On the Security of E-Passports
by Marc Witteman - CTO of Riscure - Monday, 3 December 2007.
The BAC mechanism does provide some additional privacy protection, but there are two limitations that limit the strength of this mechanism:
  • The BAC key is individual but static, and is computed and used for each access. An adversary needs to get hold of this key only once and will from then on always be able to get access to a passportís data. A passport holder may perceive this as a disadvantage considering the possibility that a passport contains dynamic data.
  • The BAC key is derived from data that may lack sufficient entropy: the date of expiry is always in a window of less than ten years, the date of birth can often be estimated and the document number may be related to the expiry date.
The author of this article discovered BAC security issues in July 2005 and showed that the key entropy that could reach 66 bits may drop below 35 bits due to internal data dependencies. When passport numbers are for instance allocated sequentially they have a strong correlation with the expiry date, effectively reducing the key entropy. An eavesdropper would then be able to compute the BAC key in a few hours and decode all confidential data exchanged with an inspection system. The Netherlands, and maybe other countries, have changed their issuance procedures since this report to strengthen the BAC key.

An associated privacy problem comes with the UID (Unique Identification) number emitted by an RFID immediately after startup. This number, if static, allows an easy way of tracking a passport holder. In the context of e-passports it is important that this number is dynamically randomized and that it cannot be used to identify or track the e-passport holder. The reader should note that these privacy issues originate from the decision to use RFID instead of contact card technology. Had this decision been otherwise the privacy debate would have been different as it would be the passport holder who implicitly decides who can read his passport by inserting it into a terminal.

Inspection system security issues

The use of electronic passports requires inspection systems to verify the passport and the passport holder. These inspection systems are primarily intended for immigration authorities at border control. Obviously the inspection systems need to support the security mechanisms implemented in an e-passport. This appears to be a major challenge due to the diversity of options that may be supported by individual passports. In terms of security protocols and information retrieval the following basic options are allowed:
  • Use of Basic Access Control (including OCR scanning of MRZ data)
  • Use of Active Authentication
  • Amount of personal data included
  • Number of certificates (additional PKI certificates in the validation chain)
  • Inclusion of dynamic data (for example visa)
Future generations of the technology will also allow the following options:
  • Use of biometrics
  • Choice of biometrics (e.g. finger prints, facial scan, iris patterns, etc)
  • Biometric verification methods
  • Extended Access Control (enhanced privacy protection mechanism).
In terms of cryptography a variety of algorithms and various key lengths are (or will be) involved:
  • Triple DES
  • RSA (PSS or PKCS1)
  • DSA
  • SHA-1, 224, 256, 384, 512
The problem with all these options is that a passport can select a set of preferred options, but an inspection system should support all of them! An associated problem in the introduction of the passport technology is that testing inspection systems becomes very cumbersome. To be sure that false passports are rejected the full range of options should be verified for invalid (combinations of) values. Finally, a secure implementation of the various cryptographic schemes is not trivial. Only recently a vulnerability was discovered by Daniel Bleichenbacher that appeared to impact several major PKCS-1 implementations. PKCS-1 also happens to be one of the allowed signing schemes for passive authentication in e-passports. This means that inspection systems should accept passports using this scheme. Passport forgery becomes a risk for inspection systems that have this vulnerability. Immigration authorities can defend themselves against this attack, and other hidden weaknesses, by proper evaluation of the inspection terminals to make sure that these weaknesses cannot be exploited.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th