security and privacy issues in e-passport ari juels, david molnar, and david wagner presented by...
TRANSCRIPT
Security and Privacy Issues in E-passport
Ari Juels, David Molnar, and David Wagner
Presented by
Vivian Bates and Pano Elenis
2
OutlineI. Key Words
II. Introduction
III. Radio Frequency identification (RFID)
IV. Biometrics
V. Related Work
VI. Security and Privacy Threats
VII. Cryptography in E-passports
VIII. Strengthening Today’s E-passport
IX. Future Issues in E-passport
X. Conclusion
3
Key WordsUS-VISIT
United States Visitor and Immigrant Status Indicator Technology programISO International Organization for StandardizationICAO International Civil Aviation Organization, the issuer of the biometric passport standard
currently being applied. The ISO 7501-1:2005 is a short form of the ICAO standardRFID Radio Frequency Identification is an automatic identification method that rely on storing
and remotely retrieving data using devices called RFID tags or transponders RFID (chip) Radio Frequency IDentifier (chip) a family of small chips that are capable of permanently
and/or temporarily store information and duplex communication with a reader using radio waves
MRTD Machine-Readable Travel Documents, an abbreviation used by the ICAO, means
machine can read passports, visas and official travel documents Faraday Cage A capsule of radio wave blocking material (example aluminum) used to protect the RFID-
chip in biometric passports from being read at other times than when reading is expected
Biometric The verification of a human identity through the measurement of biological or behavioral
characteristics. A unique, measurable characteristic or trait of a human being for automatically recognizing or verifying identity
4
Introduction New Generation of Identity Cards Combination of RFID and Biometric Technology
Purpose: Reduce Fraud Identity Check Enhance security
ICAO guidelines: RFID chips to store and transmit data in a wireless manner biometric identity verification (face recognition)
ISO 14443 specifications: radio frequency of 13.56MHZ small passive chip no on-board source of power power derived indirectly from signal of a reader intended read range 10 centimeters
5
US-VISITUS-VISIT is a first step in a multi-layered approach to enhance border security
mandated adoption by October 2006 of Biometrically enabled passports by twenty-seven nations in its Visa-Waiver Program (VMP)
Foreign visitors traveling to the United States must have their two index fingers scanned and a digital photograph taken to match and authenticate their travel documents at the port of entry
The US-VISIT requirements do not replace visa requirements for entering the United States
For more information on visas, please visit the U.S. Department of State's
6
Passports RFID tags are being embedded in passports issued by many countries
First E-passports issued by Malaysia in 1998 information visual data page record the travel history (time, date, and place) of entries and exits from the
country 5,000,000 1st generation in circulation, image of thumbprint 125,000 2nd generation in circulation, extracted fingerprint only
Standards for RFID Passports International Civil Aviation Organization (ICAO) ICAO Document 9303, Part 1, Volumes 1 and 2 (6th edition, 2006) ICAO refers to the ISO 14443 RFID chips in e-passports as "contactless
integrated circuits“ ICAO standards provide for e-passports to be identifiable by a standard e-
passport logo on the front cover.
7
Passports
RFID tags are included in new UK and some new US passports beginning in 2006
The US produced 10 million passports in 2005
Estimated that 13 million will be produced in 2006
The chips will store the same information that is printed within the passport
Include a digital picture of the owner
The passports will incorporate a thin metal lining to make it more difficult for unauthorized readers to "skim" information when the passport is closed
8
Radio waves have the longest wavelengths in the electromagnetic spectrum
These waves can be longer than a football field or as short as a football
http://imagers.gsfc.nasa.gov/ems/radio.html
9
History of RFIDRadio Frequency Identification: automatic identification method that rely on storing and
remotely retrieving data using devices called RFID tags or transponders
1946 Leon Theremin invented an espionage tool for the Soviet government which retransmitted incident radio waves with audio information
1939 The British IFF transponder invented by the British used by the allies in World War II to identify airplanes as friend or foe
1948 Harry Stockman’s paper "Communication by Means of Reflected Power" (Proceedings of the IRE, pp 1196–1204, October predicted that "...considerable research and development work has to be done before the remaining basic problems in reflected-power communication are solved, and before the field of useful applications is explored.“
Mario Cardullo U.S. Patent 3,713,148 in 1973 was the first true ancestor of modern RFID (a passive radio transponder with memory)
1973 The first demonstration of today's reflected power passive and active (backscatter) RFID tags done at the Los Alamos Scientific Laboratory
10
General RFID Data transmitted by a mobile device called a tag
Tag read by an RFID reader
RFID process according to the needs of a particular application
Data transmitted by the tag may provide identification location information product tag specifics
price color date of purchase
Two Types of Tags Passive Active
11
Passive RFID Tags
Internal power supply
Electrical current induced in the antenna by the incoming radio frequency signal
CMOS integrated circuit tag to power up and transmit a response
Most passive tags signal by backscattering the carrier signal from the reader
Response not necessarily just an ID number
Tag chip can contain non-volatile EEPROM for storing data.
