How to secure electronic passports
- 1. How To Secure Electronic Passports
Marc Witteman & Harko Robroch
Riscure
02/07/07 - Session Code: IAM-201
- 2. Other personal info on chip
Other less common data fields that may be in your passport
— Custody Information
— Travel Record Detail(s)
— Endorsements/Observations
— Tax/Exit Requirements
— Contact Details of Person(s) to Notify
— Visa
- 4. Our involvement in electronic passports
• Published weakness in BAC static key in July 2005
• Performed security testing
on electronic passport
technology
• Security Test Lab
— smart cards
— embedded devices
- 5. Overview
• Passport threats and protection mechanisms
• Security challenges and solutions
— Inspection terminal configuration
— Access control to personal data
— Contactless chip
• Conclusion
- 6. What to protect against?
1. Passport forgery
• Criminal organization makes a false passport
• High-tech and more difficult
2. Look-alike fraud
• Criminal organization steals many passports
• Look for the best match
• Low-tech and relatively easy
- 7. Available protection mechanisms under ICAO
1. To address passport forgery
Store a certificate with passport holder data
Store a private key on a smart card
Active Authentication offers this under ICAO
2. To address look-alike fraud
Add personal biometric data
Biometric software should reduce false accepts
- 8. Overview of protection mechanisms in ICAO
• A passport implements one valid combination
• A terminal implements each of these
Authentication
(Passive, Active, Biometrics)
Access Control
(None, Basic or Extended)
Who can access
my data?
Does this passport
belong to this person?
- 9. Test your own passport at Amsterdam Airport
• Public access to a terminal
• Displays personal info from chip
- 10. Overview
• Passport threats and protection mechanisms
• Security challenges and solutions
— Inspection terminal configuration
— Access control to personal data
— Contactless chip
• Conclusion
- 11. Inspection terminal configuration
Risk
• Complex standard with many options; how well will terminals do?
• Most attention is on the passport, not the terminal
Challenges and solutions
• Implementation errors form a risk
• Let’s discuss two specific implementation challenges
1. Many options to be supported by the terminal
2. Proper RSA certificate verification not trivial
How would you detect
a false acceptance?
- 12. 1. Many options to be supported by the terminal
• Typical standardization compromise
• Protocol options
— Basic Access Control
— Active Authentication
— Extended Access Control
— Document signer key on passport
— Biometrics
• Cryptographic options
— Passive Authentication: RSA (PSS / PKCS1), DSA, ECDSA
— Hashing: SHA-1, 224, 256, 384, 512
- 13. 2. Proper RSA verification not trivial
An example in Passive Authentication
• Passport may use PKCS1
• Last year, Daniel Bleichenbacher discovered vulnerability in some
PKCS1 implementations (with exponent 3)
Exploit prerequisites
• Inspection system with this vulnerability
• Country that uses PKCS1 with RSA exponent 3
Then, you may fool a terminal with
a self-made PKCS1 RSA certificate
- 14. Overview
• Passport threats and protection mechanisms
• Security challenges and solutions
— Inspection terminal configuration
— Access control to personal data
— Contactless chip
• Conclusion
- 15. Access control to personal data
Risks to protect against
• Rogue terminal
• Eavesdropping by a 3rd party
• Tracking individuals
• Recognition of citizenship
Challenges and solutions
• How strong is BAC?
• Using the UID to track individuals
• Extended Access Control is underway
- 16. Weakness in Basic Access Control
Static access key is derived from
MRZ data
• Date of birth
• Date of expiry
• Passport number
Predictability & dependency
reduce entropy to 35 bits
0
50000000
100000000
150000000
200000000
250000000
7/24/1998 12/6/1999 4/19/2001 9/1/2002 1/14/2004 5/28/2005 10/10/2006 2/22/2008 7/6/2009 11/18/2010 4/1/2012
Publication in July 2005
- 17. Improve Basic Access Control
Solution
• Country can use unpredictable passport numbers
• But, protection remains limited due to static key that is
visible for any person who had access to the passport
Example: In Aug 2006, Dutch passport moved to
unpredictable numbers to reach entropy of 66 bits
Is 35 bit sufficient to protect personal data?
