SlideShare a Scribd company logo

How to secure electronic passports

Riscure
Riscure

The document discusses how to secure electronic passports. It outlines passport threats like forgery and look-alike fraud. It then summarizes available protection mechanisms under ICAO standards, including storing certificates and biometrics on chips. It analyzes security challenges for inspection terminals and accessing personal data. It concludes that while electronic passports improve forgery protection, look-alike fraud remains an issue without reliable biometrics, and contactless chips introduce privacy concerns.

Related slideshows

Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюNFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
 
1 of 31
Download to read offline
How To Secure Electronic Passports Marc Witteman & Harko Robroch Riscure 02/07/07 - Session Code: IAM-201
Other personal info on chip Other less common data fields that may be in your passport — Custody Information — Travel Record Detail(s) — Endorsements/Observations — Tax/Exit Requirements — Contact Details of Person(s) to Notify — Visa
How to secure electronic passports
Our involvement in electronic passports • Published weakness in BAC static key in July 2005 • Performed security testing on electronic passport technology • Security Test Lab — smart cards — embedded devices
Overview • Passport threats and protection mechanisms • Security challenges and solutions — Inspection terminal configuration — Access control to personal data — Contactless chip • Conclusion
What to protect against? 1. Passport forgery • Criminal organization makes a false passport • High-tech and more difficult 2. Look-alike fraud • Criminal organization steals many passports • Look for the best match • Low-tech and relatively easy
Available protection mechanisms under ICAO 1. To address passport forgery Store a certificate with passport holder data Store a private key on a smart card Active Authentication offers this under ICAO 2. To address look-alike fraud Add personal biometric data Biometric software should reduce false accepts
Overview of protection mechanisms in ICAO • A passport implements one valid combination • A terminal implements each of these Authentication (Passive, Active, Biometrics) Access Control (None, Basic or Extended) Who can access my data? Does this passport belong to this person?
Test your own passport at Amsterdam Airport • Public access to a terminal • Displays personal info from chip
Overview • Passport threats and protection mechanisms • Security challenges and solutions — Inspection terminal configuration — Access control to personal data — Contactless chip • Conclusion
Inspection terminal configuration Risk • Complex standard with many options; how well will terminals do? • Most attention is on the passport, not the terminal Challenges and solutions • Implementation errors form a risk • Let’s discuss two specific implementation challenges 1. Many options to be supported by the terminal 2. Proper RSA certificate verification not trivial How would you detect a false acceptance?
1. Many options to be supported by the terminal • Typical standardization compromise • Protocol options — Basic Access Control — Active Authentication — Extended Access Control — Document signer key on passport — Biometrics • Cryptographic options — Passive Authentication: RSA (PSS / PKCS1), DSA, ECDSA — Hashing: SHA-1, 224, 256, 384, 512
2. Proper RSA verification not trivial An example in Passive Authentication • Passport may use PKCS1 • Last year, Daniel Bleichenbacher discovered vulnerability in some PKCS1 implementations (with exponent 3) Exploit prerequisites • Inspection system with this vulnerability • Country that uses PKCS1 with RSA exponent 3 Then, you may fool a terminal with a self-made PKCS1 RSA certificate
Overview • Passport threats and protection mechanisms • Security challenges and solutions — Inspection terminal configuration — Access control to personal data — Contactless chip • Conclusion
Access control to personal data Risks to protect against • Rogue terminal • Eavesdropping by a 3rd party • Tracking individuals • Recognition of citizenship Challenges and solutions • How strong is BAC? • Using the UID to track individuals • Extended Access Control is underway