Embedded in a sticker or under the skin
12
Passive RFID Tags Smallest devices measured 0.15 mm × 0.15 mm
Thinner than a sheet of paper 7.5 micrometers
Lowest cost EPC RFID tags (used by Wal-Mart, Target, Tesco in UK and Metro AG in Germany) for 5 cents
Antenna tag size of a postage stamp to the size of a post card
Passive tags practical read distances ranging from about 10 cm (4 in.) to a few meters
Non-silicon tags made from polymer semiconductors are currently being developed by several companies globally
Less expensive than silicon-based tags
13
Active RFID Tags
Own internal power source which is used to power any ICs that generate the outgoing signal
More reliable than passive tags due to the ability for active tags to conduct a "session" with a reader
Onboard power supply transmit at higher power levels than passive tags, allowing them to be more effective in "RF challenged" environments like water (including humans/cattle, which are mostly water) metal (shipping containers, vehicles) longer distances
14
Active RFID Tags Ranges hundreds of meters
Battery life of up to 10 years
Include sensors such as temperature logging concrete maturity monitoring monitor the temperature of perishable goods humidity, shock/vibration light, radiation, temperature and atmospherics like ethylene
Range 300 feet
Larger memories than passive tags
Store additional information sent by the transceiver
The United States Department of Defense reduce logistics costs improve supply chain visibility for more than 15 years
The smallest active tags are about the size of a coin and sell for a few dollars.
15
Supply Chain vs. Passport RFID
Supply Chain RFID simple cheap no support for cryptography single identifier
(kill command-render
tag inoperable) frequency 915 MHz range read 5 meters
Passport RFID shorter intended read range tamper resistance cryptography
16
Biometrics
A unique, measurable characteristic or trait of a human being for automatically recognizing or verifying identity
Practical biometrics for e-passport deployment
Face recognition-automated analog of the ordinary human process of recognition
Fingerprint- determines that two friction ridge impressions originated from the same finger or palm
Imaging and automation fingerprint matching Fingerprint scanners optical or silicon-sensor forms
Iris- uses pattern recognition techniques based on high resolution images of the iris of an individual's eye
17
Related Work
Pattinson Points out the need for direct link between optically scanned card data
and secret keys embedded in e-passports Outlines the privacy problems with-passports readable by anyone
Jacob Discusses issues in e-passport deployment in the Netherlands Highlights the importance of basic access control Investigates the issues surrounding a national database of biometrics
identifiers
Smart Card Research Group at IBM Zurich Demonstrates a Javacard application running on a Philips chip that
performs basic access control and active access control in under 2 seconds
18
E-Passports Security and Privacy Threats
Clandestine scanning
Clandestine tracking
Skimming and cloning
Eavesdropping
Biometric data-leakage
Cryptographic weaknesses
19
Secrecy and Privacy ThreatsClandestine scanning Problem: Baseline ICAO guidelines do not require encryption or authentication between passports and readers
An unprotected chip is subject to short range illegal scanning
Clandestine tracking Problem: The standard for e-passport RFID chips (ISO 14443)
stipulates the emission (without authentication) of a chip ID on protocol initiation
A different ID on every passport (even if data can not be read) could enable tracking the movement of passport holder by unauthorized parties
Skimming and cloning Problem: Baseline ICAO regulations require digital signatures on e-
