- The BAC key is individual but static, and is computed and used for each access. An adversary needs to get hold of this key only once and will from then on always be able to get access to a passport’s data. A passport holder may perceive this as a disadvantage considering the possibility that a passport contains dynamic data.
- The BAC key is derived from data that may lack sufficient entropy: the date of expiry is always in a window of less than ten years, the date of birth can often be estimated and the document number may be related to the expiry date.
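The low-entropy point can be made concrete with a short estimate. The following is an added example, not code from the original article: it builds the MRZ input to the BAC key from the three fields named above, shows that the check digits are computed from those fields and so add nothing, and compares two candidate-space estimates. The key-seed step follows ICAO Doc 9303, which the page does not quote; the sample field values and both scenario figures are constructed assumptions.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # repeating MRZ check-digit weights (ICAO Doc 9303)

def char_value(c):
    """Numeric value of one MRZ character: 0-9, A=10..Z=35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"not an MRZ character: {c!r}")

def check_digit(field):
    """Check digit is a pure function of the field, so it adds no entropy."""
    return str(sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10)

def mrz_information(doc_number, birth, expiry):
    """Document number, date of birth and date of expiry, each with its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + check_digit(f) for f in fields)

def key_seed(mrz_info):
    """128-bit BAC key seed: first 16 bytes of SHA-1 over the MRZ information."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

def entropy_bits(*candidate_counts):
    """Upper bound on key entropy: sum of log2 over independent field spaces."""
    return sum(math.log2(n) for n in candidate_counts)

DAYS = 365.25
# (document numbers, birth dates, expiry dates) -- both rows are assumptions.
SCENARIOS = {
    # Any 9-character alphanumeric number, any birth date in 100 years.
    "nominal": (36 ** 9, 100 * DAYS, 10 * DAYS),
    # Birth date estimated to a 10-year window; document number tied to the
    # expiry date, leaving an assumed 10,000 candidates per date.
    "informed": (10 ** 4, 10 * DAYS, 10 * DAYS),
}

def report():
    return {name: round(entropy_bits(*c), 1) for name, c in SCENARIOS.items()}

if __name__ == "__main__":
    info = mrz_information("L898902C", "690806", "940623")  # sample, not a real document
    print(info, key_seed(info).hex())
    for name, bits in report().items():
        print(f"{name}: about {bits} bits behind a 128-bit key seed")
```

Because the seed is a fixed function of printed data, the same inputs always yield the same key, which is the static-key property described in the first bullet.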
An associated privacy problem comes with the UID (Unique Identification) number emitted by an RFID immediately after startup. This number, if static, allows an easy way of tracking a passport holder. In the context of e-passports it is important that this number is dynamically randomized and that it cannot be used to identify or track the e-passport holder. The reader should note that these privacy issues originate from the decision to use RFID instead of contact card technology. Had this decision been otherwise, the privacy debate would have been different, as it would be the passport holder who implicitly decides who can read his passport by inserting it into a terminal.
Inspection system security issues
The use of electronic passports requires inspection systems to verify the passport and the passport holder. These inspection systems are primarily intended for immigration authorities at border control. Obviously the inspection systems need to support the security mechanisms implemented in an e-passport. This appears to be a major challenge due to the diversity of options that may be supported by individual passports. In terms of security protocols and information retrieval the following basic options are allowed:
- Use of Basic Access Control (including OCR scanning of MRZ data)
- Use of Active Authentication
- Amount of personal data included
- Number of certificates (additional PKI certificates in the validation chain)
- Inclusion of dynamic data (for example visa)
- Use of biometrics
- Choice of biometrics (e.g. fingerprints, facial scan, iris patterns, etc.)
- Biometric verification methods
- Extended Access Control (enhanced privacy protection mechanism)
- Triple DES
- RSA (PSS or PKCS1)
- SHA-1, SHA-224, SHA-256, SHA-384, SHA-512