e- passports Erik Poll Digital Security Group Radboud University Nijmegen

Similar documents
Implementation of biometrics, issues to be solved

Keep Out of My Passport: Access Control Mechanisms in E-passports

Preventing fraud in epassports and eids

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA

Joeri de Ruiter Sicco Verwer

A Note on the Relay Attacks on e-passports

Full page passport/document reader Regula model 70X4M

Moving to the third generation of electronic passports

New Attacks against RFID-Systems. Lukas Grunwald DN-Systems GmbH Germany

Electronic Passports in a Nutshell

eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke

Electronic machine-readable travel documents (emrtds) The importance of digital certificates

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

Operational and Technical security of Electronic Passports

AN1305. MIFARE Classic as NFC Type MIFARE Classic Tag. Application note COMPANY PUBLIC. Rev October Document information

Combatting Counterfeit Identities: The Power of Pairing Physical & Digital IDs

Gemalto Mifare 1K Datasheet

Best Solutions for Biometrics and eid

Statewatch Briefing ID Cards in the EU: Current state of play

Formal analysis of EMV

FAQs - New German ID Card. General

CASQUE SNR Presentation 16 th April 2015

50 ways to break RFID privacy

Efficient Implementation of Electronic Passport Scheme Using Cryptographic Security Along With Multiple Biometrics

FAQs Electronic residence permit

Modular biometric architecture with secunet biomiddle

Common Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP Version 1.01 (15 th April 2010)

PUF Physical Unclonable Functions

Authentication Types. Password-based Authentication. Off-Line Password Guessing

E- Encryption in Unix

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

Using etoken for SSL Web Authentication. SSL V3.0 Overview

MOBILE IDENTIFICATION:

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

More effective protection for your access control system with end-to-end security

Biometrics for Public Sector Applications

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Key & Data Storage on Mobile Devices

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

MACHINE READABLE TRAVEL DOCUMENTS

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Sicherheitsaspekte des neuen deutschen Personalausweises

Caught in the Maze of Security Standards

Mobile Driver s License Solution

Entrust Smartcard & USB Authentication

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

Banking. Extending Value to Customers. KONA Banking product matrix. is leading the next generation of payment solutions.

Hacking Mifare Classic Cards. Márcio Almeida

What s wrong with FIDO?


Position Paper European Citizen Card: One Pillar of Interoperable eid Success

E-Passport Testing. Ensuring Global Acceptance. Jos Chehin Date: 17 November 2006 Location: ASML

MIFARE ISO/IEC PICC

Software security specification and verification

Best Practices for the Use of RF-Enabled Technology in Identity Management. January Developed by: Smart Card Alliance Identity Council

Secure Sockets Layer

39 myths about e-passports

White Paper PalmSecure truedentity

Security in Near Field Communication (NFC)

Smartcards and RFID. IPA Security Course Lejla Batina & Erik Poll. Digital Security University of Nijmegen

Biometrics, Tokens, & Public Key Certificates

Name: 1. CSE331: Introduction to Networks and Security Fall 2003 Dec. 12, /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35.

IDRBT Working Paper No. 11 Authentication factors for Internet banking

5. Biometric data-leakage: Among other data, e- passports will include biometric images. In accordance

Information about the European Union is available on the Internet. It can be accessed through the Europa server (

E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

AN1304. NFC Type MIFARE Classic Tag Operation. Application note PUBLIC. Rev October Document information

Multi-factor authentication

Securing Card-Not-Present Transactions through EMV Authentication. Matthew Carter and Brienne Douglas December 18, 2015

Three attacks in SSL protocol and their solutions

October 2014 Issue No: 2.0. Good Practice Guide No. 44 Authentication and Credentials for use with HMG Online Services

Facts about the new identity card

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES

Discover Germany s Electronic Passport

Using RFID Techniques for a Universal Identification Device

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Malicious Code on Java Card Smartcards: Attacks and Countermeasures

Risks of Offline Verify PIN on Contactless Cards

Protection Profile for UK Dual-Interface Authentication Card

Test plan for eid and esign compliant terminal software with EACv2

We Must Comply with International Requirements! Introducing Biometric ID Cards in France

