Security and Privacy Issues in E-passports
Ari Juels, David Molnar, and David Wagner
Outline Radio Frequency identification (RFID) Security and Privacy Threats Cryptography in E-passports Strengthening Today’s E-passport
Future Issues in E-passport
Introduction New Generation of Identity cards.
Same as traditional passport with addition of an integrated chip.
Introduction Combination of RFID and Biometric Technology. The chip will store the same data visually displayed on the data page of the passport
Biometric identifier in the form of the digital image of the passport photograph.
Unique chip identification number and digital signatures to protect the stored data from alteration.
Introduction “ The data stored on the chip is protected from alteration by the latest digital signature technology. As the Department of State implements this new technology, it will include passport features that will protect the security and privacy of passport bearers. We will share more information about these measures once testing is completed. The Department of State will not issue passports incorporating integrated circuits until privacy-related concerns have been addressed. The Department of State is currently coordinating testing of components for possible use in the new passport. Once testing has ended and a final passport configuration that meets the security and privacy needs of our citizens has been completed, electronic passports will be phased in at all 16 passport issuance locations in the domestic United States.”
-- US Department of State
US-VISIT US-VISIT mandated adoption of biometrically enabled passports by October 2006 by 27 nations in its Visa-Waiver Program (VWP). US-VISIT program requires visitors traveling to US must have two index fingers scanned and digital photograph taken to match and authenticate their travel documents at the port of entry.
These passports are based on the guidelines issued by International Civil Aviation Organization (ICAO). ICAO is responsible for setting international passport standards.
ICAO Guidelines Call for incorporation of RFID chips. RFID chips are used to store and retrieve data in a wireless manner. Biometric identity verification (face recognition).
Additionally specifies fingerprints and iris data as optional biometrics.
Malaysia has already deployed e-passports. E-passports generated in 1998 included a chip containing an image of the thumbprint of the passport holder. Second generation e-passports rolled out in 2003 contained extracted fingerprint information.
Today 5,000,000 first generation and 125,000 second generation e-passports in circulation.
What is RFID? Radio Frequency Identification: automatic identification method that relies on storing and retrieving data remotely using devices called RFID tags or transponders.
An object which can be applied to incorporated into animal, product or a person for the purpose of identification using radiowaves.
RFID Two types of tags: Active and passive
E-passports use passive tags .
Passive tags Obtain operating power generated from the reader. Small in size, lighter and less expensive.
Embedded in a sticker or under the skin
Active tags Powered by internal battery More reliable than passive tags due to the ability for active tags to conduct a "session" with a reader More memory size upto 1 MB.
Bigger size, more expensive and limited operational lifetime.
Supply chain vs Passport tags no support for cryptography,
shorter intended read range,
Biometric Biometric authentication is the verification of human identity through measurement of biological characteristics. Mechanism by which human beings authenticate each other. Three Biometrics favored in e-passport deployment:
Face recognition: automated analog of the ordinary human process of face recognition.
File structure of ICAO E-passport
Biometric Authentication An authenticated user enrolls by presenting an initial, high quality biometric image to the sensor. The system stores information extracted during enrollment in a data structure known as a template. To prove identity during authentication session the user again presents the biometric to a sensor.
The verifying entity compares the freshly presented biometric information with that contained in the template for the user.
E-Passport Security and Privacy Threats
Security And Privacy Threats The ICAO guidelines do not require authenticated or encrypted communications between passports and readers.
An unprotected e-passport chip is subject to short-range illegal scanning with leakage of sensitive personal information.
Security And Privacy Threats The standard for e-passport RFID chips stipulates the emission without authentication of a chip ID on protocol initiation.
If this ID is different for every passport it could enable tracking the movements of the passport holder by unauthorized parties.
Security And Privacy Threats Baseline ICAO regulations require digital signatures on e-passport data. These signatures allow the reader to verify that the data came from the correct passport-issuing authority.
No defense against cloning since the digital signatures do not bind the data to a particular passport or chip.
Security And Privacy Threats Faraday cages do not prevent eavesdropping on legitimate passport-to-reader communications. Eavesdropping problematic for three reasons: Function Creep : e-passports will be used in new areas like e-commerce. Feasibility: maybe feasible at longer distance.
Detection Difficulty: it is purely passive and does not involve powered signal emission.
Security And Privacy Threats Baseline ICAO regulations require digitized headshots (Secrecy needed for authentication).
Automation required with e-passports and physical environment is not strictly controlled.
Security And Privacy Threats Cryptographic weaknesses: ICAO guidelines include an optional mechanism for authenticating and encrypting passport-to-reader communications.
