Monday, April 13, 2009

E-Passport Security Issues and an e-SMART solution:

The realization that paper-based passports can be too easily altered or falsified is driving a worldwide move to electronic passports. The large number of lost or stolen passports—more than 300,000 in the United States alone in recent years—meant there was a huge pool of paper-based passports potentially available to counterfeiters.
After the destructions of WTC on the United States on September 11, 2001, Congress legislated that all countries participating in the Visa Waiver Program with the United States must issue passports with integrated circuits (chips) to add digital security features that prevent counterfeiting and positively confirm the bearer of the passport with a biometric, such as a digital copy of the photograph printed on the cover.
An e-passport contains a chip that implements the ICAO standard for Machine Readable Travel Documents (MRTD's). The only personal information stored on the chip is the same information that is printed on the data page of the passport, including a digital version of the photograph.
However, having Chip does not mean passport holder is the right person and impossible to prove it.
Because there is no direct relationship between Chip and passport holder. .It is NOT clone proof, hack proof, fake proof or not temper proof. The most important requirement is clone proof and fake proof. That means there is no technology to identify individual by the passport by itself, we can say all of current passports, maybe little bit better than paper, are old fashioned, legacy, stone age architect but not meaningful or effective modality to identify invividual at all. There are already so many proved fake or weakness there as below. We can say 9-11 tirggerd some business or benifit to low teck companies or related entities, but MicroChip can not prevent any tragedy like 9-11. We need to figure out WHO IS RESPONSBLE for implementing NON SECURED PASSPORT.

e-Passports Security:
The e-passports are protected by a digital signature which, when altered, are supposed to be rejected by the reader. The validation of the signatures on e-passports requires the exchange of PKI certificates between the authorities of the issuing countries or the use of ICAO's PKD (Public Key Directory) system.
The ICAO standard chip contains following files (“Elementary Files”, EFs):
– EF.DG1: personal information (required)
– EF.DG2: picture, JPG/JPG2000 (required)
– EF.DG[3-14,16]: finger prints, iris scans and other files for future use (optional)
– EF.DG15: anti-cloning crypto (optional)
– EF.SOD: safeguarding integrity of DGs (required)
– EF.COM: index of available files (required)

The ICAO standard requirements comprises of two authentication features (passive authentication and active authentication) and one confidentiality feature (Basic Access Code).

Here information stored on the e-passport’s contactless smart card chip is digitally signed by the issuing country and the digital signature is checked before use. Passive authentication safeguard integrity of data stored in the chip. EF.SOD stores hashes of EF.DG[1-16] and a public key The hashes are digitally signed with a private key. If the attacker tried to change the hash to assume false identity, then the digital signature verification would fail, and the attack would be detected.

Flaws in Passive Authentication:
Unfortunately passive authentication is not highly reliable because it has the following drawbacks:
1. Passive authentication verifies data integrity but not chip integrity, which means no way to verify if chip data was stolen and cloned.

2. For passive authentication an inspection system must check the public key in the chip (part of EF.SOD) against a list of trusted certificates. This list comprises of "Country Signing CA Certificates (CCSCA)” and “ICAO Public Key Directory (PKD)”. Only ten of the forty-five countries with e-passports have signed up to the ICAO PKD code system (not all of them are currently using it) and the remaining can use their own CCSCA codes. Since there is no universally accepted key code system for authentication, criminals could always use fake e-passports from countries that do not share the ICAO PKD codes, which would then go undetected at passport control.

3. Passive authentication there is no protection against skimming or eavesdropping attack by outsiders.
A skimming attack is when someone attempts to read the passport chip simply by beaming power at the passport. At normal power ranges, contactless smart card readers must be relatively close to the card within a few inches or at most a few feet. However, that range can be extended if the reader broadcasts power at illegally high levels. A skimming attack could be done to facilitate identity theft or to trace the movements of an individual.
An eavesdropping attack can occur, if the contactless smart card is actively communicating with a legitimate reader. RF emanations from both the smart card and the reader have been shown in tests to be readable at distances up to 30 feet (9 meters).
Thus, the attacker could also clone e-passport of a country that implements the ICAO PKD if he managed to steal chip data information through skimming or eavesdropping. So, countries (including USA) that are just relying on passive authentication for e-passport verification are putting the identity of their e-passport holders in a great risk.