passport data
Digital signatures allow the reader to verify that data came from the correct passport issuing authority
No defense against cloning because the digital signatures do not bind the data to a particular passport or chip
20
Secrecy and Privacy ThreatsEavesdropping
Problem: Faraday cages do not prevent eavesdropping on legitimate passport to reader communications
Function creep e-passports will be used in new areas like e-commercefeasibility may be feasible at a longer distance
Detection difficulty in passive do not involve powered signal emission
Faraday cages (a metallic material in the cover or holder ) prevent penetration of RFID signals
Biometric data –leakageProblem: Baseline ICAO regulations require digitized headshots (Secrecy needed for
authentication)
Automation required with e-passports and physical environment is not strictly controlled
Cryptographic weaknessProblem: ICAO guidelines include an optional mechanism for authenticating and encrypting
pass-port-to-reader communications
No mechanism to revoke access once a reader knows the k key K key allows passport to talk to legitimate reader before releasing RFID tag
informationK key used to encrypt all data transmitted between the passport and the reader
21
E-passport Threats Data leakage threats: skimming-covert reading of contents
Installation of RFID readers in doorways Security checkpoint
airport sporting event concerts
Clandestine readers : resemble anti-theft gates shops entrances to buildings
Identity Theft: new identity or fake documents photograph, name, birthday, social security card
Tracking and Hotlisting: Tracking: static identifier track movement of RFID device Hotlistings: target specific individuals
RFID enabled bomb keyed on collision avoidance UID Unattended triggering Comprehensive targeting
22
Biometric Threats
Automation Human oversight Opportunity for spoofing authentication system
Spillover Compromised data one system threaten integrity of unrelated ones
Special properties Passport photos Image Quality
Higher quality than the image an attacker may produce Forgery
Spoof face-recognition systems
24
The ICAO Specifications
• One mandatory cryptographic feature:
• Passive authentication– Data on e-passport signed by issuing nation– Permitted algorithms: RSA, DSA and ECDSA– Only demonstrates that data is authentic– Does not prove that container for data is
authentic (i.e. the passport)
25
The ICAO Specifications
• Two optional cryptographic features for improved security:
• Basic Access Control and Secure Messaging– Ensures that data is only ready by authorized RFID
readers– Stores a pair of secret cryptographic keys (KENC, KMAC)
• Active Authentication– Anti-cloning feature– Relies on public-key cryptography
26
Basic Access Control
• When a reader attempts to scan, a challenge-response protocol is engaged
• Proves knowledge of (KENC, KMAC) keys Upon successful authentication, a session key is derived and the passport releases its data
• KENC and KMAC are derived from optically scannable data printed on the passport– The passport number, the date of birth of the bearer, the
date of expiration of the passport and three check, one for each of the three preceding values.
27
Key Establishment Mechanism 6
• Keying and Nonce
• Concatenation
• Encrypt
• Checksum
• Random nonce
• Checks MAC and decrypts
• Keying material
• Concatenation
• Encrypt
• Checksum
28
Encryption and Decryption
• Two key 3DES in CBC mode with:
• Zero IV (i.e. 0x00 00 00 00 00 00 00 00) according to ISO 11568-2
29
Retail Message Authentication Code
• Cryptographic checksums are calculated using ISO/IEC 9797-1 MAC algorithm 3 with:
• Block cipher DES• Zero IV (8 bytes)• ISO9797-1
padding method 2.
