an online secure epassport protocol

An On-line Secure E-Passport Protocol

Vijayakrishnan Pasupathinathanwith, Josef Pieprzyk and Huaxiong Wang

Centre for Advanced Computing - Algorithms and Cryptography (ACAC)Macquarie University, Australia

1

Outline

• Overview of E-passport

• First Generation - some known weaknesses

• Second Generation

• Working and Problems

• An Online E-passport Proposal

2

E-passport Overview• Integration of a biometric enabled contact-less smart

card microchip.

• E-passport guideline (DOC 9303) developed by International Civil Aviation Organisation (ICAO).

• Describes communication protocol

• Provides details on establishing a secure communication channel between an e-passport and an e-passport reader

• Authentication mechanisms.

• Uses existing approved standard such as ISO14443, ISO11770, ISO/IEC 7816, ISO 9796.

3

E-passport Overview

4

E-passport Overview

• Yesterday: Machine readable passport with MRZ

4

Image courtesy of DFAT Australia

E-passport Overview


4

• Today: Electronic Passport with digital Image

E-passport Overview


4

• Today: Electronic Passport with digital Image

• Tomorrow: Passports with secondary biometric information

E-passport Operation First Generation

• Basic Access Control - enables encrypted communication.

• Passive Authentication - provides integrity of e-passport data.

• Active Authentication - provides authentication of chip contents.

5

E-passport Holder Border Security

Visits a check point Scan MRZ

BAC

Passive Auth

Active Auth

First generation PKI

PKD(ICAO)

Country CSCA

DS DS

E-passport

...

Country CSCA

Country CSCA

.

.

.

As of Dec. 2007 - 4 countries are actively upload to PKD. (Australia, Japan, New Zealand and Singapore)By early 2009, 20 countries are expected to join PKD

Known Attacks (Problems) in First Generation E-passports

• BAC is optional! So, encryption is optional.

• Low entropy (3DES, max. 112b, BAC max 56/74b, in practice 30-50b)[Jules et. al. 2005]

• The authentication key is derived from document\#, DoB, DoE.

• No protection against cloning. [G S. Kc et. al. 2005]

7

Known Attacks (Problems) in First Generation E-passports

• Formal verification of the complete protocol [V. Pasupathinathan et. al 2008]

• No data origin authentication.

• Can be exploited because of weakness in facial biometric.

• Subject to replay and Grand master attacks.

• Vulnerable to Certificate Manipulation.

And there are others too!

8

Second Take!Second Generation E-passports

• Proposed by BSI Germany [Kluger 2005]

• Adopted by EU in June 2006

• New protocols to enhance security for Extended Access Control (EAC).

• Adds extra biometric identifiers - finger prints (optionally, Iris scan).

• June 2009 all EU members will implement.

9

EAC Mechanisms

• Based on Diffie-Hellman Key Pair (PKCS #3 or ISO 15946)

• Chip Authentication - replaces active authentication

• Terminal Authentication

E-passport Holder Border SecurityVisits a check point Scan MRZ

BAC

Chip Auth

Passive Auth

Terminal Auth

10

EAC Mechanisms

Photo Courtesy ICAO MRTD Report November 2007

Chip Authentication

Terminal Authentication

PKI Structure

Chip ISPKc SKc Dc Send PKc

Generate ephemeral key-pair

Send PK’ PK’ SK’

K= KA(Pk’ SKc) K = KA(PKc SK’)

Chip ISRNDc Send RNDc

z = IDc || RNDc || H(PK’)

S = SIGN{ z }

Verify {S} Send S

Problems with EAC - PKI

12

E-passport

Visiting CountryInspection System

E-passport’s Home Country (CSCA)

DV

Certify{PKc}

DV.....

Certify ALL IS systems

Visiting Country’s Document Verifier

Check ALL Certificates

CERT{IS}{DV}{VCSCA}

Document Signer

Chip Auth - PKc

Certify{PKds}

Send Public Key


12

E-passport



DV

Certify{PKc}

DV.....