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

ID Document Scanning and Biometric Solutions

MIFARE CONTACTLESS CARD TECHNOLOLGY AN HID WHITE PAPER

Moving to Multi-factor Authentication. Kevin Unthank

Common Criteria Protection Profile

Web Security. Mahalingam Ramkumar

CS 356 Lecture 28 Internet Authentication. Spring 2013

Allwin Initiative for Corporate Citizenship Dartmouth Center for the Advancement of Learning Dickey Center Ethics Institute Institute for Security

The ID card with eid function at a glance

Authentication in WLAN

RFID Security. April 10, Martin Dam Pedersen Department of Mathematics and Computer Science University Of Southern Denmark

Secure application programming in the presence of side channel attacks. Marc Witteman & Harko Robroch Riscure 04/09/08 Session Code: RR-203

Smart Card Technology Capabilities

Information Security Basic Concepts

CODE SIGNING. Why Developers Need to Digitally Sign Code and Applications entrust.com

Machine Readable Travel Documents

Transcription:

e- passports Erik Poll Digital Security Group Radboud University Nijmegen

Overview e-passports functionality and security mechanisms problems, so far 2

e-passports e-passport contains RFID chip / contactless smartcard in Dutch passports, a Java Card chip stores digitally signed information: initially just facial images (photos) also fingerprints later maybe iris aka biometric passport or MRTD with ICC/chip introduction pushed by US in the wake of 9/11 to solve what problem?? e-passport logo 3

machine-readable passport e-passport NB possible confusion! MRTD = Machine-Readable Travel Document just has Machine Readable Zone, the MRZ, which is readable with OCR MRZ 4

Similar & related e-id initiatives Nederlandse Identiteitskaart (NIK) conforms to e-passport specs original plan was to also have digital signature functionality; eg Belgian & German e-id cards have such functionality New Dutch driving license conforms to the very similar ISO15018 spec for for electronic driving licenses German npa neuer PersonalAusweis adds privacy-friendly age verification by private keys shared on a batch of cards having 5

Very different e-id initiatives US Passport Cards and US Enhanced Drivers License (EDL) Contain simple RFID tag that simple broadcasts a fixed ID number readable at larger distances than ISO14443 passport tags 6

Apps & software for e-passports NFC apps to read out passport eclown app by Jeroen van Beek https://play.google.com/store/apps/details?id=dexlab.ecl0wn ReadID app by Innovalor https://www.readid.com/demo https://play.google.com/store/apps/details?id=nl.innovalor.nfciddocshowcase Open source for terminal & JavaCard passport applet: http://jmrtd.org 7

Protocols & standards ISO 14443 defines physical communication for RFIDs ISO 7816 defines standard APDU commands & responses ICAO standard for e-passports defines specific IS0 7816 commands & responses for passports additional EU standards standardise optional parts of ICAO specs define some additional advanced security mechanisms on top of ICAO specs 8

European Electronic Passport Facial images: deadline 28 August 2006 Fingerprints: deadline 28 June 2009 protected by additional security mechanism, extended access control Participants: all members except UK, IRL, NOR 9

e-passports & authentication authentication of data authentication of the chip authentication of the terminal why? how? authentication of the passport holder how? passport data: age, height, gender,... facial image, fingerprint, iris signature 10

Biometrics of passport holder Facial image (DG2, ISO 19794-5) JPEG or JPEG2000 image Optional feature points (e.g. eyes) Fingerprint (DG3, ISO 19794-1) as WSQ, PNG, JPEG or JPEG2000 How to indicate the fingerprint cannot be enrolled? Iris image (DG4, ISO 19794-6) NB one would prefer not to store the raw biometrics, but some (hash of) derived info (aka template). Why? How? 11

Security mechanisms Passive Authentication (PA) digital signed data on passport chip Basic Authentication Control (BAC) access control to chip, to prevent unauthorised access & eavesdropping Active Authentication (AA) chip authentication, with challenge response, to prevent cloning Extended Access Control (EAC) chip and terminal authentication ICAO mandatory ICAO optional, EU mandatory ICAO optional EU only, mandatory for 'advanced' biometrics, ie. fingerprint & iris 12

Passive Authentication passport chip consists of 16 data groups (DGs) DG1 MRZ DG2 face DG3 finger DG4 iris... DG15 Active Authentication... and a security object SO, signed hash values of the data groups To check the signatures, terminal needs country signing certificates Passive Authentication mandatory on all e-passports 13