30
Basic Access Control Shortcomings
• Entropy of key is too small– ICAO PKI Technical Report warns that entropy key is at
most 56 bits– Some of these bits may be guessable in some
circumstances• A single fixed key is used for the lifetime of the e-
passport– Impossible to revoke a reader’s access to the e-passport
once it has been read– Databases of keys may be inadvertently compromised
• Basic Access Control is still better than no encryption at all
31
Active Authentication
• Anti-cloning feature• Does not prevent unauthorized parties
from reading e-passport contents• Relies on public-key cryptography• Proves that e-passport has possession of a
private key• The corresponding public key is stored as
a part of the signed data on the passport
32
Active Authentication Mechanism
• Random nonce
• Verifies signed message with passport’s public key
• Random nonce
• Concatenation
• Signs X with private key with ISO 9796-2 padding
ISO/IEC 7816 Internal Authenticate mechanism
33
Active Authentication
• Public-key must be tied to specific e-passport and biometric data to avoid man-in-the-middle attacks
• Every reader capable of Active Authentication and is compliant with the ICAO specifications must also have hardware capability for Basic Access Control
• Deployments that neglect this part will open themselves to a risk of cloned e-passports
34
Active Authentication Issues
• The certificate required for verifying Active Authentication also contains enough information to derive a key for Basic Access Control
• When used with RSA or Rabin-Williams signatures, responses can be distinguished
• As a result, tracking and hotlisting attacks are possible even if Basic Access Control is in use
• It is recommended that Active Authentication be carried out only over a secure session after Basic Access Control has been employed and session keys derived.
35
Cryptographic measures in planned deployments
• A Federal Register notice dated February 18, 2005 provides a number of details on U.S. e-passport plans
• The Federal notice offers three reasons for the decision not to implement Basic Access Control– The data stored in the chip is identical to the data printed in the
passport
– Encrypted data would slow entry processing time
– Encryption would impose more difficult technical coordination requirements among nations implementing the e-passport system
• Faraday cages will enough to prevent eavesdropping
36
Flaw in Federal notice reasoning
• Reason 3 is flawed because all the data required to derive keys for Basic Access Control on the data page, no coordination amongst nations is required
• Faraday cages are not sufficient to protected against unauthorized eavesdropping
• Lack of Basic Access Control means that any ISO 14443 compliant reader can easily read data from the e-passport
• Original deployment choices of the U.S. puts e-passport holder at risk for tracking, hotlisting and biometric leakage
37
Planned Deployments
• Malaysian identity cards/passports are not compliant as it predates ICAO standards
• Other nations may or may not meet the United Stats mandate for deployment in 2005
• Due to complaints from several countries, the deadline as been extended from October 2005 to October 2006
38
Strengthening Today’s E-passports
• Faraday cages– Simple measure to prevent unauthorized readings (skimmings)
– Materials such as aluminum fiber can block RF signals
– Does not prevent an eavesdropper from snooping on a legitimate reading
– Faraday cages were deprecated in favor of Basic Access Control because they do not prevent eavesdropping.
39
Strengthening Today’s E-passports
• Larger secrets for Basic Access Control– Long term keys only contain 52 bits of entropy
– Brute-force attack
– The addition of a 128-bit secret, unique to each passport, would strengthen the resistance to brute-force attacks
• Private collision avoidance– The collision avoidance protocol in ISO 14443 uses an UID
– Care must be taken that each UID read is different and that UIDs are unlinkable across sessions
– A countermeasure would be to pick a new random identifier on every tag read
40
Strengthening Today’s E-passports
• Beyond optically readable keys– Current ICAO approach ties neatly together with
physical presence and the ability to read biometric data
– Might not be possible for next-generation ID cards
– Important to create a keying mechanism that limits a reader’s power to reuse secret keys and a matching authorization infrastructure for e-passport readers
41
Future Issues in E-passports
• Visas and writeable e-passports– Upon the acceptance of e-passports, there will be the
desire to support visas and other endorsements
– Being that multiple RFID chips may interfere with each other, the feasibility to include a new RFID tag with each visa stamp may not be possible
– Instead, all the data would have to be stored on the same chip as the passport data
– Requires the ability to write data after issuance
42
Future Issues in E-passports
• A simple first attempt at visas on e-passports:– An area specified as append-only memory for visas
– Visa would be named by e-passport and signed by issuing government
– Could possibly include “sanity checks” to ensure a visa is properly signed and names the correct e-passport before committing it to the visa memory area
43
Future Issues in E-passports
• Another thing to consider is that some travelers do not want border control to know where they’ve traveled– For example, most Arab countries will refuse entry to
holders of passports which bear Israeli visas– The previous example is considered a legitimate reason,
but someone entering the United States from Canada may be harboring terrorists
– It may be hard in the future to determine the legitimate reasons from the illegitimate, but preventing illegitimate visa removals will become a goal of future visa-enabled e-passports
44
Future Issues in E-passports• Function creep
– Passports might some day come to serve as authenticators for consumer payments or mass transit passes
– Has the ability to undermine data protection features as it will spread bearer data more widely among divergent systems
– May lead to consumer convenience (i.e. removal of optical scanning and faraday-cage use)
– Unless new privacy features are added, it is conceivable that an e-passport can reveal a great deal of private information
– For example, an age check at a bar can also leak information about their passport number, place of birth, and possibly elements of their travel history
– Web cookies are an instructive example of function creep
45
Conclusion
• The secrecy requirements for biometric data imply that unauthorized reading of e-passport data is a security risk as well as a privacy risk
• At a minimum, a Faraday Cage and Basic Access Control should be used in ICAE deployments to prevent unauthorized remote reading of e-passports.
