A Note on the Relay Attacks on e-passports



Similar documents
Implementation of biometrics, issues to be solved

MIFARE ISO/IEC PICC

RFID Penetration Tests when the truth is stranger than fiction

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA

Keep Out of My Passport: Access Control Mechanisms in E-passports

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

Best Practices for the Use of RF-Enabled Technology in Identity Management. January Developed by: Smart Card Alliance Identity Council

50 ways to break RFID privacy

Gemalto Mifare 1K Datasheet

Preventing fraud in epassports and eids

Using RFID Techniques for a Universal Identification Device

Risks of Offline Verify PIN on Contactless Cards

Electronic machine-readable travel documents (emrtds) The importance of digital certificates

Moving to the third generation of electronic passports

E-Passport Testing. Ensuring Global Acceptance. Jos Chehin Date: 17 November 2006 Location: ASML

PUF Physical Unclonable Functions

eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke

AN1305. MIFARE Classic as NFC Type MIFARE Classic Tag. Application note COMPANY PUBLIC. Rev October Document information

Localization System for Roulette and other Table Games

E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption

New Attacks against RFID-Systems. Lukas Grunwald DN-Systems GmbH Germany

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

A Survey on Untransferable Anonymous Credentials

Measurement and Analysis Introduction of ISO7816 (Smart Card)

Modular biometric architecture with secunet biomiddle

How To Hack An Rdi Credit Card

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Relay attacks on card payment: vulnerabilities and defences

Discover Germany s Electronic Passport

Establishing and Managing the Schengen Masterlist of CSCAs

Mobile Electronic Payments

Security in Near Field Communication (NFC)

Full page passport/document reader Regula model 70X4M

CETECOM ICT Services GmbH Untertürkheimer Straße 6-10, D Saarbrücken Phone: +49 (0) Fax:-9075

Statewatch Briefing ID Cards in the EU: Current state of play

AN1304. NFC Type MIFARE Classic Tag Operation. Application note PUBLIC. Rev October Document information

Overview of Contactless Payment Cards. Peter Fillmore. July 20, 2015

Common Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP Version 1.01 (15 th April 2010)

THE APPEAL FOR CONTACTLESS PAYMENT 3 AVAILABLE CONTACTLESS TECHNOLOGIES 3 USING ISO BASED TECHNOLOGY FOR PAYMENT 4

How To Attack A Key Card With A Keycard With A Car Key (For A Car)

Operational and Technical security of Electronic Passports

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

Smart Card Application Standard Draft

Cryptography: Authentication, Blind Signatures, and Digital Cash

Location Aware Selective Unlocking for Enhancing RFID Security

Hacking Mifare Classic Cards. Márcio Almeida

Mobile Driver s License Solution

Strengthen RFID Tags Security Using New Data Structure

More effective protection for your access control system with end-to-end security

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

NFC Test Challenges for Mobile Device Developers Presented by: Miguel Angel Guijarro

ON IDENTITY CARDS. Based on Article 65 (1) of the Constitution of the Republic of Kosovo, LAW ON IDENTITY CARDS CHAPTER I GENERAL PROVISIONS

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

E-passport testing equipment

Defending the Internet of Things

Best Solutions for Biometrics and eid

Frequently Asked Questions

Implementation Vulnerabilities in SSL/TLS

Exercise 1: Set up the Environment

Chapter 5. Simple Ad hoc Key Management. 5.1 Introduction

SECURE IDENTITY MANAGEMENT. Globally recognised identity management expertise

A DATA AUTHENTICATION SOLUTION OF ADS-B SYSTEM BASED ON X.509 CERTIFICATE

Landscape of eid in Europe in 2013

Sub- Regional Workshop and Consulta;ons on Capacity- Building in Travel Document Security: Colombia, 2013

Introducing etoken. What is etoken?

Mobile and Contactless Payment Security

European Electronic Identity Practices Country Update of Portugal

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

Requirements for an EMVCo Common Contactless Application (CCA)

MOBILE IDENTIFICATION:

Using etoken for SSL Web Authentication. SSL V3.0 Overview

CS 758: Cryptography / Network Security

International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

Security in RFID Networks and Protocols

An Overview of Approaches to Privacy Protection in RFID

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

THREAT MODELLING FOR SECURITY TOKENS IN WEB APPLICATIONS

Security/Privacy Models for "Internet of things": What should be studied from RFID schemes? Daisuke Moriyama and Shin ichiro Matsuo NICT, Japan

MF1 IC S General description. Functional specification. 1.1 Contactless Energy and Data Transfer. 1.2 Anticollision. Energy

RFID and Privacy Impact Assessment (PIA)

RFID Security. April 10, Martin Dam Pedersen Department of Mathematics and Computer Science University Of Southern Denmark

COMPUTING SCIENCE. Risks of Offline Verify PIN on Contactless Cards. Martin Emms, Budi Arief, Nicholas Little and Aad van Moorsel

Chip & PIN is definitely broken. Credit Card skimming and PIN harvesting in an EMV world

Software Card Emulation in NFC-enabled Mobile Phones: Great Advantage or Security Nightmare?