No mechanism to revoke access once a reader knows the k key. K key allows passport to talk to legitimate reader before releasing RFID tag information. K key used to encrypt all data transmitted between the passport and the reader.
E-Passport Threats Vulnerable to surreptitious reading. RFID readers installed in doorway could be read from anyone passing through the doorway. Could be set up as a part of security checkpoints at airports, sporting events or concerts. Could be placed in shops or entrances of the buildings. Problematic since the RFID chip contains sensitive information like passport holder’s name, date of birth, passport number.
RFID protocols executed by e-passport may also leak information. It uses a special UID value which is fixed and different for each e-passport, it acts as a static identifier for tracking the movement of e-passports.
E-Passport Threats photograph, name, birthday, social security number necessary ingredients to build a new identity or create fake document. static identifier allows for tracking the movements of RFID device.
Hotlisting: targeting specific individuals.
Biometric Threat Opportunity for spoofing authentication system Compromised data in one system threaten integrity of unrelated ones Special properties Passport photos Higher quality than the image an attacker may produce
Spoof face-recognition systems
Cryptography in E-passports ICAO specification: specifies mandatory cryptographic feature for e-passports. Data on e-passport signed by issuing nation Permitted signature algorithms: RSA, DSA and ECDSA Only demonstrates that data is authentic
Does not prove that container for data is authentic (i.e. the passport)
ICAO specifications Optional cryptographic features for improved security. Basic Access Control and Secure Messaging: -Confidentiality feature. - Stores a pair of secret cryptographic keys (K ENC ,K MAC ). Data contents released only if the authentication is successful. - Ensures data is read by authorized RFID reader.
Relies on public key cryptography
Basic Access Control When a reader attempts to scan the passport, it engages in challenge response protocol that proves the knowledge of the pair of keys and derives a session key. Data contents are released only if the authentication is successful. The keys derive from optically scannable data printed on the passport Date of expiration of the passport
Three check digits, one for each of the three preceding values.
E-passports use the ISO 1170-2 Key Establishment Mechanism 6.
Encryption and Decryption Two key 3DES CBC mode with zero IV Cryptographic checksums are calculated using ISO/IEC 9797-1 MAC algorithm 3 with Block cipher DES
ISO9797-1 padding method 2
Shortcomings of Basic Access Control The entropy key is too small. Single key is used for lifetime of the e-passport.
Despite of the shortcomings Basic Access Control is better than no encryption at all.
Active Authentication Does not prevent unauthorized parties from reading e-passport contents. Relies on public key cryptography. Works by having e-passport prove possession of a private key.
Corresponding public key is stored as part of the signed data on the passport.
Active Authentication The ICAO guidelines specify an integer factorization based signature such as RSA. To authenticate the passport receives an 8-byte challenge from the reader. It digitally signs this value using its private key and returns the result. The reader can verify the correctness of the response against the public key for the passport.
The ICAO guidelines specify use of the ISO/IEC 7816 Internal Authenticate Mechanism with ISO 9796-2 Signature Scheme 1 padding.
Active Authentication Mechanism Random nonce Verifies signed message with passport’s public key Random nonce Concatenation Signs X with private key with ISO 9796-2 padding
Active Authentication Mechanism The public key must be tied to the specific e-passport and biometric data presented to avoid man-in-the-middle attack. Every reader capable of Active Authentication and compliant with the ICAO specification also has the hardware capability necessary for Basic Access Control to avoid the risk of clones e-passport.
The private key used in Active Authentication must never leave a particular e-passport.
Active Authentication Issues The certificate required for verifying Active Authentication also contains enough information to derive a key for Basic Access Control as a result the certificate must be kept secret. When used with RSA or Rabin-Williams signatures responses with different moduli and hence from different e-passports can be distinguished.
It enables tracking and hotlisting attacks even if Basic Access Control has been employed and session keys derived.
Related Work Points out the need for direct link between optically scanned card data and secret keys embedded in e-passports Outlines the privacy problems with passports readable by anyone Discusses issues in e-passport deployment in the Netherlands Highlights the importance of basic access control
Investigates the issues surrounding a national database of biometrics identifiers
Related Work Smart Card Research Group at IBM Zurich
Demonstrates a Javacard application running on a Philips chip that performs basic access control and active access control in under 2 seconds
Cryptographic measures in planned deployments Federal Register notice dated 18 February 2005 provides a number of details on U.S. e-passport plans. The Federal notice offers three reasons for the decision not to implement Basic Access Control: The data stored in the chip are identical to those printed in the passport. Encrypted data would slow entry processing time. Encryption would impose more difficult technical coordination requirements among nations implementing the e-passport system.
