Preventing Fraud in ePassports and eIDs: Security Protocols for Today and Tomorrow
Machine-readable passports have been a reality since the 1980s, but it wasn't until after 2001, in the wake of the terrorist attacks of September 11 in the US, that development of ePassports really shifted into high gear. Today, there are more than 100 countries with ePassport systems in place or in the works, and the contactless technology they use is also being introduced to other types of government-issued ID documents.
One of the main advantages of ePassports is their high level of security, which makes them hard to counterfeit and thereby reduces the risk of fraud. But identity thieves and other criminals are determined and cunning, so security is always an evolving standard. At the same time, ePassports are becoming more sophisticated. They can store more information and can even work with biometric data such as fingerprints and iris scans. This higher level of sophistication also adds to the demand for better security. These factors have led to the creation of multiple security mechanisms, each with its own set of features and advantages.
Having different security mechanisms in use worldwide can create a challenge for the ID infrastructure, especially since government-issued IDs are typically valid for many years. The average lifespan of an ePassport, for example, is five to ten years. That means the infrastructure has to keep current with the latest standards but also support legacy standards while the cards that use them are still in circulation. This paper looks at the security mechanisms currently in use or on the immediate horizon, and summarizes the design considerations for each.
ePassports are equipped with a standardized logical data structure (LDS) that is used to program the chip and store data. The simplest LDS stores a facial image and very basic data. As the LDS has evolved over time, it has grown more sophisticated, and today can store a range of items, from biometric data like fingerprints and iris scans, to card-reader data and other travel information.
for mutual authentication, then a session key is generated out of the MRZ. The terminal uses an optical character recognition (OCR) reader to read the MRZ and derive the keys. The session key is used to encrypt the data exchange between passport and reader. BAC does not secure the chip against cloning. Another limitation of this technology is that the entropy of the key source (MRZ) is low, and it does not change. No PKI infrastructure is required for BAC.
Passive Authentication (mandatory in ICAO)
This step verifies the authenticity of the data stored in the security IC. The data is digitally signed by the issuing country. This mechanism does not prevent cloning of the chip. A PKI infrastructure is required. However, asymmetric cryptography is not required on the ePassport itself. Digital signature verification is done by the background system of the inspection device.
Active Authentication (optional in ICAO)
Protects the data against cloning. Each chip has stored a diversified key which is not accessible by the reader. The security IC contains a public key. The chip signs the challenge with its secret key, and the terminal then verifies the signature using the public key of the chip. No PKI infrastructure is required since the public key is accessible by the reader and the secret key is stored in a secure area which cannot be cloned.
Combination of measures for data transaction:
Basic Access Control - generates keys for secure messaging
Secure Messaging
Passive Authentication - checks if data of passport has been manipulated
Active Authentication (optional) - checks authenticity of passport
Reading of data groups - terminal is enabled to access data groups
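The derivation of BAC access keys from the MRZ, as an added example that is not part of the original paper: it follows the ICAO Doc 9303 key derivation (SHA-1 over document number, date of birth and date of expiry with their check digits), which this page does not spell out, and shows why the key source is static and low in entropy. The sample fields and the uniform-field assumption behind the entropy bound are constructed for illustration.

```python
import hashlib
import math

def char_value(c):
    """MRZ character value: digits as-is, '<' = 0, A..Z = 10..35."""
    if c.isdigit():
        return int(c)
    return 0 if c == "<" else ord(c) - ord("A") + 10

def check_digit(field):
    """ICAO 9303 check digit: repeating weights 7, 3, 1, sum modulo 10."""
    return str(sum(char_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10)

def mrz_information(doc_no, birth, expiry):
    """Document number, date of birth, date of expiry, each followed by its check digit."""
    return "".join(f + check_digit(f) for f in (doc_no.ljust(9, "<"), birth, expiry))

def odd_parity(key):
    """Set the low bit of every byte so that each byte has odd parity (DES key format)."""
    return bytes((b & 0xFE) | (bin(b & 0xFE).count("1") % 2 == 0) for b in key)

def derive(k_seed, counter):
    """16-byte key: SHA-1(K_seed || 32-bit counter), truncated and parity-adjusted."""
    return odd_parity(hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16])

def bac_keys(doc_no, birth, expiry):
    """Access keys (K_enc, K_mac): a function of printed MRZ fields and nothing else."""
    info = mrz_information(doc_no, birth, expiry).encode("ascii")
    k_seed = hashlib.sha1(info).digest()[:16]
    return derive(k_seed, 1), derive(k_seed, 2)

def mrz_entropy_bound_bits(doc_alphabet=36, age_span_years=100, validity_years=10):
    """Upper bound on key-source entropy, assuming every field is uniformly random."""
    days = 365.25
    return math.log2(doc_alphabet ** 9 * age_span_years * days * validity_years * days)

# Constructed sample fields, not a real document.
SAMPLE = ("L898902C", "690806", "940623")
K_ENC, K_MAC = bac_keys(*SAMPLE)
```

The keys are identical on every read of the same document, and the bound drops further when document numbers are purely numeric or issued sequentially (pass `doc_alphabet=10` to see the numeric case).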
trustworthy to the chip. The terminal certificate is a certificate which is provided by the Document Verifier Certification Authority (DVCA). To ensure that the certificate sent by the reader is genuine, the chip sends a random number to the terminal. The terminal signs the number and returns it to the chip. With the public key of the terminal (which is part of the terminal certificate), the chip can check the signature over the random number to prove that the terminal certificate belongs to the terminal with the corresponding private key. This complex mechanism requires a PKI infrastructure.
Figure 2 shows the example of a PKI infrastructure to support EAC. The CVCA certificate of the issuing country A is stored in the chip of all passports of country A during personalization. This certificate is used to verify the terminal during authentication. Country A permits country B to access the fingerprint data of the passport issued by country A. The DVCA of country B provides the suitable terminal certificate (e.g. a certificate signed by the CVCA of country A), to the inspection system of country B. Country B is now enabled to read passports from country A.
Combination of measures for data transaction:
Basic Access Control - generates keys for secure messaging
Secure Messaging
Terminal Authentication - proves to the security IC that the terminal is allowed to access the IC
Passive Authentication - checks if data of the passport has been manipulated
Chip Authentication - proves authenticity of security IC (same mechanism as active authentication as defined in ICAO)
Secure Messaging - uses session key generated during chip authentication
Reading of data groups - enables terminal to access data
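The chip-side check described above for Terminal Authentication (certificate chain from the stored CVCA key, then a signature over a fresh random number), as an added sketch that is not code from the paper; the same challenge-response idea underlies Active Authentication with the roles reversed. Textbook RSA over fixed Mersenne primes, the certificate layout and all names are assumptions for illustration and are not the certificate format or signature scheme used in real documents.

```python
import hashlib
import secrets

def keypair(p, q, e=65537):
    """Textbook RSA from two fixed primes: toy keys, for illustration only."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest_mod(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):
    n, d = priv
    return pow(digest_mod(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest_mod(msg, n)

def cert_body(holder, pub):
    return f"{holder}|{pub[0]}|{pub[1]}".encode()

def issue_cert(issuer_priv, holder, holder_pub):
    sig = sign(issuer_priv, cert_body(holder, holder_pub))
    return {"holder": holder, "pub": holder_pub, "sig": sig}

def cert_ok(issuer_pub, cert):
    return verify(issuer_pub, cert_body(cert["holder"], cert["pub"]), cert["sig"])

def chip_terminal_auth(cvca_pub, dv_cert, term_cert, terminal_sign):
    """Chip side: accept the terminal only if the chain and the challenge both verify."""
    if not cert_ok(cvca_pub, dv_cert):            # DV cert must come from the stored CVCA
        return False
    if not cert_ok(dv_cert["pub"], term_cert):    # terminal cert must come from that DV
        return False
    challenge = secrets.token_bytes(8)            # fresh random number chosen by the chip
    return verify(term_cert["pub"], challenge, terminal_sign(challenge))

# Constructed toy keys and certificates (country A CVCA, country B DV and terminal).
CVCA_PUB, CVCA_PRIV = keypair(2**521 - 1, 2**607 - 1)
DV_PUB, DV_PRIV = keypair(2**107 - 1, 2**127 - 1)
TERM_PUB, TERM_PRIV = keypair(2**61 - 1, 2**89 - 1)
DV_CERT = issue_cert(CVCA_PRIV, "DV-B", DV_PUB)
TERM_CERT = issue_cert(DV_PRIV, "TERMINAL-B1", TERM_PUB)

def genuine_terminal(challenge):
    """Terminal side: sign the chip's random number with the terminal private key."""
    return sign(TERM_PRIV, challenge)
```

Presenting a copied terminal certificate without the matching private key fails at the challenge step, which is the property the random number provides.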
EACv2: EACv2 ensures that only authorized terminals can access the ICAO-mandatory data groups (DG1 personal data text, DG2 encoded face, SOD). ICAO-mandatory data groups must be readable by countries that are not implementing EAC. Therefore, EACv2 is not used for ePassports due to compatibility reasons. EACv2 is primarily used for eID (electronic identification) cards.
Main changes with SAC
Like BAC, SAC ensures that the passport can only be read when there is physical access to the travel document and generates session keys used for communication between ePassport and terminal. The main difference between SAC and BAC is that SAC uses asymmetric cryptography (Diffie-Hellman key agreement) to generate the symmetric session keys. Using BAC is still a fairly safe way to secure the communication between electronic passport and inspection systems, but due to increasing computing power and BAC's relatively low entropy, it will become easier for eavesdroppers to hack the encrypted communication information. SAC improves the security of the communication interface so much that it eliminates the disadvantages compared to contact-based solutions. While BAC derives the session key directly from the MRZ of the passport, SAC uses a password with possibly low entropy (CAN, Card Access Number, 6 bit) to generate the session keys. It uses a Diffie-Hellman key agreement based on asymmetric cryptography technology. The quality of the session key of SAC is independent of the entropy of the CAN, while BAC is dependent on the entropy of the MRZ, which is rather low. This is the main advantage of SAC. The 6-digit CAN can be derived from the MRZ or it can be printed separately on the holder page of the ePassport.
Changes for OS implementation and personalization
Overall, the changes required for SAC are marginal compared to the security improvements it delivers. The main change is the requirement to use Diffie-Hellman key agreement according to the ICAO specification (ICAO, Technical Report, Supplemental Access Control for Machine Readable Travel Documents, 2010). During the migration phase, it is recommended to use BAC and SAC together, with SAC being the preferred option. During personalization, the CAN and SAC data need to be stored on the ePassport chip. The CAN data must also be printed on the security document.
Combination of measures for data transaction:
PACE - generates keys for secure messaging using asymmetric encryption
Secure Messaging - using key generated by PACE
Terminal Authentication - proves to the security IC that the terminal is allowed to access the IC
Passive Authentication - checks if passport data has been manipulated
Chip Authentication - proves authenticity of security IC (same mechanism as active authentication as defined in ICAO)
Secure Messaging - uses session key generated during chip authentication
Reading of Data Groups - enables terminal to access data
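How PACE lets a short CAN gate a Diffie-Hellman exchange so that the session key takes its strength from fresh ephemeral values, as an added sketch that is not part of the original paper. The 127-bit toy group, the XOR stand-in for the cipher that protects the nonce, the hash-based key derivation and all names are assumptions; the closing mutual-authentication tokens are omitted.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy prime modulus (assumption, far too small for real use)
G = 3            # toy generator

def k_pi(can):
    """Password key derived from the low-entropy CAN."""
    return hashlib.sha256(b"PACE|" + can.encode()).digest()[:16]

def xor16(key, block):
    """Stand-in for the nonce cipher (XOR, so the same call encrypts and decrypts)."""
    return bytes(k ^ b for k, b in zip(key, block))

def ephemeral():
    return secrets.randbelow(P - 3) + 2

def mapped_generator(s, shared):
    """Generic mapping: new generator g' = g^s * H mod p."""
    return pow(G, int.from_bytes(s, "big"), P) * shared % P

def session_key(secret):
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()[:16]

def pace_run(chip_can, terminal_can):
    """One protocol run; returns (chip session key, terminal session key)."""
    s = secrets.token_bytes(16)                    # chip: fresh random nonce
    z = xor16(k_pi(chip_can), s)                   # chip -> terminal: nonce under K_pi
    s_term = xor16(k_pi(terminal_can), z)          # terminal decrypts with the CAN it read
    a, b = ephemeral(), ephemeral()                # first Diffie-Hellman exchange
    h_chip, h_term = pow(pow(G, b, P), a, P), pow(pow(G, a, P), b, P)
    g_chip, g_term = mapped_generator(s, h_chip), mapped_generator(s_term, h_term)
    c, d = ephemeral(), ephemeral()                # second exchange on the mapped generator
    pub_chip, pub_term = pow(g_chip, c, P), pow(g_term, d, P)
    return session_key(pow(pub_term, c, P)), session_key(pow(pub_chip, d, P))
```

Two runs with the same CAN yield different session keys, and a terminal holding the wrong CAN ends up with a key that does not match the chip's.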
Certification
The ICAO does not require that ePassports be certified before use, but certification is a highly recommended practice. As shown in Figure 3, each security mechanism is supported by a protection profile for Common Criteria (CC) certification.
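[Figure 3: table of protection profiles (PP0055b, PP0056b, PP0056 v2, PP0068 v2b) against security mechanisms (BAC, EACv1, EACv2, PACE2), with a comment field. Only the two marks next to BAC ("X X") are preserved.]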
All the protection profiles can be found on the BSI website: https://www.bsi.bund.de/DE/Themen/ElektronischeAusweise/TRundSchutzprofile/trundschutzprofile_node.html
Conclusion
The infrastructure for ePassports has to be equipped to support evolving standards for security and new kinds of data, including biometrics. At the same time, the infrastructure has to retain its support for previous standards, since ePassports that were issued many years ago may still be in current use. This need to combine next-generation technology with legacy standards can be challenging. Having a clear understanding of security mechanisms, both those in use today and those scheduled to come online in the next few years, is an important first step in meeting this challenge. Partnering with a technology leader, especially one with experience implementing ePassport schemes worldwide, is another way to ensure that the ePassport infrastructure meets short- and long-term needs.
Glossary
AA - Active Authentication
BAC - Basic Access Control
BSI - Bundesamt für Sicherheit und Informationstechnik (German Federal Office for Information Security)
CAN - Card Access Number
EACv1 - Extended Access Control version 1.11
EACv2 - Extended Access Control version 2
EU - European Union
IC - Integrated Circuit
ICAO - International Civil Aviation Organization
MRZ - Machine Readable Zone
OCR - Optical Character Recognition
PACE - Password Authenticated Connection Establishment
SAC - Supplemental Access Control
Bibliography
BSI. (March 2012). Advanced Security Mechanisms for Machine Readable Travel Documents Part 1 v2.1 eMRTDs with BAC/PACEv2 and EACv1. (p. 24). BSI.
BSI. (March 2012). Advanced Security Mechanisms for Machine Readable Travel Documents Part 2 v2.1 Extended Access Control Version 2 (EACv2), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI). (p. 26). BSI.
BSI. (March 2012). Advanced Security Mechanisms for Machine Readable Travel Documents Part 3 v2.1 Common Specifications. (p. 83). BSI.
BSI. (n.d.). BSI Homepage. Retrieved from https://www.bsi.bund.de
ICAO. (2005). DOC 9303 part 1 - volume 2. ICAO (p. 131). ICAO.
ICAO. (2010). Technical Report, Supplemental Access Control for Machine Readable Travel Documents. ICAO (p. 33). ICAO.
Schmeh, K. (2009). Elektronische Ausweisdokumente. Munich: Hanser.
www.nxp.com
2013 NXP Semiconductors N.V. All rights reserved. Reproduction in whole or in part is prohibited without the prior written consent of the copyright owner. The information presented in this document does not form part of any quotation or contract, is believed to be accurate and reliable and may be changed without notice. No liability will be accepted by the publisher for any consequence of its use. Publication thereof does not convey nor imply any license under patent- or other industrial or intellectual property rights. Date of release: February 2013 Document order number: 9397 750 17377 Printed in the Netherlands