Ronny Wichers Schreur / Bart Jacobs Biometric Passport

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Ronny Wichers Schreur / Bart Jacobs Biometric Passport"

Transcription

1 FACULTY OF SCIENCE Ronny Wichers Schreur / Bart Jacobs

2 Wichers Schreur / Jacobs (IPA Fall days ) p.1/34 Contents

3 Wichers Schreur / Jacobs (IPA Fall days ) p.1/34 Contents I. Background II. Standards & requirements III. Low level stuff IV. High level protocols V. Passports for private use? VI. Conclusions

4 I. Background Wichers Schreur / Jacobs (IPA Fall days ) p.2/34

5 Wichers Schreur / Jacobs (IPA Fall days ) p.3/34 International developments

6 Wichers Schreur / Jacobs (IPA Fall days ) p.3/34 International developments After 9/11 international move towards stronger identification of citizens & travellers

7 Wichers Schreur / Jacobs (IPA Fall days ) p.3/34 International developments After 9/11 international move towards stronger identification of citizens & travellers US: Visa waiver program after 25 Oct 06 only for countries with biometric passport

8 Wichers Schreur / Jacobs (IPA Fall days ) p.3/34 International developments After 9/11 international move towards stronger identification of citizens & travellers US: Visa waiver program after 25 Oct 06 only for countries with biometric passport Standards developed by ICAO: International Civil Airline Organisation

9 Wichers Schreur / Jacobs (IPA Fall days ) p.4/34 Role of the Netherlands

10 Wichers Schreur / Jacobs (IPA Fall days ) p.4/34 Role of the Netherlands Large trial 2B or not 2B (6 cities, participants, Sept 04-Feb 05).

11 Wichers Schreur / Jacobs (IPA Fall days ) p.4/34 Role of the Netherlands Large trial 2B or not 2B (6 cities, participants, Sept 04-Feb 05). Philips main supplier of smartmx chips

12 Wichers Schreur / Jacobs (IPA Fall days ) p.4/34 Role of the Netherlands Large trial 2B or not 2B (6 cities, participants, Sept 04-Feb 05). Philips main supplier of smartmx chips SDU Identification (inter)nationally active as document supplier (and also within ICAO).

13 Wichers Schreur / Jacobs (IPA Fall days ) p.5/34 Own involvement

14 Wichers Schreur / Jacobs (IPA Fall days ) p.5/34 Own involvement Membership of expert council set up by ministry of internal affairs (Jacobs)

15 Wichers Schreur / Jacobs (IPA Fall days ) p.5/34 Own involvement Membership of expert council set up by ministry of internal affairs (Jacobs) Participation in enrollment procedure, resulting in test passport (Oostdijk)

16 Wichers Schreur / Jacobs (IPA Fall days ) p.5/34 Own involvement Membership of expert council set up by ministry of internal affairs (Jacobs) Participation in enrollment procedure, resulting in test passport (Oostdijk) Production of own terminal-side software (Wichers Schreur) & test development

17 Wichers Schreur / Jacobs (IPA Fall days ) p.5/34 Own involvement Membership of expert council set up by ministry of internal affairs (Jacobs) Participation in enrollment procedure, resulting in test passport (Oostdijk) Production of own terminal-side software (Wichers Schreur) & test development Role in discussion in media

18 Wichers Schreur / Jacobs (IPA Fall days ) p.5/34 Own involvement Membership of expert council set up by ministry of internal affairs (Jacobs) Participation in enrollment procedure, resulting in test passport (Oostdijk) Production of own terminal-side software (Wichers Schreur) & test development Role in discussion in media Disclaimer: no biometry experts

19 Wichers Schreur / Jacobs (IPA Fall days ) p.6/34 Passport fraud

20 Wichers Schreur / Jacobs (IPA Fall days ) p.6/34 Passport fraud Forgery of modern (NL) passports very difficult

21 Wichers Schreur / Jacobs (IPA Fall days ) p.6/34 Passport fraud Forgery of modern (NL) passports very difficult Production of passports has been centralised

22 Wichers Schreur / Jacobs (IPA Fall days ) p.6/34 Passport fraud Forgery of modern (NL) passports very difficult Production of passports has been centralised Criminal organisations collect large numbers of passports, and look for reasonable matches

23 Wichers Schreur / Jacobs (IPA Fall days ) p.6/34 Passport fraud Forgery of modern (NL) passports very difficult Production of passports has been centralised Criminal organisations collect large numbers of passports, and look for reasonable matches Look alike fraud is source of concern

24 Wichers Schreur / Jacobs (IPA Fall days ) p.6/34 Passport fraud Forgery of modern (NL) passports very difficult Production of passports has been centralised Criminal organisations collect large numbers of passports, and look for reasonable matches Look alike fraud is source of concern Hence original aim: biometric Verification

25 Wichers Schreur / Jacobs (IPA Fall days ) p.7/34 Reasonable security goal

26 Wichers Schreur / Jacobs (IPA Fall days ) p.7/34 Reasonable security goal Chip in passport with contactless access requires:

27 Wichers Schreur / Jacobs (IPA Fall days ) p.7/34 Reasonable security goal Chip in passport with contactless access requires: No identifying information is released without the consent of the passport s holder. This should include identification numbers of chips and country identification (bomb targeted at individuals/nationals).

28 Wichers Schreur / Jacobs (IPA Fall days ) p.7/34 Reasonable security goal Chip in passport with contactless access requires: No identifying information is released without the consent of the passport s holder. This should include identification numbers of chips and country identification (bomb targeted at individuals/nationals). Receiver must be able to check authenticity and integrity of contained data

29 II. Standards & requirements Wichers Schreur / Jacobs (IPA Fall days ) p.8/34

30 Wichers Schreur / Jacobs (IPA Fall days ) p.9/34 ICAO on MRTD

31 Wichers Schreur / Jacobs (IPA Fall days ) p.9/34 ICAO on MRTD MRTD: Machine Readable Travel Document

32 Wichers Schreur / Jacobs (IPA Fall days ) p.9/34 ICAO on MRTD MRTD: Machine Readable Travel Document Open standards, for states and suppliers

33 Wichers Schreur / Jacobs (IPA Fall days ) p.9/34 ICAO on MRTD MRTD: Machine Readable Travel Document Open standards, for states and suppliers PKI task force with members from US, UK, Can, Ger, NL.

34 Wichers Schreur / Jacobs (IPA Fall days ) p.9/34 ICAO on MRTD MRTD: Machine Readable Travel Document Open standards, for states and suppliers PKI task force with members from US, UK, Can, Ger, NL. Only facial image mandatory; fingerprints, iris scan, etc. optional

35 Wichers Schreur / Jacobs (IPA Fall days ) p.9/34 ICAO on MRTD MRTD: Machine Readable Travel Document Open standards, for states and suppliers PKI task force with members from US, UK, Can, Ger, NL. Only facial image mandatory; fingerprints, iris scan, etc. optional Only integrity check mandatory; several other protection mechanisms optional

36 Wichers Schreur / Jacobs (IPA Fall days ) p.9/34 ICAO on MRTD MRTD: Machine Readable Travel Document Open standards, for states and suppliers PKI task force with members from US, UK, Can, Ger, NL. Only facial image mandatory; fingerprints, iris scan, etc. optional Only integrity check mandatory; several other protection mechanisms optional See