Examples of attacking Passive Authentication:
Example1: Osama technically becomes a citizen of Britain.
Jeroen van Beek, a computer researcher at the University of Amsterdam, has shown in some tests conducted for The Times that the new micro-chipped passports, introduced in UK to protect against terrorism and organized crime, can be easily cloned. Jeroen cloned the chips on two British passports and implanted digital images of Osama bin Laden and a suicide bomber.
The cloned chips were regarded as genuine by the Golden Reader, which is the standard passport reader software used by the UN agency setting standards for e-passports and which is also recommended for use at airports. The cloning operation took less than an hour.
Related Articles:

Example 2: US Homeland Security passports successfully cloned.
The current EPC Gen 2 RFID tags used in the wallet-sized Homeland Security passports use no encryption, and are unable to selectively transmit any data. Instead, the RFID tags broadcast sensitive information, enabling anyone with the proper equipment to collect information that could potentially be used for identity theft, or other nefarious purposes.
An intrepid data security researcher named Chris Paget devised a simple method of collecting and absorbing RFID passport information for the illumination of his peers at the ShmooCon hacker convention (held in Washington, D.C.). Chris devised a fairly inexpensive method of tracking and reading the passports. He bought a $250 RFID scanner on eBay to do the actual card-reading. Then he purchased a cheap, simple antenna to boost his range of the scanner. Then, he went driving in San Fransisco. Chris said that the passport card is a real radio broadcast, so there is no real limit to the read range. It's conceivable that these things can be tracked from 100 meters -- a couple of miles. Chris had no trouble collecting -- and copying -- information from the RFID passports of six people, in a half-hour of driving around.
Related Article:

Basic Access Control is an optional confidentiality feature that could be used to overcome the drawback of passive authentication, i.e. skimming and eavesdropping, however it has drawbacks of its own.
Basic Access Control requires that the initial interaction between the embedded microchip in the passport and the border control reader include protocols for setting up the secure communication channel. The reader first acquires the MRZ information from the data page of the passport, generally via a connected OCR scanner. This MRZ information is used for computing the encryption and message authentication keys used for the “secure” exchange of the session keys. After authentication data is encrypted (3DES).

Basic Access Control Process

The MRZ information used for basic authentication is the passport serial number, the holder’s date of birth and the expiration date of the passport. Basic access control should be effective against simple skimming attacks. However with a little effort the key biometric passport is relatively easy to identify/crack since it is not random, but consists of passport number, the passport holder's date of birth and the passport expiry date. For example birth date for 10 year time period has 10*365 = 3650 values, expiry date within 5 years: 5*365 = 1825 values and passport numbers are typically issued in sequence, so low entropy, and strongly correlated with expiry date
Flaws in Basic Access Code:
i. Weak authentication key since it is based on passport issue date, passport expiry date and passport number.
ii. Does not detect cloned passport.

Example of Basic Access Control Authentication Attack:
Example: Cloning of biometric e-passports while they are still in the mail bag
For example there is an article that talks about successful attack on e-passports when they were in the mail sent by the passport office to the applicant. Perhaps more easier to crack in mail as the issue date of new passport would be within a few days and expiry date would be 10 years from the issue date. It relatively easy to identify the holder's date of birth. The passport number consists of a number of predictable elements, including an identifier for the issuing office, so effectively a significant part of the key can be reconstructed from the envelope and its address label. No proof of identity was required when the passport was delivered. Because it's feasible to steal the data without detection in the mail, it's perfectly possible that insiders could intercept large numbers of the millions of new passports delivered every year.
Related Article:

Basic Access Code substituted by Faraday’s cage in US e-passports:
As a substitute to Basic Access Code, Faradays cage protects US e-passports. This cage is setup by covering the passport with an aluminum foil. However creating a Faraday’s cage can prevent skimming (when passport is closed) but not eavesdropping.

The optional active authentication feature further strengthens the Basic Access Code confidentiality feature. Active authentication lets the inspecting system know if the e-passport is genuine or a clone. For active authentication an asymmetric key pair is stored in the chip, one public key and one private. The public key is accessible in DG15 (i.e. integrity protected by PA). The private key does not leave the chip, no way to read the key, but possible to verify whether the chip can access the private key. RSA is used for active authentication. The steps involved in active authentication are as follows:
Step1: Reader reads signed passport public key
Step2: Reader sends challenge to passport
Step3: Passport encrypts challenge with secret RSA key
Step4: Reader gets encrypted response from passport
Step5: Reader verifies response using the public key from DG15

Active Authentication

Thus, the optional active authentication together with the mandatory passive authentication feature together should provide both data integrity and chip integrity.

