Title: Security and Privacy Issues in Epassport
1- Security and Privacy Issues in E-passport
- Ari Juels, David Molnar, and David Wagner
- Presented by
- Vivian Bates and Pano Elenis
2Outline
- Key Words
- Introduction
- Radio Frequency identification (RFID)
- Biometrics
- Related Work
- Security and Privacy Threats
- Cryptography in E-passports
- Strengthening Todays E-passport
- Future Issues in E-passport
- Conclusion
3Key Words
- US-VISIT
- United States Visitor and Immigrant Status
Indicator Technology program - ISO
- International Organization for
Standardization - ICAO
- International Civil Aviation
Organization, the issuer of the biometric
passport standard currently being applied. The
ISO 7501-12005 is a short form of the ICAO
standard - RFID
- Radio Frequency Identification is an
automatic identification method that rely on
storing and remotely retrieving data using
devices called RFID tags or transponders - RFID (chip)
- Radio Frequency IDentifier (chip) a
family of small chips that are capable of
permanently and/or temporarily store information
and duplex communication with a reader using
radio waves - MRTD
- Machine-Readable Travel Documents, an
abbreviation used by the ICAO, means machine can
read passports, visas and official travel
documents - Faraday Cage
- A capsule of radio wave blocking material
(example aluminum) used to protect the RFID-chip
in biometric passports from being read at other
times than when reading is expected - Biometric
- The verification of a human identity
through the measurement of biological or
behavioral characteristics. A unique, measurable
characteristic or trait of a human being for
automatically recognizing or verifying identity
4 Introduction New Generation
of Identity Cards Combination
of RFID and Biometric TechnologyPurpose Reduce
Fraud Identity Check Enhance security
- ICAO guidelines
- RFID chips to store and transmit data in a
wireless manner - biometric identity verification (face
recognition) - ISO 14443 specifications
- radio frequency of 13.56MHZ
- small passive chip
- no on-board source of power
- power derived indirectly from signal of a reader
- intended read range 10 centimeters
5 US-VISIT US-VISIT is a first step in a
multi-layered approach to enhance border security
mandated adoption by October 2006 of
Biometrically enabled passports by twenty-seven
nations in its Visa-Waiver Program (VMP)
- Foreign visitors traveling to the United States
must have their two index fingers scanned and a
digital photograph taken to match and
authenticate their travel documents at the port
of entry - The US-VISIT requirements do not replace visa
requirements for entering the United States - For more information on visas, please visit the
U.S. Department of State's
6Passports
-
- RFID tags are being embedded in passports issued
by many countries - First E-passports issued by Malaysia in 1998
- information
- visual data page
- record the travel history (time, date, and place)
of entries and exits from the country - 5,000,000 1st generation in circulation, image of
thumbprint - 125,000 2nd generation in circulation, extracted
fingerprint only - Standards for RFID Passports
- International Civil Aviation Organization (ICAO)
- ICAO Document 9303, Part 1, Volumes 1 and 2 (6th
edition, 2006) - ICAO refers to the ISO 14443 RFID chips in
e-passports as "contactless
integrated circuits - ICAO standards provide for e-passports to be
identifiable by a standard e-passport logo on the
front cover.