- 18. UID is another challenge
• UID is a low-level RF identification number (32 bit)
• UID threatens privacy in two ways
• Solution: Randomize the UID
• Performance challenge
— UID very shortly after power up
— On-board random generator
Broadcast
2A73B9F0
- 19. Extended Access Control
• To access most sensitive data on chip (e.g. biometric data)
• Implements mutual authentication
Access Control
(Extended)
Who can access
my data?
- 21. Certificate validation problem
Two solutions can be used for lost or stolen terminals
1. The terminal verifies itself
Is this a sound security principle?
2. Compare with previous date
What is a risk here?
- 22. Overview
• Passport threats and protection mechanisms
• Security challenges and solutions
— Inspection terminal configuration
— Access control to personal data
— Contactless chip
• Conclusion
- 23. Contactless chip
Use of contactless technology appropriate?
• Introduces access and eavesdropping issues
• Shielding is applied (e.g. USA)
• Contact-based chip technology eliminates several
issues
- 24. Overview
• Passport threats and protection mechanisms
• Security challenges and solutions
— Inspection terminal configuration
— Access control to personal data
— Contactless chip
• Conclusion
- 25. Conclusion (1)
• Inspection terminal implementation is complex
• Country can improve privacy protection by
— Maximize passport number entropy
— Randomize UID
• Extended Access Control is promising but also has a small
inherent weakness
• Moving to a contact smart card would eliminate several issues
☺☺☺☺
- 26. Conclusion (2) – The electronic passport ...
• Improves forgery protection when
— Each passport has a chip
— Inspecting officer knows it should have a chip
• Does not address look-alike fraud until
— Reliable biometrics are added to passports
• Introduces privacy concerns
— Contactless (RF) is used
— Easy way to fill a country’s database
— Adding biometrics also challenges privacy requirements
- 27. Thank you. Questions?
Marc Witteman
Chief Technology Officer
witteman@riscure.com
Harko Robroch
Managing Director
robroch@riscure.com
Riscure B.V.
Rotterdamseweg 183c
2629 HD Delft
The Netherlands
Phone: +31 (0)15 2682664
Http://www.riscure.comVisit us at the
smart card pavilion
booth 1742
- 28. References
• International Cival Aviation Organisation web site on MRTDs: www.icao.int/mrtd/
• Riscure, publication of BAC weakness, July 2005:
http://www.riscure.com/2_news/passport.html
• FIDIS Budapest Declaration, Sep 2006:
http://www.fidis.net/press-events/press-releases/budapest-declaration/
• Bleichenbacher attack on RSA implementations:
http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
• BSI Technical Guideline - Extended Access Control, Feb 2006:
http://www.bsi.bund.de/fachthem/epass/EACTR03110_v101.pdf
• Security Document World on Extended Access Control:
http://www.securitydocumentworld.com/client_files/eac_white_paper_210706.pdf
- 29. Appendix A: protection mechanisms & shortcomings
Mechanism Protection Shortcoming
None - - Personal data readable
BAC Privacy info Can be cracked
EAC + BAC Most sensitive info Certificate validation
Passive Auth Content OK Can make clone of chip
Active Auth Passport OK Minor: abuse of signing feature
+ Biometrics Passp holder OK Mass deployment?
- 30. Appendix B: Bleichenbacher’s PKCS-1 attack
• Normal RSA payload structure: padding || Length || Hash
• Verifier skips padding, decodes length and reads Hash
• Modified RSA payload structure: padding || Length || Hash || Tail
• Manufacture signature whose cube value matches modified structure
• Inspection system that does not check absence of Tail and uses Length to read
the Hash will not detect the forgery