How To Secure Electronic Passports Marc Witteman & Harko Robroch - - PowerPoint PPT Presentation

how to secure electronic passports
SMART_READER_LITE
LIVE PREVIEW

How To Secure Electronic Passports Marc Witteman & Harko Robroch - - PowerPoint PPT Presentation

Mar 26, 2023 376 likes •707 views

How To Secure Electronic Passports Marc Witteman & Harko Robroch Riscure 02/07/07 - Session Code: IAM-201 Other personal info on chip Other less common data fields that may be in your passport Custody Information Travel Record

slide-1
SLIDE 1

How To Secure Electronic Passports

Marc Witteman & Harko Robroch Riscure 02/07/07 - Session Code: IAM-201

slide-2
SLIDE 2

Other personal info on chip

Other less common data fields that may be in your passport

Custody Information

Travel Record Detail(s)

Endorsements/Observations

Tax/Exit Requirements

Contact Details of Person(s) to Notify

Visa

slide-3
SLIDE 3
slide-4
SLIDE 4

Our involvement in electronic passports

  • Published weakness in BAC static key in July 2005
  • Performed security testing
  • n electronic passport

technology

  • Security Test Lab

— smart cards — embedded devices

slide-5
SLIDE 5

Overview

  • Passport threats and protection mechanisms
  • Security challenges and solutions

— Inspection terminal configuration — Access control to personal data — Contactless chip

  • Conclusion
slide-6
SLIDE 6

What to protect against?

  • 1. Passport forgery
  • Criminal organization makes a false passport
  • High-tech and more difficult
  • 2. Look-alike fraud
  • Criminal organization steals many passports
  • Look for the best match
  • Low-tech and relatively easy
slide-7
SLIDE 7

Available protection mechanisms under ICAO

  • 1. To address passport forgery

Store a certificate with passport holder data Store a private key on a smart card Active Authentication offers this under ICAO

  • 2. To address look-alike fraud

Add personal biometric data Biometric software should reduce false accepts

slide-8
SLIDE 8

Overview of protection mechanisms in ICAO

  • A passport implements one valid combination
  • A terminal implements each of these

Authentication (Passive, Active, Biometrics) Access Control (None, Basic or Extended) Who can access my data? Does this passport belong to this person?

slide-9
SLIDE 9

Test your own passport at Amsterdam Airport

  • Public access to a terminal
  • Displays personal info from chip
slide-10
SLIDE 10

Overview

  • Passport threats and protection mechanisms
  • Security challenges and solutions

— Inspection terminal configuration — Access control to personal data — Contactless chip

  • Conclusion
slide-11
SLIDE 11

Inspection terminal configuration

Risk

  • Complex standard with many options; how well will terminals do?
  • Most attention is on the passport, not the terminal

Challenges and solutions

  • Implementation errors form a risk
  • Let’s discuss two specific implementation challenges
  • 1. Many options to be supported by the terminal
  • 2. Proper RSA certificate verification not trivial

How would you detect a false acceptance?

slide-12
SLIDE 12
  • 1. Many options to be supported by the terminal
  • Typical standardization compromise
  • Protocol options

— Basic Access Control — Active Authentication — Extended Access Control — Document signer key on passport — Biometrics

  • Cryptographic options

— Passive Authentication: RSA (PSS / PKCS1), DSA, ECDSA — Hashing: SHA-1, 224, 256, 384, 512

slide-13
SLIDE 13
  • 2. Proper RSA verification not trivial

An example in Passive Authentication

  • Passport may use PKCS1
  • Last year, Daniel Bleichenbacher discovered vulnerability in some

PKCS1 implementations (with exponent 3) Exploit prerequisites

  • Inspection system with this vulnerability
  • Country that uses PKCS1 with RSA exponent 3

Then, you may fool a terminal with a self-made PKCS1 RSA certificate

slide-14
SLIDE 14

Overview

  • Passport threats and protection mechanisms
  • Security challenges and solutions

— Inspection terminal configuration — Access control to personal data — Contactless chip

  • Conclusion
slide-15
SLIDE 15

Access control to personal data

Risks to protect against

  • Rogue terminal
  • Eavesdropping by a 3rd party
  • Tracking individuals
  • Recognition of citizenship

Challenges and solutions

  • How strong is BAC?
  • Using the UID to track individuals
  • Extended Access Control is underway
slide-16
SLIDE 16

Weakness in Basic Access Control

Static access key is derived from MRZ data

  • Date of birth
  • Date of expiry
  • Passport number

Predictability & dependency reduce entropy to 35 bits

50000000 100000000 150000000 200000000 250000000 7/24/1998 12/6/1999 4/19/2001 9/1/2002 1/14/2004 5/28/2005 10/10/2006 2/22/2008 7/6/2009 11/18/2010 4/1/2012