7Passports
- RFID tags are included in new UK and some new US
passports beginning in 2006 - The US produced 10 million passports in 2005
- Estimated that 13 million will be produced in
2006 - The chips will store the same information that is
printed within the passport - Include a digital picture of the owner
- The passports will incorporate a thin metal
lining to make it more difficult for unauthorized
readers to "skim" information when the passport
is closed
8Radio waves have the longest wavelengths in the
electromagnetic spectrum These waves can be
longer than a football field or as short as a
football
http//imagers.gsfc.nasa.gov/ems/radio.html
9History of RFID
- Radio Frequency Identification automatic
identification method that rely on storing and - remotely retrieving data using devices called
RFID tags or transponders - 1946 Leon Theremin invented an espionage tool for
the Soviet government which retransmitted
incident radio waves with audio information - 1939 The British IFF transponder invented by the
British used by the allies in World War II to
identify airplanes as friend or foe - 1948 Harry Stockmans paper "Communication by
Means of Reflected Power" (Proceedings of the
IRE, pp 11961204, October predicted that
"...considerable research and development work
has to be done before the remaining basic
problems in reflected-power communication are
solved, and before the field of useful
applications is explored. - Mario Cardullo U.S. Patent 3,713,148 in 1973 was
the first true ancestor of modern RFID (a passive
radio transponder with memory) - 1973 The first demonstration of today's reflected
power passive and active (backscatter) RFID tags
done at the Los Alamos Scientific Laboratory
10General RFID
- Data transmitted by a mobile device called a tag
- Tag read by an RFID reader
- RFID process according to the needs of a
particular application - Data transmitted by the tag may provide
- identification
- location information
- product tag specifics
- price
- color
- date of purchase
- Two Types of Tags
- Passive
- Active
11 Passive RFID Tags
- Internal power supply
- Electrical current induced in the antenna by the
incoming radio frequency signal - CMOS integrated circuit tag to power up and
transmit a response - Most passive tags signal by backscattering the
carrier signal from the reader - Response not necessarily just an ID number
- Tag chip can contain non-volatile EEPROM for
storing data. - Embedded in a sticker or under the skin
12 Passive RFID Tags
- Smallest devices measured 0.15 mm 0.15 mm
- Thinner than a sheet of paper 7.5 micrometers
- Lowest cost EPC RFID tags (used by Wal-Mart,
Target, Tesco in UK and Metro AG in Germany) for
5 cents - Antenna tag size of a postage stamp to the size
of a post card - Passive tags practical read distances ranging
from about 10 cm (4 in.) to a few meters - Non-silicon tags made from polymer semiconductors
are currently being developed by several
companies globally - Less expensive than silicon-based tags
13 Active RFID Tags
- Own internal power source which is used to power
any ICs that generate the outgoing signal - More reliable than passive tags due to the
ability for active tags to conduct a "session"
with a reader - Onboard power supply transmit at higher power
levels than passive tags, allowing them to be
more effective in "RF challenged" environments - like water (including humans/cattle, which are
mostly water) - metal (shipping containers, vehicles)
- longer distances
14 Active RFID Tags
- Ranges hundreds of meters
- Battery life of up to 10 years
- Include sensors such as temperature logging
- concrete maturity monitoring
- monitor the temperature of perishable goods
- humidity, shock/vibration
- light, radiation, temperature and atmospherics
like ethylene -
- Range 300 feet
- Larger memories than passive tags
- Store additional information sent by the
transceiver - The United States Department of Defense
- reduce logistics costs
- improve supply chain visibility for more than 15
years
15 Supply Chain vs. Passport RFID
- Passport RFID
- shorter intended read range
- tamper resistance
- cryptography
- Supply Chain RFID
- simple
- cheap
- no support for cryptography
- single identifier
- (kill command-render
- tag inoperable)
- frequency 915 MHz
- range read 5 meters
16BiometricsA unique, measurable characteristic
or trait of a human being for automatically
recognizing or verifying identity
- Practical biometrics for e-passport deployment
- Face recognition-automated analog of the ordinary
human process of recognition - Fingerprint- determines that two friction ridge
impressions originated from the same finger or
palm - Imaging and automation fingerprint matching
- Fingerprint scanners optical or silicon-sensor
forms - Iris- uses pattern recognition techniques based
on high resolution images of the iris of an
individual's eye
17Related Work
- Pattinson
- Points out the need for direct link between
optically scanned card data and secret keys