Keywords: German electronic ID card, e-government and e-business applications, identity management

Encrypting Network Traffic

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

INTEGRATED CIRCUITS I CODE SLI. Smart Label IC SL2 ICS20. Functional Specification. Product Specification Revision 3.1 Public. Philips Semiconductors

NFC APPLICATIONS IN THE TRACKING SYSTEMS

SECURITY IN LOW RESOURCE ENVIRONMENTS

Transcription:

A Note on the Relay Attacks on e-passports The Case of Czech e-passports Martin Hlaváč 1 and Tomáš Rosa 1,2 hlavm1am@artax.karlin.mff.cuni.cz and trosa@ebanka.cz 1 Department of Algebra, Charles University in Prague, Sokolovská 83, 186 75 Prague 8, Czech Republic, 2 ebanka, a.s., Na Příkopě 19, 117 19 Prague 1, Czech Republic Abstract. The threat of relay attacks on authentication protocols is often well recognized, especially for contactless applications like RFID chips. It is, therefore, a bit surprising to meet an implementation that actually encourages rather than eliminates these attacks. We present our experimental observations concerning Czech e-passports. These show clearly an inherent weakness rooted in lower layers of ISO 14443. As the behavior is unavoidable, it induces a question on whether the e- passport should not have used a different communication protocol or authentication scheme. Keywords : RFID, e-passport, relay attack Introduction Electronic passports based on a contactless proximity coupling smartcard technology (in short and a bit inaccurately called as RFID chips) according to ICAO standards [1] seem to be on an unstoppable rise. Long story short [2], these machine readable travel documents are equipped with an RF chip that stores a personal data of their owner. Access to this data shall be (at least in European Union countries) protected via a basic access control (BAC) mechanism to prevent their accidental skimming. The data are also digitally signed by an issuing authority to prevent their unauthorized change. This, of course, does not prevent copying these data into a cloned passport. Therefore, some countries decided to introduce so called active authentication (AA) protocol. Informally speaking, it is a challenge-response authentication based on RSA signature scheme with message recovery (ISO 9796-2). The RSA private key is protected by the chip, so it should be impossible to make a duplicate that passes AA verification. Obviously, the scheme of AA can hardly avoid a relay attack as described e.g. in [3]. The approach described there actually behaves similarly to a plain wireextender for a contact card. Using this technique, we can present an e-passport resting in somebody s pocket to a customs service without disturbing its holder The authors were supported by the grant from GAUK n. 7302/2007.

in any way. Therefore, the authentication scheme obviously does not assure the travel document authentication as was perhaps deemed by its architects. Unless we use distance bounding protocols [4], it is really hard to defeat these attacks. On the other hand, the distance for the attack seems to be limited physically as it is hard to imagine that it uses a TCP/IP or similar connection, since the relaying occurs on the link layer. Our contribution is to show that it is not necessary to follow as general approach as in [3] to bypass the authentication protocol of a certain e-passport. We did this observation for Czech passports, but it is reasonable to expect that it will work for many other e-passports equipped with AA as well. First, it is easy to observe that all the data that needs to be relayed is the challenge and the response of AA. Everything else can be stored in the cloned chip locally. The core of the attack is that, due to a certain protocol behavior, there is much more time left for the resting transfers that what we would recognize in the general bit-by-bit approach. The short note elaboration presented here is an extension of the idea sketched in [5]. In section 1, the particular part of the ISO 14443 protocol used in the attack is described. Its concrete realization in chips of Czech e-passports is shown in section 2. One possible attack scenario is then given in 3. Finally, we conclude in the last section. 1 Frame Waiting Time Extension The transmission protocol between the terminal (the reader) and the RFID chip (the e-passport) is described in ISO 14443-4. After the successful initialization and anticollision procedure, the reader determines a communication attribute denoted FWI (Frame Waiting time Integer). The value of FWI is an integer in the range 0 to 14 (15 is RFU). For ISO 14443-A, it is obtained by sending RATS command (Request for Answer To Select) to the e-passport. When present, the interface byte TB(1) included in the e-passport s response ATS (Answer To Select) contains 4-bit value FWI. When TB(1) is not present, the default value 4 is used. For ISO 14443-B, the value of FWI is obtained during the anticollision procedure via ATQB (Answer To request type B) response. The FWT (Frame Waiting Time) is the ordinary maximum time period within which the passport has to start its responses to the terminal s commands during the protocol flow. It is defined as FWT = (256 16/f c ) 2 FWI, where f c = 13.56 MHz is the carrier frequency. The allowable range for FWI yields the range for FWT, i.e. the minimal value is 302 µs and the maximal is 4.949 s. As written in the standard: When the PICC needs more time than the defined FWT to process the received block it shall use an S(WTX) request for a waiting time extension. This request contains 6-bit value WTXM (Waiting Time extension

