An On-line Secure E-Passport Protocol
Vijayakrishnan Pasupathinathan with Josef Pieprzyk and Huaxiong Wang
Centre for Advanced Computing - Algorithms and Cryptography (ACAC), Macquarie University, Australia
Outline
• Overview of E-passport
• First Generation - some known weaknesses
• Second Generation
• Working and Problems
• An Online E-passport Proposal
E-passport Overview
• Integration of a biometric enabled contact-less smart card microchip.
• E-passport guideline (DOC 9303) developed by International Civil Aviation Organisation (ICAO).
• Describes communication protocol
• Provides details on establishing a secure communication channel between an e-passport and an e-passport reader
• Authentication mechanisms.
• Uses existing approved standards such as ISO14443, ISO11770, ISO/IEC 7816, ISO 9796.
E-passport Overview
• Yesterday: Machine readable passport with MRZ
• Today: Electronic Passport with digital Image
• Tomorrow: Passports with secondary biometric information
Image courtesy of DFAT Australia
E-passport Operation First Generation
• Basic Access Control - enables encrypted communication.
• Passive Authentication - provides integrity of e-passport data.
• Active Authentication - provides authentication of chip contents.
Flow: E-passport holder visits a check point → border security scans MRZ → BAC → Passive Auth → Active Auth
First generation PKI
[Diagram: PKD (ICAO); for each country, Country CSCA → DS → E-passport]
As of Dec. 2007, 4 countries are actively uploading to the PKD (Australia, Japan, New Zealand and Singapore). By early 2009, 20 countries are expected to join the PKD.
Known Attacks (Problems) in First Generation E-passports
• BAC is optional! So, encryption is optional.
• Low entropy (3DES, max. 112b, BAC max 56/74b, in practice 30-50b) [Juels et al. 2005]
• The authentication key is derived from document #, DoB, DoE.
• No protection against cloning. [G. S. Kc et al. 2005]
Known Attacks (Problems) in First Generation E-passports
• Formal verification of the complete protocol [V. Pasupathinathan et al. 2008]
• No data origin authentication.
• Can be exploited because of weakness in facial biometric.
• Subject to replay and Grand master attacks.
• Vulnerable to Certificate Manipulation.
And there are others too!
Second Take! Second Generation E-passports
• Proposed by BSI Germany [Kluger 2005]
• Adopted by EU in June 2006
• New protocols to enhance security for Extended Access Control (EAC).
• Adds extra biometric identifiers - fingerprints (optionally, iris scan).
• June 2009: all EU members will implement.
EAC Mechanisms
• Based on Diffie-Hellman Key Pair (PKCS #3 or ISO 15946)
• Chip Authentication - replaces active authentication
• Terminal Authentication
Flow: E-passport holder visits a check point → border security scans MRZ → BAC → Chip Auth → Passive Auth → Terminal Auth
EAC Mechanisms
Photo Courtesy ICAO MRTD Report November 2007
PKI Structure
Chip Authentication
• Chip holds PKc, SKc, Dc
• Chip → IS: Send PKc
• IS: Generate ephemeral key-pair PK', SK'
• IS → Chip: Send PK'
• Chip: K = KA(PK', SKc); IS: K = KA(PKc, SK')
Terminal Authentication
• Chip → IS: Send RNDc
• IS: z = IDc || RNDc || H(PK')
• IS: S = SIGN{ z }
• IS → Chip: Send S
• Chip: Verify {S}
Problems with EAC - PKI
[Diagram. Parties: E-passport; Visiting Country Inspection System (IS); Visiting Country's Document Verifier (DV); E-passport's Home Country (CSCA); Document Signer. Labels: Certify{PKds}; Certify{PKc}; Chip Auth - PKc; Send Public Key; Certify ALL IS systems; CERT{IS}{DV}{VCSCA}; Check ALL Certificates.]
• E-passports DON'T have an internal clock!! How does it know if the certificate is valid?
• NOT Useful
• How Many?? What is the Limit? Vulnerable to Denial of Service when combined with first generation weaknesses!
• Passports are normally valid for 5 or 10 years!!! Document Issuer needs to be around 15 years, CSCA around 20 years! We can have passports with expired certificates!!
• How long is this valid?
• Identity Revealed: identity of the passport is revealed before the terminal is authenticated!
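The clock problem raised above, as an added example (not code from the presentation): a chip with no clock can only compare a certificate's expiry against the newest date it has already accepted, so an expired IS certificate passes on a chip that has not been read recently. The date-tracking rule, the chain cap MAX_CHAIN, and all names and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    holder: str
    effective: date   # valid from
    expires: date     # valid until

class Chip:
    """Clock-less validity check; signature checks are assumed to have passed."""
    MAX_CHAIN = 3     # assumed cap on certificates processed per session

    def __init__(self, issued_on):
        self.approx_today = issued_on    # only ever moves forward

    def accept_chain(self, chain):
        if len(chain) > self.MAX_CHAIN:
            return False                 # bound the work a reader can demand
        newest = self.approx_today
        for cert in chain:
            if cert.expires < self.approx_today:
                return False             # expired relative to what the chip knows
            newest = max(newest, cert.effective)
        self.approx_today = newest       # learn time only from an accepted chain
        return True

def demo():
    """Constructed dates: an IS certificate that expired in 2008, shown in 2009."""
    chip = Chip(issued_on=date(2007, 12, 1))
    old = [Cert("DV", date(2008, 1, 1), date(2008, 6, 30)),
           Cert("IS", date(2008, 1, 1), date(2008, 2, 1))]
    fresh = [Cert("DV", date(2009, 3, 1), date(2009, 9, 30)),
             Cert("IS", date(2009, 5, 15), date(2009, 6, 15))]
    before = chip.accept_chain(old)      # accepted: chip's date is still 2007-12-01
    chip.accept_chain(fresh)             # a current chain advances the chip's date
    after = chip.accept_chain(old)       # now rejected as expired
    return before, after, chip.approx_today
```

The expired chain is rejected only after the chip has seen a newer certificate, which is why expiry enforcement cannot rest on the chip alone.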
EAC other Problems
• IS requires write access to E-passports.
• Border control terminals need to update CSCA certificates when they pass through.
• Terminal Authentication is weak.
• Can authenticate who is writing to e-passport.
• Only semi-forward secrecy [Monnerat et al. 2007]
• Leakage of Digest [Monnerat et al. 2007]
• Security objects in the chip
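The Chip Authentication exchange (K = KA(PK', SKc) on the chip, K = KA(PKc, SK') on the IS) and the semi-forward secrecy remark above, as an added example that is not from the presentation: because SKc is static, a recorded PK' together with a later-disclosed SKc reproduces K. The toy group P and G, the SHA-256 key derivation, and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy group, constructed for this example only: far too small for real use.
P = 2**127 - 1   # a Mersenne prime
G = 3

def keypair():
    """Return (secret, public) for Diffie-Hellman in the toy group."""
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def ka(peer_pk, own_sk):
    """KA(PK, SK): key agreement, hashed down to a session key K."""
    shared = pow(peer_pk, own_sk, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def chip_authentication():
    sk_c, pk_c = keypair()          # chip's static pair (SKc, PKc), fixed at issuance
    # Chip -> IS: PKc
    sk_e, pk_e = keypair()          # IS generates the ephemeral pair (SK', PK')
    # IS -> Chip: PK'
    k_chip = ka(pk_e, sk_c)         # chip: K = KA(PK', SKc)
    k_is = ka(pk_c, sk_e)           # IS:   K = KA(PKc, SK')
    return {"sk_c": sk_c, "pk_c": pk_c, "pk_e": pk_e,
            "k_chip": k_chip, "k_is": k_is}

def terminal_auth_message(id_c, rnd_c, pk_e):
    """z = IDc || RNDc || H(PK'): the value the IS signs in Terminal Authentication."""
    h = hashlib.sha256(pk_e.to_bytes(16, "big")).digest()
    return id_c + rnd_c + h

def recompute_from_recording(recorded_pk_e, disclosed_sk_c):
    """K rebuilt from a recorded PK' once the static SKc is known."""
    return ka(recorded_pk_e, disclosed_sk_c)
```

The IS's long-term signing key never enters K, so its disclosure does not expose past sessions; disclosure of the chip's static SKc does.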
Online Secure E-passport Protocol
• Why Online?
• Use the same PKI as in First Generation.
• Eliminate the need to send long certificate chains.
• Provide security guarantees for
• Identification and authentication of both e-passport and inspection systems. (i.e. Mutual)
• Privacy protection to e-passport holders.
• Confidentiality of information (session-key security and e-passport data)
Online Secure E-passport Protocol
Parties: E-passport, Visiting Country Inspection System (IS), DV
Steps shown in the diagram:
• Create and send session key part
• Read MRZ and send signed message to DV
• Verify IS; sign session key and IS public key
• DV may choose to send e-passport ID
• Send information back from DV, encrypted using session key formed
• All messages from here on are encrypted
• Verify signature (only DV public key)
• Send certificate and ID; verify ID and certificate
• Compare with DV information
OSEP Characteristics
• The protocol is SK-secure. [Canetti 2001]
• Minimal computation by e-passport.
• Passport identity is released only to authenticated Inspection Systems.
• Tamper detectable integrity check protects against passport forgery (data in e-passport is hashed and signed by document signer).
• Same PKI as first generation.
What needs to be done?
• Online nature can induce delays.
• Fallback to off-line authentication.
• But current passport systems use online communication.
• Integrate with SMART GATE system. (An automated processing system)