Professional Documents
Culture Documents
Epassport - SoftwareSecurity1 - 2
Epassport - SoftwareSecurity1 - 2
Epassport - SoftwareSecurity1 - 2
Erik Poll
• e-passports
• functionality and
security mechanisms
• problems, so far
• future
2
e-passports
ISO 14443
• defines physical communication for RFIDs
ISO 7816
• originally developed for contact smartcards
• defines standard APDU commands & responses,
ICAO standard for e-passports
• defines specific IS0 7816 commands and
responses for passports
additional EU standards
• standardise optional parts of ICAO specs
& fix timeline
• additional advanced secuity mechanisms on top of ICAO
4
National id-cards & terminology
NB possible confusion
• eNIK is a future extension of NIK,
with digital signature capability
• MRTD = Machine-Readable Travel Document
just has Machine (OCR) Readable Zone,
the MRZ, but need not contain a chip
ie. e-passport = MRTD + chip
MRZ
5
European Electronic Passport
6
e-passports & authentication
• authentication of data
• authentication of the chip
• authentication of the terminal
– why? how?
• authentication of the passport holder
– how?
• passport data: age, height, gender,...
• facial image, fingerprint, iris
• signature
7
Biometrics to authentication passport holder
8
Security mechanisms
9
Passive Authentication
10
Basic Access Control (BAC)
11
Basic Access Control (BAC)
send MRZ
encrypted
12
BAC details
13
BAC details
• IFD → ICC : GET_CHALLENGE
• ICC → IFD : RNDICC
• IFD → ICC : MUTUAL_AUTHENTICATE( EIFD || MIFD)
with S = RNDIFD|| RNDICC|| KIFD
EIFD= Enc (S,KENC), MIFD= MAC (EIFD,KENC)
• ICC checks MAC and computes S, and hence RNDIFDand KIFD
• ICC → IFD : EICC || MICC
with R = RNDIFD|| RNDICC || KICC
EICC = Enc (R,KENC), MICC = Enc (EICC ,KMAC)
• Both calculate new Kseed = KIFD KICC
and derive SKENC and SKMAC for secure messaging
14
Alternative: Faraday Cage
15
Active Authentication (AA)
send challenge
prove knowledge of
corresponding private key
16
similarity with EMV
17
possible drawback of AA: challenge semantics
18
Different ways to do authentication
19
Extended Access Control (EAC)
20
Extended Access Control (EAC)
Two phases
• Chip Authentication
– replaces AA
– starts Secure Messaging (SM) with stronger keys
• Terminal Authentication
– uses traditional challenge-response:
– terminal sends certificate chain to chip
– chip sends challenge
– terminal replies with signed challenge
21
Extended Access Control
Chip Authentication
• chip -> terminal: PKpassport
• terminal chooses ephemeral DH key pair (SKtemp, PKtemp)
• terminal -> chip: PKtemp
• chip and terminal compute shared symmetric key K
– K = KA(SKpassport,PKtemp)=KA(SKtemp,PKpassport)
with derived session keys for encryption Kenc and MAC Kmac
22
• Having the chip authenticate terminal opens up further
possibilities, eg
– updating data on chip
– uploading visa & travel records
but so far the passport does not support any writing of data
after personalisation
23
DG Content read/write mandatory / acccess control
optional
DG1 MRZ R m BAC
DG2 Face R m BAC
DG3 Finger R o BAC+EAC
DG4 Iris R o BAC+EAC
.. R
24
problems with passports,
so far...
passive vs active attacks on RFID
26
Problem with BAC: low entropy in MRZ
27
Problems with Belgian passports
28
Problem with ISO 14443: fixed UIDs
29
Problems with terminals
30
• bla
31
Problem: determining passport origin
32
Errors can leak information
33
Fingerprinting passports
34
Example commands & responses
35
Example responses to B0 instruction
B0 means "read binary", and is only allowed after BAC
response meaning
(status word)
Belgian 6986 not allowed
Dutch 6982 security status not satisfied
French 6F00 no precise diagnosis
Italian 6D00 not supported
German 6700 wrong length
37
Detecting & distinguishing passports
38
Fingerprinting passports
39
The small print in the specs
40
More fingerprinting possibilities
passport application
operating system
smartcard hardware
• Our approach fingerprints passport application
– so upgrading hardware or OS won't affect
fingerprint
• Fingerprinting may be possible at other levels, eg
– OS
– hardware
41
More fingerprinting possibilities
• better specs
– clearly prescribing standard error responses
– or, all countries could simply use a common open
source implementation
• eg our Java Card implemententation
[http://jmrtd.sourceforge.net]
– but infeasible to do now, once specs & implementations
exist
43
Abuse cases for fingerprinting?
44
Other risk: transferability
45
Conclusions
Questions
47
On-line authentication
48
Other existing & future e-ID initiatives
49
Questions?