37 Wichers Schreur / Jacobs (IPA Fall days ) p.10/34 EU on MRTD

38 Wichers Schreur / Jacobs (IPA Fall days ) p.10/34 EU on MRTD Facial scan included before 28 Aug 06

39 Wichers Schreur / Jacobs (IPA Fall days ) p.10/34 EU on MRTD Facial scan included before 28 Aug 06 Fingerprints later, 3 year after agreement on protection mechanism

40 Wichers Schreur / Jacobs (IPA Fall days ) p.10/34 EU on MRTD Facial scan included before 28 Aug 06 Fingerprints later, 3 year after agreement on protection mechanism Basic Access Control mandatory:

41 Wichers Schreur / Jacobs (IPA Fall days ) p.10/34 EU on MRTD Facial scan included before 28 Aug 06 Fingerprints later, 3 year after agreement on protection mechanism Basic Access Control mandatory: Access key for RFID chip extracted from Machine Readable Zone (MRZ) Intended as consent to read

42 Wichers Schreur / Jacobs (IPA Fall days ) p.11/34 NL on MRTD

43 Wichers Schreur / Jacobs (IPA Fall days ) p.11/34 NL on MRTD Introduction in two stages; start < 28/6/ 06.

44 Wichers Schreur / Jacobs (IPA Fall days ) p.11/34 NL on MRTD Introduction in two stages; start < 28/6/ 06. Original aim (2002): verification only, with decentralised storage of biometric data

45 Wichers Schreur / Jacobs (IPA Fall days ) p.11/34 NL on MRTD Introduction in two stages; start < 28/6/ 06. Original aim (2002): verification only, with decentralised storage of biometric data New aims (Jan. 2005, letter on terror ):

46 Wichers Schreur / Jacobs (IPA Fall days ) p.11/34 NL on MRTD Introduction in two stages; start < 28/6/ 06. Original aim (2002): verification only, with decentralised storage of biometric data New aims (Jan. 2005, letter on terror ): identification, called on line verification central database of biometric data meant as contribution to effectivity of identification laws

47 Wichers Schreur / Jacobs (IPA Fall days ) p.12/34 Protection mechanisms

48 Wichers Schreur / Jacobs (IPA Fall days ) p.12/34 Protection mechanisms basic access ctrl passive authent. active authent. extended access ctrl to protect mechanism EU US

49 Wichers Schreur / Jacobs (IPA Fall days ) p.12/34 Protection mechanisms to protect mechanism EU US basic access ctrl access & confidentiality encryption via key from MRZ + + passive authent. active authent. extended access ctrl

50 Wichers Schreur / Jacobs (IPA Fall days ) p.12/34 Protection mechanisms to protect mechanism EU US basic access ctrl access & confidentiality encryption via key from MRZ + + passive authent. integrity of content signature by SDU (by NL) + + active authent. extended access ctrl

51 Wichers Schreur / Jacobs (IPA Fall days ) p.12/34 Protection mechanisms to protect mechanism EU US basic access ctrl access & confidentiality encryption via key from MRZ + + passive authent. integrity of content signature by SDU (by NL) + + active authent. authenticity of document signing of challenge +- NL + - extended access ctrl

52 Wichers Schreur / Jacobs (IPA Fall days ) p.12/34 Protection mechanisms to protect mechanism EU US basic access ctrl access & confidentiality encryption via key from MRZ + + passive authent. integrity of content signature by SDU (by NL) + + active authent. authenticity of document signing of challenge +- NL + - extended access ctrl confidentiality of fingerprints key exchange / sign challenge + n.a.

53 Wichers Schreur / Jacobs (IPA Fall days ) p.12/34 Protection mechanisms to protect mechanism EU US basic access ctrl access & confidentiality encryption via key from MRZ + + passive authent. integrity of content signature by SDU (by NL) + + active authent. authenticity of document signing of challenge +- NL + - extended access ctrl confidentiality of fingerprints key exchange / sign challenge + n.a. Physical: Faraday cage ; prevents eavesdrop

54 Wichers Schreur / Jacobs (IPA Fall days ) p.13/34 International PKI

55 Wichers Schreur / Jacobs (IPA Fall days ) p.13/34 International PKI Country Signing CA (NL) signs certificate of Document Signer (SDU)

56 Wichers Schreur / Jacobs (IPA Fall days ) p.13/34 International PKI Country Signing CA (NL) signs certificate of Document Signer (SDU) SDU signs security object, for passive authentication

57 Wichers Schreur / Jacobs (IPA Fall days ) p.13/34 International PKI Country Signing CA (NL) signs certificate of Document Signer (SDU) SDU signs security object, for passive authentication Passport chip contains: SDU certificate own public key (hash in security object)

58 Wichers Schreur / Jacobs (IPA Fall days ) p.13/34 International PKI Country Signing CA (NL) signs certificate of Document Signer (SDU) SDU signs security object, for passive authentication Passport chip contains: SDU certificate own public key (hash in security object) Self-signed country certificates distributed at first via diplomatic post, later electronically.

59 V. Low level stuff Wichers Schreur / Jacobs (IPA Fall days ) p.14/34

60 Wichers Schreur / Jacobs (IPA Fall days ) p.15/34 Card info I

61 Wichers Schreur / Jacobs (IPA Fall days ) p.15/34 Card info I SmartMX Chip from Philips (P5CT072), with: 72Kbyte EEPROM contactless interface (ISO/IEC A) 3DES, RNG, RSA, SHA1 (ECC?)

62 Wichers Schreur / Jacobs (IPA Fall days ) p.15/34 Card info I SmartMX Chip from Philips (P5CT072), with: 72Kbyte EEPROM contactless interface (ISO/IEC A) 3DES, RNG, RSA, SHA1 (ECC?) High certification: level EAL5+ of Common Criteria

63 Wichers Schreur / Jacobs (IPA Fall days ) p.15/34 Card info I SmartMX Chip from Philips (P5CT072), with: 72Kbyte EEPROM contactless interface (ISO/IEC A) 3DES, RNG, RSA, SHA1 (ECC?) High certification: level EAL5+ of Common Criteria JavaCard OS: IBM JCOP41 version 2.20 Certification by German BSI ongoing

64 Wichers Schreur / Jacobs (IPA Fall days ) p.15/34 Card info I SmartMX Chip from Philips (P5CT072), with: 72Kbyte EEPROM contactless interface (ISO/IEC A) 3DES, RNG, RSA, SHA1 (ECC?) High certification: level EAL5+ of Common Criteria JavaCard OS: IBM JCOP41 version 2.20 Certification by German BSI ongoing Passport Java applet written by SDU: closed source

65 Wichers Schreur / Jacobs (IPA Fall days ) p.16/34 Card info II

66 Wichers Schreur / Jacobs (IPA Fall days ) p.16/34 Card info II Writing to chip (e.g. for visa, children etc.) not foreseen.

