Date post: | 07-Apr-2018 |
Category: |
Documents |
Upload: | aichberger |
View: | 229 times |
Download: | 0 times |
of 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
1/88
The Biometric Passport StandardWhats all this Mess About?
Serge Vaudenay
COLE POLYTECHNIQUEFDRALE DE LAUSANNE
http://lasecwww.epfl.ch/
SV 2008 e-passport EPFL 1 / 88
http://lasecwww.epfl.ch/8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
2/88
1 Political Context
2 Primer on Cryptography
3 ICAO-MRTD
4 Security and Privacy
5 Extended Access Control in EU
6 Non-Transferable Authentication
SV 2008 e-passport EPFL 2 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
3/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
4/88
1 Political Context
2 Primer on Cryptography
3 ICAO-MRTD
4 Security and Privacy
5 Extended Access Control in EU
6 Non-Transferable Authentication
SV 2008 e-passport EPFL 4 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
5/88
Arrete Federal2008, June 13
SV 2008 e-passport EPFL 5 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
6/88
Referendum (October 2)Rfrendum contre le prlvement obligatoire
de donnes biomtriques et d'empreintes digitalespour tous les nouveaux passeports et cartes d'identit
Voulez-vous que vos empreintes digitales soient centralises ?
Voulez-vous que votre carte d'identit ou votre passeport contienneune puce permettant la localisation ?
NON? Alors agissez pendantqu'il est encore temps!
NON la collecte force de donnes biomtriques pour tous les nouveaux passeports et cartes d'identit! NON la sauvegarde de vos donnes personnelles biomtriques dans une base de donnes centrale.
NON l'accs de gouvernements trangers et d'entreprises prives vos donnes biomtriques! NON l'instauration de puces de radio-identification (RFID) dans tous les nouveaux passeports suisses
et cartes d'identit!
NON la centralisation bureaucratique et au dmantlement des bureaux de contrles des habitants! NON l'extension du contrle de l'Etat sur les citoyens!
Chaque citoyen suisse doit pouvoir dcider s'il veut d'un passeport suisse et d'une carte d'identit, avecou sans donnes biomtriques et puce RFID.
Les citoyennes et citoyens suisses soussigns ayant le droit de vote demandent, en vertu de lart. 141 de la constitution fdrale du 18avril 1999 et conformment la loi fdrale du 17 dcembre 1976 sur les droits politiques (art. 59s.), que l'arrt fdral du 13 juin2008 portant approbation et mise en oeuvre de lchange de notes entre la Suisse et la Communaut europenne concernant lareprise du Rglement (CE) 2252/2004 relatif aux passeports biomtriques et aux documents de voyage (Dveloppement de lAcquis deSchengen) soit soumis au vote du peuple.
Seuls les lectrices et lecteurs rsidant dans la commune indique en tte de la liste peuvent y apposer leur signature. Les citoyenneset les citoyens qui appuient la demande doivent la signer de leur main. Celui qui se rend coupable de corruption active ou passiverelativement une rcolte de signatures ou celui qui falsifie le rsultat dune rcolte de signatures effectue lappui dun rfrendumest punissable selon larticle 281 respectivement larticle 282 du code pnal.
Canton: No postal: Commune politique:
Nom( la main et enmajuscules)
Prnom( la main et enmajuscules)
Date denaissance(jour/mois/anne)
Adresse exacte(rue et numro)
Signaturemanuscrite
Contrle(laisser enblanc)
1
2
3
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
7/88
TSR Show2008, October 9
in many newspapers since last week
on TV broadcast tonight
SV 2008 e-passport EPFL 7 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
8/88
1 Political Context
2 Primer on Cryptography
3 ICAO-MRTD
4 Security and Privacy
5 Extended Access Control in EU
6
Non-Transferable Authentication
SV 2008 e-passport EPFL 8 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
9/88
Cryptographic Primitives
conventional crypto public-key crypto
symmetric encryption public-key cryptosystem
message authentication code digital signaturehash function key agreement protocol
SV 2008 e-passport EPFL 9 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
10/88
Symmetric Encryption
Generator
6KeyKey6 CONFIDENTIALAUTHENTICATEDINTEGER
-Message Enc - - Dec -Message
Adversary
SV 2008 e-passport EPFL 10 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
11/88
Message Authentication Code
Generator
6KeyKey6 CONFIDENTIALAUTHENTICATEDINTEGER
-Message MAC - - Check-
ok?
-Message
Adversary
SV 2008 e-passport EPFL 11 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
12/88
Hash Function
La cigale ayant
chante tout lete
se trouva fort
depourvue quand
la bise fut venue
pas un seul petitmorceau de mouche
ou de vermisseau
elle alla trouver
famine chez la
fourmie sa voisine ...