embedded in e-passports - Outlines the privacy problems with-passports
readable by anyone - Jacob
- Discusses issues in e-passport deployment in the
Netherlands - Highlights the importance of basic access control
- Investigates the issues surrounding a national
database of biometrics identifiers - Smart Card Research Group at IBM Zurich
- Demonstrates a Javacard application running on a
Philips chip that performs basic access control
and active access control in under 2 seconds
18E-Passports Security and Privacy Threats
- Clandestine scanning
- Clandestine tracking
- Skimming and cloning
- Eavesdropping
- Biometric data-leakage
- Cryptographic weaknesses
19 Secrecy and Privacy Threats
- Clandestine scanning
- Problem Baseline ICAO guidelines do not require
encryption or - authentication between passports
and readers - An unprotected chip is subject to
short range illegal scanning - Clandestine tracking
- Problem The standard for e-passport RFID chips
(ISO 14443) stipulates the emission (without
authentication) - of a chip ID on protocol initiation
- A different ID on every passport (even if data
can not be read) could enable tracking the
movement of passport holder by unauthorized
parties - Skimming and cloning
- Problem Baseline ICAO regulations require
digital signatures on e- passport data -
- Digital signatures allow the reader to verify
that data came from the correct passport
issuing authority - No defense against cloning because the digital
signatures do not bind the data to a particular
passport or chip
20 Secrecy and Privacy Threats
- Eavesdropping
- Problem Faraday cages do not prevent
eavesdropping on legitimate passport to reader
communications -
- Function creep e-passports will be used in new
areas like e-commerce - feasibility may be feasible at a longer
distance - Detection difficulty in passive do not involve
powered signal emission - Faraday cages (a metallic material in the cover
or holder ) prevent penetration of RFID signals -
- Biometric data leakage
- Problem Baseline ICAO regulations require
digitized headshots (Secrecy needed for
authentication) - Automation required with e-passports and
physical environment is not strictly controlled
-
- Cryptographic weakness
- Problem ICAO guidelines include an optional
mechanism for authenticating and encrypting
pass-port-to-reader communications -
- No mechanism to revoke access once a reader
knows the k key
21E-passport Threats
- Data leakage threats skimming-covert reading of
contents - Installation of RFID readers in doorways
- Security checkpoint
- airport
- sporting event
- concerts
- Clandestine readers resemble anti-theft gates
- shops
- entrances to buildings
- Identity Theft new identity or fake documents
- photograph, name, birthday, social security card
- Tracking and Hotlisting
- Tracking static identifier track movement of
RFID device - Hotlistings target specific individuals
- RFID enabled bomb keyed on collision avoidance
UID - Unattended triggering
- Comprehensive targeting
22Biometric Threats
- Automation
- Human oversight
- Opportunity for spoofing authentication system
- Spillover
- Compromised data one system threaten integrity of
unrelated ones - Special properties Passport photos
- Image Quality
- Higher quality than the image an attacker may
produce - Forgery
- Spoof face-recognition systems
23Cryptography in E-passports
- Pano Elenis
- ICAO Specifications
24The ICAO Specifications
- One mandatory cryptographic feature
- Passive authentication
- Data on e-passport signed by issuing nation
- Permitted algorithms RSA, DSA and ECDSA
- Only demonstrates that data is authentic
- Does not prove that container for data is
authentic (i.e. the passport)
25The ICAO Specifications
- Two optional cryptographic features for improved
security - Basic Access Control and Secure Messaging
- Ensures that data is only ready by authorized
RFID readers - Stores a pair of secret cryptographic keys (KENC,
KMAC) - Active Authentication
- Anti-cloning feature
- Relies on public-key cryptography
26Basic Access Control
- When a reader attempts to scan, a
challenge-response protocol is engaged - Proves knowledge of (KENC, KMAC) keys Upon
successful authentication, a session key is
derived and the passport releases its data - KENC and KMAC are derived from optically
scannable data printed on the passport - The passport number, the date of birth of the
bearer, the date of expiration of the passport
and three check, one for each of the three
preceding values.
27Key Establishment Mechanism 6
- Random nonce
- Checks MAC and decrypts
- Keying material
- Concatenation
- Encrypt
- Checksum
- Keying and Nonce
- Concatenation
- Encrypt
- Checksum
28Encryption and Decryption
- Two key 3DES in CBC mode with
- Zero IV (i.e. 0x00 00 00 00 00 00 00 00)
according to ISO 11568-2
29Retail Message Authentication Code
- Cryptographic checksums are calculated using
ISO/IEC 9797-1 MAC algorithm 3 with - Block cipher DES
- Zero IV (8 bytes)
- ISO9797-1 padding method 2.
