Security of electronic passports
Many countries have been issuing electronic passports for about a year, and the introduction
of electronic passports started some controversial discussions. Let us consider some of the
security features of electronic passports.
Worldwide standardization of the passports falls under the competence of the International
Civil Aviation Organization (ICAO), a UN agency. Passports are described in the ICAO
document 9303. The sixth edition of Doc 9303 introduces also electronic passports. Although
the electronic part of the passport remains optional at the worldwide level, US have asked all
its Visa Waiver Program partners to introduce electronic passports and the European Council
decided that the introduction of electronic passports will be mandatory in EU member states
(to be exact, this decision is not mandatory for the UK and Ireland and two non-EU countries
– Norway and Iceland – decided to participate).
The difference between a traditional passport and an electronic passport (ePassport) is an
embedded contactless chip (and the electronic passport logo on the front cover). The chip with
an antenna is integrated into the cover or a page of the passport. The chip is a contactless
smart card compliant to the ISO 14443 standard (both variants – A and B – are allowed).
Technology based on ISO 14443 is able to communicate over distance of 0-10cm and
supports also relatively complex cryptographic cards and permanent memory of kilobytes to
megabytes. Herewith it differs from other RFID technologies that are capable to communicate
over longer distances, but do not support more complicated operations other than sending a
simple identification string. Higher communication layer is based on classical smart card
protocol ISO 7816-4 (i.e., SELECT AID, SELECT FILE a READ BINARY).
The data in electronic passports are stored as files (elementary files in the smart card
terminology) in a single folder (dedicated file). Up to 16 data files named as DG1 to DG16
(DG for Data Group) can hold the data. DG1 contains the data from the machine-readable
zone (i.e. nationality, first name, surname, passport number, issuing state, sex, birth date,
validity date, and optional data – for example a personal ID number), DG2 contains the photo
of the passport holder (in JPEG or JPEG2000 and some additional metadata). DG3 is
dedicated for fingerprints, DG4 may contain iris image. Remaining data groups contain
information about the holder, issuing institution or passport itself. Two additional files with
metadata are also present. The file EF.COM contains list of available data groups (and the
information about versions used) and file the EF:SOD contains the digital signature of the
passport data. The files EF.COM, EF.SOD, DG1 and DG2 are mandatory for all electronic
passports. The data group DG3 will be mandatory in the EU states (see above) after 28th
June
2009 (and will be protected by an additional mechanism). All other data groups are optional.
Data integrity (passive authentication)
The stored data integrity is protected by a digital signature stored in the file EF.SOD. The file
structure is the usual SignedData of the CMS (Cryptographic Message Syntax) standard. The
PKI hierarchy has a single level. Each country establishes its own CSCA (Country Signing
CA), which certifies bodies responsible for issuing the passports (e.g. the state printers,
embassies etc.). These bodies are called Document Signers. Data in the passport are then
signed by one of these Document Signers.
To verify signatures, the CSCA certificates of the issuing country must be available and their
integrity must be guaranteed. The certificate of the Document Signer is either directly stored
in the passport (in the certificates part of the SignedData structure – and this is mandatory in
the EU) or must be obtained from other sources (the issuing country, the ICAO public key
directory, etc.).
The signed data is a special structure containing hashes of all present datagroups in the
passport. Integrity of each file can be verified separately (i.e., first the digital signature in
EF.SOD is verified and then integrity of each file is checked by verifying its hash with the
hash stored in the EF.SOD file).
The digital signature is one of the key security mechanisms of electronic passports – if not the
most important one. Every country can choose a signature scheme (allowed schemes are RSA
PKCS#1 v1.5, RSA PSS, DSA and ECDSA in combination with SHA-1 or any of the SHA-2
hash functions), that best fits its needs from the implementation and security perspective.
Every inspection system (InS – a system that is able to retrieve information from the
electronic passport and check/display/use the data) must naturally support all these schemes to
be able to verify any valid passport. The signature verification is a relatively simple process,
yet complications may arise due to a relatively high number of signature schemes that have to
be supported, retrieval of the correct root certificates (CSCA) from all countries and CRLs
(each country must issues one at least every 90 days).