67 Wichers Schreur / Jacobs (IPA Fall days ) p.16/34 Card info II Writing to chip (e.g. for visa, children etc.) not foreseen. No certainty about absence of backdoors But secret access should be detectable via monitoring

68 Wichers Schreur / Jacobs (IPA Fall days ) p.17/34 Contactless issues

69 Wichers Schreur / Jacobs (IPA Fall days ) p.17/34 Contactless issues Operation distance < 10 cm; eavesdrop < 10m?

70 Wichers Schreur / Jacobs (IPA Fall days ) p.17/34 Contactless issues Operation distance < 10 cm; eavesdrop < 10m? Multiple cards may be in reach of reader

71 Wichers Schreur / Jacobs (IPA Fall days ) p.17/34 Contactless issues Operation distance < 10 cm; eavesdrop < 10m? Multiple cards may be in reach of reader Anti-collision protocol described in ISO

72 Wichers Schreur / Jacobs (IPA Fall days ) p.17/34 Contactless issues Operation distance < 10 cm; eavesdrop < 10m? Multiple cards may be in reach of reader Anti-collision protocol described in ISO With fixed identifier tree walking protocol in current SDU test passport (4 byte id) allows tracing and targeting

73 Contactless issues Operation distance < 10 cm; eavesdrop < 10m? Multiple cards may be in reach of reader Anti-collision protocol described in ISO With fixed identifier tree walking protocol in current SDU test passport (4 byte id) allows tracing and targeting SDU: deployed card will use random identifier Wichers Schreur / Jacobs (IPA Fall days ) p.17/34

74 III. High level protocols Wichers Schreur / Jacobs (IPA Fall days ) p.18/34

75 Wichers Schreur / Jacobs (IPA Fall days ) p.19/34 Basic Access Control I

76 Wichers Schreur / Jacobs (IPA Fall days ) p.19/34 Basic Access Control I MRZ info yields 3DES document basic access keys K ENC,K MAC, fixed for lifetime

77 Wichers Schreur / Jacobs (IPA Fall days ) p.19/34 Basic Access Control I MRZ info yields 3DES document basic access keys K ENC,K MAC, fixed for lifetime Relevant MRZ input: passport nr. + birth date + expiry date

78 Wichers Schreur / Jacobs (IPA Fall days ) p.19/34 Basic Access Control I MRZ info yields 3DES document basic access keys K ENC,K MAC, fixed for lifetime Relevant MRZ input: passport nr. + birth date + expiry date Consent & confidentiality mechanism

79 Wichers Schreur / Jacobs (IPA Fall days ) p.20/34 Basic Access Control II

80 Wichers Schreur / Jacobs (IPA Fall days ) p.20/34 Basic Access Control II Psp N P (8 byte) Rdr

81 Wichers Schreur / Jacobs (IPA Fall days ) p.20/34 Basic Access Control II Psp N P (8 byte) Rdr Psp A:=N R N P K R K Enc {A},K MAC [K ENC {A}] Rdr

82 Wichers Schreur / Jacobs (IPA Fall days ) p.20/34 Basic Access Control II Psp N P (8 byte) Rdr Psp A:=N R N P K R K Enc {A},K MAC [K ENC {A}] Rdr Psp B:=N P N R K P K Enc {B},K MAC [K ENC {B}] Rdr

83 Wichers Schreur / Jacobs (IPA Fall days ) p.20/34 Basic Access Control II Psp N P (8 byte) Rdr Psp A:=N R N P K R K Enc {A},K MAC [K ENC {A}] Rdr Psp B:=N P N R K P K Enc {B},K MAC [K ENC {B}] Rdr Session keys are then derived from K P and K R, for rest of communication.

84 Wichers Schreur / Jacobs (IPA Fall days ) p.21/34 Low Entropy I Maximal entropy somewhere between 50 and 60 bits

85 Wichers Schreur / Jacobs (IPA Fall days ) p.21/34 Low Entropy I Maximal entropy somewhere between 50 and 60 bits Actual entropy much lower

86 Wichers Schreur / Jacobs (IPA Fall days ) p.21/34 Low Entropy I Maximal entropy somewhere between 50 and 60 bits Actual entropy much lower NL: passport numbers sequential

87 Wichers Schreur / Jacobs (IPA Fall days ) p.21/34 Low Entropy I Maximal entropy somewhere between 50 and 60 bits Actual entropy much lower NL: passport numbers sequential check digit in passport number (Witteman, Riscure)

88 Wichers Schreur / Jacobs (IPA Fall days ) p.21/34 Low Entropy I Maximal entropy somewhere between 50 and 60 bits Actual entropy much lower NL: passport numbers sequential check digit in passport number (Witteman, Riscure) age can be guessed, say within 10 years

89 Wichers Schreur / Jacobs (IPA Fall days ) p.21/34 Low Entropy I Maximal entropy somewhere between 50 and 60 bits Actual entropy much lower NL: passport numbers sequential check digit in passport number (Witteman, Riscure) age can be guessed, say within 10 years entropy only 35 bits

90 Wichers Schreur / Jacobs (IPA Fall days ) p.22/34 Low Entropy II Brute force attack

91 Wichers Schreur / Jacobs (IPA Fall days ) p.22/34 Low Entropy II Brute force attack Skimming too slow: 100 guesses s 1

92 Wichers Schreur / Jacobs (IPA Fall days ) p.22/34 Low Entropy II Brute force attack Skimming too slow: 100 guesses s 1 Eavesdropped data: 1,000,000 guesses s 1

93 Wichers Schreur / Jacobs (IPA Fall days ) p.22/34 Low Entropy II Brute force attack Skimming too slow: 100 guesses s 1 Eavesdropped data: 1,000,000 guesses s 1 35 bits: crackable in hours on standard PC

94 Wichers Schreur / Jacobs (IPA Fall days ) p.22/34 Low Entropy II Brute force attack Skimming too slow: 100 guesses s 1 Eavesdropped data: 1,000,000 guesses s 1 35 bits: crackable in hours on standard PC Ministry: issuance order deeply entrenched in procedures and checks

95 Wichers Schreur / Jacobs (IPA Fall days ) p.22/34 Low Entropy II Brute force attack Skimming too slow: 100 guesses s 1 Eavesdropped data: 1,000,000 guesses s 1 35 bits: crackable in hours on standard PC Ministry: issuance order deeply entrenched in procedures and checks ICAO is studying strengthening of Basic Access Control

96 Wichers Schreur / Jacobs (IPA Fall days ) p.23/34 Passive authentication

97 Wichers Schreur / Jacobs (IPA Fall days ) p.23/34 Passive authentication Read Security Object from chip with: SDU certificate public key for active authentication hashes of all passport data SDU signature

98 Wichers Schreur / Jacobs (IPA Fall days ) p.23/34 Passive authentication Read Security Object from chip with: SDU certificate public key for active authentication hashes of all passport data SDU signature Authenticity check consists of: certificate of SDU, using NL public key signature by SDU, using certificate hashes, after reading data

99 Passive authentication Read Security Object from chip with: SDU certificate public key for active authentication hashes of all passport data SDU signature Authenticity check consists of: certificate of SDU, using NL public key signature by SDU, using certificate hashes, after reading data Cloning still possible. Wichers Schreur / Jacobs (IPA Fall days ) p.23/34

100 Wichers Schreur / Jacobs (IPA Fall days ) p.24/34 Active authentication, against cloning

101 Wichers Schreur / Jacobs (IPA Fall days ) p.24/34 Active authentication, against cloning Passport has private (RSA) key, with public key in (signed) security document.

102 Wichers Schreur / Jacobs (IPA Fall days ) p.24/34 Active authentication, against cloning Passport has private (RSA) key, with public key in (signed) security document. Psp N R (8 byte) Rdr

103 Wichers Schreur / Jacobs (IPA Fall days ) p.24/34 Active authentication, against cloning Passport has private (RSA) key, with public key in (signed) security document. Psp N R (8 byte) Rdr Psp Sig(N R padding) Rdr

104 Wichers Schreur / Jacobs (IPA Fall days ) p.24/34 Active authentication, against cloning Passport has private (RSA) key, with public key in (signed) security document. Psp N R (8 byte) Rdr Psp Sig(N R padding) Rdr Possible risk of signing location + timing data in N R, for tracking.