30Basic Access Control Shortcomings
- Entropy of key is too small
- ICAO PKI Technical Report warns that entropy key
is at most 56 bits - Some of these bits may be guessable in some
circumstances - A single fixed key is used for the lifetime of
the e-passport - Impossible to revoke a readers access to the
e-passport once it has been read - Databases of keys may be inadvertently
compromised - Basic Access Control is still better than no
encryption at all
31Active Authentication
- Anti-cloning feature
- Does not prevent unauthorized parties from
reading e-passport contents - Relies on public-key cryptography
- Proves that e-passport has possession of a
private key - The corresponding public key is stored as a part
of the signed data on the passport
32Active Authentication Mechanism
ISO/IEC 7816 Internal Authenticate mechanism
- Random nonce
- Verifies signed message with passports public key
- Random nonce
- Concatenation
- Signs X with private key with ISO 9796-2 padding
33Active Authentication
- Public-key must be tied to specific e-passport
and biometric data to avoid man-in-the-middle
attacks - Every reader capable of Active Authentication and
is compliant with the ICAO specifications must
also have hardware capability for Basic Access
Control - Deployments that neglect this part will open
themselves to a risk of cloned e-passports
34Active Authentication Issues
- The certificate required for verifying Active
Authentication also contains enough information
to derive a key for Basic Access Control - When used with RSA or Rabin-Williams signatures,
responses can be distinguished - As a result, tracking and hotlisting attacks are
possible even if Basic Access Control is in use - It is recommended that Active Authentication be
carried out only over a secure session after
Basic Access Control has been employed and
session keys derived.
35Cryptographic measures in planned deployments
- A Federal Register notice dated February 18, 2005
provides a number of details on U.S. e-passport
plans - The Federal notice offers three reasons for the
decision not to implement Basic Access Control - The data stored in the chip is identical to the
data printed in the passport - Encrypted data would slow entry processing time
- Encryption would impose more difficult technical
coordination requirements among nations
implementing the e-passport system - Faraday cages will enough to prevent
eavesdropping
36Flaw in Federal notice reasoning
- Reason 3 is flawed because all the data required
to derive keys for Basic Access Control on the
data page, no coordination amongst nations is
required - Faraday cages are not sufficient to protected
against unauthorized eavesdropping - Lack of Basic Access Control means that any ISO
14443 compliant reader can easily read data from
the e-passport - Original deployment choices of the U.S. puts
e-passport holder at risk for tracking,
hotlisting and biometric leakage
37Planned Deployments
- Malaysian identity cards/passports are not
compliant as it predates ICAO standards - Other nations may or may not meet the United
Stats mandate for deployment in 2005 - Due to complaints from several countries, the
deadline as been extended from October 2005 to
October 2006
38Strengthening Todays E-passports
- Faraday cages
- Simple measure to prevent unauthorized readings
(skimmings) - Materials such as aluminum fiber can block RF
signals - Does not prevent an eavesdropper from snooping on
a legitimate reading - Faraday cages were deprecated in favor of Basic
Access Control because they do not prevent
eavesdropping.
39Strengthening Todays E-passports
- Larger secrets for Basic Access Control
- Long term keys only contain 52 bits of entropy
- Brute-force attack
- The addition of a 128-bit secret, unique to each
passport, would strengthen the resistance to
brute-force attacks - Private collision avoidance
- The collision avoidance protocol in ISO 14443
uses an UID - Care must be taken that each UID read is
different and that UIDs are unlinkable across
sessions - A countermeasure would be to pick a new random
identifier on every tag read
40Strengthening Todays E-passports
- Beyond optically readable keys
- Current ICAO approach ties neatly together with
physical presence and the ability to read
biometric data - Might not be possible for next-generation ID
cards - Important to create a keying mechanism that
limits a readers power to reuse secret keys and
a matching authorization infrastructure for
e-passport readers
41Future Issues in E-passports
- Visas and writeable e-passports
- Upon the acceptance of e-passports, there will be
the desire to support visas and other
endorsements - Being that multiple RFID chips may interfere with
each other, the feasibility to include a new RFID
tag with each visa stamp may not be possible - Instead, all the data would have to be stored on
the same chip as the passport data - Requires the ability to write data after issuance
42Future Issues in E-passports
- A simple first attempt at visas on e-passports
- An area specified as append-only memory for visas
- Visa would be named by e-passport and signed by
issuing government - Could possibly include sanity checks to ensure
a visa is properly signed and names the correct
e-passport before committing it to the visa
memory area
43Future Issues in E-passports
- Another thing to consider is that some travelers
do not want border control to know where theyve
traveled - For example, most Arab countries will refuse
entry to holders of passports which bear Israeli
visas - The previous example is considered a legitimate
reason, but someone entering the United States
from Canada may be harboring terrorists - It may be hard in the future to determine the
legitimate reasons from the illegitimate, but
preventing illegitimate visa removals will become
a goal of future visa-enabled e-passports
44Future Issues in E-passports
- Function creep
- Passports might some day come to serve as
authenticators for consumer payments or mass
transit passes - Has the ability to undermine data protection
features as it will spread bearer data more
widely among divergent systems - May lead to consumer convenience (i.e. removal of
optical scanning and faraday-cage use) - Unless new privacy features are added, it is
conceivable that an e-passport can reveal a great
deal of private information - For example, an age check at a bar can also leak
information about their passport number, place of
birth, and possibly elements of their travel
history - Web cookies are an instructive example of
function creep
45Conclusion
- The secrecy requirements for biometric data imply
that unauthorized reading of e-passport data is a
security risk as well as a privacy risk - At a minimum, a Faraday Cage and Basic Access
Control should be used in ICAE deployments to
prevent unauthorized remote reading of
e-passports. - Because the U.S. deployment uses Active
Authentication, readers are required to include
the capability to optically scan e-passports.