Flaws in Active Authentication:
However the active and passive authentication combination is not impenetratable and can be cracked.
a). Manipulating the index file:
Any system (or security feature) is as strong as its weakest link. Even with active authentication enabled e-passports the attacker can manipulate the index file (EF.COM) such that Active Authentication check might be skipped.

Manipulation of the Index File

If the inspecting system is made to think that the DG15 file is not there then it will not check for active authentication, in other words not check for cloning. This attack strategy is also applicable to all other optional security features.
Related Article:

b.) Side-channel attacks:
Side-channels provide unintended means to analyze or manipulate the behavior of cryptographic implementations. Common side channel analysis methods are:

i. Time analysis:
Here process duration is used to reveal secrets. After analyzing RSA trace, and noting the distance variations between higher and lower parts, the key can be derived from a single observation.

Time-Power Analysis of RSA

ii. Power Analysis:
Here power consumption pattern to reveal secrets. Collect many (>1000) RSA power traces and compute average energy per modular operation. Small variations reveal key bits. More advanced correlation analysis is also possible.

Statistical power analysis of RSA (2)

iii. Electro-Magnetic analysis:
Here EM radiation is used to reveal secrets

iv. Power glitching:
This involves the use power interruptions to inject computational faults.

Steps involved in cloning passport through side-channel attack:
Step1: Read personal data (Cloning requires physical access to victim passport)
Step2: Perform multiple active authentications (RSA)
Step3: Retrieve private key by (statistical) analysis
Step4: Load new chip with personal data and RSA keys
Step5: Attach chip to passport document with same identity
! Cloned e-passport chip ready to use!

Related Article:

Extended Access Control is confidentiality feature defined by the European Union to allow authorized Inspection system (system used to read e-passport) to read sensitive biometric data such as fingerprints from e-passports. Extended Access Control is not a part of the ICAO standard.
In Extended Access Control the passport reader is required to obtain a digital certificate from the issuing country before it could access the fingerprint file on the passport chip. The certificate is supposed to be valid for only a short period of time so that no reader can access the fingerprint on a passport chip once that time period has expired.

Extended Access Authentication facilitates chip authentication and terminal authentication.
Chip Authentication by Extended Access Control:
replaces the active authentication feature to authenticate the chip and prove that the chip is genuine (not cloned);
establishes strongly secured communication channel (stronger than the one established by Basic Access Code mechanism)

Terminal Authentication by Extended Access Control:
· extra PKI for reader is used to determine whether the Inspection System is allowed to read the sensitive data from the e-passport.

Flaws in Extended Access Control:
i. Though the digital certificate obtained by the reader is supposed to be of short duration the passport chip contains no clock so that it can't know when the time period has passed and determine if a certificate is no longer valid. If the reader equipped with valid electronic certificate is stolen then the passport data can be accessed later and thief can access all biometric information of the person

ii. Another challenge for chips is to maintain an up-to-date list of PKIs belonging to those countries that have signed the appropriate agreement to access privacy-sensitive data. So far, readers must help e-passports figure out whether their countries have been granted access through an as-yet-unspecified protocol.

iii. The reader can read the SOD without passing through Extended Access Control. Someone who, say, knows most of the content of data group can try to access the chip data by brute force.

Related Links:

Key features of e-Smart technology to overcome current e-passport security issues:

The key features of e-Smart powered Biometric e-passport are:

· e-Smarts proprietary match-on-card technology can be used to verify legitimacy of the person carrying the e-passport even if the passport is subjected only to passive authentication (lowest but mandatory requirement for authentication by ICAO).
· Fingerprint of the individual is used to reliably authenticate person. In e-Smart match-on-card system the biometric fingerprint information would not leave the card/e-passport but is matched within card/e-passport. So the hacker will not get access to to biometric fingerprint data.
· only the biometric template or co-ordinates of the fingerprint is stored within chip from which finger information cannot be extract. Thus, no risk of theft of person’s fingerprint data.

Wireless Fingerprint Matching Passport
Only when fingerprint matches to the passport holder, passport can communicate with passport reader. Passport get power wirelessly and no battery. Fingerprint encripted data of card holder resides inthe passport.

OTHER REFERENCES:[347]=x-347-180779$File/RC23575.pdf