- Hash - 928652983652
SV 2008 e-passport EPFL 12 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
13/88
Integrity by Hash Function
-Message
Hash
?
-INTEGER
Digest
-
Hash
?
Message
?
Compare-
ok?
Adversary
SV 2008 e-passport EPFL 13 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
14/88
Key Agreement Protocol
ProtoBobProtoAlice
6KeyKey
- AUTHENTICATEDINTEGER
6
-Message Enc/MAC - - Dec/Check-
ok?
-Message
Adversary
SV 2008 e-passport EPFL 14 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
15/88
Public-Key Cryptosystem (Key Transfer)
Generator
6Secret KeyPublic Key6 AUTHENTICATEDINTEGER
-Message(Key)
Enc - - Dec -Message
(Key)
Adversary
SV 2008 e-passport EPFL 15 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
16/88
Digital Signature (Public-Key Certificate)
Generator
6Secret Key Public Key6AUTHENTICATEDINTEGER
-Message(Certificate)
Sign - - Verify-
ok?
-Message(Certificate)
Adversary
SV 2008 e-passport EPFL 16 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
17/88
1 Political Context
2 Primer on Cryptography
3 ICAO-MRTD
4 Security and Privacy
5 Extended Access Control in EU
6 Non-Transferable Authentication
SV 2008 e-passport EPFL 17 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
18/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
19/88
Obj ti
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
20/88
Objectives
more secure identification of visitors at border control
biometrics
contactless IC chip digital signature + PKI
maintained by UN/ICAO (International Civil Aviation Organization)
SV 2008 e-passport EPFL 20 / 88
MRTD Hi t
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
21/88
MRTD History
1968: ICAO starts working on MRTD
1980: first standard (OCR-B Machine Readable Zone (MRZ))
1997: ICAO-NTWG (New Tech. WG) starts working on biometrics
2001 9/11: US want to speed up the process
2002 resolution: ICAO adopts facial recognition
(+ optional fingerprint and iris recognition)
2003 resolution: ICAO adopts MRTD with contactless IC media
(instead of e.g. 2D barcode)
2004: version 1.1 of standard with ICC
2005: deployment of epassports in several countries
2006: extended access control under development in the EU
2007: deployment of extended access control (+ more biometrics)
SV 2008 e-passport EPFL 21 / 88
Why Face Recognition?
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
22/88
Why Face Recognition?
disclose no information that people does not routinely disclose
facial image is already socially and culturally accepted
already collected and verified in passports
people already aware of capture and use for ID verification
purpose
non-intrusive: no need for physical contactrequires no new enrolment procedure
feasability of fast deployment
many states already have database of people images
can be captured from an endorsed photograph only
children need not be present for capture
human verification is feasible and easy
SV 2008 e-passport EPFL 22 / 88
Why Contactless IC Chip?
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
23/88
Why Contactless IC Chip?
useability: no need for swiping or sensing, requires no contact
(= magnetic strip, optical memory, contact IC chip)data storage: can store over 15 kilobytes
(= 2D barcodes)
performance: random access feasible as information will grow
Recommendation:on-board operating system (ISO/IEC 78164)
ISO 14443 type A or B compliance
very high (>64K) capacity (minimum: 32K, recommended: 512K)
minimum set of commands
data stored in LDS format with encryption, hashing, and signature
high speed retrieval (50K in
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
24/88
How to Distinguish a Compliant MRTD
SV 2008 e-passport EPFL 24 / 88
MRTD in a Nutshell
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
25/88
MRTD in a Nutshell
MRTD
MRZ LDS
? ?????optical access radio access
data authentication by digital signature + PKI
aka passive authentication
access control + key agreement based on MRZ info
aka basic access control (BAC)
chip authentication by public-key cryptgraphy
aka active authentication (AA)SV 2008 e-passport EPFL 25 / 88
MRZ Example
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
26/88
MRZ Example
PMFRADUPONT
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
27/88
LDS Example
- PMFRADUPONT
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
28/88
Underlying Cryptography
RSA signatures (ISO/IEC 9796, PKCS#1), DSA, ECDSA
X.509
SHA1 and sistersDES, triple-DES, CBC encryption mode
one of the ISO/IEC 9797-1 MAC (next slide)
SV 2008 e-passport EPFL 28 / 88
ISO/IEC 9797-1
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
29/88
ISO/IEC 9797 1(MAC algorithm 3 based on DES with padding method 2)
(concatenate message with bit 1 and enough 0 to reach a length multiple of the block size)
DESK1 DESK1 DESK1
?
?
?
-?
?
- -
DESK1
?
?
?
x1
x2
x3
xn
DES1K2
?
