Abstract
Different countries issue electronic passports (ePassports) that embed a contactless chip storing the holder's data. To prevent unauthorized reading of the sensitive information on the chip, an access control mechanism based on symmetric cryptography, Basic Access Control (BAC), has been introduced. In this work we present the flaws we have found in some implementations of the software hosted on ePassport chips and how they affect BAC. In particular, we show how the different software versions used on the chip over time can be told apart through some of their peculiar fingerprints. This information can be used to shrink the BAC key space, making the protocol weaker. In addition, we show the presence of a defective function for exchanging random material during the BAC procedure, which opens the door to a hypothetical MITM attack. The results of this paper could be used as a first guide for reviewing and refining existing ePassport implementations.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sportiello, L. (2013). Weakening ePassports through Bad Implementations. In: Hoepman, JH., Verbauwhede, I. (eds) Radio Frequency Identification. Security and Privacy Issues. RFIDSec 2012. Lecture Notes in Computer Science, vol 7739. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36140-1_9
DOI: https://doi.org/10.1007/978-3-642-36140-1_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36139-5
Online ISBN: 978-3-642-36140-1
eBook Packages: Computer Science (R0)