Multiplier) that yields a temporary value of FWT defined as FWT TEMP = FWT WTXM. By the standard, the allowable values for WTXM are in the range 1 to 59. The reader has to acknowledge this temporary change by sending S(WTX) response containing the same value WTXM. 2 Czech e-passport and S(WTX) When communicating with a Czech e-passport, it sets FWI = 10 within its ATS which yields FWT = 309 ms. After the BAC authentication is completed based on knowledge of (a part of) the machine readable zone (MRZ) of the passport, the active authentication protocol can start. The reader generates a random 8 byte challenge and sends it (encapsulated via a secure messaging) to the passport. Almost instantly (< 36ms), the passport sends back S(WTX) request with WTXM = 16, i.e. asking the reader to wait nearly 5 seconds for the answer. In order to be compliant with the standard, the reader has to accept this value. In our experiments, the e-passport was usually able to start transmitting the AA response within 950 ms. When we provided it with limited field intensity, the response took less then 1250 ms (it probably saves energy by slowing down). One way or the other, there is roughly 4 s gap between the requested response period and actual response period opening the door to relay attacks. This issue is not an easy task to solve, as the readers have to be compatible with the existing e-passports. 3 Relay Attack Scenario To exploit the unnecessary gap of 4 seconds in active authentication procedure, we can think of following scenario. A Czech visitor in a hotel in a foreign country leaves her passport at the hotel s reception. Having physical access to the passport (and its MRZ), the receptionist can access and copy all of the public data, i.e. namely the files DG1 (copy of machine readable zone), DG2 (biometric photography of the holder), DG15 (public key for AA) and EF.SOD (digital signature of the DG files by national authority). Leaving the passport at the reception, one can cross the border identifying himself with the victim s passport in the following way. The attacker passes the BAC procedure simply by using the known MRZ data and provides the copy of DG files to the reader at the border. Consequently, he enters the AA protocol by receiving the AA challenge and relays it by a intermediate channel (e.g. TCP/IP) to a device at the reception which transmits it to the victim s passport. As the reader at the border has to be standard compliant and has to wait 5 seconds for the answer, there is enough time to relay the passport s answer back to it. We should also emphasize the possibility of using side band emulation technique to communicate with the passport reader [6]. That means that there does not have

to be any active chip in the document passed to customs. The communication can be established with a device held undisclosed in a handbag. Therefore, we can omit the demand that the cloned passport chip must fit into the cloned document itself. That, in turn, increases the chance of carrying out the whole attack in a practice considerably. Note that the only two relayed messages are AA challenge and response, contrary to the approach described in [3]. All of the other commands can be done off-line, i.e. without the communication with the victim s passport. terminal fake passport fake terminal passport RF channel 1 channel 2 RF channel 3 initialisation initialisation file reading AA challenge challenge relay AA challenge S(WTX) S(WTX) AA response response relay AA response Fig. 1. Relay attack on active authentication (AA) Conclusion If we forget side channel techniques for a moment, then there is no known cryptanalytic method allowing a practically feasible attack on the active authentication scheme of e-passports. On the other hand, the general relay attacks clearly show that the proof of private key possession does not imply a proof of the travel document originality. We showed that particular communication protocol properties can even make these attack considerably more dangerous. The question arises whether a protocol like ISO 14443 that was obviously designed with very little or no security concerns is the right choice for such applications. A tighter union of the protocol itself and the used cryptographic schemes would be perhaps desirable. References 1. International Civil Aviation Organization. http://www.icao.int/. 2. Gildas A. Security and Privacy in RFID Systems. http://lasecwww.epfl.ch/ gavoine/rfid/, 2007.

3. Hancke G. A Practical Relay Attack on ISO 14443 Proximity Cards. http://www.cl.cam.ac.uk/ gh275/relay.pdf, 2007. 4. Brands S. and Chaum D. Distance-bounding protocols. In EUROCRYPT 93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pages 344 359, Secaucus, NJ, USA, 1994. Springer-Verlag New York, Inc. 5. Klíma V. and Rosa T. Elektronický cestovní pas: autentizace. Sdělovací Technika, (5), 2007. 6. Kfir Z. and Wool A. Picking Virtual Pockets using Relay Attacks on Contactless Smartcard Systems. Cryptology eprint Archive, Report 2005/052, 2005. http://eprint.iacr.org/.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information