DESK1
?
SV 2008 e-passport EPFL 29 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
30/88
LDS Structure
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
31/88
LDS Structure
KENC, KMAC, KPrAA
COM: present data groupsDG1: same as MRZ
DG2: encoded face
DG3: encoded finger(s)
DG4: encoded eye(s)
DG5: displayed portrait
DG6: (reserved)
DG7: displayed signature
DG8: data feature(s)
DG9: structure feature(s)
DG10: substance feature(s)
DG11: add. personal detail(s)DG12: add. document detail(s)
DG13: optional detail(s)
DG14: (reserved)
DG15: KPuAA
DG16: person(s) to notify
DG17: autom. border clearance
DG18: electronic visa
DG19: travel record(s)
SOD
SV 2008 e-passport EPFL 31 / 88
SOD Structure
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
32/88
SOD St uctu e
list of hash for data groups DG1DG15
formatted signature by DS (include: information about DS)
(optional) CDS
SV 2008 e-passport EPFL 32 / 88
Passive Authentication
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
33/88
goal authenticate LDS
after getting SOD, check the included certificate CDS and the
signature
when loading a data group from LDS, check its hash with what is
in SOD
stamp by DS on LDS
SV 2008 e-passport EPFL 33 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
34/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
35/88
ICAO Server
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
36/88
collection of CCSCAs (not available online)
online public-key directory of CDSs (primary directory)
online CRL of CDSs (secondary directory)
SV 2008 e-passport EPFL 36 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
37/88
1 Political Context
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
38/88
1 Political Context
2 Primer on Cryptography
3 ICAO-MRTD
ICAO-MRTD Overview
Passive Authentication
Basic Access Control
Active AuthenticationRFID Access
...in Practice
4 Security and Privacy
5 Extended Access Control in EU
6 Non-Transferable Authentication
SV 2008 e-passport EPFL 38 / 88
Access Control Options
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
39/88
none: anyone can query the ICC, communication in clear
basic: uses secure channel with authenticated key establishment
from MRZ
extended: up to bilateral agreements (no ICAO standard)
EU common criteria: now being implemented
SV 2008 e-passport EPFL 39 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
40/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
41/88
MRZ info
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
42/88
PMFRADUPONT
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
43/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
44/88
Session Key Derivation (Basic Access Control)
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
45/88
compute KENC and KMAC from MRZ inforun a protocol to compute Kseed
set D= Kseed00000001
compute H= SHA1(D)
first 16 bytes of H are set to the 2-key triple-DES KSENC
set D= Kseed00000002
compute H= SHA1(D)
first 16 bytes of H are set to the 2-key triple-DES KSMAC
adjust the parity bits of the all DES keys
SV 2008 e-passport EPFL 45 / 88
Secure Messaging
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
46/88
goal authentication, integrity, confidentiality of communication
message
?Enc
?
?KSENC
- MAC
?
?KSMAC
6
Adversary
- MAC- =6
? KSMAC
Dec
6
6
message
? KSENC
SV 2008 e-passport EPFL 46 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
47/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
48/88
Active Authentication Protocol
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
49/88
IFD ICC
pick RND.IFD
RND.IFD
F nonceRND.IFDcheck
SignKPrAA(F)
SV 2008 e-passport EPFL 49 / 88
With vs Without Active Authentication
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
50/88
No Active Authentication
ICC can be cloned
simple computations to
perform
Active Authentication
protection against clones
requires public-key
cryptography in ICC
SV 2008 e-passport EPFL 50 / 88
1 Political Context
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
51/88
2 Primer on Cryptography
3 ICAO-MRTD
ICAO-MRTD Overview
Passive Authentication
Basic Access Control
Active AuthenticationRFID Access
...in Practice
4 Security and Privacy
5 Extended Access Control in EU
6 Non-Transferable Authentication
SV 2008 e-passport EPFL 51 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
52/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
53/88
1 Political Context
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
54/88
2 Primer on Cryptography
3 ICAO-MRTD
ICAO-MRTD Overview
Passive Authentication
Basic Access Control
Active AuthenticationRFID Access
...in Practice
4 Security and Privacy
5 Extended Access Control in EU
6 Non-Transferable Authentication
SV 2008 e-passport EPFL 54 / 88
Implementation Discrepencies
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
55/88
shield singulation BAC AA
Switzerland none random 08xxxxxx used not implemented
United Kingdom none random 08xxxxxx used not implemented
France none random 08xxxxxx ? ?
Australia none random xxxxxxxx used ?New Zealand none constant used ?
USA yes ? ? ?
Italy ? constant ? ?
