Thomas J. Watson Research Center
24 May 2005 | ICAO RFI - Authentication © 2005 IBM Corporation
ICAO RFI Response: Privacy-Preserving Two-Way Authentication Protocol
Paul A. [email protected]
IBM Research Division
Assumptions
IBM is presenting two different responses to the ICAO New Technologies Working Group RFI issued in the fall of 2004
– Privacy Preserving Two-Way Authentication Protocol
– Caernarvon Operating System
Each response will be presented as a separate talk with 5 minutes for questions after each talk – total time for both talks is 1 hour
Audience is familiar with ICAO cryptographic proposals for MRTDs, using contactless smart cards
We will be available after the talk for more detailed questions
Improving the Security of MRTDs
We want to thank ICAO for inviting us to present our technologies
We agree that there is a major need for improving the security of travel documents in general and passports in particular
Our presentations are aimed at ensuring that the security of MRTDs is genuinely improved during the transition from paper to contactless smart cards
In particular, we will present IBM's privacy-preserving Caernarvon Authentication Protocol, which has already been adopted as a CEN standard, with no proprietary restrictions of any kind.
Levels of Authentication Specified by ICAO
Passive Authentication
– Digital signing of the various data elements by the issuing State
– Detects attempts to tamper with the stored data
Active Authentication
– Optional challenge-response protocol to prevent chip substitution
Levels of Access Control Specified by ICAO
None
– It is permitted to have no access control over the information
Basic Access Control
– Optional encryption mechanism to protect against skimming of data from the over-the-air interface
– Cryptographic key is derived from information printed on the passport
Extended Access Control
– Optional additional encryption mechanism to provide additional protection for biometrics
– Unspecified at this time
Challenges with Current Access Control Approaches
No encryption required – passive authentication only
– A variety of studies (including one by NIST) have shown that it is possible to read contactless smart cards from distances greater than a few centimeters, particularly when the card is currently communicating with a legitimate reader
– At least one passport authority has changed its policy recently to require the use of Basic Access Control
– In theory, ICAO should require Basic Access Control as a minimum for all countries, as the issues affect all passport holders in all countries
Issue – Basic Access Control has weaknesses that make protecting sensitive information (e.g., fingerprints or social security numbers) difficult
Our goal is to make sure that anyone trying to read data off the chip is legitimately authorized to read that data
Basic Access Control Overview and Entropy Problem
Basic Access Control derives a cryptographic key from the data printed on the passport
– Key is derived from a hash of the document number, the date of birth, and the date of expiry
– Key is used for secure messaging between the passport and the reader
– This stops simple skimming attacks where the adversary attempts to read passports of people passing by
– ICAO PKI report (Section G) points out that this is insufficient entropy
– Brute force attacks might be possible if the attacker is close to the passport for a long period of time (such as on an extended train trip)
But this is not the most serious issue
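The entropy problem above can be made concrete. The following is an added example, not part of the original slides: it builds the Basic Access Control key seed the way ICAO Doc 9303 specifies (SHA-1 over the three MRZ fields with their check digits, truncated to 16 bytes) and compares the nominal 128-bit seed length with the number of distinct inputs that can actually occur. The sample field values and the date and numbering ranges are assumptions chosen for illustration.

```python
import hashlib
from math import log2

SEED_BITS = 128  # nominal length of the 16-byte key seed

def check_digit(field):
    """ICAO 9303 check digit: weights 7,3,1; 0-9 as-is, A-Z = 10..35, '<' = 0."""
    value = lambda c: 0 if c == "<" else int(c, 36)
    return str(sum(value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10)

def mrz_information(doc_no, birth, expiry):
    """Document number, date of birth and date of expiry, each with its check digit."""
    fields = (doc_no.ljust(9, "<"), birth, expiry)
    return "".join(f + check_digit(f) for f in fields)

def bac_key_seed(doc_no, birth, expiry):
    """K_seed: first 16 bytes of SHA-1 over the MRZ information (ICAO 9303)."""
    info = mrz_information(doc_no, birth, expiry).encode("ascii")
    return hashlib.sha1(info).digest()[:16]

def keyspace_bits(doc_numbers, birth_days, expiry_days):
    """log2 of the number of possible (number, birth date, expiry date) triples."""
    return log2(doc_numbers * birth_days * expiry_days)

def scenarios():
    # Assumed ranges for illustration; real figures depend on the issuing State.
    return {
        "any 9-character alphanumeric number, 100 years of births, 10 years of validity":
            keyspace_bits(36**9, 100 * 365, 10 * 365),
        "numeric-only document numbers, same date ranges":
            keyspace_bits(10**9, 100 * 365, 10 * 365),
    }

if __name__ == "__main__":
    # Sample field values (not a real document, not taken from the slides).
    print(mrz_information("L898902C", "690806", "940623"))
    print(bac_key_seed("L898902C", "690806", "940623").hex())
    for label, bits in scenarios().items():
        print(f"{bits:5.1f} of {SEED_BITS} bits: {label}")
```

Even the most generous assumption leaves the key with far fewer bits of entropy than its length suggests, because every input to the hash is printed on the data page.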
Basic Access Control – Unauthorized Access
Anyone who can see the information page of the passport can access the data in the chip
– Immigration officers are OK, but this also includes
– Hotel desk clerks
– Anyone cashing a traveler’s check for the passport holder
– If the passport is used as a National ID card
– Clerks at rental car counters
– Pharmacists
– Librarians
– Etc.
In general, these people need to see the passport, but do NOT need to have access to the biometrics
What if the biometrics are compromised?
Photographs are not a big issue – your face is always out there, although having the precise digital photograph might help a bad guy
Fingerprints are a big issue – having the digital copy of the fingerprint will make it easier to deceive fingerprint readers
– See Matsumoto’s papers and Thalheim, Krissler, and Ziegler’s paper on deceiving fingerprint readers
Could be a serious problem for unattended immigration stations
Could be used to attack other security systems (not immigration) that have unattended fingerprint readers
Summary of Basic Access Control Risks
Some countries are only storing a photograph and basic identification information on the passport chip
– No fingerprints or social security numbers
– Only name, date of birth, citizenship (basic MRZ data)
– Basic Access Control can protect this information from skimmers, although the entropy should be increased with a random nonce added to the MRZ data and to the hash.
Some countries are including fingerprints or other more sensitive information now
– Basic Access Control is insufficient for this more sensitive information
– An internationally agreed-upon Extended Access Control solution is needed now for these countries
Extended Access Control is Needed
IBM has developed a privacy-preserving authentication protocol for smart cards
Called Caernarvon authentication protocol
Due to the weaknesses of Basic Access Control, we feel that ALL passports should use this protocol to control access to the information on the passport
– Defeats brute force attacks on the entropy
– Simplifies readers – only one protocol to implement
– Essential for National ID cards
Goals of Caernarvon Authentication Protocol
Privacy protection for the smart card holder
– Existing standards for smart card authentication unnecessarily expose the card holder's identity
Protocol proven correct
Submitted to standards groups
– Adopted by CEN - Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic requirements - CWA 14890-1
– Global Platform
Privacy Preserving Protocol
Based on SIGMA (SIGn and Mac) family of protocols, including IKE
– Part of IPSEC – standards based
– Formally proven
SIGMA protocols better protect privacy
– Key is negotiated before any identities are exchanged
– Once key is agreed upon, all further communications are encrypted
Caernarvon protocol
– Requires that the reader authenticate first, then the card
– Underlying protocol is symmetric, but someone has to go first
– Needs for privacy are NOT symmetric – an immigration station does not move around – passport holders do
– Once the reader has authenticated, the card can make a security policy determination of whether to reveal the card holder’s identity
Privacy-Preserving Protocol
1. Starts with a Diffie-Hellman key exchange to establish a session key
– Protects the remainder of the protocol from eavesdroppers
2. Reader proves identity to the passport chip
3. Smart card makes a policy decision about whether the reader is authorized
4. If the reader is authorized, then and only then does the passport chip prove its identity to the reader
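The four steps above, seen from the card's side, as an added example that is not part of the original slides and does not reproduce the CWA 14890-1 message formats. It assumes a toy 127-bit group and a Schnorr-style signature as a stand-in (the slides do not name the signature scheme), omits the encryption under the session key, and uses a constructed policy table and role names.

```python
import hashlib, secrets

P, G = 2**127 - 1, 3   # toy group (assumption): far too small for real use

def H(*parts):          # hash any values to an integer
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def sign(x, msg):       # Schnorr-style signature, a stand-in for the real scheme
    k, r = keygen()
    return r, (k + x * H(r, msg)) % (P - 1)

def verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(y, H(r, msg), P) % P

class Card:
    def __init__(self, holder, issuer_pub, policy):
        self.holder, self.issuer_pub, self.policy = holder, issuer_pub, policy
        self.priv, self.pub = keygen()

    def key_exchange(self, reader_eph):            # step 1: no identity in either message
        b, self.eph = keygen()
        self.transcript = (reader_eph, self.eph)
        self.session = H(pow(reader_eph, b, P))    # would encrypt everything that follows
        return self.eph

    def admit_reader(self, cert, cert_sig, proof):
        reader_pub, role = cert
        if not (verify(self.issuer_pub, cert, cert_sig)           # issued by a trusted State
                and verify(reader_pub, self.transcript, proof)):  # step 2: reader goes first
            return None
        if role not in self.policy:                               # step 3: card's own policy
            return None                                           # holder stays anonymous
        return self.holder, self.policy[role], sign(self.priv, self.transcript)  # step 4

POLICY = {"immigration": ("mrz", "photo", "fingerprint"), "commercial": ("mrz",)}  # constructed

def run(role, forged_cert=False):
    issuer_priv, issuer_pub = keygen()
    reader_priv, reader_pub = keygen()
    cert = (reader_pub, role)
    cert_sig = sign(keygen()[0] if forged_cert else issuer_priv, cert)
    card = Card("sample holder", issuer_pub, POLICY)
    _, reader_eph = keygen()
    card_eph = card.key_exchange(reader_eph)
    proof = sign(reader_priv, (reader_eph, card_eph))
    return card.admit_reader(cert, cert_sig, proof)
```

A reader whose certificate fails verification, or whose role the policy does not list, gets `None` back: the card has sent only an ephemeral Diffie-Hellman value and nothing that identifies the holder.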
Access Control Policy Decisions
What the policy should be needs to be determined by the issuing country
– Immigration officials
– Law enforcement officials
– Commercial entities
– Etc.
Centralized PKI is not required
ICAO could establish its own certificate authority, but this is undesirable for many reasons
Several other options exist
– Each country could submit its authentication public key to ICAO, and each passport-issuing country would sign the certificate and return the signed certificate to ICAO (or the originating country). The reader would know which certificate to send to the passport from country information in the OCR data
– Order n² problem, but n will never be greater than 200 and more likely will be around 30-50 (Visa waiver countries)
– Immigration stations could be online and make a network connection back to the passport issuing country that would verify and sign the certificate
– More sophisticated options are in the next talk
Standards
IBM has not kept the authentication protocol proprietary
– Based on IKE that is already a standard part of IPSEC
We have submitted it to
– eSign (adopted as CEN standard)
– Global Platform
Could be implemented on any smart card with suitable public key cryptographic hardware
References
Kc, G.S. and P.A. Karger, Security and Privacy Issues in Machine Readable Travel Documents (MRTDs), RC23575 (W0504-003), 1 April 2005, IBM Corporation, Thomas J. Watson Research Center: Yorktown Heights, NY. URL: http://www.research.ibm.com/resources/paper_search.html Submitted to ESORICS 2005.
Scherzer, H., R. Canetti, P.A. Karger, H. Krawczyk, T. Rabin, and D.C. Toll. Authenticating Mandatory Access Controls and Preserving Privacy for a High-Assurance Smart Card. In 8th European Symposium on Research in Computer Security (ESORICS 2003). 13-15 October 2003, Gjøvik, Norway: Lecture Notes in Computer Science Vol. 2808. Springer Verlag. p. 181-200.
Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic requirements, CWA 14890-1, March 2004, Comité Européen de Normalisation (CEN): Brussels, Belgium. URL: ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/cwa14890-01-2004-Mar.pdf