105 Wichers Schreur / Jacobs (IPA Fall days ) p.25/34 Advanced Security Mechanisms I

106 Wichers Schreur / Jacobs (IPA Fall days ) p.25/34 Advanced Security Mechanisms I For fingerprint protection; optional for ICAO

107 Wichers Schreur / Jacobs (IPA Fall days ) p.25/34 Advanced Security Mechanisms I For fingerprint protection; optional for ICAO Required by EU, but no EU-standard yet

108 Wichers Schreur / Jacobs (IPA Fall days ) p.25/34 Advanced Security Mechanisms I For fingerprint protection; optional for ICAO Required by EU, but no EU-standard yet German (BSI) proposal under consideration: New Diffie-Hellman session key Some protection against eavesdrop Reader must authenticate (certificates) Certificate revocation is problematic

109 Wichers Schreur / Jacobs (IPA Fall days ) p.25/34 Advanced Security Mechanisms I For fingerprint protection; optional for ICAO Required by EU, but no EU-standard yet German (BSI) proposal under consideration: New Diffie-Hellman session key Some protection against eavesdrop Reader must authenticate (certificates) Certificate revocation is problematic Each country controls itself who can read fingerprints

110 Wichers Schreur / Jacobs (IPA Fall days ) p.26/34 Advanced Security Mechanisms II (SK P,PK P,D P ) Psp Security Doc PK P,D P Rdr

111 Wichers Schreur / Jacobs (IPA Fall days ) p.26/34 Advanced Security Mechanisms II (SK P,PK P,D P ) Psp Security Doc PK P,D P Rdr Psp PK P ( SK R, PK R,D P ) Rdr

112 Wichers Schreur / Jacobs (IPA Fall days ) p.26/34 Advanced Security Mechanisms II (SK P,PK P,D P ) Psp Security Doc PK P,D P Rdr Psp PK P ( SK R, PK R,D P ) Rdr K = KA(SK P, PK R,D P ) K = KA( PK R,SK P,D P )

113 IV. Passports for other use? Wichers Schreur / Jacobs (IPA Fall days ) p.27/34

114 Wichers Schreur / Jacobs (IPA Fall days ) p.28/34 Secure logon via your passport

115 Wichers Schreur / Jacobs (IPA Fall days ) p.28/34 Secure logon via your passport Give your machine / local network: your passport s K ENC and K MAC your passport s public key

116 Wichers Schreur / Jacobs (IPA Fall days ) p.28/34 Secure logon via your passport Give your machine / local network: your passport s K ENC and K MAC your passport s public key Authenticate yourself via challenge-response: what you have

117 Wichers Schreur / Jacobs (IPA Fall days ) p.28/34 Secure logon via your passport Give your machine / local network: your passport s K ENC and K MAC your passport s public key Authenticate yourself via challenge-response: what you have Possibly add picture check: what you are.

118 Wichers Schreur / Jacobs (IPA Fall days ) p.28/34 Secure logon via your passport Give your machine / local network: your passport s K ENC and K MAC your passport s public key Authenticate yourself via challenge-response: what you have Possibly add picture check: what you are.

119 Wichers Schreur / Jacobs (IPA Fall days ) p.29/34 Digital signature via your passport?

120 Wichers Schreur / Jacobs (IPA Fall days ) p.29/34 Digital signature via your passport? Better not, because:

121 Wichers Schreur / Jacobs (IPA Fall days ) p.29/34 Digital signature via your passport? Better not, because: a. anyone who holds your passport can sign for you.

122 Wichers Schreur / Jacobs (IPA Fall days ) p.29/34 Digital signature via your passport? Better not, because: a. anyone who holds your passport can sign for you. b. Proof of identity requires release of your MRZ (and hence access to your chip), since: MRZ contains your name + birth date hash of MRZ signed by authorities, as part of security object

123 VI. Conclusions Wichers Schreur / Jacobs (IPA Fall days ) p.30/34

124 Wichers Schreur / Jacobs (IPA Fall days ) p.31/34 Conclusions I

125 Wichers Schreur / Jacobs (IPA Fall days ) p.31/34 Conclusions I Biometric passports are on their way

126 Wichers Schreur / Jacobs (IPA Fall days ) p.31/34 Conclusions I Biometric passports are on their way General approach (ICAO, EU): careful.

127 Wichers Schreur / Jacobs (IPA Fall days ) p.31/34 Conclusions I Biometric passports are on their way General approach (ICAO, EU): careful. Basic Access Control weak link.

128 Wichers Schreur / Jacobs (IPA Fall days ) p.31/34 Conclusions I Biometric passports are on their way General approach (ICAO, EU): careful. Basic Access Control weak link. Protection of fingerprints not fully settled yet

129 Wichers Schreur / Jacobs (IPA Fall days ) p.31/34 Conclusions I Biometric passports are on their way General approach (ICAO, EU): careful. Basic Access Control weak link. Protection of fingerprints not fully settled yet Open communication with Ministry & SDU

130 Wichers Schreur / Jacobs (IPA Fall days ) p.32/34 Conclusions II

131 Wichers Schreur / Jacobs (IPA Fall days ) p.32/34 Conclusions II Biometry much overrated:

132 Wichers Schreur / Jacobs (IPA Fall days ) p.32/34 Conclusions II Biometry much overrated: Silly approach: same password, used everywhere (no template protection)

133 Wichers Schreur / Jacobs (IPA Fall days ) p.32/34 Conclusions II Biometry much overrated: Silly approach: same password, used everywhere (no template protection) Large scale use of biometrics uncertain

134 Wichers Schreur / Jacobs (IPA Fall days ) p.32/34 Conclusions II Biometry much overrated: Silly approach: same password, used everywhere (no template protection) Large scale use of biometrics uncertain Substantial false positives/negatives to be expected

135 Wichers Schreur / Jacobs (IPA Fall days ) p.32/34 Conclusions II Biometry much overrated: Silly approach: same password, used everywhere (no template protection) Large scale use of biometrics uncertain Substantial false positives/negatives to be expected Identification goals undermined: by widespread use in other applications if many citizens (obnoxiously) put their fingerprints on the web

136 Wichers Schreur / Jacobs (IPA Fall days ) p.33/34 Conclusions III

137 Wichers Schreur / Jacobs (IPA Fall days ) p.33/34 Conclusions III Function creep risks: Who will use passport s biometrics? Welfare authorities, banks, casinos etc.? Central storage: risks of compromise, misuse, etc.

138 Wichers Schreur / Jacobs (IPA Fall days ) p.33/34 Conclusions III Function creep risks: Who will use passport s biometrics? Welfare authorities, banks, casinos etc.? Central storage: risks of compromise, misuse, etc. Set-up for improved identity management can lead to large scale identity theft.

139 Wichers Schreur / Jacobs (IPA Fall days ) p.33/34 Conclusions III Function creep risks: Who will use passport s biometrics? Welfare authorities, banks, casinos etc.? Central storage: risks of compromise, misuse, etc. Set-up for improved identity management can lead to large scale identity theft. Real test (also for privacy!) are the in integration in backoffice databases

140 Wichers Schreur / Jacobs (IPA Fall days ) p.33/34 Conclusions III Function creep risks: Who will use passport s biometrics? Welfare authorities, banks, casinos etc.? Central storage: risks of compromise, misuse, etc. Set-up for improved identity management can lead to large scale identity theft. Real test (also for privacy!) are the in integration in backoffice databases Slow increase of use to be expected

141 Wichers Schreur / Jacobs (IPA Fall days ) p.34/34 Further reading

142 Wichers Schreur / Jacobs (IPA Fall days ) p.34/34 Further reading Juels (RSA labs), Molnar & Wagner (UC-Berkeley) at:

143 Wichers Schreur / Jacobs (IPA Fall days ) p.34/34 Further reading Juels (RSA labs), Molnar & Wagner (UC-Berkeley) at: Kc (U-Colombia), Molnar & Karger (IBM) at:

Keep Out of My Passport: Access Control Mechanisms in E-passports

Keep Out of My Passport: Access Control Mechanisms in E-passports Keep Out of My Passport: Access Control Mechanisms in E-passports Ivo Pooters June 15, 2008 Abstract Nowadays, over 40 different countries issue biometric passports to increase security on there borders.

