Security and Privacy Issues in E-passports

Ari Juels (RSA Laboratories, ajuels@rsasecurity.com), David Molnar (UC-Berkeley, dmolnar@eecs.berkeley.edu), and David Wagner (UC-Berkeley, daw@eecs.berkeley.edu)

Abstract

Within the next year, travelers from dozens of nations may be carrying a new form of passport in response to a mandate by the United States government. The e-passport, as it is sometimes called, represents a bold initiative in the deployment of two new technologies: Radio-Frequency Identification (RFID) and biometrics. Important in their own right, e-passports are also the harbinger of a wave of next-generation ID cards: several national governments plan to deploy identity cards integrating RFID and biometrics for domestic use. We explore the privacy and security implications of this impending worldwide experiment in next-generation authentication technology. We describe privacy and security issues that apply to e-passports, then analyze these issues in the context of the International Civil Aviation Organization (ICAO) standard for e-passports.

1 Introduction

Major initiatives by the United States and other governments aim to fuse Radio Frequency Identification (RFID) and biometric technologies in a new generation of identity cards. Together, RFID and biometric technologies promise to reduce fraud, ease identity checks, and enhance security. At the same time, these technologies raise new risks. We explore the privacy and security implications of this worldwide experiment with a new type of authentication platform, with particular attention to its deployment in passports.

As part of its US-VISIT program, the United States government has mandated adoption by October 2006 of biometrically-enabled passports by the twenty-seven nations in its Visa-Waiver Program (VWP), among them Japan, most of the nations of Western Europe, and a handful of others [fn 1]. By the end of 2005, all passports produced in the U.S. will carry biometric information. These passports are based on guidelines issued by the International Civil Aviation Organization (ICAO), a body run by the United Nations with a mandate for setting international passport standards [19]. The ICAO guidelines, detailed in ICAO Document 9303, call for incorporation of RFID chips, microchips capable of storing data and transmitting it in a wireless manner, into passports. (In this paper we refer to the ICAO guidelines as a ‘standard.’ They are certainly a de facto standard but not a ratified standard.) Such chips will be present in initial deployments of biometrically enabled United States passports, and in the biometrically enabled passports of other nations as well. Next-generation passports, sometimes called e-passports, will be a prominent and widespread form of identification within a couple of years.

Footnote 1: The deadline was originally October 2005, but it was extended after European nations protested [32].

The ICAO standard specifies face recognition as the globally interoperable biometric for identity verification in travel documents. Thus e-passports will contain digitized photographic images of the faces of their bearers. The standard additionally specifies fingerprints and iris data as optional biometrics. The US-VISIT program in fact requires visitors to provide two fingerprint images in addition to a headshot. The ICAO standard also envisions that e-passports will someday include a write capability for storage of information like digital visas.

Interestingly, one nation has already deployed e-passports in a project pre-dating the ICAO standard. Since 1998, Malaysian passports have included a chip containing an image of a thumbprint of the passport holder; a second generation of e-passports rolled out in 2003 that contains extracted fingerprint information only. When flying through Kuala Lumpur International Airport, a Malaysian citizen passes through an automated gate that reads the thumbprint from the chip and compares it to the thumb pressed on a scanner. Today, over 5,000,000 first generation and 125,000 second generation e-passports are in circulation.

While e-passports are important in their own right, they also merit scrutiny as the harbinger of a wave of a fusion of RFID and biometrics in identity documents. Another next-generation ID card slated for deployment in the near future in the United States, for example, is the Personal Identity Verification (PIV) card. PIV cards will serve as ID badges and access cards for employees and contractors of the federal government in the United States. A standard for government ID cards (FIPS 201) is seeing rapid development by the National Institute of Standards and Technology (NIST). We expect PIV cards will include the same blend of technical mechanisms as e-passports: a combination of RFID and biometrics. The biometric of choice for PIV cards, however, will probably be fingerprint recognition. At the time of writing, the U.S. House of Representatives recently passed a bill called the Real ID Act; this seems a likely impetus for states to issue identity cards containing biometrics, and probably RFID tags as well [29].

The goal of the ICAO and PIV projects is the same: strong authentication through documents that unequivocally identify their bearers. Data integrity and physical integrity are vital to the security of ID cards as authenticators. For authorities to establish the identity of John Doe with certainty, for example, Doe’s passport must carry a photograph of irrefutable pedigree, with a guarantee that no substitution or tampering has taken place. Without this guarantee, passports can be forged, enabling unauthorized persons to enter a country.

Strong authentication requires more than resistance to tampering. Data confidentiality, i.e., secrecy of data stored on ID cards, is also critical. Protecting biometric and biographical data is essential to the value and integrity of an authentication system. In particular, data secrecy affords an important form of protection against forgery and spoofing attacks. Therefore protecting e-passport data against unauthorized access is a crucial part of the security of the entire system.

Confidentiality protection for stored data is important for other reasons as well. Both RFID and biometrics are highly privacy-sensitive technologies. Sensitive data, such as birthdate or nationality, are carried on passports. The privacy, physical safety, and psychological comfort of the users of next-generation passports and ID cards will depend on the quality of data-protection mechanisms and supporting architecture.

We identify security and privacy threats to e-passports generally, then evaluate emerging and impending e-passport types with respect to these threats. We primarily analyze the ICAO standard and the specific deployment choices of early adopter nations. Where appropriate, we also discuss the Malaysian e-passport. Here is a summary of the major points we touch on:
1. Clandestine scanning: It is well known that RFID tags are subject to clandestine scanning. Baseline ICAO guidelines do not require authenticated or encrypted communications between passports and readers. Consequently, an unprotected e-passport chip is subject to short-range clandestine scanning (up to a few feet), with attendant leakage of sensitive personal information including date of birth and place of birth.

2. Clandestine tracking: The standard for e-passport RFID chips (ISO 14443) stipulates the emission (without authentication) of a chip ID on protocol initiation. If this ID is different for every passport, it could enable tracking the movements of the passport holder by unauthorized parties. Tracking is possible even if the data on the chip cannot be read. We also show that the ICAO Active Authentication feature enables tracking when used with RSA or Rabin-Williams signatures.

3. Skimming and cloning: Baseline ICAO regulations require digital signatures on e-passport data. In principle, such signatures allow the reader to verify that the data came from the correct passport-issuing authority [fn 2]. Digital signatures do not, however, bind the data to a particular passport or chip, so they offer no defense against passport cloning.
4. Eavesdropping: “Faraday cages” are an oft-discussed countermeasure to clandestine RFID scanning. In an e-passport, a Faraday cage would take the form of metallic material in the cover or holder that prevents the penetration of RFID signals. Passports equipped with Faraday cages would be subject to scanning only when expressly presented by their holders, and would seem on first blush to allay most privacy concerns. Faraday cages, however, do not prevent eavesdropping on legitimate passport-to-reader communications, like those taking place in airports. Eavesdropping is particularly problematic for three reasons.

   - Function creep: As envisioned in the ICAO guidelines, e-passports will likely see use not just in airports, but in new areas like e-commerce; thus eavesdropping will be possible in a variety of circumstances.

   - Feasibility: Unlike clandestine scanning, eavesdropping may be feasible at a longer distance, given that eavesdropping is a passive operation [39].

   - Detection difficulty: As it is purely passive and does not involve powered signal emission, eavesdropping is difficult to detect (unlike clandestine scanning).
5. Biometric data-leakage: Among other data, e-passports will include biometric images. In accordance with the ICAO standard, these will initially be digitized headshots, while thumbprints are used for the Malaysian e-passport. These images would not need to be secret to support authentication if the physical environment were strictly controlled. However, existing and proposed deployments of e-passports will facilitate automation, and therefore a weakening of human oversight. This makes secrecy of biometric data important.

Footnote 2: Digital signatures and indeed, e-passports and secure ID cards in general do not solve the problem of validating enrollment. Depending on how new users are validated, it may be possible to obtain an authentic ID by presenting inauthentic credentials or through circumventing issuing guidelines. Indeed, the 9/11 hijackers had perfectly authentic drivers’ licenses. Digital signatures would merely have confirmed their validity. We do not treat the issue of enrollment here, but note that it is pivotal in any ID system.
6. Cryptographic weaknesses: ICAO guidelines include an optional mechanism for authenticating and encrypting passport-to-reader communications. The idea is that a reader initially makes optical contact with a passport, and scans the name, date of birth, and passport number to derive a cryptographic key with two functions:

   - It allows the passport to establish that it is talking to a legitimate reader before releasing RFID tag information.

   - It is used to encrypt all data transmitted between the passport and the reader [fn 3].

   Once a reader knows the key, however, there is no mechanism for revoking access. A passport holder traveling to a foreign country gives that country’s Customs agents the ability to scan his or her passport in perpetuity. Further, we find that the cryptography relied upon by the ICAO standard itself has some minor flaws.
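The following is an added example, not code from the paper or from any ICAO implementation, illustrating point 3 above: an issuer signature over the passport data shows that the data came from the issuing authority, but a byte-for-byte copy of that data and signature passes the same check, and only a challenge-response against a key held on the chip (the role ICAO Active Authentication plays) ties the data to one physical chip. Everything below is a toy stand-in chosen for illustration: textbook RSA over fixed Mersenne primes with no padding, a `Chip` class that models the readable data and the chip-resident private key, and a data group labelled `DG15` for the chip public key.

```python
"""Added example (not the paper's code): why an issuer signature alone does
not detect a cloned passport, and what a chip-bound challenge-response adds.
Toy textbook RSA over fixed primes; far too weak for real use."""
import hashlib
import secrets

E = 65537  # public exponent; coprime with (p-1)(q-1) for every prime pair below

# Constructed toy primes (2**61-1, 2**89-1 and 2**107-1 are Mersenne primes).
ISSUER_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)
CHIP_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)
FORGER_PRIMES = ((1 << 61) - 1, (1 << 107) - 1)


def keygen(p, q):
    """Return (public, private) toy RSA keys as (n, exponent) tuples."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def _digest(message: bytes) -> int:
    # 128-bit truncated SHA-256 so the value is below every modulus above.
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(private, message: bytes) -> int:
    n, d = private
    return pow(_digest(message), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(message)


def encode_data_groups(dg: dict) -> bytes:
    # Deterministic serialisation of the signed data groups.
    return repr(sorted(dg.items())).encode()


class Chip:
    """Model of an e-passport chip: readable data plus, on a genuine chip,
    a private key that never leaves the chip (assumed interface)."""

    def __init__(self, data_groups, issuer_sig, aa_private=None):
        self.data_groups = data_groups
        self.issuer_sig = issuer_sig
        self._aa_private = aa_private

    def read(self):
        return self.data_groups, self.issuer_sig

    def sign_challenge(self, nonce: bytes):
        if self._aa_private is None:
            return None  # copied data only: nothing to answer with
        return sign(self._aa_private, nonce)


def passive_authentication(issuer_public, chip) -> bool:
    """Baseline check of point 3: was the data signed by the issuer?"""
    dg, sig = chip.read()
    return verify(issuer_public, encode_data_groups(dg), sig)


def active_authentication(chip) -> bool:
    """Challenge-response against the chip public key carried inside the
    issuer-signed data (labelled DG15 here)."""
    dg, _ = chip.read()
    nonce = secrets.token_bytes(8)
    response = chip.sign_challenge(nonce)
    return response is not None and verify(dg["DG15"], nonce, response)


def issue(issuer_private, holder: dict, chip_public):
    """Issuer personalises a passport: holder data plus chip public key, signed."""
    dg = dict(holder, DG15=chip_public)
    return dg, sign(issuer_private, encode_data_groups(dg))


def demo():
    """Return {scenario: (passive_ok, active_ok)} for three chips."""
    issuer_pub, issuer_priv = keygen(*ISSUER_PRIMES)
    chip_pub, chip_priv = keygen(*CHIP_PRIMES)
    holder = {"DG1": "DOE<<JOHN", "DOB": "1970-01-01"}  # constructed sample
    dg, sig = issue(issuer_priv, holder, chip_pub)

    genuine = Chip(dg, sig, chip_priv)
    # Copy with identical data and signature but no private key.
    copied = Chip(dict(dg), sig)
    # Copy whose DG15 was swapped for a key pair the copier controls: the
    # data no longer matches what the issuer signed.
    forger_pub, forger_priv = keygen(*FORGER_PRIMES)
    rekeyed = Chip(dict(dg, DG15=forger_pub), sig, forger_priv)

    return {
        name: (passive_authentication(issuer_pub, c), active_authentication(c))
        for name, c in [("genuine", genuine), ("copied", copied), ("rekeyed", rekeyed)]
    }


if __name__ == "__main__":
    for name, (passive_ok, active_ok) in demo().items():
        print(f"{name:8s} passive={passive_ok} active={active_ok}")
```

Only the genuine chip passes both checks: the copied chip passes passive authentication exactly as the text says, and fails only the chip-bound step, while the rekeyed copy fails the issuer signature because the public key is part of the signed data. This is the binding between data and chip that a signature on the data alone does not provide.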
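The following is an added example, not code from the paper or from the ICAO specification, modelling the optional mechanism of point 6: a key derived from the optically scanned name, date of birth and passport number, a reader that must prove knowledge of that key before the chip releases data, and the same key encrypting the exchange. The derivation (SHA-256 over the scanned fields), the proof (HMAC-SHA-256 over a chip nonce) and the HMAC-counter stream cipher are assumptions chosen for illustration, not the standard's primitives; the holder values are constructed.

```python
"""Added example (not the paper's code): a simplified access-control model in
which the key is a function of the printed data page, so a reader that has
seen the page once can recompute the key indefinitely."""
import hashlib
import hmac
import secrets


def derive_access_key(name: str, date_of_birth: str, passport_number: str) -> bytes:
    """Assumed derivation: the key depends only on the scanned fields."""
    printed = f"{name.upper()}|{date_of_birth}|{passport_number}".encode()
    return hashlib.sha256(printed).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC(key, nonce || counter) blocks, truncated.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


decrypt = encrypt  # XOR stream cipher: the same operation in both directions


class PassportChip:
    def __init__(self, holder, data_groups: bytes):
        self._key = derive_access_key(*holder)  # written at personalisation
        self._data = data_groups
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(8)
        return self._nonce

    def respond(self, reader_proof: bytes):
        """Release data only to a reader that proves it knows the key."""
        expected = hmac.new(self._key, b"reader|" + self._nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, reader_proof):
            return None
        return encrypt(self._key, self._nonce, self._data)


class Reader:
    def __init__(self, access_key: bytes):
        self.access_key = access_key

    def read(self, chip: PassportChip):
        nonce = chip.challenge()
        proof = hmac.new(self.access_key, b"reader|" + nonce, hashlib.sha256).digest()
        ciphertext = chip.respond(proof)
        return None if ciphertext is None else decrypt(self.access_key, nonce, ciphertext)


def demo() -> dict:
    """Three readers against one chip; True means the data was recovered."""
    holder = ("Jane Doe", "1970-01-01", "X1234567")  # constructed sample holder
    data = b"DG1:DOE<<JANE;DOB=1970-01-01;POB=SPRINGFIELD"
    chip = PassportChip(holder, data)

    # Border reader that has just optically scanned the data page.
    scanned_key = derive_access_key(*holder)
    # Reader that never saw the data page and has one field wrong.
    guessed_key = derive_access_key("Jane Doe", "1971-01-01", "X1234567")
    # The same border reader years later: the chip holds no state that
    # could revoke a key it has already accepted.
    retained_key = scanned_key

    return {
        "scanned_reader": Reader(scanned_key).read(chip) == data,
        "wrong_fields": Reader(guessed_key).read(chip) == data,
        "retained_key_later": Reader(retained_key).read(chip) == data,
    }


if __name__ == "__main__":
    print(demo())
```

The chip refuses a reader whose key does not match, which is the gain over an unprotected chip, but a reader holding a previously derived key is indistinguishable from one that just scanned the page, which is the revocation gap the text points out.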
Related Work

Existing media stories, e.g., [34], have recognized the first three of the points enumerated above. The other issues, more technical in nature, have seen less exposition; the major previous effort we are aware of is Pattinson’s whitepaper that outlines the privacy problems with e-passports that may be readable by anyone and argues, as we do, for Basic Access Control [31]. Pattinson also points out the need for a direct link between optically scanned card data and secret keys embedded in an e-passport. He does not, however, consider the issue of biometric data leakage or the cryptographic issues we address. Jacobs discusses issues in e-passport deployment in the Netherlands and reports on work with a prototype Netherlands biometric passport; he highlights the importance of Basic Access Control and also investigates the issues surrounding a national database of biometric identifiers [22]. Markus Kuhn suggested the incorporation of a Faraday cage in e-passports at an ISO/ICAO meeting in 2002, but the suggestion was overruled at the time [26]. The smart card research group at IBM Zurich has demonstrated a Javacard application running on a Philips chip that performs Basic Access Control and Active Authentication in under 2 seconds, showing that these technologies are feasible in practice [17]. Finally, Germany has released an intermediate report from its biometric passport program, including results on biometric failure rates and times for completing Diffie-Hellman based “Extended Access Control” [12].

Footnote 3: The need for optical scanning of passports seems to negate the benefits of wireless communication conferred by RFID. Our supposition is that ICAO guidelines favor RFID chips over contact chips because wireless data transmission causes less wear and tear than physical contact.
Organization

In section 2, we provide some basic technical background on RFID and biometrics. We turn in section 3 to a detailed discussion of the data contained in e-passport deployments and the risks posed by data exposure. We focus on the ICAO standard and the choices of specific countries in implementing the standard, and also briefly describe the Malaysian program as an illustration of likely deployment features. We consider the cryptographic security measures of the ICAO standard in section 4, illuminating some potential weaknesses and discussing the selection of features the United States has made for its US-VISIT program. In section 5, we sketch a few countermeasures to the security weaknesses we highlight. We discuss security issues likely to arise in future e-passport and ID-card systems in section 6. We conclude in section 7 with summary recommendations for improved e-passport deployment and with pointers to ID projects with similar underpinnings.
2 Technical Background

2.1 RFID in brief

The term Radio Frequency Identification (RFID) has come to stand for a family of technologies that communicate data wirelessly from a small chip, often called a “tag,” to a reading device. The ICAO specification for e-passports relies on the International Organization for Standardization (ISO) 14443 standard, which specifies a radio frequency of 13.56 MHz. Tags in the ISO 14443 standard are passive, meaning that they carry no on-board source of power, and instead derive power indirectly from the interrogating signal of a reader. The intended read range of tags in this standard is about 10 centimeters.

Because WalMart, the U.S. Department of Defense, and others have received much attention for their RFID deployments, we stress that the RFID used for e-passports is not the same as the RFID used by WalMart and others for supply chain management. Supply chain tags are designed to be as simple and cheap as possible, with no support for