3M Security Systems BlackhatEurope 2010 ... 4 ¢©3M 2010. All Rights Reserved. 3M Security Systems eMRTD

  • View
    1

  • Download
    1

Embed Size (px)

Text of 3M Security Systems BlackhatEurope 2010 ... 4 ¢©3M 2010. All Rights Reserved. 3M Security...

  • 1

    3M Security Systems

    © 3M 2010. All Rights Reserved.

    Blackhat Europe 2010

    Verifying eMRTD Security Controls Raoul D’Costa

  • 2 © 3M 2010. All Rights Reserved.

    3M Security Systems Agenda

    � Overview of ICAO / EU Specifications

    � eMRTDs decomposed

    � eMRTD Infrastructure (PKI)

    � Inspecting eMRTD

    � User Interface Design

    � Conclusion

  • 3 © 3M 2010. All Rights Reserved.

    3M Security Systems Introduction

    � Section 1: Overview of eMRTD Specifications

  • 4 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Specifications

    � ICAO Travel Document - Doc 9303

    � Core Specifications set by the International Civil Aviation

    Organisation (ICAO) NTWG / SC17 collaboration

    � Supplemented by BSI ASM for eMRTDs (EAC)

    � Authenticated eMRTDs provide identity verification of eMRTD holder

    � Issuing Authorities in nation states or Int’l bodies e.g. INTERPOL as

    enhanced identity security documents

    � Commonly issued eMRTDs include national ePassports and eID

    Cards but also Seafarers documents, Biometric Residence Permits

    use same specifications

  • 5 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Types

  • 6 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD – RFID Integrated Circuit Card

  • 7 © 3M 2010. All Rights Reserved.

    3M Security Systems Symbol denoting Chipped eMRTD

  • 8 © 3M 2010. All Rights Reserved.

    3M Security Systems Nation States that issue MRTDs (2009)

  • 9 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Decomposed

    � Section 2: eMRTDs Decomposed

  • 10 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Decomposed

  • 11 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Decomposed

  • 12 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Decomposed - Chip

    Master Files

    USER APPLICATION

  • 13 © 3M 2010. All Rights Reserved.

    3M Security Systems Datagroup 1

    � Contains the following information

    • Date of Birth

    • Passport Number

    • Expiry Date

    � Access to the file is protected by Basic Access Control

  • 14 © 3M 2010. All Rights Reserved.

    3M Security Systems Datagroup 2

    � Encoded photograph to ISO Standard to ensure quality of

    data image

    � Access is protected by Basic Access Control

    � Images encoded in JPEG or JPEG2000 formats

    � Photographs are standardised to ensure visual comparison

    and automated biometric verification

    � Images to overcome interoperability challenges (different

    biometric verification algorithms)

  • 15 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Verification

  • 16 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Decomposed - EF.COM

  • 17 © 3M 2010. All Rights Reserved.

    3M Security Systems Datagroup 3

    � Fingerprints and Iris are a second generation feature of eMRTDs

    � Sensitive Data protected by EAC as an enhancement to BAC

    � Access is protected by Extended Access Control (separate PKI authorisation scheme)

    � Images encoded in JPEG or JPEG2000 formats to overcome biometric interoperability problems

    � No International Standard yet

  • 18 © 3M 2010. All Rights Reserved.

    3M Security Systems EF.COM Data

    � Contains a map of the tags, lengths values present in the

    file

    � Is not protected (digitally signed) by issuing authority

    � Cannot be trusted unless authenticated to EF.SOD

  • 19 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Decomposed – EF.SOD

    � Contains the hash values of all the data groups

    � Hash values signed by a document signing authority with

    private key (SOD = Digital Signature)

    � May contain the Document Signer Certificate (DSC) that

    corresponds public key element used the create the SOD

    or reference to DSC.

    � Can be trusted provided the Document Signer Certificate is

    validated

  • 20 © 3M 2010. All Rights Reserved.

    3M Security Systems EF.SOD

  • 21 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Deconstructed - EF.SOD

    SIGNATURE

  • 22 © 3M 2010. All Rights Reserved.