Basic Access Control (BAC) Contactless interface is both advantage and disadvantage BAC allows to read the data only after reader authentication: reader proves knowledge of the MRZ of the passport The authentication key is derived from document nr, date of birth, date of expiry BAC is ICAO optional (recommended) feature, in EU mandatory Interoperability issue How to find out the passport is BAC-protected? try & you find out 14

Basic Access Control (BAC) protects against unauthorised access and eavesdropping optically read MRZ Machine Readable Zone send MRZ receive additional info encrypted & MACed 15

Driving license chip uses similar trick, but with a QR code instead of MRZ 16

Alternative: Faraday Cage protects against unauthorised access, but not eavesdropping used in US passports, initially instead of BAC 17

Active Authentication (AA) protects against passport cloning (which BAC & PA don't) ie authentication of the passport chip public key, signed by government (DG15) send challenge prove knowledge of corresponding private key encrypted & MACed, using BAC channel 18

Possible drawback of AA: challenge semantics Passport chip that supports AA will sign any challenge Terminal could choose challenge c with some semantics eg. c = Sign(SK terminal, ID passport ++ date ++ location) card replies Sign(SK passport, c) Can be useful eg. unfakeable log of entry to the country but do we want it? Reason for German passport not to support AA NB AA should be protected by BAC, to mitigate this issue This can be prevented by not using a challenge signed by an asymmetric key, but using asymmetric crypto to establish a shared secret symmetric key that is used for MACs, as EAC uses 19

Different ways to do authentication 1. Fixed shared key (symmetric or assymmetric, possibly diversified) A -> B : Encrypt(K, random id A ) B -> A : Encrypt(K, random id B ) 2. Shared key echange via asymm. crypto A chooses random key K A -> B : Encrypt(PublicKey B, K) B -> A : MAC(K, id A id B ) 3. Signature-based authentication A -> B : challenge B -> A : Encrypt(SecretKey B, challenge id A id B ) Challenge semantics only possible with 3, because signature in 3 requires assym. SK B key that only B has 20

Extended Access Control (EAC) includes authentication of terminal by passport why would we want this? protect acces to privacy-sensitive information, esp. fingerprint, eg at hotel check-in how would we do this? some terminal certificate and a PKI ISO 7816 Card Verifiable (CV) certificates used rather than X.509 public key certificates. 21

Extended Access Control (EAC) Practical problems Certificate issuance is a hassle Each country has to issue certificates to every other country to let them read passports of its citizens Certificate expiry is tricky Passport does not know date to check certificate expiry Solution: passport uses the issuance date of trusted terminal certificates to approximate the current date Certificate revocation is essentially impossible How do you revoke a terminal certificate on all passports? Solution: short-lived certificates for terminals 22

Extended Access Control (EAC) Two phases Chip Authentication replaces AA; starts Secure Messaging (SM) with stronger keys using PACE protocol (Password Authenticated Connection Establishment) Terminal Authentication uses traditional challenge-response: terminal sends certificate chain to chip chip sends challenge terminal replies with signed challenge 23

Extended Access Control Chip Authentication chip -> terminal: PK passport terminal chooses ephemeral DH key pair (SK temp, PK temp ) terminal -> chip: PK temp chip and terminal compute shared symmetric key K K = KA(SK passport,pk temp ) = KA(SK temp,pk passport ) and derive session keys for encryption K enc and for MACing K mac 24

DG Content read/write mandatory / optional acccess control DG1 MRZ R m BAC DG2 Face R m BAC DG3 Finger R o BAC+EAC DG4 Iris R o BAC+EAC.. R DG14 SecurityInfo* R o BAC DG15 AA public key R o BAC DG16 SO Security Object R m BAC R *ANS.1 data structure indicating support for Chip and Terminal Authentication, and defining. Chip Authentication Public Key 25

problems with passports, so far...