It is clear that a digital signature cannot prevent making identical copies (including EF.SOD
file with digital signature, so-called cloning). Therefore it is not possible to rely only on the
data stored in passport, but it is necessary to inspect also the classical security features
(security printing, watermarks, holograms, etc.) and namely the correspondence between the
printed data and the data stored on the chip.
Active authentication (AA)
Cloning of passports can be prevented using a combination of cryptographic techniques and
reasonable tamper resistance. A passport-specific asymmetric key pair is stored in the chip.
Whereas the public key is freely readable (stored in DG15 and its hash digitally signed), the
private key is not readable from the chip and its presence can be only verified using a
challenge-response algorithm (based on ISO 9796-2). This process is called active
authentication and it is an optional security feature of electronic passports (also for EU
countries it only remains an optional feature).
The point of the active authentication is to verify whether the chip in the passport is authentic.
The inspection system generates an 8-byte random challenge and using the INTERNAL
AUTHENTICATE command asks the chip to authenticate. The chip generates its own
random string and cryptographically hashes both parts together. The chip’s random string and
the hash of both parts (together with a header and a tail) are then signed by the private key.
The result is sent back to the inspection system, which verifies the digital signature. If the
digital signature is correct the chip is considered authentic. Possible attacks might try to focus
on the tamper resistance of the chip or the analysis of side-channels.
An interesting privacy attack exists against the active authentication. If the challenge sent to
the chip is not completely random, but rather specifically structured (for example encoding
place and time), the inspection systems can store the challenge and response pair as a proof
that the passport in question was at the given place at the given moment. In reality, such a
proof would have to face the fact that the passport signs any arbitrary challenge at any place
and the evidence value is therefore very limited. Even so some countries decided not to
implement the active authentication in their passports because of this privacy threat.
Passport holders will soon realize that the passport is in fact a powerful smart card. The use of
the chip for digital signatures of documents is apparently insecure as the passport will sign
anything without additional authentication, e.g., via PIN (moreover the challenge-response
protocol is definitely not a suitable signature scheme). The utilization of the active
authentication for user authentication (e.g., a computer logon) can be much more promising.
Basic Access Control (BAC)
Basic access control is a mechanism that prevents reading of the passport data before the
authentication of the inspection system. The authentication keys are derived from data printed
in the machine-readable zone. In particular, the document number, the holder birth date and
the passport expiration date is used. All these items are printed in the second row of the
machine readable zone and are protected with a check digit (OCR characters recognition is
not error-free; hence the preference of fields with check digits). These three entries are
concatenated in an ASCII form (including their respective check digits) and are hashed using
the SHA-1 function. The hash value is then used to derive two (112-bit 3DES) keys for
encryption and MAC authentication. The command GET CHALLENGE is consequently used
to obtain the challenge from the chip. Then the inspection system and the chip mutually
authenticate using the MUTUAL AUTHENTICATE command. A session key is established
and further communication is secured using Secure Messaging.
BAC is based on a standard mutual authentication technique, which is considered to be secure
as long as the keys are kept secret. In the case of electronic passports the keys are not secret in
the classical sense as they are derivable from the data printed in the passport, but even so
could prevent the random guess of the key. This is, however, slightly problematic as the data
used to derive the key do not have enough entropy. Although the theoretical maximum is 58
bits and in case of alphanumerical document number even 74 bits, real values are significantly
lower. Let us inspect the particular entries in more details:
• Holder’s birth date: one year has 365 or 366 days, theoretical maximum is 100 years,
i.e. around 36524 days total (15.16 bits of entropy). But the holder’s age can be
realistically estimated, say with a precision of 10 years (3652 days, 11.83 bits
entropy), but often even more accurately.
• Day of expiry: maximal validity of passports is 10 years (therefore approximately
3652 days, 11.83 bits entropy). Passports of children can have a shorter validity
(typically 5 years). In the nearest future we can exploit the fact that electronic
passports have been being issued only for a very short period of time. To reduce the
space we can also use the fact that passports are issued only on working days and the
expiration date is directly connected with the day of issue.
