An Online secure ePassport Protocol

Slide 1. An On-line Secure E-Passport Protocol
Vijayakrishnan Pasupathinathan, with Josef Pieprzyk and Huaxiong Wang
Centre for Advanced Computing - Algorithms and Cryptography (ACAC), Macquarie University, Australia

Slide 2. Outline
• Overview of E-passport
• First Generation - some known weaknesses
• Second Generation
  • Working and Problems
• An Online E-passport Proposal

Slide 3. E-passport Overview
• Integration of a biometric-enabled contactless smart card microchip.
• E-passport guideline (DOC 9303) developed by the International Civil Aviation Organisation (ICAO).
• Describes the communication protocol
  • Provides details on establishing a secure communication channel between an e-passport and an e-passport reader
  • Authentication mechanisms.
• Uses existing approved standards such as ISO 14443, ISO 11770, ISO/IEC 7816, ISO 9796.

Slides 5-7. E-passport Overview
• Yesterday: Machine readable passport with MRZ (image courtesy of DFAT Australia)
• Today: Electronic passport with digital image
• Tomorrow: Passports with secondary biometric information

Slide 8. E-passport Operation: First Generation
• Basic Access Control - enables encrypted communication.
• Passive Authentication - provides integrity of e-passport data.
• Active Authentication - provides authentication of chip contents.
Flow: the e-passport holder visits a check point; border security runs Scan MRZ, then BAC, Passive Auth and Active Auth.

Slide 9. First generation PKI
Diagram: country CSCAs, each with its Document Signers (DS ... DS) that sign the e-passports, and the ICAO PKD.
As of Dec. 2007, 4 countries actively upload to the PKD (Australia, Japan, New Zealand and Singapore). By early 2009, 20 countries are expected to join the PKD.
Slide 10. Known Attacks (Problems) in First Generation E-passports
• BAC is optional! So, encryption is optional.
• Low entropy (3DES, max. 112 bits; BAC max. 56/74 bits, in practice 30-50 bits) [Juels et al. 2005]
  • The authentication key is derived from document number, DoB, DoE.
• No protection against cloning. [G. S. Kc et al. 2005]

Slide 11. Known Attacks (Problems) in First Generation E-passports
• Formal verification of the complete protocol [V. Pasupathinathan et al. 2008]
  • No data origin authentication.
    • Can be exploited because of weakness in facial biometric.
  • Subject to replay and Grand master attacks.
  • Vulnerable to certificate manipulation.
• And there are others too!
Slide 12. Second Take! Second Generation E-passports
• Proposed by BSI Germany [Kügler 2005]
• Adopted by the EU in June 2006
  • June 2009: all EU members will implement.
• Adds extra biometric identifiers - fingerprints (optionally, iris scan).
• New protocols to enhance security: Extended Access Control (EAC).

Slide 13. EAC Mechanisms
• Based on Diffie-Hellman key pair (PKCS #3 or ISO 15946)
• Chip Authentication - replaces active authentication
• Terminal Authentication
Flow: the e-passport holder visits a check point; border security runs Scan MRZ, then BAC, Chip Auth, Passive Auth and Terminal Auth.

Slide 14. EAC Mechanisms
Chip Authentication (Chip and IS):
• The chip holds a static key pair (PKc, SKc), with PKc anchored in the PKI structure, and sends PKc.
• The IS generates an ephemeral key pair (PK', SK') and sends PK'.
• Chip: K = KA(PK', SKc). IS: K = KA(PKc, SK').
Terminal Authentication (Chip and IS):
• The chip sends RNDc.
• The IS computes z = IDc || RNDc || H(PK') and S = SIGN{z}, and sends S.
• The chip verifies {S}.
Photo courtesy ICAO MRTD Report, November 2007.
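Slide 14's two exchanges, modelled end to end as an added Python example (not the authors' code, nor an implementation of the BSI EAC specification): the DH group, the RSA primes and the chip identifier are constructed toy values, and the IS public key is assumed to have already been accepted from its certificate chain. It also exercises the two checks a verifier relies on: the fresh RNDc against replay, and H(PK') binding the signature to this session's ephemeral key.

```python
"""EAC Chip Authentication and Terminal Authentication as sketched on slide 14.
Added example, not the authors' code. Group and key parameters are constructed
toy values so it runs offline with the standard library only; they provide no
real security (a deployment uses the standardised DH groups the slide cites)."""
import hashlib
import secrets

# Constructed toy Diffie-Hellman group (prime modulus and generator).
P = 2**127 - 1
G = 3
# Constructed toy RSA primes for the IS signing key (fixed, so every IS
# instance in this demo shares one key; real systems issue one per terminal).
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1

def int_bytes(x: int) -> bytes:
    """Fixed-width encoding of a group element (all elements are < 2**127)."""
    return x.to_bytes(16, "big")

def kdf(shared: int) -> bytes:
    """Toy key derivation: session key K = SHA-256 of the DH shared secret."""
    return hashlib.sha256(int_bytes(shared)).digest()

def rsa_keygen():
    """Textbook RSA key pair (no padding, toy sizes): returns (private, public)."""
    n = RSA_P * RSA_Q
    d = pow(65537, -1, (RSA_P - 1) * (RSA_Q - 1))  # modular inverse (Python 3.8+)
    return (d, n), (65537, n)

def rsa_sign(priv, msg: bytes) -> int:
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % n, d, n)

def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

class Chip:
    """E-passport chip with its static DH key pair (PKc, SKc)."""

    def __init__(self, chip_id: bytes):
        self.id = chip_id                       # IDc, known to the IS after the MRZ read
        self.sk_c = secrets.randbelow(P - 2) + 1
        self.pk_c = pow(G, self.sk_c, P)        # PKc; in EAC it is covered by the DS signature
        self.session_key = None
        self.rnd_c = None

    def chip_auth(self, pk_prime: int) -> None:
        """K = KA(PK', SKc). Only a chip holding SKc derives the same K as the IS."""
        if not 1 < pk_prime < P - 1:            # reject degenerate ephemeral keys
            raise ValueError("invalid ephemeral public key")
        self.session_key = kdf(pow(pk_prime, self.sk_c, P))

    def terminal_auth_challenge(self) -> bytes:
        """Fresh RNDc so a captured signature cannot be replayed later."""
        self.rnd_c = secrets.token_bytes(8)
        return self.rnd_c

    def terminal_auth_verify(self, sig: int, is_pub, pk_prime: int) -> bool:
        """Verify S over z = IDc || RNDc || H(PK'). is_pub is assumed to come from
        the IS certificate chain; the chip cannot check certificate dates itself
        because it has no clock (slide 16), so that check is not modelled here."""
        z = self.id + self.rnd_c + hashlib.sha256(int_bytes(pk_prime)).digest()
        return rsa_verify(is_pub, z, sig)

class InspectionSystem:
    """Inspection System (IS) with a signing key and a fresh ephemeral DH key pair."""

    def __init__(self):
        self.sign_key, self.pub_key = rsa_keygen()
        self.sk_prime = secrets.randbelow(P - 2) + 1
        self.pk_prime = pow(G, self.sk_prime, P)  # PK'
        self.session_key = None

    def chip_auth(self, pk_c: int) -> None:
        """K = KA(PKc, SK')."""
        self.session_key = kdf(pow(pk_c, self.sk_prime, P))

    def terminal_auth_sign(self, chip_id: bytes, rnd_c: bytes) -> int:
        """S = SIGN{z}; H(PK') in z ties the signature to this session's ephemeral key."""
        z = chip_id + rnd_c + hashlib.sha256(int_bytes(self.pk_prime)).digest()
        return rsa_sign(self.sign_key, z)

def run_eac(chip: Chip, terminal: InspectionSystem) -> dict:
    """Run Chip Authentication then Terminal Authentication and report the outcome."""
    chip.chip_auth(terminal.pk_prime)                   # IS -> chip: PK'
    terminal.chip_auth(chip.pk_c)                       # chip -> IS: PKc
    rnd_c = chip.terminal_auth_challenge()              # chip -> IS: RNDc
    sig = terminal.terminal_auth_sign(chip.id, rnd_c)   # IS -> chip: S
    return {
        "keys_match": chip.session_key == terminal.session_key,
        "terminal_ok": chip.terminal_auth_verify(sig, terminal.pub_key, terminal.pk_prime),
        "signature": sig,
    }

if __name__ == "__main__":
    passport = Chip(b"P<AUS0000001")                    # constructed chip identifier
    print(run_eac(passport, InspectionSystem()))
```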
Slides 15-23. Problems with EAC - PKI
Diagram: the e-passport's home country CSCA certifies the Document Signer (Certify{PKds}); the Document Signer certifies the chip key (Certify{PKc}); the e-passport sends its public key for Chip Auth (PKc). In the visiting country, the Document Verifier (DV ... DV) certifies ALL inspection systems; the Visiting Country Inspection System presents CERT{IS}{DV}{VCSCA}, and the e-passport must check ALL certificates.
Callouts on the diagram:
• NOT useful: E-passports DON'T have an internal clock! How does it know if the certificate is valid?
• How many?? What is the limit? Vulnerable to denial of service when combined with first-generation weaknesses!
• How long is this valid? Passports are normally valid for 5 or 10 years! The Document Issuer needs to be around 15 years, the CSCA around 20 years! We can have passports with expired certificates!
• Identity revealed: the identity of the passport is revealed before the terminal is authenticated!

Slide 24. EAC: other Problems
• IS requires write access to e-passports.
  • Border control terminals need to update CSCA certificates when they pass through.
• Terminal Authentication is weak.
  • Can authenticate who is writing to the e-passport.
• Only semi-forward secrecy [Monnerat et al. 2007]
• Leakage of digest [Monnerat et al. 2007]
  • Security objects in the chip
Slide 25. Online Secure E-passport Protocol
• Why online?
  • Use the same PKI as in the first generation.
  • Eliminate the need to send long certificate chains.
• Provide security guarantees for
  • Identification and authentication of both e-passport and inspection systems (i.e. mutual).
  • Privacy protection for e-passport holders.
  • Confidentiality of information (session-key security and e-passport data).

Slides 26-31. Online Secure E-passport Protocol (message flow)
Parties: E-passport, Visiting Country Inspection System (IS), DV.
1. Create and send session key part.
2. IS: read MRZ and send a signed message to the DV.
3. DV: verify the IS; sign the session key and the IS public key. The DV may choose to send the e-passport ID.
4. All messages from here on are encrypted: information is sent back from the DV encrypted using the session key formed.
5. E-passport: verify the signature (only the DV public key is needed).
6. E-passport: send certificate and ID. IS: verify ID and certificate, compare with the DV information.

Slide 32. OSEP Characteristics
• The protocol is SK-secure. [Canetti 2001]
• Tamper-detectable integrity check protects against passport forgery (data in the e-passport is hashed and signed by the document signer).
• Same PKI as first generation.
• Minimal computation by the e-passport.
• Passport identity is released only to authenticated inspection systems.

Slide 33. What needs to be done?
• Online nature can induce delays.
  • Fall back to off-line authentication.
• But current passport systems use online communication.
• Integrate with the SMART GATE system (an automated processing system).