Presenting

3M Security Systems

Blackhat Europe 2010

Verifying eMRTD Security Controls Raoul D’Costa

1

© 3M 2010. All Rights Reserved.

3M Security Systems

Agenda

Overview of ICAO / EU Specifications eMRTDs decomposed eMRTD Infrastructure (PKI) Inspecting eMRTD User Interface Design Conclusion

2


3M Security Systems

Introduction

Section 1: Overview of eMRTD Specifications

3


3M Security Systems

eMRTD Specifications

ICAO Travel Document - Doc 9303 Core Specifications set by the International Civil Aviation Organisation (ICAO) NTWG / SC17 collaboration Supplemented by BSI ASM for eMRTDs (EAC) Authenticated eMRTDs provide identity verification of eMRTD holder Issuing Authorities in nation states or Int’l bodies e.g. INTERPOL as enhanced identity security documents Commonly issued eMRTDs include national ePassports and eID Cards but also Seafarers documents, Biometric Residence Permits use same specifications

4


3M Security Systems

5


eMRTD Types

3M Security Systems

6


eMRTD – RFID Integrated Circuit Card

3M Security Systems

7


Symbol denoting Chipped eMRTD

3M Security Systems

8


Nation States that issue MRTDs (2009)

3M Security Systems

eMRTD Decomposed

Section 2: eMRTDs Decomposed

9


3M Security Systems

10


eMRTD Decomposed

3M Security Systems

11


eMRTD Decomposed

3M Security Systems

eMRTD Decomposed - Chip

Master Files

USER APPLICATION …

12


3M Security Systems

Datagroup 1

Contains the following information • • •

Date of Birth Passport Number Expiry Date

Access to the file is protected by Basic Access Control

13


3M Security Systems

Datagroup 2

Encoded photograph to ISO Standard to ensure quality of data image Access is protected by Basic Access Control Images encoded in JPEG or JPEG2000 formats Photographs are standardised to ensure visual comparison and automated biometric verification Images to overcome interoperability challenges (different biometric verification algorithms)

14


3M Security Systems

15


eMRTD Verification

3M Security Systems

16


eMRTD Decomposed - EF.COM

3M Security Systems

Datagroup 3

Fingerprints and Iris are a second generation feature of eMRTDs Sensitive Data protected by EAC as an enhancement to BAC Access is protected by Extended Access Control (separate PKI authorisation scheme) Images encoded in JPEG or JPEG2000 formats to overcome biometric interoperability problems No International Standard yet

17


3M Security Systems

EF.COM Data

Contains a map of the tags, lengths values present in the file Is not protected (digitally signed) by issuing authority Cannot be trusted unless authenticated to EF.SOD

18


3M Security Systems

eMRTD Decomposed – EF.SOD

Contains the hash values of all the data groups Hash values signed by a document signing authority with private key (SOD = Digital Signature) May contain the Document Signer Certificate (DSC) that corresponds public key element used the create the SOD or reference to DSC. Can be trusted provided the Document Signer Certificate is validated

19


3M Security Systems

20


EF.SOD

3M Security Systems

eMRTD Deconstructed - EF.SOD

SIGNATURE

21


3M Security Systems

22


Presenting the results

3M Security Systems

Verifying EF.SOD

Part of the Passive Authentication process Verify the ASN.1 Structure Verify the hash values present Verify the signature against the public key element contained in related Document Signer Certificate Authenticate the Document Signer Certificate • •

23

Verify the certificate chain of the DSC against the CSCA Certificate dynamically Pre-validated DSCs in protected Certificate Cache Store


3M Security Systems

24


Reliance on genuine passport numbers

3M Security Systems

eMRTD Infrastructure (PKI)

Section 3: eMRTD Infrastructure (PKI)