This capability is sufficient for Basic Access
Control and would therefore require no change or
coordination with other nations to implement it. - Todays e-passports deployments are just the
first wave of next-generation identification
devices
46Current News
- 27 countries participating in the Visa Waiver
Program - Andorra, Australia, Austria, Belgium, Brunei,
Denmark, Finland, France, Germany, Iceland,
Ireland, Italy, Japan, Liechtenstein, Luxembourg,
Monaco, the Netherlands, New Zealand, Norway,
Portugal, San Marino, Singapore, Slovenia, Spain,
Sweden, Switzerland and the United Kingdom.
47Current News
- According to a statement released by the
Department of State on August 14, 2006, the
issuance of e-passports to the public begins
today - Production has started at the Colorado Passport
Agency and will be expanded to other production
facilities over the next few months - Consistent with globally interoperable
specifications adopted by the International Civil
Aviation Organization (ICAO), this next
generation of the U.S. passport includes
biometric technology - A contactless chip in the rear cover of the
passport will contain the same data as that found
on the biographic data page of the passport
(name, date of birth, gender, place of birth,
dates of passport issuance and expiration,
passport number), and will also include a digital
image of the bearers photograph
48Current News
- The Department of State has employed a
multi-layered approach to protect the privacy of
the information - Metallic anti-skimming material incorporated into
the front cover and spine of the e-passport book
prevents the chip from being skimmed, or read,
when the book is fully closed - Basic Access Control (BAC) technology, which
requires that the data page be read
electronically to generate a key that unlocks the
chip, will prevent skimming and eavesdropping - A randomized unique identification (RUID) feature
will mitigate the risk that an e-passport holder
could be tracked. To prevent alteration or
modification of the data on the chip, and to
allow authorities to validate and authenticate
the data, the information on the chip will
include an electronic signature (PKI)
49Current News
- The Electronic Passport Logo
- Will be displayed at border inspection lanes and
transit ports equipped with special data readers
50Current News
- Hackers Clone E-Passports
- Successfully cloned to a blank RFID tag
- Not possible to change data on the chip without
being detected - Due to cryptographic hashes that authenticate
data
51Passport Front Cover
52 Inside Cover and First Page
53 Data and Signature Pages
54Visa Pages
55Visa Pages
56 Old and New Passport
57References
- http//travel.state.gov/passport/eppt/eppt_2788.ht
ml - http//www.state.gov/r/pa/prs/ps/2006/70433.htm
- http//travel.state.gov/passport/eppt/eppt_2502.ht
ml - http//www.infoworld.com/article/05/10/26/HNrfidpa
ssport_1.html - http//www.dhs.gov/xnews/releases/pr_1160497737875
.shtm - http//www.icao.int/mrtd/Home/Index.cfm
- http//www.wired.com/news/technology/0,71521-0.htm
l?twrss.index - http//http.cs.berkeley.edu/daw/papers/epassports
-sc05.pdf - http//en.wikipedia.org/wiki/RFID
- http//www.aware.com/products/compression/icaopack
_gg.html