• Document number: 9 characters are dedicated for the document number. Shorter
document numbers must be padded with padding (<) characters and longer document
numbers must be truncated. Document numbers consisting of digits only (and the
padding character <) allow for the total number of 119
combinations (31.13 bits of
entropy); if numbers can be alphanumerical then the maximum number is 379
combinations (thus 46.88 bits of entropy). These values can be accomplished only
when the passport number is completely random. And that is often not the case. If
certain information about the numbering policy of the particular country is known, the
number of combinations and thus the entropy will decrease. Many countries assign
sequential numbers to their passports. If we know the date of issue (or expiration
date), the number of possible passport numbers is small. For example a country with
10 million inhabitants issues around a million of passport a year. If the year of the
issue and the range of the passport numbers are known, then the entropy drops to 20
bits. If the month of issue and its range of numbers are known, then the entropy further
drops to 17 bits. We could go on to single days, but so detailed information probably
will not be available to an average attacker. However, not only insiders but also
hoteliers and doorkeepers may know a lot about the numbering policy (and such
information will eventually be published on the Internet). The guess is a bit more
complicated in practice, as we must first guess the issuing country and eventually also
the passport type as different types may have separate numbering sequences.
• Every entry is followed by the check digit. The algorithm is publicly known and the
check digit des not introduce any new information.
For estimation of the total entropy, we might sum the entropies of entries listed above. But
that is correct only when entries are independent. We may debate about the expiration date vs.
birth date as the people apply for the document at their 15th year and then almost regularly
renew. This holds for personal identification cards, but does not have to be case for passports
and thus we omit this influence. The same holds for the relationship between the birth date
and the document number. But dependency between the document number and the expiration
date typically will be present. There is no dependency only for completely random document
numbers and then we can sum the entropies. Otherwise some dependency will be present and
it is only the question of how much information about the numbering policy is known to the
attacker. When the attacker has a significant knowledge, the total entropy can remarkably
decrease. In theory, for sequential document numbers, country with the size of around 10
million people, uniformly distributed passports over whole year and detailed knowledge of the
document numbers issued on particular day the entropy of document number can decrease
only to 12 bits. Total entropy then decrease from 58 respectively 74 bits to approximately 32
bits. The brute-force key search can be then mounted against significantly smaller number of
possible keys.
We can distinct two types of brute-force attack. Either the complete successful
communication is eavesdropped and we try to decrypt it or we try to authenticate against the
chip and then communicate with it. The advantage of eavesdropping relates to the possibility
to store the captured data and then perform a quick off-line analysis. If the whole
communication is eavesdropped, we can eventually obtain all transmitted data. The
disadvantage is the difficulty of eavesdropping (i.e. the communication must actually be in
progress and we must be able to eavesdrop on it).
The derivation of a single key from the authentication data, data decryption and the check of
challenge take around 1 microsecond on a common PC. The brute-force search of the space of
authentication data with a size of 232
thus takes slightly more then one hour. The practical
demonstration of such attack against Dutch passports was published by Marc Witteman in [5].
His attack utilized an additional knowledge about the dependency between document number
and the expiration date and the knowledge of a next check digit within the document number.
Similarly in UK the postmen who deliver electronic passports could remotely read the content
of the electronic passport in an closed envelope as they might know the birthday of the
recipient and can easily guess the document number and expiry day (because the passport is
new).
As we already mentioned, eavesdropping of the ongoing communication is not an easy task.
Intended communication range of devices compliant with ISO 14443 is 0-10cm. This does not
necessary mean that an eavesdropping on longer ranges is not possible, but an attacker soon
encounters a problem with low signal to noise ratio. Whereas the signal from the inspection
system (reader) is strong and detectable on longer distances, eavesdropping of the data sent
from the chip (transmitted using load modulation) gets harder with every foot of distance.
An on-line attack against the chip can search the key space in the same way, but a single
verification of the authentication data is significantly slower – we must communicate with the
smart card first and then we have to compute the MAC key and MAC code as well. A single
verification then takes approximately 20 milliseconds for commercially available contactless
readers and thus the attack is about 10 000x slower than an off-line attack.
While the entropy of keys’ derivation data is significantly lower than the length of resulting
keys, practical attacks are restricted by the difficulty of eavesdropping the data for off-line
attacks and by the slow speed of the communication for on-line attacks.
It is necessary to realize that BAC does not restrict access to anybody who is able to read the
machine readable zone. If you leave your passport at a hotel reception desk, BAC will not
protect your data. On the other hand, at the moment there is not much additional information
stored in chip than printed in the passport.