25


3M Security Systems

ePassport Infrastructure – 1st Generation

ICAO PKD

CSCA Authority National Infrastructure

Document Signer Service

Registration Authority

Issuance

26


Inspection System

Verification

Second Generation Extensions

3M Security Systems

SPOC

CVCA DVCA

Issuance

Registration Authority

Inspection System

Issuance Verification

27


3M Security Systems

28


ePassport Infrastructure – 2nd Generation

3M Security Systems

ICAO Public Key Directory

Global repository of certificates used to validate eMRTDs Relies on Issuing Authority subscribers uploading data to the PKD Regularly updated with • • • •

Document Signer Certificates CRLs Null CRLs MasterLists

Serves as a trust anchor on eMRTDs 29


3M Security Systems

ICAO PKD

https://pkddownloadsg.icao.int/ICAO/pkdLDIFDownload.jsp

30


3M Security Systems

31


eMRTD Verification

3M Security Systems

Inspecting eMRTD Effectively

Section 4: Inspecting eMRTD Effectively

32


3M Security Systems

33


Inspection Terminals – RFID Readers

3M Security Systems

eMRTD Verification Process MRTD to Be Inspected

Holder provides eMRTD

Perform Physical Checks

Physical Check

Y

Extract MRZ

Validate MRZ

MRZ Valid

Y

Record Result

Query against whitelist

Y

Record Result

N N Perform BAC using MRZ

Record Result

Perform Facial Checks

Extract Data

Record Result

Perform AA

BAC Sucessful

N

Y

AA Present

Y

Perform PA Checks

Record Result

N

Record Result

Perform EAC

Contains 2nd Gen Features

Y

EAC Sucessful

Perform Fingerprint matching

34


Y

N

Produce Result

N

3M Security Systems

35


Physical Checks: Reliance on experts?

3M Security Systems

Physical Checks Check that the document has not been tampered with Check the document under various wavelengths of light Check that the document has not expired

36


3M Security Systems

Limitations of Physical Checks

Difficult to automate Not standardised Can be subjective Physical inspection is not always logged

37


3M Security Systems

Validate MRZ Validate that the contents of the MRZ are valid Validate the checksum Validate that they match the contents of the passport

38


3M Security Systems

Validation of MRZ

Checksum 39


3M Security Systems

BAC Extract the following fields • • •

Date of Birth Document Number Expiry Date

Send these to the chip These should match DG1

40


3M Security Systems

Facial Biometrics Match the holder to the DG2 using facial biometrics DG2 is required to meet certain standards Used in some countries including • • •

41


Portugal Australia UK (Trial)

3M Security Systems

42


Biometric Facial Checking

3M Security Systems

Passive Authentication Check the validity of EF.SOD Check the hash values of the datagroups Check the signature of SOD Check the chain of the document signer certificate Check against null and non null CRLs ICAO PKD Maintains Certificates for subscribers

43


3M Security Systems

Active Authentication Ensures the eMRTD is not cloned Challenge response between the terminal and the eMRTD

44


3M Security Systems

Passive Authentication

CSCAs can be exchanged • •

By diplomatic channels Using CSCA MasterLists

A CSCA is a trust anchor and can identify the eMRTD Issuing Authority Inspection System Integrity and Performance Security controls must ensure that bogus CSCAs cannot be inserted during the verification process Inspection System Architecture designed to requirements (not one fits all) – depends upon operating environment, devices, key management strategy, network reliability

45


3M Security Systems

Extended Access Control Consists of the following • •

Chip Authentication Terminal Authentication

Provides the following •

•

•

46


Mutual authentication between the chip and the terminal Some indication of the issuer of the eMRTD Privacy of the fingerprints on the passport

3M Security Systems

Second Generation Features

EAC requires the implementation of the EAC infrastructure to ensure verification EAC Protects the privacy of the fingerprints on the ePassport EAC proves the issuer of the ePassport EAC Ensures that only authorised terminals can read fingerprints

47


3M Security Systems

Fingerprint matching DG3 Contains the fingerprint 0 – 10 digits can be stored depending on the country where fingerprints are captured Fingerprint image contained (not a template)