Publication in July 2005

slide-17
SLIDE 17

Improve Basic Access Control

Solution

  • Country can use unpredictable passport numbers
  • But, protection remains limited due to static key that is

visible for any person who had access to the passport Example: In Aug 2006, Dutch passport moved to unpredictable numbers to reach entropy of 66 bits Is 35 bit sufficient to protect personal data?

slide-18
SLIDE 18

UID is another challenge

  • UID is a low-level RF identification number (32 bit)
  • UID threatens privacy in two ways
  • Solution: Randomize the UID
  • Performance challenge

— UID very shortly after power up — On-board random generator

Broadcast 2A73B9F0

slide-19
SLIDE 19

Extended Access Control

  • To access most sensitive data on chip (e.g. biometric data)
  • Implements mutual authentication

Access Control (Extended) Who can access my data?

slide-20
SLIDE 20

Certificate infrastructure

Short validity period

  • Time

Foreign country Your country Inspection terminal Document Verifier Country CA signed verify issued But a chip does not know what time it is

slide-21
SLIDE 21

Certificate validation problem

Two solutions can be used for lost or stolen terminals

  • 1. The terminal verifies itself
  • Is this a sound security principle?
  • 2. Compare with previous date
  • What is a risk here?
slide-22
SLIDE 22

Overview

  • Passport threats and protection mechanisms
  • Security challenges and solutions

— Inspection terminal configuration — Access control to personal data — Contactless chip

  • Conclusion
slide-23
SLIDE 23

Contactless chip

Use of contactless technology appropriate?

  • Introduces access and eavesdropping issues
  • Shielding is applied (e.g. USA)
  • Contact-based chip technology eliminates several

issues

slide-24
SLIDE 24

Overview

  • Passport threats and protection mechanisms
  • Security challenges and solutions

— Inspection terminal configuration — Access control to personal data — Contactless chip

  • Conclusion
slide-25
SLIDE 25

Conclusion (1)

  • Inspection terminal implementation is complex
  • Country can improve privacy protection by

— Maximize passport number entropy — Randomize UID

  • Extended Access Control is promising but also has a small

inherent weakness

  • Moving to a contact smart card would eliminate several issues
slide-26
SLIDE 26

Conclusion (2) – The electronic passport ...

  • Improves forgery protection when

— Each passport has a chip — Inspecting officer knows it should have a chip

  • Does not address look-alike fraud until

— Reliable biometrics are added to passports

  • Introduces privacy concerns

— Contactless (RF) is used — Easy way to fill a country’s database — Adding biometrics also challenges privacy requirements

slide-27
SLIDE 27

Thank you. Questions?

Marc Witteman Chief Technology Officer witteman@riscure.com Harko Robroch Managing Director robroch@riscure.com

Riscure B.V. Rotterdamseweg 183c 2629 HD Delft The Netherlands Phone: +31 (0)15 2682664 Http://www.riscure.com

Visit us at the smart card pavilion booth 1742

slide-28
SLIDE 28

References

  • International Cival Aviation Organisation web site on MRTDs: www.icao.int/mrtd/
  • Riscure, publication of BAC weakness, July 2005:

http://www.riscure.com/2_news/passport.html

  • FIDIS Budapest Declaration, Sep 2006:

http://www.fidis.net/press-events/press-releases/budapest-declaration/

  • Bleichenbacher attack on RSA implementations:

http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html

  • BSI Technical Guideline - Extended Access Control, Feb 2006:

http://www.bsi.bund.de/fachthem/epass/EACTR03110_v101.pdf

  • Security Document World on Extended Access Control:

http://www.securitydocumentworld.com/client_files/eac_white_paper_210706.pdf

slide-29
SLIDE 29

Appendix A: protection mechanisms & shortcomings

Mechanism Protection Shortcoming None

  • -

Personal data readable BAC Privacy info Can be cracked EAC + BAC Most sensitive info Certificate validation Passive Auth Content OK Can make clone of chip Active Auth Passport OK Minor: abuse of signing feature + Biometrics Passp holder OK Mass deployment?

slide-30
SLIDE 30

Appendix B: Bleichenbacher’s PKCS-1 attack

  • Normal RSA payload structure: padding || Length || Hash
  • Verifier skips padding, decodes length and reads Hash
  • Modified RSA payload structure: padding || Length || Hash || Tail
  • Manufacture signature whose cube value matches modified structure
  • Inspection system that does not check absence of Tail and uses Length to read

the Hash will not detect the forgery

slide-31
SLIDE 31

Appendix C: false passport detection