Recall: passive vs active attacks on RFID passive attacks eavesdropping on communication between passport & reader possible from several meters active attacks unauthorised access to passport without owner's knowledge possible up to 50 cm activating RFID tag requires powerful field! 27

Possible problem: fixed UIDs Normal ISO14443 tags sent a fixed UID as part of the anticollision protocol. This would allow tracking of individual passports ISO14443 also allows random UIDs, which start with 0x08 Some countries still used fixed UIDs (eg Italy) First batch of Dutch passports did not have truly random UIDs, as 2 bits in the random UIDs are always the same... 28

Problem with BAC: low entropy in MRZ MRZ key based on passport number, expiry & birth dates Passport numbers typically issued in sequence, so low entropy, and strongly correlated with expiry date 3DES max 112bit, BAC max 56/74bit, in practice 30-50 Hence: off-line brute force attack on eavesdropped traffic is possible [Marc Witteman & Harko Robroch, 2006] First discovered for Dutch passport, but other countries had the same problem Solutions: changing the key derivation procedure was rejected by ICAO for compatibility issues not handing out passport no's in sequence; note this introduces organisational & operational complications 29

Throttling BAC attempts Additional measure to beak BAC by brute-forcing MRZ: slowing the card down after incorrect BAC run waiting for 1 second after a wrong BAC session means a bute force attack takes years Flaw in test version of one country s passport: 29 seconds delay which is effectively a Denial-of-Service... Is brute-forcing the MRZ online a realistic attack scenario anyway? 30

Problems with first Belgian passports First generation of Belgian passports (2004-2006) did not support BAC MRZ (DG1) skimmable in fraction of a second; all passport info in about 10 secs These passports also provide additional info not required by ICAO, incl. place of birth digital version of handwritten signature Also, same problem with low entropy of MRZ as Dutch passports 31

Problem with test version of Dutch passport Dutch passports contain a JavaCard JCOP chip, produced by NXP, which can provide MIFARE Classic emulation Chips used in test-batch of the passport did provide this MIFARE functionality, using the default factory keys! So ov-chipcard or RU access card can be cloned onto such chips In the real passport, MIFARE emulation was switched off 32

Implementation flaw in Italian passport BAC starts with the terminal requesting an 8 byte random number GET_CHALLENGE instruction with argument P1 equal to 8 What if the terminal requests fewer bytes of random data? Passport will supply shorter random N, and run protocol for N padded with all zeroes This allows a MitM attack... [Luigi Sportiello, Weakening epassports through Bad Implementations, RFIDSec 20123] Not a practical attack scenario, but it shows how easy implementation mistakes are! 33

Another problem: Spot the security flaw BAC protocol 1. terminal -> passport: GET_CHALLENGE 2. passort -> terminal : nonce 3. terminal -> passport: (m, MAC MRZ-key (m)) with m = encrypt MRZ-key (nonce) 4. passport checks MAC, decrypts m, checks nonce Possible implementation mutualauthenticate(apdu apdu) { } if (!checkmac(apdu, K)) N = decrypt(apdu, K); if (myn!= N)... // return OK ISOException.throwIt(SW_WRONG_MAC); ISOException.throwIt(SW_WRONG_CHALLENGE); 34

Information leak/timing attack mutualauthenticate(apdu apdu) { if (!checkmac(apdu, K)) ISOException.throwIt(SW_WRONG_MAC); N = decrypt(apdu, K); if (myn!= N) ISOException.throwIt(SW_WRONG_CHALLENGE);... Possible information leakage through different responses for wrong MAC and wrong nonce different response times for wrong MAC and wrong nonce After having eavesdropped one successful BAC session for a passport, attacker can replay it to detect that unique passport: because the MAC will be correct, but the nonce will be wrong, for that unique passport 35

Problems with terminals Lukas Greenwald reported some terminals crashing with a buffer overflow on malformed JPEG missing input validation, as usual... Jeroen van Beek (UvA) reported some terminals failing to check digital signatures correctly ICAO specs somewhat tricky eg will terminal spot a clone of a passport that says it does not support AA? 36

bla 37

Problem: determining passport origin Error messages of the card provide a fingerprint that is unique to the manufacture BSc thesis by Henning Richter in Nijmegen 38

Errors can leak information An Error Has Occurred. Error Message: System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username ''' and password = 'g''. System.Data.OleDb.OleDbCommand.ExecuteCommandText ErrorHandling (Int32 hr) at System.Data.OleDb.OleDbCommand.ExecuteCommandText ForSingleResult (tagdbparams dbparams, Object& executeresult) at 39

Fingerprinting passports All e-passports react the same to correct protocol runs... But what about incorrect ones? Eg commands out of sequence eg B0 (READ BINARY) before completing BAC commands not in the ICAO specs at all eg 44 (REHABILITATE CHV) commands with silly parameters 40