CERT{IS}{DV}{VCSCA}

E-passports DONT have an internal clock!! How does it now if the certificate is valid?

Document Signer

Chip Auth - PKc

Certify{PKds}

NOT Useful

Send Public Key


12

E-passport



DV

Certify{PKc}

DV.....




CERT{IS}{DV}{VCSCA}

Document Signer

Chip Auth - PKc

Certify{PKds}

Send Public Key


12

E-passport



DV

Certify{PKc}

DV.....




CERT{IS}{DV}{VCSCA}

How Many??

What is the Limit? Vulnerable to Denial of Service when combined

with first generation weaknesses!

Document Signer

Chip Auth - PKc

Certify{PKds}

Send Public Key


12

E-passport



DV

Certify{PKc}

DV.....




CERT{IS}{DV}{VCSCA}

Document Signer

Chip Auth - PKc

Certify{PKds}

Send Public Key


12

E-passport



DV

Certify{PKc}

DV.....




CERT{IS}{DV}{VCSCA}

Passports are normally valid for 5 or 10 years!!! Document Issuer need to be around 15 years CSCA around 20 years!

We can have passport with expired certificates!!

Document Signer

How Long is this valid?

Chip Auth - PKc

Certify{PKds}

Send Public Key


12

E-passport



DV

Certify{PKc}

DV.....




CERT{IS}{DV}{VCSCA}

Document Signer

Chip Auth - PKc

Certify{PKds}

Send Public Key


12

E-passport



DV

Certify{PKc}

DV.....




CERT{IS}{DV}{VCSCA}

Document Signer

Chip Auth - PKc

Certify{PKds}

Identity Revealed

Identity of the Passport revealed before terminal is authenticated!

Send Public Key


12

E-passport



DV

Certify{PKc}

DV.....




CERT{IS}{DV}{VCSCA}

Document Signer

Chip Auth - PKc

Certify{PKds}

Send Public Key

EAC other Problems

• IS requires write access to E-passports.

• Border Control terminal need to update CSCA certificates when they pass through.

• Terminal Authentication is weak.

• Can authenticate who is writing to e-passport.

• Only semi-forward secrecy [Monnerat et al 2007]

• Leakage of Digest [Monnerat et al 2007]

• Security objects in the chip

13

Online Secure E-passport Protocol

• Why Online?

• Use the same PKI as in First Generation.

• Eliminate the need to send long certificate chains.

• Provide security guarantees for

• Identification and authentication of both e-passport and inspection systems. (i.e. Mutual)

• Privacy protection to e-passport holders.

• Confidentiality of information (session-key security and e-passport data)

14


E-passport Visiting CountryInspection System

DV

15



DV

create and send session key part

15



DV


Read MRZ and send signed message to DV

15



DV



Verify ISSign session key and IS public key

DV may choose to send e-passport ID

15



DV



Verify ISSign session key and IS public keySend Information back from DV

encrypted using session key formed

All Message from hereon is encrypted

Verify signatureOnly DV public key

15



DV



Verify ISSign session key and IS public keySend Information back from DV

encrypted using session key formed

Send Certificate and ID Verify ID and certificate

Compare with DV information

Verify signatureOnly DV public key

15

OSEP Characteristics

• The protocol is SK-secure. [Canetti 2001]

• Minimal computation by e-passport.

• Passport identity is released only to authenticated Inspection Systems.

• Tamper detectable integrity check protects against passport forgery. (data in e-passport is hashed and signed by document signer

• Same PKI as first generation.

16

What needs to be done?

• Online nature can induce delays.

• Fallback to off-line authentication.

• But current passport systems use online communication.

• Integrate with SMART GATE system. (An automated processing system)

17

Thank [email protected]

18

mailto:[email protected]

mailto:[email protected]

an online secure epassport protocol

Technology