    3M Security Systems Presenting the results

  • 23 © 3M 2010. All Rights Reserved.

    3M Security Systems Verifying EF.SOD

    � Part of the Passive Authentication process

    � Verify the ASN.1 Structure

    � Verify the hash values present

    � Verify the signature against the public key element contained in related Document Signer Certificate

    � Authenticate the Document Signer Certificate

    • Verify the certificate chain of the DSC against the CSCA Certificate dynamically

    • Pre-validated DSCs in protected Certificate Cache Store

  • 24 © 3M 2010. All Rights Reserved.

    3M Security Systems Reliance on genuine passport numbers

  • 25 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Infrastructure (PKI)

    � Section 3: eMRTD Infrastructure (PKI)

  • 26 © 3M 2010. All Rights Reserved.

    3M Security Systems ePassport Infrastructure – 1st Generation

    CSCA Authority

    Document Signer Service

    ICAO PKD

    Registration Authority Inspection System

    Issuance Verification

    National Infrastructure

  • 27 © 3M 2010. All Rights Reserved.

    3M Security Systems Second Generation Extensions

    CVCA

    Issuance

    Registration Authority Inspection System

    Issuance

    Verification

    DVCA

    SPOC

  • 28 © 3M 2010. All Rights Reserved.

    3M Security Systems ePassport Infrastructure – 2nd Generation

  • 29 © 3M 2010. All Rights Reserved.

    3M Security Systems ICAO Public Key Directory

    � Global repository of certificates used to validate eMRTDs

    � Relies on Issuing Authority subscribers uploading data to

    the PKD

    � Regularly updated with

    • Document Signer Certificates

    • CRLs

    • Null CRLs

    • MasterLists

    � Serves as a trust anchor on eMRTDs

  • 30 © 3M 2010. All Rights Reserved.

    3M Security Systems ICAO PKD

    https://pkddownloadsg.icao.int/ICAO/pkdLDIFDownload.jsp

  • 31 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Verification

  • 32 © 3M 2010. All Rights Reserved.

    3M Security Systems Inspecting eMRTD Effectively

    � Section 4: Inspecting eMRTD Effectively

  • 33 © 3M 2010. All Rights Reserved.

    3M Security Systems Inspection Terminals – RFID Readers

  • 34 © 3M 2010. All Rights Reserved.

    3M Security Systems eMRTD Verification Process

    MRTD to Be Inspected

    Physical Check

    Extract MRZ

    MRZ Valid

    Query against

    whitelist

    Perform

    Physical

    Checks

    Validate MRZ

    Perform BAC

    using MRZ

    Perform

    Facial

    Checks

    Perform PA

    Checks

    Record ResultY

    Record ResultY

    Perform EAC Contains 2

    nd

    Gen Features Y

    Record Result

    Record Result

    N

    BAC Sucessful

    Extract Data

    Record Result

    Perform

    Fingerprint

    matching

    Produce Result

    EAC Sucessful

    Y

    AA Present

    Perform AA

    Record Result

    Y

    Y

    N

    Holder provides

    eMRTD

    N

    N

    N

    N

    Y

  • 35 © 3M 2010. All Rights Reserved.

    3M Security Systems Physical Checks: Reliance on experts?

  • 36 © 3M 2010. All Rights Reserved.

    3M Security Systems Physical Checks

    � Check that the document has

    not been tampered with

    � Check the document under

    various wavelengths of light

    � Check that the document has

    not expired

  • 37 © 3M 2010. All Rights Reserved.

    3M Security Systems Limitations of Physical Checks

    � Difficult to automate

    � Not standardised

    � Can be subjective

    � Physical inspection is not always logged

  • 38 © 3M 2010. All Rights Reserved.

    3M Security Systems Validate MRZ

    � Validate that the contents of the

    MRZ are valid

    � Validate the checksum

    � Validate that they match the

    contents of the passport

  • 39 © 3M 2010. All Rights Reserved.

    3M Security Systems Validation of MRZ

    Checksum

  • 40 © 3M 2010. All Rights Reserved.

    3M Security Systems BAC

    � Extract the following fields

    • Date of Birth