Abstract
The recent introduction of electronic passports (e-Passports) motivates the need of a thorough investigation on potential security and privacy issues. In this paper, we focus on the e-Passport implementation adopted in Italy. Leveraging previous attacks to e-Passports adopted in other countries, we analyze (in)security of Italian e-Passports and we investigate additional critical issues.
Our work makes several contributions.
-
1
We show that in some concrete scenarios, Italian e-Passports are prone to eavesdropping attacks, where one can unnoticeably obtain private data stored in the e-Passport using RF communication, while the passport is stored in a bag/pocket. Moreover, we show how to trace e-Passports by successfully linking two or more communication transcripts related to the same e-Passport.
-
1
We propose a set of open-source tools that build successful attacks to the security of Italian e-Passports. Among them, we provide a simulator that produces attacks without requiring physical passports and RFID equipment.
-
1
We show that the random number generator included in the RFID chips produces bits that are noticeably far from the uniform distribution, thus potentially exposing Italian e-Passports to several other attacks
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Advanced security mechanisms for Machine Readable Travel Documents - Extended Access Control, http://www.bsi.bund.de/fachthem/epass/EACTR03110_v110.pdf
BACK User Guide, http://rfid.dia.unisa.it/epass/UserGuide.pdf
Benefits of MRTD, http://mrtd.icao.int/content/view/28/203/
NIST Statistical Test Suite, http://csrc.nist.gov/groups/ST/toolkit/rng/documents/sts-2.0b.zip
NIST Statistical Test Suite Documentation, http://csrc.nist.gov/publications/nistpubs/800-22-rev1/SP800-22rev1.pdf
Privacy issues with new digital passport, http://www.riscure.com/news/passport.html
Random Number Generation Technical Working Group, http://csrc.nist.gov/groups/ST/toolkit/rng/index.html
Security features and biometrics in passports, http://www.europarl.europa.eu/sides/getDoc.do?language=EN&type=IM-PRESS&reference=20090114IPR46171
Avoine, G., Kalach, K., Quisquater, J.: E-Passport: Securing international contacts with contactless chips. In: Tsudik, G. (ed.) FC 2008. LNCS, vol. 5143, pp. 141–155. Springer, Heidelberg (2008)
Avoine, G., Kalach, K., Quisquater, J.-J.: Belgian biometric passport does not get a pass...your personal data are in danger!, http://www.dice.ucl.ac.be/crypto/passport/index.html
Avoine, G., Kalach, K., Quisquater, J.-J.: epassport: Securing international contacts with contactless chips. In: Tsudik, G. (ed.) FC 2008. LNCS, vol. 5143, pp. 141–155. Springer, Heidelberg (2008)
Blundo, C., Persiano, G., Sadeghi, A., Visconti, I.: Identification protocols revisited -episode i: E-passports. In: Secure Component and System Identification, SECSI 2008 (2008)
Blundo, C., Persiano, G., Sadeghi, A., Visconti, I.: Improved security notions and protocols for non-transferable identification. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 364–378. Springer, Heidelberg (2008)
Blundo, C., Persiano, G., Sadeghi, A., Visconti, I.: Resettable and non-transferable chip authentication for e-passports. In: Workshop on RFID Security (RFIDSec 2008) (2008)
Carluccio, D., Lemke-Rust, K., Paar, C., Sadeghi, A.-R.: E-passport: The global traceability or how to feel like an ups package. In: Lee, J.K., Yi, O., Yung, M. (eds.) WISA 2006. LNCS, vol. 4298, pp. 391–404. Springer, Heidelberg (2007)
Courses, E., Surveys, T.: E-Passport Threats. IEEE Security & Privacy Magazine 5(6), 61–64 (2007)
Avoine, G., Kalach, K., Quisquater, J.-J.: Belgian Biometric Passport does not get a pass... (2007), http://www.dice.ucl.ac.be/crypto/passport/index.html
Grunwald, L.: New attacks against RFID-Systems (2006), http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grunwald.pdf
Kc, G.S., Karger, P.A.: Security and Privacy Issues in Machine Readable Travel Documents (MRTDs). RC 23575, IBM T. J. Watson Research Labs (April 2005)
Halvac, M., Rosa, T.: A Note on the Relay Attacks on e-passports: The Case of Czech e-Passports. Cryptology ePrint Archive, Report 2007/244 (2007)
ICAO. Machine Readable Travel Documents, PKI for Machine Readable Travel Documents offering ICC Read-Only Access (2004), http://www.icao.int/mrtd
H. J.H., H. E., J. B., and O.M. S.R. W
Juels, A., Molnar, D., Wagner, D.: Security and Privacy Issues in E-passports. Technical report
Juels, A., Molnar, D., Wagner, D.: Security and Privacy issues in e-Passports. In: SecureComm (2005)
Juels, A., Molnar, D., Wagner, D.: Security and privacy issues in e-passports. In: SecureComm 2005, First International Conference on Security and Privacy for Emerging Areas in Communication Networks, Athens, Greece (September 2005)
Kc, G., Karger, P.: Security and Privacy Issues in Machine Readable Travel Documents, MRTDs (2006)
Kumar, S., Paar, C., Pelzl, J., Pfeiffer, G., Rupp, A., Schimmler, M.: How to Break DES for 8,980. In: SHARCS 2006 – Special-purpose Hardware for Attacking Cryptographic Systems, pp. 17–35 (2006), http://www.hyperelliptic.org/tanja/SHARCS/talks06/copa_sharcs.pdf
Laurie, A.: RFIDIOt, http://www.rfidiot.org
Liu, Y., Kasper, T., Lemke-Rust, K., Paar, C.: E-passport: Cracking basic access control keys with copacobana. In: SHARCS 2007 (2007)
Lehtonen, M., Michahelles, F., Staake, T., Fleisch, E.: Strengthening the security of machine readable documents by combining rfid and optical memory devices. In: Proceedings of Int. Conf. on Ambient Intelligence Development (2006)
Monnerat, J., Vaudenay, S., Vuagnoux, M.: About machine-readable travel documents – privacy enhancement using (weakly) non-transferable data authentication. In: International Conference on RFID Security (2007)
Ortiz-Yepes, D.: ePassports: Authentication and Access Control Mechanisms (2007)
Robroch, H.: ePassport Privacy Attack, Presentation at Cards Asia Singapore (April 26, 2006), http://www.riscure.com
Vaudenay, S.: E-passport threats, vol. 5, pp. 61–64. IEEE Computer Society, Los Alamitos (2007)
Witteman, M.: Attacks on digital passports. What the Hack
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Auletta, V., Blundo, C., De Caro, A., De Cristofaro, E., Persiano, G., Visconti, I. (2010). Increasing Privacy Threats in the Cyberspace: The Case of Italian E-Passports. In: Sion, R., et al. Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6054. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14992-4_9
Download citation
DOI: https://doi.org/10.1007/978-3-642-14992-4_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14991-7
Online ISBN: 978-3-642-14992-4
eBook Packages: Computer ScienceComputer Science (R0)