Weakness in Basic Access Control Static access key is derived from MRZ data • Date of birth • Date of expiry • Passport number Predictability & dependency reduce entropy to 35 bits 0 50000000 100000000 150000000 200000000 250000000 7/24/1998 12/6/1999 4/19/2001 9/1/2002 1/14/2004 5/28/2005 10/10/2006 2/22/2008 7/6/2009 11/18/2010 4/1/2012 Publication in July 2005
Improve Basic Access Control Solution • Country can use unpredictable passport numbers • But, protection remains limited due to static key that is visible for any person who had access to the passport Example: In Aug 2006, Dutch passport moved to unpredictable numbers to reach entropy of 66 bits Is 35 bit sufficient to protect personal data?
UID is another challenge • UID is a low-level RF identification number (32 bit) • UID threatens privacy in two ways • Solution: Randomize the UID • Performance challenge — UID very shortly after power up — On-board random generator Broadcast 2A73B9F0
Extended Access Control • To access most sensitive data on chip (e.g. biometric data) • Implements mutual authentication Access Control (Extended) Who can access my data?
Certificate infrastructure Short validity period Time Foreign country Your country Inspection terminal Document Verifier Country CA signed verify issued But a chip does not know what time it is
Certificate validation problem Two solutions can be used for lost or stolen terminals 1. The terminal verifies itself Is this a sound security principle? 2. Compare with previous date What is a risk here?
Overview • Passport threats and protection mechanisms • Security challenges and solutions — Inspection terminal configuration — Access control to personal data — Contactless chip • Conclusion
Contactless chip Use of contactless technology appropriate? • Introduces access and eavesdropping issues • Shielding is applied (e.g. USA) • Contact-based chip technology eliminates several issues
Overview • Passport threats and protection mechanisms • Security challenges and solutions — Inspection terminal configuration — Access control to personal data — Contactless chip • Conclusion
Conclusion (1) • Inspection terminal implementation is complex • Country can improve privacy protection by — Maximize passport number entropy — Randomize UID • Extended Access Control is promising but also has a small inherent weakness • Moving to a contact smart card would eliminate several issues ☺☺☺☺
Conclusion (2) – The electronic passport ... • Improves forgery protection when — Each passport has a chip — Inspecting officer knows it should have a chip • Does not address look-alike fraud until — Reliable biometrics are added to passports • Introduces privacy concerns — Contactless (RF) is used — Easy way to fill a country’s database — Adding biometrics also challenges privacy requirements
Thank you. Questions? Marc Witteman Chief Technology Officer witteman@riscure.com Harko Robroch Managing Director robroch@riscure.com Riscure B.V. Rotterdamseweg 183c 2629 HD Delft The Netherlands Phone: +31 (0)15 2682664 Http://www.riscure.comVisit us at the smart card pavilion booth 1742
References • International Cival Aviation Organisation web site on MRTDs: www.icao.int/mrtd/ • Riscure, publication of BAC weakness, July 2005: http://www.riscure.com/2_news/passport.html • FIDIS Budapest Declaration, Sep 2006: http://www.fidis.net/press-events/press-releases/budapest-declaration/ • Bleichenbacher attack on RSA implementations: http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html • BSI Technical Guideline - Extended Access Control, Feb 2006: http://www.bsi.bund.de/fachthem/epass/EACTR03110_v101.pdf • Security Document World on Extended Access Control: http://www.securitydocumentworld.com/client_files/eac_white_paper_210706.pdf
Appendix A: protection mechanisms & shortcomings Mechanism Protection Shortcoming None - - Personal data readable BAC Privacy info Can be cracked EAC + BAC Most sensitive info Certificate validation Passive Auth Content OK Can make clone of chip Active Auth Passport OK Minor: abuse of signing feature + Biometrics Passp holder OK Mass deployment?
Appendix B: Bleichenbacher’s PKCS-1 attack • Normal RSA payload structure: padding || Length || Hash • Verifier skips padding, decodes length and reads Hash • Modified RSA payload structure: padding || Length || Hash || Tail • Manufacture signature whose cube value matches modified structure • Inspection system that does not check absence of Tail and uses Length to read the Hash will not detect the forgery
Appendix C: false passport detection

