http://lasecwww.epfl.ch/
SV 2008
e-passport
EPFL
Outline: Political Context; Primer on Cryptography; ICAO-MRTD; Security and Privacy; Extended Access Control in EU; Non-Transferable Authentication
Federal Decree (Arrêté fédéral)
2008, June 13
Referendum (October 2)
Referendum against the compulsory collection of biometric data and fingerprints for all new passports and identity cards
Do you want your fingerprints to be centralized? Do you want your identity card or passport to contain a chip that allows you to be located?
Every Swiss citizen must be able to decide whether they want a Swiss passport and an identity card with or without biometric data and an RFID chip.
The undersigned Swiss citizens with the right to vote request, pursuant to Art. 141 of the Federal Constitution of 18 April 1999 and in accordance with the Federal Act of 17 December 1976 on Political Rights (Art. 59 ff.), that the Federal Decree of 13 June 2008 approving and implementing the exchange of notes between Switzerland and the European Community concerning the adoption of Regulation (EC) 2252/2004 on biometric passports and travel documents (development of the Schengen acquis) be submitted to a popular vote. Only voters residing in the municipality indicated at the top of the list may sign it. Citizens who support the request must sign it by hand. Anyone who is guilty of active or passive bribery in connection with a collection of signatures, or who falsifies the result of a collection of signatures carried out in support of a referendum, is punishable under Article 281 or Article 282 of the Criminal Code respectively.
Form fields: Canton; Postal code; Surname (by hand, in capital letters); First name (by hand, in capital letters); Exact address (street and number); Handwritten signature; Check (leave blank). Rows 1, 2, 3.
TSR Show
2008, October 9
Cryptographic Primitives
Symmetric Encryption
[Diagram: Message, Enc, Adversary, Dec, Message; a Generator supplies the Key to both Enc and Dec]

[Diagram: Message, MAC, Adversary, Check, Message; a Generator supplies the Key to both MAC and Check]
Hash Function
[Diagram: a long message (the opening lines of La Fontaine's fable "La cigale et la fourmi") goes into Hash and comes out as the digest 928652983652]

[Diagram: Message, Adversary, Message; Hash on each side; Digest, labelled INTEGER; Compare, ok?]
[Diagram: Message, Enc/MAC, Adversary, Dec/Check, Message, ok?; Key on each side; ProtoAlice and ProtoBob, labelled AUTHENTICATED INTEGER]

[Diagram: Enc with the Public Key; Generator with the Secret Key; labelled AUTHENTICATED INTEGER]

[Diagram: Message, Sign, Adversary, Verify, Message, ok?; (Certificate) on each side; Public Key, labelled AUTHENTICATED INTEGER]
ICAO-MRTD: ICAO-MRTD Overview; Passive Authentication; Basic Access Control; Active Authentication; RFID Access; ...in Practice
Objectives
MRTD History
1968: ICAO starts working on MRTD
1980: first standard (OCR-B Machine Readable Zone (MRZ))
1997: ICAO-NTWG (New Tech. WG) starts working on biometrics
2001 9/11: US want to speed up the process
2002 resolution: ICAO adopts facial recognition (+ optional fingerprint and iris recognition)
2003 resolution: ICAO adopts MRTD with contactless IC media (instead of e.g. 2D barcode)
2004: version 1.1 of standard with ICC
2005: deployment of epassports in several countries
2006: extended access control under development in the EU
2007: deployment of extended access control (+ more biometrics)
MRTD in a Nutshell
[Diagram: MRTD containing the MRZ (optical access) and the LDS (radio access)]
data authentication by digital signature + PKI, aka passive authentication
access control + key agreement based on MRZ info, aka basic access control (BAC)
chip authentication by public-key cryptography, aka active authentication (AA)
MRZ Example
PMFRADUPONT<<<<JEAN<<<<<<<<<<<<<<<<<<<<<<<<<
74HK8215<6CHE7304017M0705121<<<<<<<<<<<<<<03
Line 1 fields: document type, issuing country, holder name
Line 2 fields: doc. number + CRC, nationality, date of birth + CRC, gender, date of expiry + CRC, options + CRC
LDS Example
PMFRADUPONT<<<<JEAN<<<<<<<<<<<<<<<<<<<<<<<<<
74HK8215<6CHE7304017M0705121<<<<<<<<<<<<<<03
DG1: same as MRZ
DG2: encoded face
DG3: encoded finger
SOD
Underlying Cryptography
RSA signatures (ISO/IEC 9796, PKCS#1), DSA, ECDSA
X.509
SHA1 and sisters
DES, triple-DES, CBC encryption mode
one of the ISO/IEC 9797-1 MAC (next slide)
ISO/IEC 9797-1
(MAC algorithm 3 based on DES with padding method 2)
(concatenate message with bit 1 and enough 0 to reach a length multiple of the block size)
[Diagram: message blocks x1, x2, x3, ..., xn are chained through DES under K1; the final stage applies DES^-1 under K2 and then DES under K1]
LDS Structure
KENC, KMAC, KPrAA
COM: present data groups
DG1: same as MRZ
DG2: encoded face
DG3: encoded finger(s)
DG4: encoded eye(s)
DG5: displayed portrait
DG6: (reserved)
DG7: displayed signature
DG8: data feature(s)
DG9: structure feature(s)
DG10: substance feature(s)
DG11: add. personal detail(s)
DG12: add. document detail(s)
DG13: optional detail(s)
DG14: (reserved)
DG15: KPuAA
DG16: person(s) to notify
DG17: autom. border clearance
DG18: electronic visa
DG19: travel record(s)
SOD
SOD Structure
list of hash for data groups DG1-DG15
formatted signature by DS (include: information about DS)
(optional) CDS
Passive Authentication
goal: authenticate LDS
after getting SOD, check the included certificate CDS and the signature
when loading a data group from LDS, check its hash with what is in SOD
stamp by DS on LDS
(Country-wise) PKI
[Diagram: CSCA; CDS + revocation protocol; DS1, DS2; SOD; LDS21, LDS22; h(DG2); DG1, DG2; CCSCA goes to the visited country]
one CSCA (Country Signing Certificate Authority)
several DS (Document Signer) per country
SOD: signature of LDS
fingerprint of a DG
Revocation
incident must be reported within 48 hours to all other countries (and ICAO)
routine CRL to be distributed every 3 months to all other countries (and ICAO)
ICAO Server
collection of CCSCAs (not available online)
online public-key directory of CDSs (primary directory)
online CRL of CDSs (secondary directory)
MRZ vs LDS
LDS does not replace MRZ (interoperability)
MRZ must still be used in identification
MRZ used by access control to LDS

none: anyone can query the ICC, communication in clear
basic: uses secure channel with authenticated key establishment from MRZ
extended: up to bilateral agreements (no ICAO standard)
EU common criteria: now being implemented

[Flowchart: resolve collisions to ICC; access denied? (no / yes); passive authentication; MRZ matches?; check AA (if supplied); check biometrics]

goal: prevent from unauthorized access by the holder (privacy)
read MRZ (OCR-B)
extract MRZ info
run an authenticated key exchange based on MRZ info
open secure messaging based on the exchanged symmetric key
MRZ info
PMFRADUPONT<<<<JEAN<<<<<<<<<<<<<<<<<<<<<<<<<
74HK8215<6CHE7304017M0705121<<<<<<<<<<<<<<03
Line 1 fields: document type, issuing country, holder name
Line 2 fields: doc. number + CRC, nationality, date of birth + CRC, gender, date of expiry + CRC, options + CRC

set Kseed = trunc16(SHA1(MRZ info))
set D = Kseed || 00 00 00 01
compute H = SHA1(D)
first 16 bytes of H are set to the 2-key triple-DES KENC
set D = Kseed || 00 00 00 02
compute H = SHA1(D)
first 16 bytes of H are set to the 2-key triple-DES KMAC
adjust the parity bits of all the DES keys
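
The derivation above as an added Python example, not part of the original slides: it validates the three check digits, assembles MRZ info and derives Kseed, KENC and KMAC. The field offsets, the 7-3-1 check-digit weights (the slides only say "CRC") and all function names are assumptions taken from ICAO Doc 9303, not from the slides.

```python
import hashlib

# Added example, not from the slides. ASSUMPTION: line 2 of a 44-character
# passport MRZ with the ICAO Doc 9303 field offsets and 7-3-1 check digits.
FIELDS = {"doc_number": (0, 9), "birth": (13, 19), "expiry": (21, 27)}

def char_value(ch):
    """MRZ character value: digits as-is, A-Z as 10..35, filler '<' as 0."""
    if ch.isdigit():
        return int(ch)
    if ch == "<":
        return 0
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"illegal MRZ character {ch!r}")

def check_digit(field):
    """Weighted sum with repeating weights 7, 3, 1, reduced mod 10."""
    return sum(char_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def mrz_info(line2):
    """Return doc number, birth date and expiry date, each with its check digit."""
    if len(line2) != 44:
        raise ValueError("expected a 44-character MRZ line 2")
    parts = []
    for name, (start, end) in FIELDS.items():
        field, digit = line2[start:end], line2[end]
        if not digit.isdigit() or check_digit(field) != int(digit):
            raise ValueError(f"check digit mismatch in {name} (OCR error?)")
        parts.append(field + digit)
    return "".join(parts)

def adjust_parity(key):
    """Force odd parity on every byte; DES uses the low bit as parity."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)

def derive_key(k_seed, counter):
    """First 16 bytes of SHA1(Kseed || 32-bit counter), parity-adjusted."""
    h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(h[:16])

def bac_keys(line2):
    """Return (Kseed, KENC, KMAC) for the MRZ line printed in the passport."""
    k_seed = hashlib.sha1(mrz_info(line2).encode("ascii")).digest()[:16]
    return k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)

# Second MRZ line of the slides' example (14 filler characters before "03").
SLIDE_LINE2 = "74HK8215<6CHE7304017M0705121" + "<" * 14 + "03"
if __name__ == "__main__":
    for label, value in zip(("Kseed", "KENC", "KMAC"), bac_keys(SLIDE_LINE2)):
        print(label, value.hex().upper())
```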

[Protocol diagram between IFD and ICC]
IFD: pick RND.IFD, K.IFD; S = RND.IFD || RND.ICC || K.IFD; send [S]KENC,KMAC
ICC: check RND.ICC; R = RND.ICC || RND.IFD || K.ICC; send [R]KENC,KMAC
IFD: check RND.IFD

compute KENC and KMAC from MRZ info
run a protocol to compute Kseed
set D = Kseed || 00 00 00 01
compute H = SHA1(D)
first 16 bytes of H are set to the 2-key triple-DES KSENC
set D = Kseed || 00 00 00 02
compute H = SHA1(D)
first 16 bytes of H are set to the 2-key triple-DES KSMAC
adjust the parity bits of all the DES keys
Secure Messaging
[Diagram: Enc under KSENC, then MAC under KSMAC; Adversary in the middle; MAC recomputed and compared (=), then Dec]
Active Authentication
goal: authenticate the chip
proves that ICC knows some secret key KPrAA linked to a public key KPuAA by a challenge-response protocol
(KPuAA in LDS authenticated by passive authentication)
[Protocol diagram: the ICC receives RND.IFD, forms F from a nonce and RND.IFD, and returns SignKPrAA(F)]

for each new singulation protocol ICC introduces himself with a pseudo (32-bit number)
singulation to establish a communication link between reader and ICC of given pseudo
pseudo is either a constant or a random number starting with 08

Metallic Cover
document must be opened to access the ICC
more expensive
not fully effective
rings at security gates
Implementation Discrepancies
Singulation, by country:
Switzerland: random 08xxxxxx
United Kingdom: random 08xxxxxx
France: random 08xxxxxx
Australia: random xxxxxxxx
New Zealand: constant
USA: ?
Italy: constant
Belgium: ?
Czech Republic: random 08xxxxxx
Algorithms
Switzerland: certificate ecdsa with sha1 824b; SOD ecdsa 512b
United Kingdom: certificate sha256withRSA 4096b; SOD RSA 2048b
Czech Republic: certificate rsaPSS (sha1) 3072b; SOD RSA 2048b
Belgium: certificate sha1withRSA 4096b; SOD RSA 2048b
Germany: certificate ecdsa with sha1 560b; SOD ecdsa 464b
Italy: certificate sha1withRSA 4096b; SOD RSA 2048b
New-Zealand: certificate sha256withRSA 4096b; SOD RSA 2048b
USA: certificate sha256withRSA 4096b; SOD RSA 2048b
Security and Privacy: Security and Privacy Issues; (More Important) Privacy Issues
JPEG2000 Format
many metadata: hackers learn about which software/OS (+bug) used in government agencies
lack of software diversity: hackers introduce viruses in border control systems from JPEG2000 metadata

when prompted by a reader, the ICC answers with a 32-bit random number (temporary device identity)
ISO 14443B of format 08xxxxxx
some countries: constant number
information leakage: 08xxxxxx tags likely to be e-passports
some countries: random number not necessarily of format 08xxxxxx
the protocol and radio signature (pattern) leaks

Radius:
easy at a distance less than 5cm
experiment reported at a distance of 1.5m
claimed to be possible at a distance up to 10m
Threat:
(if MRZ info is known): tracing people
(if MRZ info is unknown): identifying people by bruteforce
in any case: collecting valuable people profiles
Passive Skimming
Radius:
experiment reported at a distance of 4m
claimed to be possible at a distance up to 10m
Threat:
offline bruteforce: identifying people, collecting profiles
Identity Theft
feasible when only facial biometric is used
stealing MRTD
cloning MRTD
AA should be mandatory
Detecting Passports
can check if there is an MRTD in the neighborhood (if leakage)
can detect if there is an MRTD issued by a given country

a fake reader and a fake tag can relay AA messages
authenticate the fake tag to a genuine reader
Denial of Service
Cookies
some DGs reserved so that border clearance can store data
space for extra application
foreign embassies can store an e-visa (undocumented so far)

evidence that MRTD did sign a challenge given by IFD at time t
LDS is an evidence by its own (got from passive authentication)

signed personal data: transferable authentication proof
can no longer hide one's name, age, etc
when DG11 is used: more personal data (place of birth, telephone number, profession, etc)
when DG12 is used: reference to kids
personal profiles can be sold!
Extended Access Control in EU: EAC Protocols; Security Issues
Basic Idea
use more biometrics after a stronger access control
reader authentication
better protocol (chip authentication) based on Diffie-Hellman
access to private data requires chip AND terminal authentication
chip authentication could be used alone (e.g. to replace AA or to have a better key agreement)
BUT: terminal authentication requires a heavy PKI for readers
Chip Authentication
chip has a static Diffie-Hellman key (authenticated by SOD)
semi-static ECDH with domain parameters DICC
replace the secure messaging keys
[Protocol diagram: messages PKICC, DICC and X; $K = \mathrm{KDF}(X^{SK_{ICC}})$; output: K]
Terminal Authentication
terminal sends a certificate to chip (ECDSA)
terminal signs a challenge + the ECDH ephemeral key
[Protocol diagram: certificate(PKIFD); challenge r_ICC; signature s_IFD]
Overall Process
1. do as before with MRZ and facial image
2. run chip authentication (replace the secure messaging keys)
3. run terminal authentication
4. load fingerprint, iris, ...
Information Leakage
SOD leaks the digest of protected DGs before passing EAC
could be used to recover missing parts by exhaustive search
could be used to get a proof if DG is known
proof of knowledge
[Diagram: Prover and Verifier; Prover and Cheater, giving data of distribution D; Simulator and Cheater, giving data of distribution D]

[Protocol diagram: messages H(c), Y, c, z; check against H(c)]
$z = y\,x^{c} \bmod N$
$z^{e} \equiv Y X^{c} \pmod N$
does not work when only HVZK: c = F(Y) transforms into signature
full ZK with a prior commitment round
Conclusion
LDS: leaks too much private information
passive authentication: leaks digital evidences of LDS; need zero-knowledge proof of valid signature knowledge
BAC: does a poor job; need PAKE
secure messaging: OK (old crypto from the 1980s)
AA: leaks evidences, subject to MITM; need zero-knowledge ID proof
EAC: much better, but still leaks + revocation issue
RFID: leaks; need a privacy standard or an off/on switch
biometrics: leaks patterns; need onboard matching
Q&A