48


3M Security Systems

49


Registration: A link in the chain

3M Security Systems

Consolidating Checks

VALID

Physical

MRZ

Expiry Check

BAC

TA

AA

Facial Biometric

Fingerprint Biometric

50


INVALID

NOT PRESENT

Use Case 1: Valid 2nd Gen eMRTD

3M Security Systems

VALID

Physcial

MRZ

Expiry Check

BAC

PA

TA

AA

Facial Biometric


51


INVALID

NOT PRESENT

NOT IMPLEMENTED

Use Case: 1st Gen Fake Passport

3M Security Systems

VALID

Physcial

MRZ

Expiry Check

BAC

PA

TA

AA

Facial Biometric


52


INVALID

NOT PRESENT

NOT IMPLEMENTED

Use Case: Cloned 2nd Gen eMRTD

3M Security Systems

VALID Physcial MRZ Expiry Check BAC PA TA

AA Facial Biometric Fingerprint Biometric

53


INVALID

NOT PRESENT

NOT IMPLEMENTED

Use Case: Possible Fake Passport

3M Security Systems

VALID

Physcial

MRZ

Expiry Check

BAC

PA

TA

AA

Facial Biometric


54


INVALID

NOT PRESENT

NOT IMPLEMENTED

An expired eMRTD

3M Security Systems

VALID Physcial MRZ

Expiry Check BAC

PA TA

AA

Facial Biometric Fingerprint Biometric

55


INVALID

NOT PRESENT

NOT IMPLEMENTED

Use Case: Fake Passport

3M Security Systems

VALID Physcial MRZ

Expiry Check BAC PA TA

AA Facial Biometric Fingerprint Biometric

56


INVALID

NOT PRESENT

NOT IMPLEMENTED

3M Security Systems

Usability of eMRTD Inspection Systems

Section 5: Usability of eMRTD Inspection Systems

57


3M Security Systems

Usability Challenges

Use their terminology • • • •

Counterfeit (not PA has failed) Falsified (not Digital Signature is not verified) Cloned (not Active Authentication has been subverted) Access denied (Terminal Authentication does not have appropriate CV chains)

Simplicity by design • • •

User Interface design aligns with tasks Clear feedback on processing State of device (security)

Case Studies •

58

Engage with Users


3M Security Systems

Conclusion

Section 6: Conclusion

59


3M Security Systems

Conclusion

eMRTDs are complex documents and need to be verified appropriately Partial checking of some features is not enough to guarantee that the document is authentic Various designs and physical layouts of documents from various countries can easily lead to confusion although the electronic features are standardised and the same User interface design for eMRTD verification apps should provide a result in a clear and concise manner

60


3M Security Systems

Questions?

Raoul D’Costa redcosta AT mmm DOT com uk.linkedin.com/in/raouldcosta 00441635264104

61


3M Security Systems

62

References

Myths about ePassports http://www.gemalto.com/myths_about_epassports/myths_2.html

ICAO 9303 Passport Standards - http://www2.icao.int/en/MRTD/Pages/Doc9393.aspx

Wikipedia entry on biometric passports - http://en.wikipedia.org/wiki/Biometric_passport

http://www.en.bmi.bund.de/nn_1176866/Internet/Content/Themen/Travel__ID__Documen ts/Electronic__Passport/Datenschutz__en.html

ICAO eMRTD Report Volume 203 Number 202 http://www2.icao.int/en/MRTD2/ReportsPastIssues/ICAO%20MRTD%20Report%20Vol.% 203%20No.%202,%202008.pdf

UK ID Card http://www.ips.gov.uk/cps/files/ips/live/assets/documents/id_card_security_guide_low.pdf

EAC Specification version 3.1.1 https://www.bsi.bund.de/cae/servlet/contentblob/532066/publicationFile/44792/TR03110_v202_pdf

Golden Reader Tool for Reading eMRTDs https://www.bsi.bund.de/DE/Themen/ElektronischeAusweise/Projekte/projekteGRT/GRT_ node.html