More information

e-passports Erik Poll Digital Security Group Radboud University Nijmegen

e-passports Erik Poll Digital Security Group Radboud University Nijmegen e-passports Erik Poll Digital Security Group Radboud University Nijmegen overview e-passports functionality and security mechanisms problems, so far future 2 e-passports e-passport contains RFID chip /

More information

Implementation of biometrics, issues to be solved

Implementation of biometrics, issues to be solved ICAO 9th Symposium and Exhibition on MRTDs, Biometrics and Border Security, 22-24 October 2013 Implementation of biometrics, issues to be solved Eugenijus Liubenka, Chairman of the Frontiers / False Documents

More information

Preventing fraud in epassports and eids

Preventing fraud in epassports and eids Preventing fraud in epassports and eids Security protocols for today and tomorrow by Markus Mösenbacher, NXP Machine-readable passports have been a reality since the 1980s, but it wasn't until after 2001,

More information

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA Security by Politics - Why it will never work Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA Agenda Motivation Some basics Brief overview epassport (MRTD) Why cloning? How to attack the

More information

Statewatch Briefing ID Cards in the EU: Current state of play

Statewatch Briefing ID Cards in the EU: Current state of play Statewatch Briefing ID Cards in the EU: Current state of play Introduction In March 2010, the Council Presidency sent out a questionnaire to EU Member States and countries that are members of the socalled

More information

Moving to the third generation of electronic passports

Moving to the third generation of electronic passports Moving to the third generation of electronic passports A new dimension in electronic passport security with Supplemental Access Control (SAC) > WHITE PAPER 2 Gemalto in brief Gemalto is the world leader

More information

Efficient Implementation of Electronic Passport Scheme Using Cryptographic Security Along With Multiple Biometrics

Efficient Implementation of Electronic Passport Scheme Using Cryptographic Security Along With Multiple Biometrics I.J. Information Engineering and Electronic Business, 2012, 1, 18-24 Published Online February 2012 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijieeb.2012.01.03 Efficient Implementation of Electronic

More information

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, 2006. Developed by: Smart Card Alliance Identity Council

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, 2006. Developed by: Smart Card Alliance Identity Council Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions July, 2006 Developed by: Smart Card Alliance Identity Council Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked

More information

MACHINE READABLE TRAVEL DOCUMENTS

MACHINE READABLE TRAVEL DOCUMENTS MACHINE READABLE TRAVEL DOCUMENTS (Logo) TECHNICAL REPORT PKI for Machine Readable Travel Documents offering ICC Read-Only Access Version - 1.1 Date - October 01, 2004 Published by authority of the Secretary

More information

Entrust Smartcard & USB Authentication

Entrust Smartcard & USB Authentication Entrust Smartcard & USB Authentication Technical Specifications Entrust IdentityGuard smartcard- and USB-based devices allow organizations to leverage strong certificate-based authentication of user identities

More information

TECHNICAL ADVISORY GROUP ON MACHINE READABLE TRAVEL DOCUMENTS (TAG/MRTD)

TECHNICAL ADVISORY GROUP ON MACHINE READABLE TRAVEL DOCUMENTS (TAG/MRTD) International Civil Aviation Organization WORKING PAPER TAG/MRTD/22-WP/24 16/04/14 English only Revised No 1. 06/05/14 Revised No. 2 13/05/14 TECHNICAL ADVISORY GROUP ON MACHINE READABLE TRAVEL DOCUMENTS

More information

Biometric Passport: Security And Privacy Aspects Of Machine Readable Travel Documents

Biometric Passport: Security And Privacy Aspects Of Machine Readable Travel Documents Final Report Biometric Passport: Security And Privacy Aspects Of Machine Readable Travel Documents Swiss Joint Master of Science in Computer Science Students Name: Hesam Kolahan, Tejendra Thapaliya Students

More information

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER with Convenience and Personal Privacy version 0.2 Aug.18, 2007 WHITE PAPER CONTENT Introduction... 3 Identity verification and multi-factor authentication..... 4 Market adoption... 4 Making biometrics

More information

European Electronic Identity Practices Country Update of Portugal

European Electronic Identity Practices Country Update of Portugal European Electronic Identity Practices Country Update of Portugal Speaker: Anabela Pedroso anabela.pedroso@umic.pt Date: 3 November 2006 1. Status of National legislation on eid Are eid specific regulations

More information

Electronic Passports in a Nutshell

Electronic Passports in a Nutshell Electronic Passports in a Nutshell Wojciech Mostowski and Erik Poll Radboud University, Nijmegen, The Netherlands {woj,erikpoll}@cs.ru.nl Abstract. This document tries to give concise, (semi)formal specifications

More information

Advanced Authentication

Advanced Authentication White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is

More information

A Note on the Relay Attacks on e-passports

A Note on the Relay Attacks on e-passports A Note on the Relay Attacks on e-passports The Case of Czech e-passports Martin Hlaváč 1 and Tomáš Rosa 1,2 hlavm1am@artax.karlin.mff.cuni.cz and trosa@ebanka.cz 1 Department of Algebra, Charles University

More information

Full page passport/document reader Regula model 70X4M

Full page passport/document reader Regula model 70X4M Full page passport/document reader Regula model 70X4M Full page passport reader with no moving parts inside. Automatic reading and authenticity verification of passports, IDs, visas, driver s licenses

More information

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Using etoken for SSL Web Authentication. SSL V3.0 Overview Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents

More information

Electronic machine-readable travel documents (emrtds) The importance of digital certificates

Electronic machine-readable travel documents (emrtds) The importance of digital certificates Electronic machine-readable travel documents (emrtds) The importance of digital certificates Superior security Electronic machine-readable travel documents (emrtds) are well-known for their good security.

More information

Discover Germany s Electronic Passport

Discover Germany s Electronic Passport Discover Germany s Electronic Passport Starting 1 Nov. 2007 E-Passport 2nd Generation www.epass.de 1 Introducing Germany s e-passport If you want to know why there are electronic passports and how to recognize

More information

Operational and Technical security of Electronic Passports

Operational and Technical security of Electronic Passports European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union Operational and Technical security of Electronic Passports Warsaw, Legal

More information

Best Practices for the Use of RF-Enabled Technology in Identity Management. January 2007. Developed by: Smart Card Alliance Identity Council

Best Practices for the Use of RF-Enabled Technology in Identity Management. January 2007. Developed by: Smart Card Alliance Identity Council Best Practices for the Use of RF-Enabled Technology in Identity Management January 2007 Developed by: Smart Card Alliance Identity Council Best Practices for the Use of RF-Enabled Technology in Identity

More information

Common Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP-0064. Version 1.01 (15 th April 2010)

Common Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP-0064. Version 1.01 (15 th April 2010) Common Criteria Protection Profile for BSI-CC-PP-0064 Version 1.01 (15 th April 2010) Federal Office for Information Security Postfach 20 03 63 53133 Bonn Phone: +49 228 99 9582-0 e-mail: zertifizierung@bsi.bund.de