There are also other issues related to contactless communication technology where BAC
cannot help. First of all it is possible to remotely detect the presence of passive contactless
chips. Second even before the BAC it is possible to communicate with the chip (e.g. to start
the BAC). Anti-collision algorithms need unique chip IDs to address the chips. These chip
IDs are typically randomly generated each time the chip is powered, but some chips of type A
use fixed chip IDs, which makes their tracking very simple. Similarly some error codes may
leak information about the chip manufacturer and/or model, which might also increase the
chances to guess the issuing state.
Extended Access Control (EAC)
EU passports will also store fingerprints (in DG3) at the latest after 28th
June 2009.
Fingerprints will be stored as images in the WSQ format (lossy compression optimized for
images of fingerprints). As fingerprints are considered to be more sensitive data than facial
images (their recognition capabilities are much better), reading of DG3 will be protected by
an additional mechanism. This mechanism is called the Extended Access Control and its
details have been recently finalized, but let us now look on possible theoretical principles of
protecting sensitive biometric data in passports to better understand how the European EAC
was designed.
Methods based on symmetric cryptography
If access control is based on symmetric cryptography then the data in passport can be either
stored unencrypted and the access would be protected by authentication based on symmetric
cryptography or the data could be stored encrypted and not protected by any additional access
control mechanism.
A symmetric key would have to be different for each passport (to avoid problems when one of
passports leaks the key). Keys can be either completely random or derived from a master key
by a suitable diversification algorithm (e.g., the passport-specific key could be obtained by
encryption of the document number with the master key). We need at least one master key per
country, more probably one key for each passport issuer (i.e., region, embassy, etc.) and the
key has to be regularly (e.g., monthly, annually) updated (for the passports being issued). An
inspection system then would need access to all keys necessary to access all valid passports
(i.e., up to 10 years) for a number of countries. In case of off-line systems that would mean
that a large number of highly sensitive keys would have to be stored in each inspection system
(InS) and the compromise of a single InS would imply the current and future access to
biometric data in all passports valid at time of the compromise. This situation is easier to
manage with on-line systems. The keys would be physically secure; instead we would have to
protect the access to central system. In case of unauthorized access to central server the
recovery is relatively easy – it is sufficient to stop the unauthorized access.
The advantage of symmetric based authentication or encryption is low required computation
power of the chip. Basic access control (BAC) is based on shared symmetric keys, we could
design a similar protocol based on truly secret keys. When the data on the chip is stored in the
encrypted form, there are no computational requirements on chip as the stored data is
transparent for the chip and there is no need for any additional access control mechanism.
This solution is secure if the secret keys are kept in secrecy (which is not trivial).
The disadvantage of symmetric methods is the high number of keys that have to be kept secret
(and in the case of off-line systems even on each InS). Moreover, the secret keys have a long
validity period and cannot be revoked. Gaining access to such keys would result in having
access to all valid passports which have been issued so far (naturally only for those countries
the compromised InS would be able to access). A clear security weakness of encrypting the
data, but otherwise not protecting the access is the possibility of off-line brute force (possibly
even parallel) attacks. This would be a significantly stronger weapon than an on-line guessing.
However, this should still remain a theoretical threat only for a solid the key length and
encryption algorithm.
Methods based on asymmetric cryptography
Another way to authenticate the InS is the use of the PKI. The goal is to reduce the number of
secret (private) keys on inspection system side and to limit the possibility of misuse in the
case of its compromise. Although there could be several alternatives how to implement the
Extended Access Control with the help of asymmetric cryptography and PKI, we will follow
the proposal of German BSI [8], which became the European EAC protocol.
Each country establishes a CV (Country Verifying) certification authority that decides which
other countries will have the access to sensitive biometric data in their passports. A certificate
of this authority is stored in passports and it forms the starting trust point (root certificate) for
the access control. Other countries wishing to access sensitive biometric data (no matter if in
their own passports or in passports of other countries), must establish a DV (Document
Verifier) certification authority. This authority will obtain the certificate from all countries
willing to grant access to the data in their own passports. This DV CA will then issue the
certificates to end-point entities actually accessing the biometric data – the inspection
systems.