Belgium none ? used implemented
Czech Republic none random 08xxxxxx used implemented
SV 2008 e-passport EPFL 55 / 88
Algorithms
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
56/88
certificate SOD AA
Switzerland ecdsa with sha1 824b ecdsa 512b n/a
United Kingdom sha256withRSA 4096b RSA 2048b n/a
Czech Republic rsaPSS (sha1) 3072b RSA 2048b RSA 1024b
Belgium sha1withRSA 4096b RSA 2048b ?
Germany ecdsa with sha1 560b ecdsa 464b n/a
Italy sha1withRSA 4096b RSA 2048b ?
New-Zealand sha256withRSA 4096b RSA 2048b ?
USA sha256withRSA 4096b RSA 2048b ?
SV 2008 e-passport EPFL 56 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
57/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
58/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
59/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
60/88
Issues in Basic Access Control
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
61/88
MRZ info entropy:
ideally, log2((10+26)93651003655) 70in practice, log2(2010
6365103655) 47at this time, log2(10
4365103655) 36
online bruteforce attack
guess MRZ info and try it with MRTD until it works
one experiment reported: it took 4h(would make sense in a long haul flight)
offline bruteforce
infer MRZ info from some (x,MACKMAC(x)) pair
decrypt BAC protocol to get KSENCdecrypt passive authentication to get LDS
SV 2008 e-passport EPFL 61 / 88
Unauthorized Wireless Access
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
62/88
Radius:easy at a distance less than 5cm
experiment reported at a distance of 1.5m
claimed to be possible at a distance up to 10m
Threat:
(if MRZ info is known): tracing people
(if MRZ info is unknown): identifying people by bruteforce
in any case: collecting valuable people profiles
SV 2008 e-passport EPFL 62 / 88
Passive Skimming
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
63/88
Radius:
experiment reported at a distance of 4m
claimed to be possible at a distance up to 10m
Threat:
offline bruteforce: identifying people, collecting profiles
SV 2008 e-passport EPFL 63 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
64/88
Detecting Passports
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
65/88
can check if there is an MRTD in the neighborhood
(if leakage) can detect if there is an MRTD issued by a given
country
SV 2008 e-passport EPFL 65 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
66/88
Denial of Service
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
67/88
e-bombing: destroy chips
hammer: destroy your own chip
SV 2008 e-passport EPFL 67 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
68/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
69/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
70/88
Collecting Digital Evidences
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
71/88
challenge semantics in AA:
RND.IFD = H(social(t1))
evidence = timestampt(social(t1)LDS)
evidence that MRTD did sign a challenge given by IFD at time t
LDS is an evidence by its own (got from passive authentication)
SV 2008 e-passport EPFL 71 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
72/88
1 Political Context
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
73/88
1 Political Context
2 Primer on Cryptography
3 ICAO-MRTD
4 Security and Privacy
5 Extended Access Control in EU
6 Non-Transferable Authentication
SV 2008 e-passport EPFL 73 / 88
1 Political Context
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
74/88
2 Primer on Cryptography
3 ICAO-MRTD
4 Security and Privacy
5 Extended Access Control in EU
EAC Protocols
Security Issues
6 Non-Transferable Authentication
SV 2008 e-passport EPFL 74 / 88
Basic Idea
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
75/88
use more biometrics after a stronger access controlreader authentication
better protocol (chip authentication) based on Diffie-Hellman
access to private data requires chip AND terminal authenticationchip authentication could be used alone
(e.g. to replace AA or to have a better key agreement)
BUT: terminal authentication requires a heavy PKI for readers
SV 2008 e-passport EPFL 75 / 88
Chip Authentication
chip has a static Diffie-Hellman key (authenticated by SOD)
semi-static ECDH with domain parameters DICC
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
76/88
semi static ECDH with domain parameters DICC
replace the secure messaging keys
resists skimming
key with large entropy
IFD ICC
input: m secret key: SKICC(g DICC) pub key: PKICC = g
SKICC,DICC
pick x at randomPKICC,DICC
X= gxX
K= KDF(PKxICC) K= KDF(X
SKICC)
output: K output: K
SV 2008 e-passport EPFL 76 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
77/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
78/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
79/88
Terminal Authentication: Revocation
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
80/88
MRTD are not online!
MRTD have no reliable clock
MRTD must trust readers to revoke themselves
SV 2008 e-passport EPFL 80 / 88
Information Leakage
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
81/88
SOD leaks the digest of protected DGs before passing EAC
could be used to recover missing parts from exhaustively search
could be used to get a proof if DG is known
SV 2008 e-passport EPFL 81 / 88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
82/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
83/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
84/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
85/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
86/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
87/88
8/6/2019 The Biometric Passport Standard - Mrtd-cs08prt
88/88