More information

I N F O R M A T I O N S E C U R I T Y

I N F O R M A T I O N S E C U R I T Y NIST Special Publication 800-78-3 DRAFT Cryptographic Algorithms and Key Sizes for Personal Identity Verification W. Timothy Polk Donna F. Dodson William E. Burr Hildegard Ferraiolo David Cooper I N F

More information

eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke

eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke Agenda eidas Regulation TR-03110 V2.20 German ID card POSeIDAS Summary cryptovision mindshare 2015: eidas

More information

PKD Board ICAO PKD unclassified B-Tec/36. Regulations for the ICAO Public Key Directory

PKD Board ICAO PKD unclassified B-Tec/36. Regulations for the ICAO Public Key Directory Regulations for the ICAO Public Key Directory last modification final 1/8 SECTION 1 AUTHORITY These Regulations are issued by ICAO on the basis of Paragraph 3 b) of the Memorandum of Understanding (MoU)

More information

LEGIC advant transponder chips. For flexible and secure ID systems at MHz

LEGIC advant transponder chips. For flexible and secure ID systems at MHz LEGIC advant transponder chips For flexible and secure ID systems at 13.56 MHz advant the right decision Free choice of medium With advant, you have a free choice of smartcard, key fob, watch, credit card,

More information

I N F O R M A T I O N S E C U R I T Y

I N F O R M A T I O N S E C U R I T Y NIST Special Publication 800-78-2 DRAFT Cryptographic Algorithms and Key Sizes for Personal Identity Verification W. Timothy Polk Donna F. Dodson William. E. Burr I N F O R M A T I O N S E C U R I T Y

More information

5. Biometric data-leakage: Among other data, e- passports will include biometric images. In accordance

5. Biometric data-leakage: Among other data, e- passports will include biometric images. In accordance Security and Privacy Issues in E-passports Ari Juels, David Molnar, and David Wagner Abstract Within the next year, travelers from dozens of nations may be carrying a new form of passport in response to

More information

Gemalto Mifare 4K Datasheet

Gemalto Mifare 4K Datasheet Gemalto Mifare 4K Datasheet Contents 1. Overview...3 1.1 User convenience and speed...3 1.2 Security...3 1.3 Anticollision...3 2. Gemalto Mifare 4K Features...4 2.1 Compatibility with norms...4 2.2 Electrical...4

More information

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used? esign FAQ 1. What is the online esign Electronic Signature Service? esign Electronic Signature Service is an innovative initiative for allowing easy, efficient, and secure signing of electronic documents

More information

E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption

E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption Journal of Computer Science 6 (7): 723-727, 2010 ISSN 1549-3636 2010 Science Publications E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption Najlaa A. Abuadhmah,

More information

New Attacks against RFID-Systems. Lukas Grunwald DN-Systems GmbH Germany

New Attacks against RFID-Systems. Lukas Grunwald DN-Systems GmbH Germany New Attacks against RFID-Systems Lukas Grunwald DN-Systems GmbH Germany Agenda What is RFID? How to exploit and attack RFID systems Attacks against the middleware Reader-emulation, soft-tags Unexpected

More information

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1 Encryption, Data Integrity, Digital Certificates, and SSL Developed by Jerry Scott 2002 SSL Primer-1-1 Ideas Behind Encryption When information is transmitted across intranets or the Internet, others can

More information

Evidence of Identity: Breeder Documents and Beyond Barry J. Kefauver International national Standards ds Organization ation Why Care? A false passport in the hands of a terrorist is as dangerous as a bomb

More information

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards January 2007 Developed by: Smart Card Alliance Identity Council RF-Enabled Applications and Technology:

More information

October 2014 Issue No: 2.0. Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services

October 2014 Issue No: 2.0. Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services October 2014 Issue No: 2.0 Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services

More information

FAQs - New German ID Card. General

FAQs - New German ID Card. General FAQs - New German ID Card General 1) How to change from the old ID card to the new one? The new Law on Identification Cards came into effect on 1 November 2010. Since then, citizens can apply for the new

More information

Common Criteria Protection Profile

Common Criteria Protection Profile Machine Readable Travel Document using Standard Inspection Procedure with PACE (PACE PP) Version 1.01, 22th July 2014 Foreword This Protection Profile Electronic Passport using Standard Inspection procedure

More information

Biometrics, Tokens, & Public Key Certificates

Biometrics, Tokens, & Public Key Certificates Biometrics, Tokens, & Public Key Certificates The Merging of Technologies TOKENEER Workstations WS CA WS WS Certificate Authority (CA) L. Reinert S. Luther Information Systems Security Organization Biometrics,

More information

Sicherheitsaspekte des neuen deutschen Personalausweises

Sicherheitsaspekte des neuen deutschen Personalausweises Sicherheitsaspekte des neuen deutschen Personalausweises Dennis Kügler Bundesamt für Sicherheit in der Informationstechnik egov Fokus 2/2013: Identity- und Access Management im E-Government Rethinking

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

Integration of the New German ID- Card (npa) in Enterprise Environments

Integration of the New German ID- Card (npa) in Enterprise Environments Integration of the New German ID- Card (npa) in Enterprise Environments Technics Prospects Costs - Threats Troopers 2011 By Friedwart Kuhn & Michael Thumann Agenda Introduction The New German ID-Card (npa)

More information

biometric authentication

biometric authentication biometric authentication Homeland Security Suite Your business technologists. Powering progress Homeland Security Suite The use of fingerprint biometrics to identify human beings has a long history. Today,

More information

3 rd Generation Electronic Passport Supplemental Access Control (SAC) for future-proof security and privacy

3 rd Generation Electronic Passport Supplemental Access Control (SAC) for future-proof security and privacy 3 rd Generation Electronic Passport Supplemental Access Control (SAC) for future-proof security and privacy Gemalto Verna Heino ICAO MRTD Symposium Montreal ICAO MRTD Symposium, Montreal September 12 th

More information

Frequently Asked Questions About the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors

Frequently Asked Questions About the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors Frequently Asked Questions About the Standard for Personal Identity Verification (PIV) of Federal Employees and Contractors Background On Aug. 27, 2004, the President issued a Homeland Security Presidential

More information

Gemalto Mifare 1K Datasheet

Gemalto Mifare 1K Datasheet Gemalto Mifare 1K Datasheet Contents 1. Overview...3 1.1 User convenience and speed...3 1.2 Security...3 1.3 Anticollision...3 2. Gemalto Mifare Features...4 2.1 Compatibility with norms...4 2.2 Electrical...4

More information

We Must Comply with International Requirements! Introducing Biometric ID Cards in France

We Must Comply with International Requirements! Introducing Biometric ID Cards in France We Must Comply with International Requirements! Introducing Biometric ID Cards in France Meryem Marzouki CNRS - LIP6/PolyTIC / IRIS Meryem.Marzouki@iris.sgdg.org www.iris.sgdg.org Terrorizing Privacy?

