone or PDA and they are aware of this.

Submitted by HappyToHelp on

I found a Privacy Impact Assessment(PIA) for Boarding Pass Scanning System.

TSA/ Boarding Pass Scanning System

The document should answer a few questions that have been posted here. Just keep in mind that the document is from 2007.

Later,

-Tim “H2H”

TSA Blog Team

Submitted by Traveler on

You may have noticed that the scanners deployed at ORD are used to scan all boarding passes, paper or on cell phones. The process is very efficient and it is a much more modern process than at airports where the scanners are only used when a passenger has a cell phone boarding pass. Why isn't TSA scanning the paper boarding passes at all airports where the scanners are installed? It seems it would improve the accuracy of the screening.

Submitted by Anonymous on

Anon @ "Second question: you say "The paperless boarding pass will also prevent fraudulent paper boarding passes that could be created and printed from home." That of course is only true if only paperless boarding is accepted. How do you plan to work with people who don´t have cell phones or PDAs?"

Simple. Although it looks completely optional in trial, when TSA rolls it out in production, people without TSA-compliant cell phones or PDAs will get retaliatory full-body-pat-downs or make the Hobson's choice of not flying. Just like the "optional" MMW system.

Submitted by Carp on

@Tim (Happy2Help)

Many thanks for the doc! My quick read says that this is done pretty much the way I would expect (and how I would implement it myself, for the most part).

I still don't agree with the conclusion that this will increase security, but, that mostly is because I don't see a threat from totally anonymous boarding passes, but hey... at least you have the technical specifics right.

For any who care, my summary:
The bar code contains your identifying information (including name) and a secure hash that has been signed by the airline with their private key.

However, what I don't see, is mention of which hashes and ciphers will be used, nor how long the keys will be.

Though, given the length of the message, I would assume that birthday attacks on the hash wont be practical?

That would be the main concern that I see. Though, maybe I should just keep my mouth shut :) afterall, I don't see any security problem with someone changing the name on their own boarding pass and handing it off to someone else, and thats the only scenario where a birthday attack would be helpful (for all the previously mentioned reasons that breaking these tokens isn't useful)

-Steve

Submitted by Mothers Rings on

What a great way to go green. But does this make the entrance to the terminal any quicker?

Submitted by Anonymous on

To all those with outdated phones and security fears, stay with the status-quo. You can still use your paper boarding passes.

Don't worry your pretty little heads about 2-D barcodes, encryption and such.

Submitted by Anonymous on

dumb idea more people in line texting and talking on their cell phones just slowing the lines down more. So now all of us have to wait to the complete their call so they can scan the PDA/Iphone. I hope you have a line for us folks that have paper

Submitted by Code Cod on

The 2D codes have a very high tolerance for error reduction in their creation upto 60% on some. So there would be no issue in 'printing' and the codes not working.
However, i do agree with 'Carp' that they can't possibly encrypt a digital signature and all a passenger's details within the barcode because someone will always figure out a way to decrypt/read them.
The only way i can think for these to have any use and not be a major security issue is that they would act as a URL to a login page for the passenger?

Submitted by Anonymous on

Just used it for the first time at DCA--loved it!

Submitted by Unknown on

All the information is totally related or to the point. There is no single line out of the topic. I am strongly agree with you
broken trust quotes