3M Security Systems

Blackhat Europe 2010

Verifying eMRTD Security Controls

Raoul D’Costa


© 3M 2010. All Rights Reserved.


Agenda

• Overview of ICAO / EU Specifications
• eMRTDs decomposed
• eMRTD Infrastructure (PKI)
• Inspecting eMRTD
• User Interface Design
• Conclusion


Introduction

Section 1: Overview of eMRTD Specifications


eMRTD Specifications

• ICAO Travel Document - Doc 9303
• Core specifications set by the International Civil Aviation Organisation (ICAO), an NTWG / SC17 collaboration
• Supplemented by the BSI Advanced Security Mechanisms (ASM) specification for eMRTDs (EAC)
• Authenticated eMRTDs provide identity verification of the eMRTD holder
• Issued by Issuing Authorities in nation states or international bodies (e.g. INTERPOL) as enhanced identity security documents
• Commonly issued eMRTDs include national ePassports and eID Cards, but Seafarers' documents and Biometric Residence Permits also use the same specifications

[Figure: eMRTD Types]

[Figure: eMRTD – RFID Integrated Circuit Card]

[Figure: Symbol denoting Chipped eMRTD]

[Figure: Nation States that issue MRTDs (2009)]


eMRTD Decomposed

Section 2: eMRTDs Decomposed

[Figures: eMRTD Decomposed (two diagram slides)]


eMRTD Decomposed - Chip

[Figure: chip file system. Labels: Master Files; USER APPLICATION …]


Datagroup 1

• Contains the following information
  - Date of Birth
  - Passport Number
  - Expiry Date
• Access to the file is protected by Basic Access Control


Datagroup 2

• Photograph encoded to an ISO standard to ensure the quality of the image data
• Access is protected by Basic Access Control
• Images encoded in JPEG or JPEG2000 formats
• Photographs are standardised to allow visual comparison and automated biometric verification
• Images are stored to overcome interoperability challenges (different biometric verification algorithms)

[Figure: eMRTD Verification]

[Figure: eMRTD Decomposed - EF.COM]


Datagroup 3

• Fingerprints and iris are a second generation feature of eMRTDs
• Sensitive data protected by EAC as an enhancement to BAC
• Access is protected by Extended Access Control (a separate PKI authorisation scheme)
• Images encoded in JPEG or JPEG2000 formats to overcome biometric interoperability problems
• No international standard yet


EF.COM Data

• Contains a map of the tags, lengths and values present in the file
• Is not protected (digitally signed) by the issuing authority
• Cannot be trusted unless authenticated against EF.SOD


eMRTD Decomposed – EF.SOD

• Contains the hash values of all the data groups
• Hash values are signed by a document signing authority with its private key (SOD = Digital Signature)
• May contain the Document Signer Certificate (DSC) that corresponds to the public key element used to create the SOD, or a reference to the DSC
• Can be trusted provided the Document Signer Certificate is validated

[Figure: EF.SOD]


[Figure: eMRTD Deconstructed - EF.SOD, showing the SIGNATURE element]

[Figure: Presenting the results]


Verifying EF.SOD

• Part of the Passive Authentication process
• Verify the ASN.1 structure
• Verify the hash values present
• Verify the signature against the public key element contained in the related Document Signer Certificate
• Authenticate the Document Signer Certificate
  - Verify the certificate chain of the DSC against the CSCA Certificate dynamically
  - Pre-validated DSCs in a protected Certificate Cache Store

[Figure: Reliance on genuine passport numbers]


eMRTD Infrastructure (PKI)

Section 3: eMRTD Infrastructure (PKI)


ePassport Infrastructure – 1st Generation

[Figure: components shown - ICAO PKD; CSCA Authority / National Infrastructure; Document Signer Service; Registration Authority; Issuance; Inspection System; Verification]

Second Generation Extensions

[Figure: components shown - SPOC; CVCA; DVCA; Issuance; Registration Authority; Inspection System; Issuance / Verification]

[Figure: ePassport Infrastructure – 2nd Generation]


ICAO Public Key Directory

• Global repository of certificates used to validate eMRTDs
• Relies on Issuing Authority subscribers uploading data to the PKD
• Regularly updated with
  - Document Signer Certificates
  - CRLs
  - Null CRLs
  - MasterLists
• Serves as a trust anchor on eMRTDs


ICAO PKD

https://pkddownloadsg.icao.int/ICAO/pkdLDIFDownload.jsp

[Figure: eMRTD Verification]


Inspecting eMRTD Effectively

Section 4: Inspecting eMRTD Effectively

[Figure: Inspection Terminals – RFID Readers]


eMRTD Verification Process

[Flowchart: swimlane "MRTD to Be Inspected". Process steps: Holder provides eMRTD; Perform Physical Checks; Extract MRZ; Validate MRZ; Query against whitelist; Perform BAC using MRZ; Extract Data; Perform PA Checks; Perform AA; Perform Facial Checks; Perform EAC; Perform Fingerprint matching; Produce Result. Decision points (Y/N): Physical Check; MRZ Valid; BAC Successful; AA Present; Contains 2nd Gen Features; EAC Successful. Each check is followed by a Record Result step.]

[Figure: Physical Checks: Reliance on experts?]


Physical Checks

• Check that the document has not been tampered with
• Check the document under various wavelengths of light
• Check that the document has not expired


Limitations of Physical Checks

• Difficult to automate
• Not standardised
• Can be subjective
• Physical inspection is not always logged


Validate MRZ

• Validate that the contents of the MRZ are valid
• Validate the checksum
• Validate that they match the contents of the passport


[Figure: Validation of MRZ (Checksum)]


BAC

• Extract the following fields
  - Date of Birth
  - Document Number
  - Expiry Date
• Send these to the chip
• These should match DG1
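The MRZ checksum from the Validate MRZ slide and the key setup an inspection system performs before the BAC exchange, as an added worked example that is not part of the presentation. It implements the ICAO Doc 9303 check-digit rule and BAC key derivation with the Python standard library only; the input values (document number L898902C<, date of birth 690806, expiry 940623) and the key names Kseed, Kenc and Kmac are those of the Doc 9303 worked example.

```python
# Added example, not from the slides: ICAO Doc 9303 MRZ check digits and the
# BAC key derivation an inspection system runs before it talks to the chip.
# Standard library only; the values checked are the Doc 9303 worked example.
import hashlib

WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    """Doc 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if "0" <= ch <= "9":
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {ch!r}")


def check_digit(field: str) -> str:
    """Weighted sum (weights 7,3,1 repeating) modulo 10."""
    total = sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def validate_field(field: str, digit: str) -> bool:
    """True when the printed check digit matches the recomputed one."""
    return check_digit(field) == digit


def _adjust_parity(key: bytes) -> bytes:
    """Set each byte's low bit so the byte has odd parity, as DES keys require."""
    out = bytearray()
    for b in key:
        ones = bin(b & 0xFE).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def bac_keys(doc_number: str, dob: str, expiry: str) -> dict:
    """Kseed = SHA-1(docnum+cd || dob+cd || expiry+cd)[0:16]; Kenc and Kmac are
    SHA-1(Kseed || 32-bit counter 1 or 2)[0:16] with DES parity applied."""
    mrz_info = (doc_number + check_digit(doc_number)
                + dob + check_digit(dob) + expiry + check_digit(expiry))
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    keys = {"Kseed": kseed}
    for name, counter in (("Kenc", 1), ("Kmac", 2)):
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()[:16]
        keys[name] = _adjust_parity(digest)
    return keys
```

A check digit that does not recompute means the MRZ was misread or altered, and the chip will reject the BAC that follows because the derived keys will not match its own.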


Facial Biometrics

• Match the holder to the DG2 using facial biometrics
• DG2 is required to meet certain standards
• Used in some countries including
  - Portugal
  - Australia
  - UK (Trial)

[Figure: Biometric Facial Checking]


Passive Authentication

• Check the validity of EF.SOD
• Check the hash values of the datagroups
• Check the signature of the SOD
• Check the chain of the document signer certificate
• Check against null and non-null CRLs
• ICAO PKD maintains certificates for subscribers
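The hash-comparison stage of Passive Authentication from the EF.SOD slides and this one, together with the EF.COM consistency check that follows from EF.COM being unsigned, as an added example not taken from the presentation. The data group contents, the choice of SHA-256 as the SOD hash algorithm and the status labels are constructed for illustration; the CMS signature check over the SOD and the DSC chain validation are the later steps and are not shown.

```python
# Added example, not from the slides: the hash-check stage of Passive
# Authentication over constructed data groups, plus the EF.COM consistency
# check that follows from EF.COM being unsigned. Standard library only; the
# CMS signature check on the SOD and the DSC chain validation are not shown.
import hashlib
import hmac

# Constructed stand-ins for the chip's files (real ones are BER-TLV encoded).
DG1 = b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"
DG2 = b"\xff\xd8constructed-jpeg-bytes\xff\xd9"
DG14 = b"constructed-dg14-security-infos"


def build_sod_hashes(data_groups: dict, algo: str = "sha256") -> dict:
    """Issuer side: the DG number -> hash table the Document Signer signs into the SOD."""
    return {n: hashlib.new(algo, data).digest() for n, data in data_groups.items()}


def verify_data_group_hashes(sod_hashes: dict, chip_dgs: dict, algo: str = "sha256") -> dict:
    """Inspection side: recompute each DG hash and compare with the signed SOD value.
    Statuses: VALID, INVALID, NOT PRESENT (SOD covers a DG that was not read),
    NOT IN SOD (DG read, but the SOD has no hash for it, so it is unauthenticated)."""
    result = {}
    for n, expected in sod_hashes.items():
        if n not in chip_dgs:
            result[n] = "NOT PRESENT"
            continue
        actual = hashlib.new(algo, chip_dgs[n]).digest()
        result[n] = "VALID" if hmac.compare_digest(actual, expected) else "INVALID"
    for n in chip_dgs:
        if n not in sod_hashes:
            result[n] = "NOT IN SOD"
    return result


def efcom_consistent_with_sod(efcom_dg_list, sod_hashes: dict) -> bool:
    """EF.COM is unsigned, so its DG list is trusted only if it names exactly the DGs the SOD hashes."""
    return set(efcom_dg_list) == set(sod_hashes)


def passive_authentication_hash_stage(sod_hashes, chip_dgs, efcom_dg_list, algo="sha256") -> bool:
    """Fails on any hash mismatch, any DG the SOD does not cover, or an EF.COM that
    disagrees with the SOD. A DG that could not be read (e.g. DG3 without EAC
    authorisation) stays unverified rather than failing the document."""
    statuses = verify_data_group_hashes(sod_hashes, chip_dgs, algo)
    bad = {"INVALID", "NOT IN SOD"}
    return (not any(s in bad for s in statuses.values())
            and efcom_consistent_with_sod(efcom_dg_list, sod_hashes))
```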


Active Authentication

• Ensures the eMRTD is not cloned
• Challenge-response between the terminal and the eMRTD


Passive Authentication

• CSCAs can be exchanged
  - By diplomatic channels
  - Using CSCA MasterLists
• A CSCA is a trust anchor and can identify the eMRTD Issuing Authority
• Inspection System Integrity and Performance
• Security controls must ensure that bogus CSCAs cannot be inserted during the verification process
• Inspection System Architecture is designed to requirements (not one size fits all); it depends upon the operating environment, devices, key management strategy and network reliability


Extended Access Control

• Consists of the following
  - Chip Authentication
  - Terminal Authentication
• Provides the following
  - Mutual authentication between the chip and the terminal
  - Some indication of the issuer of the eMRTD
  - Privacy of the fingerprints on the passport


Second Generation Features

• EAC requires the implementation of the EAC infrastructure to ensure verification
• EAC protects the privacy of the fingerprints on the ePassport
• EAC proves the issuer of the ePassport
• EAC ensures that only authorised terminals can read fingerprints


Fingerprint matching

• DG3 contains the fingerprints
• Images of 0 – 10 fingers (digits) can be stored, depending on the country where the fingerprints are captured
• The fingerprint image is stored (not a template)

[Figure: Registration: A link in the chain]


Consolidating Checks

[Figure: status grid, Use Case 1: Valid 2nd Gen eMRTD. Checks: Physical, MRZ, Expiry Check, BAC, TA, AA, Facial Biometric, Fingerprint Biometric. Legend: VALID / INVALID / NOT PRESENT]

[Figure: status grid, Use Case: 1st Gen Fake Passport. Checks: Physical, MRZ, Expiry Check, BAC, PA, TA, AA, Facial Biometric, Fingerprint Biometric. Legend: VALID / INVALID / NOT PRESENT / NOT IMPLEMENTED]

[Figure: status grid, Use Case: Cloned 2nd Gen eMRTD (same checks and legend)]

[Figure: status grid, Use Case: Possible Fake Passport (same checks and legend)]

[Figure: status grid, An expired eMRTD (same checks and legend)]

[Figure: status grid, Use Case: Fake Passport (same checks and legend)]

[Figure: status grid, untitled use case (same checks and legend)]


Usability of eMRTD Inspection Systems

Section 5: Usability of eMRTD Inspection Systems


Usability Challenges

• Use their terminology
  - Counterfeit (not "PA has failed")
  - Falsified (not "Digital Signature is not verified")
  - Cloned (not "Active Authentication has been subverted")
  - Access denied (Terminal Authentication does not have appropriate CV chains)
• Simplicity by design
  - User Interface design aligns with tasks
  - Clear feedback on processing
  - State of device (security)
• Case Studies
  - Engage with Users


Conclusion

Section 6: Conclusion


Conclusion

• eMRTDs are complex documents and need to be verified appropriately
• Partial checking of some features is not enough to guarantee that the document is authentic
• The various designs and physical layouts of documents from different countries can easily lead to confusion, although the electronic features are standardised and the same
• User interface design for eMRTD verification apps should present the result in a clear and concise manner


Questions?

• Raoul D’Costa
• redcosta AT mmm DOT com
• uk.linkedin.com/in/raouldcosta
• 00441635264104


References

• Myths about ePassports - http://www.gemalto.com/myths_about_epassports/myths_2.html
• ICAO 9303 Passport Standards - http://www2.icao.int/en/MRTD/Pages/Doc9393.aspx
• Wikipedia entry on biometric passports - http://en.wikipedia.org/wiki/Biometric_passport
• http://www.en.bmi.bund.de/nn_1176866/Internet/Content/Themen/Travel__ID__Documents/Electronic__Passport/Datenschutz__en.html
• ICAO MRTD Report Vol. 3 No. 2 (2008) - http://www2.icao.int/en/MRTD2/ReportsPastIssues/ICAO%20MRTD%20Report%20Vol.%203%20No.%202,%202008.pdf
• UK ID Card - http://www.ips.gov.uk/cps/files/ips/live/assets/documents/id_card_security_guide_low.pdf
• EAC Specification version 3.1.1 - https://www.bsi.bund.de/cae/servlet/contentblob/532066/publicationFile/44792/TR03110_v202_pdf
• Golden Reader Tool for Reading eMRTDs - https://www.bsi.bund.de/DE/Themen/ElektronischeAusweise/Projekte/projekteGRT/GRT_node.html