More information

Smart Card Technology Capabilities

Smart Card Technology Capabilities Smart Card Technology Capabilities Won J. Jun Giesecke & Devrient (G&D) July 8, 2003 Smart Card Technology Capabilities 1 Table of Contents Smart Card Basics Current Technology Requirements and Standards

More information

Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13)

Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) Public Key Cryptography in Practice c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) How Cryptography is Used in Applications The main drawback of public key cryptography is the inherent

More information

addressed. Specifically, a multi-biometric cryptosystem based on the fuzzy commitment scheme, in which a crypto-biometric key is derived from

addressed. Specifically, a multi-biometric cryptosystem based on the fuzzy commitment scheme, in which a crypto-biometric key is derived from Preface In the last decade biometrics has emerged as a valuable means to automatically recognize people, on the base is of their either physiological or behavioral characteristics, due to several inherent

More information

Biometrics for Public Sector Applications

Biometrics for Public Sector Applications Technical Guideline TR-03121-2 Biometrics for Public Sector Applications Part 2: Software Architecture and Application Profiles Version 2.3 Bundesamt für Sicherheit in der Informationstechnik Postfach

More information

FAQs Electronic residence permit

FAQs Electronic residence permit FAQs Electronic residence permit General 1) When was the electronic residence permit introduced? Since 1 September 2011, foreigners in Germany have been issued with the new electronic residence permit

More information

Security Analysis of Australian and E.U. E-passport Implementation

Security Analysis of Australian and E.U. E-passport Implementation Security Analysis of Australian and E.U. E-passport Implementation Vijayakrishnan Pasupathinathan and Josef Pieprzyk Department of Computing, Macquarie University New South Wales, Australia 2109 {krishnan,josef}@ics.mq.edu.au

More information

Sub- Regional Workshop and Consulta;ons on Capacity- Building in Travel Document Security: Colombia, 2013

Sub- Regional Workshop and Consulta;ons on Capacity- Building in Travel Document Security: Colombia, 2013 Sub- Regional Workshop and Consulta;ons on Capacity- Building in Travel Document Security: Colombia, 2013 Carlos Gómez Head of R&D and Innova.on, FNMT- RCM, Spain ICAO TRIP: Building Trust in Travel Document

More information

Position Paper European Citizen Card: One Pillar of Interoperable eid Success

Position Paper European Citizen Card: One Pillar of Interoperable eid Success Position Paper European Citizen Card: One Pillar of Interoperable eid Success October 2008 Disclaimer Eurosmart takes reasonable measures to ensure the quality of the information contained in this document.

More information

IDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region

IDENTITY MANAGEMENT. February 2008. The Government of the Hong Kong Special Administrative Region IDENTITY MANAGEMENT February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

CSC 474 -- Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

CSC 474 -- Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity CSC 474 -- Network Security Topic 6.2 User Authentication CSC 474 Dr. Peng Ning 1 User Authentication Basics CSC 474 Dr. Peng Ning 2 Authentication and Identity What is identity? which characteristics

More information

IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

More information

39 myths about e-passports

39 myths about e-passports 14 39 myths about e-passports The facts behind e-passports and RFID technology by Mike Ellis The International Civil Aviation Organisation () - and the NTWG 1 in particular - first started work on what

More information

MOBILE IDENTIFICATION:

MOBILE IDENTIFICATION: MOBILE IDENTIFICATION: FROM FUNCTIONAL REQUIREMENTS, TO TESTING FOR INTEROPERABILITY AND SECURITY Antonia Rana*, Alessandro Alessandroni** *Joint Research Centre, **DigitPA EUR 25037 EN - 2011 The mission

More information

End-to-end security with advanced biometrics technology

End-to-end security with advanced biometrics technology www.thalesgroup.com Identity Management End-to-end security with advanced biometrics technology Challenges and opportunities With the explosion in personal mobility and growing migratory flows, governments

More information

End-to-end security with advanced biometrics technology

End-to-end security with advanced biometrics technology www.thalesgroup.com Identity Management End-to-end security with advanced biometrics technology Challenges and opportunities New environment With the explosion in personal mobility and growing migratory

More information

Biometric Passport Validation Scheme using Radio Frequency Identification

Biometric Passport Validation Scheme using Radio Frequency Identification I. J. Computer Network and Information Security, 2013, 5, 30-39 Published Online April 2013 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2013.05.04 Biometric Passport Validation Scheme using

More information

Smart Card & E-passport

Smart Card & E-passport Smart Card & E-passport Bingsheng Zhang 1,2 1 Cybernetica AS, Estonia 2 University of Tartu, Estonia MTAT.07.017 applied crypto, 2009s Table of content Introduction of Smart Cards Types of Smart Cards

More information

Mobile Driver s License Solution

Mobile Driver s License Solution Mobile Driver s License Solution Secure, convenient and more efficient Improved identity protection through secure mobile driver s licenses The introduction of a mobile driver s license is a huge opportunity

More information

ADVANCE AUTHENTICATION TECHNIQUES

ADVANCE AUTHENTICATION TECHNIQUES ADVANCE AUTHENTICATION TECHNIQUES Introduction 1. Computer systems and the information they store and process are valuable resources which need to be protected. With the current trend toward networking,

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

Combatting Counterfeit Identities: The Power of Pairing Physical & Digital IDs

Combatting Counterfeit Identities: The Power of Pairing Physical & Digital IDs Combatting Counterfeit Identities: The Power of Pairing Physical & Digital IDs 1 GOVERNMENTS ADOPTING DIGITAL STRATEGIES Governments designing/operating digital ecosystems to create, transform and optimize

More information

Introducing etoken. What is etoken?

Introducing etoken. What is etoken? Introducing etoken Nirit Bear September 2002 What is etoken? Small & portable reader-less Smartcard Standard USB connectivity Logical and physical protection Tamper evident (vs. tamper proof) Water resistant

More information

How to use your new card. Tomorrow s Queensland: strong, green, smart, healthy and fair

How to use your new card. Tomorrow s Queensland: strong, green, smart, healthy and fair How to use your new card Tomorrow s Queensland: strong, green, smart, healthy and fair Safer, stronger cards for Queenslanders The Queensland Government has used the latest technology to make new Queensland

More information

Landscape of eid in Europe in 2013

Landscape of eid in Europe in 2013 Landscape of eid in Europe in 2013 July 2013 Eurosmart White Paper Contents Executive Summary 3 1. Purpose of the document 3 2. EU regulation 3 3. EU Member States identification policies 4 3.1. National

More information

SSL Protect your users, start with yourself

SSL Protect your users, start with yourself SSL Protect your users, start with yourself Kulsysmn 14 december 2006 Philip Brusten Overview Introduction Cryptographic algorithms Secure Socket Layer Certificate signing service

More information

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION COMMON CRITERIA PROTECTION PROFILE EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION Draft Version 1.0 TURKISH STANDARDS INSTITUTION TABLE OF CONTENTS Common Criteria Protection Profile...

More information

PKD Board ICAO PKD unclassified B-Tec/37. Procedures for the ICAO Public Key Directory

PKD Board ICAO PKD unclassified B-Tec/37. Procedures for the ICAO Public Key Directory Procedures for the ICAO Public Key Directory last modification final 1/13 SECTION 1 INTRODUCTION 1.1 As part of the MRTD initiative by ICAO, the Participants will upload to and download from the PKD, their

More information

NIST Test Personal Identity Verification (PIV) Cards

NIST Test Personal Identity Verification (PIV) Cards NISTIR 7870 NIST Test Personal Identity Verification (PIV) Cards David A. Cooper http://dx.doi.org/10.6028/nist.ir.7870 NISTIR 7870 NIST Text Personal Identity Verification (PIV) Cards David A. Cooper

More information

CERTIFICATION REPORT

CERTIFICATION REPORT REF: 2011-11-INF-837 v1 Target: Público Date: 17.04.2012 Created by: CERT8 Revised by: CALIDAD Approved by: TECNICO CERTIFICATION REPORT File: 2011-11 KONA 102J1 epassport EAC v1.1 Applicant: KEBTechnology