• Because the U.S. deployment uses Active Authentication, readers are required to include the capability to optically scan e-passports. This capability is sufficient for Basic Access Control and would therefore require no change or coordination with other nations to implement it.
• Today’s e-passports deployments are just the first wave of next-generation identification devices
46
Current News
• 27 countries participating in the Visa Waiver Program:– Andorra, Australia, Austria, Belgium, Brunei,
Denmark, Finland, France, Germany, Iceland, Ireland, Italy, Japan, Liechtenstein, Luxembourg, Monaco, the Netherlands, New Zealand, Norway, Portugal, San Marino, Singapore, Slovenia, Spain, Sweden, Switzerland and the United Kingdom.
47
Current News
• According to a statement released by the Department of State on August 14, 2006, the issuance of e-passports to the public begins today
• Production has started at the Colorado Passport Agency and will be expanded to other production facilities over the next few months
• Consistent with globally interoperable specifications adopted by the International Civil Aviation Organization (ICAO), this next generation of the U.S. passport includes biometric technology
• A contactless chip in the rear cover of the passport will contain the same data as that found on the biographic data page of the passport (name, date of birth, gender, place of birth, dates of passport issuance and expiration, passport number), and will also include a digital image of the bearer’s photograph
48
Current News
• The Department of State has employed a multi-layered approach to protect the privacy of the information – Metallic anti-skimming material incorporated into the front
cover and spine of the e-passport book prevents the chip from being skimmed, or read, when the book is fully closed
– Basic Access Control (BAC) technology, which requires that the data page be read electronically to generate a key that unlocks the chip, will prevent skimming and eavesdropping
– A randomized unique identification (RUID) feature will mitigate the risk that an e-passport holder could be tracked. To prevent alteration or modification of the data on the chip, and to allow authorities to validate and authenticate the data, the information on the chip will include an electronic signature (PKI)
49
Current News
• The Electronic Passport Logo– Will be displayed at border inspection lanes and
transit ports equipped with special data readers
50
Current News
• Hackers Clone E-Passports– Successfully cloned to a blank RFID tag– Not possible to change data on the chip without
being detected– Due to cryptographic hashes that authenticate
data
57
References
• http://travel.state.gov/passport/eppt/eppt_2788.html
• http://www.state.gov/r/pa/prs/ps/2006/70433.htm
• http://travel.state.gov/passport/eppt/eppt_2502.html
• http://www.infoworld.com/article/05/10/26/HNrfidpassport_1.html
• http://www.dhs.gov/xnews/releases/pr_1160497737875.shtm
• http://www.icao.int/mrtd/Home/Index.cfm
• http://www.wired.com/news/technology/0,71521-0.html?tw=rss.index
• http://http.cs.berkeley.edu/~daw/papers/epassports-sc05.pdf
• http://en.wikipedia.org/wiki/RFID
• http://www.aware.com/products/compression/icaopack_gg.html