Post on 31-Dec-2015
description
Nikita MariaDepartment of Applied InformaticsUniversity of Macedonia - Greece
e-Passport Layoute-Passport Technologiese-Passport Generationse-Passport VulnerabilitiesProposed MeasuresLegal EffortsConclusions and Proposals
5th International Conference on Information Law 2
The layout
5th International Conference on Information Law 3
Biometric Data powerful identifiers used for authentication and stored on a
RFID chip
R.F.I.D. contactless IC chip meets all three considerations of
usability, data capacity and performance [ICAO Technical Report, 2004]
embedded in the paper passport and communicates wirelessly with
the passport reader using an antenna
5th International Conference on Information Law 4
The International Civil Aviation Organization (ICAO) is a specialized agency that issues passport standards as recommendations to the national governments
Introduced the biometrics and the technology of contactless chips (RFID) and the communication protocols
The 3 e-Passport generations..
5th International Conference on Information Law 5
1st generation Passive Authentication Protocol (mandatory)▪ proves to the reader authenticity of the data ▪ cannot detect cloning
Active Authentication Protocol (optional)▪ chip authentication▪ Prevents cloning
What about the reader? Is he authentic?Is anyone else “listening” through the
communication channel?5th International Conference on Information Law 6
Skimming attacks occur from distance when an
unauthorized reader gains access to the stored data
the attacker communicates directly with the RFID chip (reader authentication needed)
5th International Conference on Information Law 7
Eavesdropping occurs when the attacker intercepts
the communication between the RFID chip and the border control reader (secure messaging)
5th International Conference on Information Law 8
1st generation Basic Access Control (optional)▪ Reader authentication▪ Secure messaging
5th International Conference on Information Law 9
The reader optically reads the MRZ and derives an access key
The RFID chip also knows this key
Cryptographic Session Key derived (Secure messaging)
Mutual authentication
2nd generation Extended Access Control Protocol
(optional)▪ Chip and Terminal authentication▪ Stronger encryption
Its disadvantage is that it depends on BAC!
BAC turned out to be a very successful protocol because of its simplicity
Now is implemented in almost every e-passport
BUT the security that it provides is limited by the design of the protocol - the keys are cryptographically weak
5th International Conference on Information Law 10
3rd generation Supplemental Access Control
(replace BAC)▪ implements asymmetric cryptography▪ data encryption is based on a shared key, unlike BAC which generates the key based on the MRZ
Data is protected both when stored on the chip and when transmitted to the reader
Higher level of protection is succeeded
5th International Conference on Information Law 11
Faraday cage is a metal jacket prevents any electric or
magnetic fields to pass through
A metal surface on an adjacent page
Both are vulnerable to eavesdropping when they are expressly presented by their holders!
5th International Conference on Information Law 12
ICAO In 1980 issued the first edition of the
Doc 9303 as a guideline for issuing machine-readable passports
Introduced the biometrics and the technology of contactless chips (RFID) and the communication protocols
The Doc 9303 evolved through time and separate volumes were published
Doc 9303 part 1 volume 2 (2006)▪ specifications for electronically enabled
passports with biometric identification capability were presented5th International Conference on Information Law 13
European Level E-passports introduced with Council
Regulation (EC) No 2252/2004 standards for security features and
biometrics in passports issued by Member States, taking into account the specifications of ICAO
the data subject’s right of verification is recognized access, rectify, erase
Commission Decision C(2005) 409issue passports with a digital facial image
stored in the RFID chip by 2006 fingerprints by 2008implement the BAC communication
protocol5th International Conference on Information Law 14
The widespread of privacy concerns used to originate mainly in the fields of law
Now has obviosly expanded into the information technologies
Since biometric data was stored on the RFID chip… Privacy Threats arose
The RFID technology’s infrastructure is responsible for these problems
The EU Commission suggested to enhance RFID with privacy enhancing technologies (PETs) (anonymisation, coding, encryption and authentication)
5th International Conference on Information Law 15
Intensive proposed methods to enhance protection of privacy are vital
Fundamental changes are required even to the physical design of the RFID
Or second thoughts should be done about replacing the RFID technology with another that follows data protection principles and applies privacy by design
Cooperation between computer and law scientists is vital for implementing a privacy enhancing technology for e-passports that entails the advantages of the RFID. 5th International Conference on Information Law 16
Thank you for your attention!
Any questions?
5th International Conference on Information Law 17