More information

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES BSI TR-03139 Version 2.1 27 May 2013 Foreword The present document

More information

Understanding Digital Signature And Public Key Infrastructure

Understanding Digital Signature And Public Key Infrastructure Understanding Digital Signature And Public Key Infrastructure Overview The use of networked personnel computers (PC s) in enterprise environments and on the Internet is rapidly approaching the point where

More information

Preventing Attacks on Machine Readable Travel Documents (MRTDs)

Preventing Attacks on Machine Readable Travel Documents (MRTDs) Preventing Attacks on Machine Readable Travel Documents (MRTDs) Gaurav S. Kc 1 and Paul A. Karger 2 1 Columbia University 450 Computer Science, 1214 Amsterdam Ave., MC 0401, New York, NY 10027, USA gskc@cs.columbia.edu

More information

Multi-Factor Authentication of Online Transactions

Multi-Factor Authentication of Online Transactions Multi-Factor Authentication of Online Transactions Shelli Wobken-Plagge May 7, 2009 Agenda How are economic and fraud trends evolving? What tools are available to secure online transactions? What are best

More information

Contactless Reader. Technical Specifications. Subject to change without prior notice

Contactless Reader. Technical Specifications.  Subject to change without prior notice ACR1281U npa Contactless Reader Technical Specifications Subject to change without prior notice Table of Contents 1.0. Introduction... 3 2.0. Features... 4 3.0. Typical Applications... 5 4.0. Technical

More information

TÜBİTAK BİLGEM ULUSAL ELEKTRONİK & KRİPTOLOJİ ARAŞTIRMA ENSTİTÜSÜ AKİS PROJESİ AKİS V1.4N

TÜBİTAK BİLGEM ULUSAL ELEKTRONİK & KRİPTOLOJİ ARAŞTIRMA ENSTİTÜSÜ AKİS PROJESİ AKİS V1.4N The contents of this document are the property of TÜBİTAK TÜBİTAK BİLGEM ULUSAL ELEKTRONİK & KRİPTOLOJİ ARAŞTIRMA ENSTİTÜSÜ AKİS PROJESİ AKİS-PASAPORT SECURITY TARGET LITE AKİS V1.4N Revision No 06 Revision

More information

50 ways to break RFID privacy

50 ways to break RFID privacy 50 ways to break RFID privacy Ton van Deursen 1 University of Luxembourg ton.vandeursen@uni.lu 1 Financial support received from the Fonds National de la Recherche (Luxembourg). RFID privacy 1 / 40 Outline

More information

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT Dmitry Barinov SecureKey Technologies Inc. Session ID: MBS-W09 Session Classification: Advanced Session goals Appreciate the superior

More information

Strengthen RFID Tags Security Using New Data Structure

Strengthen RFID Tags Security Using New Data Structure International Journal of Control and Automation 51 Strengthen RFID Tags Security Using New Data Structure Yan Liang and Chunming Rong Department of Electrical Engineering and Computer Science, University

More information

PRIME IDENTITY MANAGEMENT CORE

PRIME IDENTITY MANAGEMENT CORE PRIME IDENTITY MANAGEMENT CORE For secure enrollment applications processing and workflow management. PRIME Identity Management Core provides the foundation for any biometric identification platform. It

More information

Description of the Technical Component:

Description of the Technical Component: Confirmation concerning Products for Qualified Electronic Signatures according to 15 Sec. 7 S. 1, 17 Sec. 4 German Electronic Signature Act 1 and 11 Sec. 2 and 15 German Electronic Signature Ordinance

More information

SSLPost Electronic Document Signing

SSLPost Electronic Document Signing SSLPost Electronic Document Signing Overview What is a Qualifying Advanced Electronic Signature (QAES)? A Qualifying Advanced Electronic Signature, is a specific type of digital electronic signature, that

More information

A c o n c i s e g u i d e t o t h e G e r m a n e Pa s s p o r t s y s t e m 2 0 0 7

A c o n c i s e g u i d e t o t h e G e r m a n e Pa s s p o r t s y s t e m 2 0 0 7 10/2007 A c o n c i s e g u i d e t o t h e G e r m a n e Pa s s p o r t s y s t e m 2 0 0 7 www.bundesdruckerei.de A c o n c i s e g u i d e t o t h e G e r m a n e Pa s s p o r t s y s t e m 2 0 0 7

More information

ON IDENTITY CARDS. Based on Article 65 (1) of the Constitution of the Republic of Kosovo, LAW ON IDENTITY CARDS CHAPTER I GENERAL PROVISIONS

ON IDENTITY CARDS. Based on Article 65 (1) of the Constitution of the Republic of Kosovo, LAW ON IDENTITY CARDS CHAPTER I GENERAL PROVISIONS LAW Nо. 05/L-015 ON IDENTITY CARDS The Assembly of the Republic of Kosovo, Based on Article 65 (1) of the Constitution of the Republic of Kosovo, Approves LAW ON IDENTITY CARDS CHAPTER I GENERAL PROVISIONS

More information

Banking. Extending Value to Customers. KONA Banking product matrix. KONA@I is leading the next generation of payment solutions.

Banking. Extending Value to Customers. KONA Banking product matrix. KONA@I is leading the next generation of payment solutions. Smart IC Banking Banking Extending Value to Customers KONA Banking product matrix Contact - SDA Product EEPROM Java Card Type KONA Products KONA@I is leading the next generation of payment solutions Banks,

More information

Protection Profile for UK Dual-Interface Authentication Card

Protection Profile for UK Dual-Interface Authentication Card Protection Profile for UK Dual-Interface Authentication Card Version 1-0 10 th July 2009 Reference: UNKT-DO-0002 Introduction This document defines a Protection Profile to express security, evaluation

More information

esign Online Digital Signature Service

esign Online Digital Signature Service esign Online Digital Signature Service Government of India Ministry of Communications and Information Technology Department of Electronics and Information Technology Controller of Certifying Authorities

More information

Machine Readable Travel Documents

Machine Readable Travel Documents Doc 9303 Machine Readable Travel Documents Part 3 Machine Readable Official Travel Documents Volume 2 Specifications for Electronically Enabled MRtds with Biometric Identification Capability Approved by

More information

Mécanismes de Restauration de. Privacy pour les Systèmes. RFID Offlines. Gildas AVOINE, Iwen COISEL, Tania MARTIN. Journées C2 Octobre 2012

Mécanismes de Restauration de. Privacy pour les Systèmes. RFID Offlines. Gildas AVOINE, Iwen COISEL, Tania MARTIN. Journées C2 Octobre 2012 Mécanismes de Restauration de Privacy pour les Systèmes RFID Offlines Gildas AVOINE, Iwen COISEL, Tania MARTIN Journées C2 Octobre 2012 Microelectronics Laboratory Privacy-Restoring Mechanism - Journées

More information

Common Criteria Protection Profile. Machine Readable Travel Document with ICAO Application, Basic Access Control BSI-CC-PP-0055

Common Criteria Protection Profile. Machine Readable Travel Document with ICAO Application, Basic Access Control BSI-CC-PP-0055 Common Criteria Protection Profile Machine Readable Travel Document with ICAO Application, Basic Access Control BSI-CC-PP-0055 Common Criteria Protection Profile Version 1.10, 25 th March 2009 Foreword

More information

Veda: Fraud Focus Group Forum

Veda: Fraud Focus Group Forum Veda: Fraud Focus Group Forum Identity Crime Trends, Risks and Solutions Dr Russell G Smith Principal Criminologist Outline Identity crime concepts The scope of identity crime Identity crime taxonomies

More information