Each passport stores a CVCA certificate of issuing country (e.g., the Czech Republic). If the
inspection system (e.g., a Spanish one) needs to convince the passport that it is authorized to
access sensitive biometric data, it must provide the DV certificate (the Spanish one in our
case) signed by the proper issuing CVCA (Czech) and its own InS certificate (for that
particular InS) signed by the DV certification authority (i.e., Spanish in this case). After the
passport verifies the whole certification chain it has to check whether the inspection system
can access the corresponding private key. That is performed using a common challengeresponse
protocol. If the protocol runs well, the inspection system can access sensitive
biometric data (the DG3 and/or DG4 files). This part of the EAC is called the Terminal
Authentication (TA).
The above mentioned process can be slightly more complicated as the CVCA certificates are
updated from time to time (by link certificates) and the bridging link certificates have to be
provided (and verified by the passport) at first. The terminal authentication can be based on
RSA (the PSS as well as PKCS#1 v1.5 padding is possible) or ECDSA, both in combination
with SHA-1 or one of SHA-2.
In addition to the terminal authentication, the European EAC also introduces the Chip
Authentication (CA) protocol, which eliminates the low entropy of the BAC key and also
replaces active authentication, as access to the private key on the chip is checked (the public
key is stored in DG14 and is part of the passive authentication). Let us have a look at these
protocols in more detail.
Chip authentication
An inspection system reads the public part of the Diffie-Hellman (DH) key pair from the
passport (supported are the classic DH described in PKCS #3 and DH based on elliptic curves
(ECDSA) according to ISO 15946), together with the domain parameters (stored in DG14).
Then the inspection system generates its own ephemeral DH key pair (valid only for a single
session) using the same domain parameters as the chip key and sends it to the chip (using the
command Manage Security Environment – Set for Computation – Key Agreement Template).
The chip as well as the InS can then derive the shared secret based on available information.
This secret is used to construct two session keys (one for encryption and the other one for
MAC) that will secure the subsequent communication by Secure Messaging (and SSC (Send
Sequence Counter – the message counter value utilized for protection against replay attack) is
reset to zero). Whether the chip authentication ran successfully or not is only clear after
sending and receiving the next command protected with the new session keys.
The result of chip authentication is the establishment of a new secure channel (low entropy
BAC keys are no longer used) and check of the chip authenticity (active authentication does
not have to be performed, but even so it can be supported by the passport to allow the
verification of the chip authenticity to inspection systems that are not EAC specific and only
recognize worldwide ICAO standards).
Terminal authentication
The InS must convince the chip at the terminal authentication that it is authorized to access
sensitive biometric data on the chip. The starting point is the CVCA certificate, which is
uploaded to the passport chip in the phase of (pre-)personalization. During the terminal
authentication, the inspection system must provide a certificate chain starting with CVCA
stored in passport and ending with a certificate of the InS (sent by commands Manage
Security Environment – Set for verification – Digital Signature Template and Perform
Security Operation – Verify Certificate). This certificate chain may contain also the linking
certificates if necessary and (after their verification) the passport updates the CVCA
certificate with a new one (due to a possible overlap of the validity periods of the CVCA
certificates, there can be up to two certificates valid at the same time – in such case both are
stored in the passport). Remaining certificates (the DV certificate issued by the CVCA and the
DVCA certificate issued for InS) are stored temporarily and serve only for the verification of
the whole certificate chain. Once the chain verification succeeds, the passport obtains the
public key of the InS and its access rights. Only two access rights are specified at the moment,
these are reading access to DG3 (fingerprints) and to DG4 (iris scan).
After obtaining the public key of an InS it has to be verified if the InS has also the access to
the corresponding private key. This is done using a challenge-response protocol. At first, the
inspection system gets an 8-byte long random challenge (using the GET CHALLENGE
command), signs it (in fact the concatenation of the passport number, random challenge and
the hash of the ephemeral DH key of the inspection system (from the previous chip
authentication) is signed). The signature is then sent to the chip for verification using the
EXTERNAL AUTHENTICATE command. If the verification runs correctly, the inspection
system is authenticated and may access DG3 or DG4 according to the assigned rights.
Terminal authentication is not a mandatory part of the communication with the electronic
passport. One can skip the terminal authentication if there is not intent to read the biometric
data from the chip.