E-passports will carry Faraday cages and readers will be shielded to prevent eavesdropping.
Flaw in Federal notice reasoning Reason 3 is flawed because : Active Authentication required an optical scan of a passport to provide the claimed anti-cloning benefit. This is why The ICAO spec mandates readers supporting Active Authentication be able to optically scan e-passports. This optical scan capability is also sufficient for Basic Access Control.
All the data required to derive keys for Basic Access Control is present on the data page of the e-passport, no coordination among nations is required.
Planned Deployments Malaysian identity cards/passports are not compliant as it predates ICAO standards Other nations may or may not meet the United Stats mandate for deployment in 2005
Due to complaints from several countries, the deadline as been extended from October 2005 to October 2006
Strengthening today’s E-passports Simple measures to prevent unauthorized reading of e-passports. Materials such as aluminum fiber are opaque to RF signals could be used to create a Faraday cage.
Deprecated because does not prevent eavesdropping on legitimate conversations between readers and tags.
Strengthening today’s E-passports Larger secrets for basic access control: Long term keys for Basic Access Control have 52 bits of entropy which is too low to resist a brute-force attack. A simple countermeasure would be to add a 128-bit secret unique to each passport to the key derivation algorithm.
The secret would be printed together with other passport information on the passport.
Strengthening today’s E-passports Such secret could take the form of a larger passport ID number or a separate field on an e-passport.
To aid mechanical reading the secret might be represented as a two dimensional bar code or written in an OCR font to the Machine Readable Zone of each passport.
Strengthening today’s E-passports Private Collision avoidance: Collision avoidance protocol in ISO 14443 uses a UID as part of its collision avoidance protocol. Care must be taken that UID is different on each reading and that UIDs are unlinkable across sessions.
Countermeasure is to pick a new random identifier on every tag read.
Strengthening today’s E-passports Beyond Optically readable keys: Current ICAO approach neatly ties together physical presence and the ability to read biometric data. Next generation ID cards cannot count on this kind of tight coupling.
Important to create a keying mechanism that limits a reader’s power to reuse secret keys and a matching authorization infrastructure for e-passport readers.
Future Issues in E-passports Visas and writeable e-passports: Once the e-passports are accepted there would be a push for e-passports that support visas and other endorsements. Because different RFID tags on the same passport can interfere with each other it may not be feasible to include a new RFID tag with each visa stamp. Instead we would like to keep visa information on the same chip as the standard passport data.
These features require writing new data to an e-passport after issuance.
Future Issues in E-passports A simple first attempt at visas on e-passports: An area specified as append-only memory for visas Visa would be named by e-passport and signed by issuing government
Could possibly include “sanity checks” to ensure a visa is properly signed and names the correct e-passport before committing it to the visa memory area
Future Issues in E-passports Another thing to consider is that some travelers do not want border control to know where they’ve traveled For example, most Arab countries will refuse entry to holders of passports which bear Israeli visas The previous example is considered a legitimate reason, but someone entering the United States from Canada may be harboring terrorists
It may be hard in the future to determine the legitimate reasons from the illegitimate, but preventing illegitimate visa removals will become a goal of future visa-enabled e-passports
Future Issues in E-passports Passports might some day come to serve as authenticators for consumer payments or mass transit passes Has the ability to undermine data protection features as it will spread bearer data more widely among divergent systems
May lead to consumer convenience (i.e. removal of optical scanning and faraday-cage use)
Future Issues in E-passport Unless new privacy features are added, it is conceivable that an e-passport can reveal a great deal of private information For example, an age check at a bar can also leak information about their passport number, place of birth, and possibly elements of their travel history
Web cookies are an instructive example of function creep
Conclusion The secrecy requirements for biometric data imply that unauthorized reading of e-passport data is a security risk as well as a privacy risk At a minimum, a Faraday Cage and Basic Access Control should be used in ICAE deployments to prevent unauthorized remote reading of e-passports. Because the U.S. deployment uses Active Authentication, readers are required to include the capability to optically scan e-passports. This capability is sufficient for Basic Access Control and would therefore require no change or coordination with other nations to implement it.
Today’s e-passports deployments are just the first wave of next-generation identification devices
References http://travel.state.gov/passport/eppt/eppt_2788.html http://www.state.gov/r/pa/prs/ps/2006/70433.htm http://en.wikipedia.org/wiki/RFID
Epassport.ppt presented by Vivian Bates and Pano Elenis