Abstract
Electronic passports (ePassports) have known a wide and fast deployment all around the world since the International Civil Aviation Organization published their specifications in 2004. Based on an integrated circuit, ePassports are significantly more secure than their predecessors. Forging an ePassport is definitely thwarted by the use of cryptographic means. In spite of their undeniable benefit, ePassports have raised questions about personal data protection, since attacks on the basic access control mechanism came into sight. Keys used for that purpose derive from the nothing but predictable machine readable zone data, and so suffer from weak entropy. We provide an in-depth evaluation of the basic access key entropy, and prove that Belgian passport, recipient of Interpol “World’s most secure passport” award in 2003, provides the worst basic access key entropy one has ever seen. We also state that two-thirds of Belgian ePassports in circulation do not implement any data protection mechanism. We demonstrate our claims by means of practical attacks. We then provide recommendations to amend the ePassport security, and directions for further work.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Avoine, G.: Cryptography in Radio Frequency Identification and Fair Exchange Protocols. PhD thesis, EPFL, Lausanne, Switzerland (December 2005)
Avoine, G.: Bibliography on security and privacy in RFID systems (2007)
Carluccio, D., Lemke-Rust, K., Paar, C., Sadeghi, A.-R.: E-Passport: The Global Traceability Or How to Feel Like a UPS Package. In: Workshop on RFID Security (July 2006)
Davida, G., Desmedt, Y.: Passports and Visas Versus IDs. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 183–188. Springer, Heidelberg (1988)
Friedrich, E.: The Introduction of German Electronic Passports. In: Second Symposium on ICAO-Standard, MRTDs, Biometrics and Security (September 2006)
Gemalto. e-Passport AXSEAL CC V2 36K – Common Criteria / ISO15408 EAL4+ – Security Target. Technical report, Gemalto (2004)
Grunwald, L.: New Attacks against RFID-Systems. GmbH Germany
Gucht, K.D.: Chambre des représentants de Belgique, compte rendu intégral avec compte rendu analytique traduit des interventions. Commission des relations extérieures (2007)
Guillou, L., Quisquater, J.-J.: A Paradoxical Indentity-Based Signature Scheme Resulting from Zero-Knowledge. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293. Springer, Heidelberg (1988)
Guillou, L., Quisquater, J.-J.: A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Trasmission and Memory. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 123–128. Springer, Heidelberg (1988)
Halváč, M., Rosa, T.: A Note on the Relay Attacks on e-passports: The Case of Czech e-passports. Cryptology ePrint Archive, Report 2007/244 (2007)
Hoepman, J.-H., Hubbers, E., Jacobs, B., Oostdijk, M., Schreur, R.W.: Crossing Borders: Security and Privacy Issues of the European e-Passport. In: Advances in Information and Computer Security. LNCS. Springer, Heidelberg (2006)
ICAO. Machine Readable Travel Documents. Technical report, ICAO, Doc 9303 Part 1, 10th Draft, 6 ed. vol.1 (July 20, 2005)
ICAO. Machine Readable Travel Documents. Technical report, ICAO, Doc 9303 Part 1, 9th Draft, vol. 2 (July 20, 2005)
ICAO. Request For Information (RFI) 2007/2008. Technical report, Technical Advisory Group on Machine Readable Travel Documents, Canada (March 2007)
ISO/IEC 14443. Proximity cards (PICCs) http://www.iso.org
Juels, A., Molnar, D., Wagner, D.: Security and Privacy Issues in E-Passports. In: Conference on Security and Privacy for Emerging Areas in Communication Networks – SecureComm, Greece (2005)
Kc, G., Karger, P.: Preventing Attacks on Machine Readable Travel Documents (MRTDs). Technical report, IBM Research Division, NY, USA (2006)
Laurie, A.: RFIDIOt (May 2007), http://www.rfidiot.org/
Lehtonen, M., Michahelles, F., Staake, T., Fleisch, E.: Strengthening the Security of Machine Readable Documents by Combining RFID and Optical Memory Devices. In: Int. Conf. on Ambient Intelligence Development – Amid 2006 (2006)
Monnerat, J., Vaudenay, S., Vuagnoux, M.: About Machine-Readable Travel Documents: Privacy Enhacement Using (Weakly) Non-Transferable Data Authentication. In: Int. Conf. on RFID Security 2007. RFID Security (July 2007)
Ortiz-Yepes, D.: ePassports: Authentication and Access Control Mechanisms. Technical report, Technische Univ. Eindhoven TU/e, Netherland (June 2007)
Robroch, H.: ePassport Privacy Attack (2006), http://www.riscure.com
Technical Guideline TR-03110. Advanced Security Mechanisms for Machine Readable Travel Documents, Extended Access Control (EAC), Version 1.00. Technical report, Bundesamt für Sicherheit in der Informationstechnik, Germany (2006)
Vaudenay, S., Vuagnoux, M.: About Machine-Readable Travel Documents. Journal of Physics Conference Series 77 (July 2007)
Wing, B.: e-Passport/MRTD Observations. In: Second Symposium on ICAO-Standard MRTDs, Biometrics and Security
Witteman, M.: Attacks on Digital Passports. Riscure (July 2005)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Avoine, G., Kalach, K., Quisquater, JJ. (2008). ePassport: Securing International Contacts with Contactless Chips. In: Tsudik, G. (eds) Financial Cryptography and Data Security. FC 2008. Lecture Notes in Computer Science, vol 5143. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85230-8_11
Download citation
DOI: https://doi.org/10.1007/978-3-540-85230-8_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85229-2
Online ISBN: 978-3-540-85230-8
eBook Packages: Computer ScienceComputer Science (R0)