As the computational power of smart cards is limited, simplified certificates (card verifiable
(CV) certificates) are used instead of common X.509 certificates. An interesting point is the
verification of certificate validity. As the chip has no internal clock, the only available timerelated
information is the certificate issue date. If the chip successfully verifies the validity of
given certificate issued on a particular day, then it knows that this date has already passed (or
is today) and can update its own internal time estimate (if the value is newer than the one
already stored). It is clear that if some CV CA or DV CA issues (either by a mistake,
intentionally or as a result of an attack) a certificate with the issue date in a distant future, the
passport will then reject valid certificates and will become practically unusable. For that
reason, only the CVCA, DV and domestic InS certificates are used to update the internal time
estimate.
Worldwide interoperability is not necessary for the extended access control as the sensitive
data should be accessible only when agreements between countries exist. Then it is up to the
countries to agree on technical details (naturally within boundaries given by the ICAO
standards). The current leader in area of EAC is the EU, which designed (actually it was the
German Federal Office for Information Security) a protocol for the EAC. EU discussions on
technical details finished just recently, and the final version of the protocol was released in
[X].
It is assumed that the protected biometric data will be initially accessible only among the EU
member states. There have already been some speculations about involvement of countries
like United States of America, Canada and Australia in the European extended access control
system. Looking at the PKI structure of the EAC, it is clear that is up to each member state to
decide what other countries will have the access to data in the member state passports.
While the chip authentication substitutes active authentication and also improves the security
of Secure Messaging, the chip and terminal authentication protocols are not standardized by
ICAO. Hence the protocols will be used only when both the passport and inspection systems
support these protocols. If the passport (e.g., first generation passport) or inspection system
(e.g., non-EU or even some older EU systems) are not supporting the protocol, then it is
necessary to fall back and utilize common protocols standardized by ICAO in Doc 9303 (i.e.,
BAC and AA). It is also possible that some other countries (outside EU) will not consider the
fingerprints and iris scans as a sensitive data and thus the data groups DG3 and DG4 in their
passports will not be additionally protected.
Electronic passports introduce new problems with the means they address some issues, but we
know quite well that no technology is completely perfect. It is necessary to take into account
that the passport security is not based only on the electronic part, but also on the classical
security features (secure printing and other protection techniques). The digital signature of the
stored data certainly increases the security of these travel documents, but should not lead to
complacency and to overlooking the need to check on other relevant aspects and issues.
Comment
The presented opinions are the private views of the authors and cannot be considered as the
official position of European Commission, where one of the authors is currently working in
Joint Research Centre (JRC) in Ispra, Italy.
References
[1] ICAO TAG MRTD/NTWG: Biometrics Deployment of Machine Readable Travel
Documents, version 2.0. Including appendix A-J,
http://www.icao.int/mrtd/download/documents/
[2] ICAO TAG MRTD/NTWG: PKI for Machine Readable Travel Documents offering ICC
read-only access v1.1, http://www.icao.int/mrtd/download/documents/
[3] Kirschenbaum, I., Wool, A. How to Build a Low-Cost, Extended-Range RFID Skimmer,
http://www.eng.tau.ac.il/~yash/kw-usenix06/index.html
[4] MiniMe (pseudonym), Mahajivana (pseudonym): RFID-Zapper,
http://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN)
[5] Witteman, M. Attacks on Digital Passports, WhatTheHack,
http://wiki.whatthehack.org/images/2/28/WTH-slides-Attacks-on-Digital-Passports-Marc-
Witteman.pdf
[6] ICAO NTWG: PKI for Machine Readable Travel Documents
Offering ICC Read-Only Access V1.1, http://www.icao.int/mrtd/download/technical.cfm.
[7] ICAO NTWG: Development of a Logical Data Structure – LDS for Optional Capacity
Expansion Technologies, V 1.7, http://www.icao.int/mrtd/download/technical.cfm.
[8] BSI: Advanced Security Mechanisms for Machine Readable Travel Documents –
Extended Access Control (EAC), Version 1.0, TR-03110, http://www.befreite-
dokumente.de/eingereichte-akten/tr-03110-eac-1.0/.
[X] Expected to be published in the nearest future