More Related Content

How to secure electronic passports

  • 1. How To Secure Electronic Passports Marc Witteman & Harko Robroch Riscure 02/07/07 - Session Code: IAM-201
  • 2. Other personal info on chip Other less common data fields that may be in your passport — Custody Information — Travel Record Detail(s) — Endorsements/Observations — Tax/Exit Requirements — Contact Details of Person(s) to Notify — Visa
  • 4. Our involvement in electronic passports • Published weakness in BAC static key in July 2005 • Performed security testing on electronic passport technology • Security Test Lab — smart cards — embedded devices
  • 5. Overview • Passport threats and protection mechanisms • Security challenges and solutions — Inspection terminal configuration — Access control to personal data — Contactless chip • Conclusion
  • 6. What to protect against? 1. Passport forgery • Criminal organization makes a false passport • High-tech and more difficult 2. Look-alike fraud • Criminal organization steals many passports • Look for the best match • Low-tech and relatively easy
  • 7. Available protection mechanisms under ICAO 1. To address passport forgery Store a certificate with passport holder data Store a private key on a smart card Active Authentication offers this under ICAO 2. To address look-alike fraud Add personal biometric data Biometric software should reduce false accepts
  • 8. Overview of protection mechanisms in ICAO • A passport implements one valid combination • A terminal implements each of these Authentication (Passive, Active, Biometrics) Access Control (None, Basic or Extended) Who can access my data? Does this passport belong to this person?
  • 9. Test your own passport at Amsterdam Airport • Public access to a terminal • Displays personal info from chip
  • 10. Overview • Passport threats and protection mechanisms • Security challenges and solutions — Inspection terminal configuration — Access control to personal data — Contactless chip • Conclusion
  • 11. Inspection terminal configuration Risk • Complex standard with many options; how well will terminals do? • Most attention is on the passport, not the terminal Challenges and solutions • Implementation errors form a risk • Let’s discuss two specific implementation challenges 1. Many options to be supported by the terminal 2. Proper RSA certificate verification not trivial How would you detect a false acceptance?
  • 12. 1. Many options to be supported by the terminal • Typical standardization compromise • Protocol options — Basic Access Control — Active Authentication — Extended Access Control — Document signer key on passport — Biometrics • Cryptographic options — Passive Authentication: RSA (PSS / PKCS1), DSA, ECDSA — Hashing: SHA-1, 224, 256, 384, 512
  • 13. 2. Proper RSA verification not trivial An example in Passive Authentication • Passport may use PKCS1 • Last year, Daniel Bleichenbacher discovered vulnerability in some PKCS1 implementations (with exponent 3) Exploit prerequisites • Inspection system with this vulnerability • Country that uses PKCS1 with RSA exponent 3 Then, you may fool a terminal with a self-made PKCS1 RSA certificate
  • 14. Overview • Passport threats and protection mechanisms • Security challenges and solutions — Inspection terminal configuration — Access control to personal data — Contactless chip • Conclusion
  • 15. Access control to personal data Risks to protect against • Rogue terminal • Eavesdropping by a 3rd party • Tracking individuals • Recognition of citizenship Challenges and solutions • How strong is BAC? • Using the UID to track individuals • Extended Access Control is underway
  • 16. Weakness in Basic Access Control Static access key is derived from MRZ data • Date of birth • Date of expiry • Passport number Predictability & dependency reduce entropy to 35 bits 0 50000000 100000000 150000000 200000000 250000000 7/24/1998 12/6/1999 4/19/2001 9/1/2002 1/14/2004 5/28/2005 10/10/2006 2/22/2008 7/6/2009 11/18/2010 4/1/2012 Publication in July 2005
  • 17. Improve Basic Access Control Solution • Country can use unpredictable passport numbers • But, protection remains limited due to static key that is visible for any person who had access to the passport Example: In Aug 2006, Dutch passport moved to unpredictable numbers to reach entropy of 66 bits Is 35 bit sufficient to protect personal data?
  • 18. UID is another challenge • UID is a low-level RF identification number (32 bit) • UID threatens privacy in two ways • Solution: Randomize the UID • Performance challenge — UID very shortly after power up — On-board random generator Broadcast 2A73B9F0
  • 19. Extended Access Control • To access most sensitive data on chip (e.g. biometric data) • Implements mutual authentication Access Control (Extended) Who can access my data?
  • 20. Certificate infrastructure Short validity period Time Foreign country Your country Inspection terminal Document Verifier Country CA signed verify issued But a chip does not know what time it is
  • 21. Certificate validation problem Two solutions can be used for lost or stolen terminals 1. The terminal verifies itself Is this a sound security principle? 2. Compare with previous date What is a risk here?
  • 22. Overview • Passport threats and protection mechanisms • Security challenges and solutions — Inspection terminal configuration — Access control to personal data — Contactless chip • Conclusion
  • 23. Contactless chip Use of contactless technology appropriate? • Introduces access and eavesdropping issues • Shielding is applied (e.g. USA) • Contact-based chip technology eliminates several issues
  • 24. Overview • Passport threats and protection mechanisms • Security challenges and solutions — Inspection terminal configuration — Access control to personal data — Contactless chip • Conclusion
  • 25. Conclusion (1) • Inspection terminal implementation is complex • Country can improve privacy protection by — Maximize passport number entropy — Randomize UID • Extended Access Control is promising but also has a small inherent weakness • Moving to a contact smart card would eliminate several issues ☺☺☺☺
  • 26. Conclusion (2) – The electronic passport ... • Improves forgery protection when — Each passport has a chip — Inspecting officer knows it should have a chip • Does not address look-alike fraud until — Reliable biometrics are added to passports • Introduces privacy concerns — Contactless (RF) is used — Easy way to fill a country’s database — Adding biometrics also challenges privacy requirements
  • 27. Thank you. Questions? Marc Witteman Chief Technology Officer witteman@riscure.com Harko Robroch Managing Director robroch@riscure.com Riscure B.V. Rotterdamseweg 183c 2629 HD Delft The Netherlands Phone: +31 (0)15 2682664 Http://www.riscure.comVisit us at the smart card pavilion booth 1742
  • 28. References • International Cival Aviation Organisation web site on MRTDs: www.icao.int/mrtd/ • Riscure, publication of BAC weakness, July 2005: http://www.riscure.com/2_news/passport.html • FIDIS Budapest Declaration, Sep 2006: http://www.fidis.net/press-events/press-releases/budapest-declaration/ • Bleichenbacher attack on RSA implementations: http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html • BSI Technical Guideline - Extended Access Control, Feb 2006: http://www.bsi.bund.de/fachthem/epass/EACTR03110_v101.pdf • Security Document World on Extended Access Control: http://www.securitydocumentworld.com/client_files/eac_white_paper_210706.pdf
  • 29. Appendix A: protection mechanisms & shortcomings Mechanism Protection Shortcoming None - - Personal data readable BAC Privacy info Can be cracked EAC + BAC Most sensitive info Certificate validation Passive Auth Content OK Can make clone of chip Active Auth Passport OK Minor: abuse of signing feature + Biometrics Passp holder OK Mass deployment?
  • 30. Appendix B: Bleichenbacher’s PKCS-1 attack • Normal RSA payload structure: padding || Length || Hash • Verifier skips padding, decodes length and reads Hash • Modified RSA payload structure: padding || Length || Hash || Tail • Manufacture signature whose cube value matches modified structure • Inspection system that does not check absence of Tail and uses Length to read the Hash will not detect the forgery
  • 31. Appendix C: false passport detection