Example commands & responses Commands sent to card include 1 instruction byte, eg A4 SELECT FILE B0 READ BINARY 84 GET CHALLENGE 82 EXTERNAL AUTHENTICATE... Responses from card include 2 bytes status word, eg 9000 No error 6D00 Instruction not supported 6986 Command Not Allowed 6700 Wrong Length... Defined in ISO7816, re-used in ICAO specs 41

Example responses to B0 instruction B0 means "read binary", and is only allowed after BAC response (status word) meaning Belgian 6986 not allowed Dutch 6982 security status not satisfied French 6F00 no precise diagnosis Italian 6D00 not supported German 6700 wrong length 255 other instructions to try, and we can try different parameters... 42

Fingerprinting passports Response to strange inputs provides unique fingerprint for ten nationalities originally tested Australian, Belgian, Dutch, French, German, Greek, Italian, Polish, Spanish, Swedish The fingerprints depends on implementation choices in the software 4 commands suffices to distinguish between these nationalities. The response to instruction byte 82 identifies Australian, Belgian, French, and Greek A4 identifies Dutch and Italian 88 identifies Polish and Swedish 82 with different parameter identifies German and Spanish Code to do this is very simple & very fast 43

The small print in the specs "A MRTD chip that supports Basic Access Control must respond to unauthenticated read attempts (including selection of (protected) field in the LDS) with Security Status not satisfied (6982) [PKI for machine readable travel documents offering ICC readonly access, version 1.1. Technical report, ICAO, Oct 2004.] but what constitutes a "read attempt"? 44

More fingerprinting possibilities passport application operating system smartcard hardware Our approach fingerprints the passport application so upgrading hardware or OS won't affect it Fingerprinting may be possible at other levels, eg OS hardware 45

More fingerprinting possibilities ATS (Answer To Select) sent by RFID on activation to indicate eg supported data rate, but also operating system version (in "historical bytes") New Zealand passport sends "JCOP41V22", so it's an NXP JCOP card, version 4.1, running Java Card 2.2 Other OS behaviour first Dutch passport recognisable as Java Card, as it supports Global Platform Physical characteristics power consumption, response times,... 46

Countermeasures to fingerprinting Better specs clearly prescribing standard error responses or, all countries could simply use a common open source implementation eg our Java Card implemententation [http://jmrtd.sourceforge.net] but infeasible to do now, once specs & implementations exist Metal shielding in passport cover (Faraday cage) defence-in-depth 47

Abuse cases for fingerprinting? Passport bomb triggered by a specific nationality Selection of potential victims by passport thieves http://www.youtube.com/watch?v=-xxaqraf7pi Fortunately, limited range for active attacks reduces any serious threat Also, there may be easier ways to detect nationality... 48

Technical things that go wrong: defects Some issued passports have defects so that fail to meet the standard, eg Wrongly calculated hashes Encoding of certificate fields: printable string UTF8 Wrong identifiers in certificates Printed MRZ data not matching the one stored in the chip Truncated photos Some countries have warned others about passport batches with known defects International discussions about standard format for defect lists to report such defective batches so that terminals can be configured to supress the false warnings for these passports 49

Organisational hassle How reliable is the issuance process? Someone obtained a Dutch ID card with a picture of himself as the Joker from Batman Fingerprints not checked when you pick up your passport, because of hassle with false negatives Few countries bother to read the chip on a regular basis? Exchanging certificates (bilaterely via diplomatic post!) is a big hassle Fewer countries use fingerprint data is quality of fingerprints info really good enough? yet more certificate hassle, as terminal have to be equipped with a short-lived terminal certificate, one for every country Do personnel trust the chip, and can they interpret errors? 50

Conclusions

Questions What are the problem solved or the security benefits of the e-passport? passports harder to fake colour hi-res JPG makes look-alike fraud harder than the small B/W passport passport photo Potential problem/opportunity: function creep? Esp. recording fingerprints Lots of political discussion in the Netherlands on a national fingerprint database with data from all citizens 52

Was it just security theatre? The real motivation? Was the real motivation Automated Border Control? 53

Unplanned use for authentication? Active Authentication can be used for authentication in other settings, eg login to computer access to a website Remote (and hence unsupervised) biometric authentication using the passport is of course not secure 54

Questions? Code for passport terminal and passport available at http://jmrtd.sourceforge.net 55

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information