3M Security Systems
© 3M 2010. All Rights Reserved.
Blackhat Europe 2010
Verifying eMRTD Security Controls
Raoul D’Costa
Agenda
▪ Overview of ICAO / EU Specifications
▪ eMRTDs decomposed
▪ eMRTD Infrastructure (PKI)
▪ Inspecting eMRTD
▪ User Interface Design
▪ Conclusion
Introduction
▪ Section 1: Overview of eMRTD Specifications
eMRTD Specifications
▪ ICAO Travel Document - Doc 9303
▪ Core specifications set by the International Civil Aviation Organisation (ICAO) NTWG / SC17 collaboration
▪ Supplemented by BSI ASM for eMRTDs (EAC)
▪ Authenticated eMRTDs provide identity verification of the eMRTD holder
▪ Issued by Issuing Authorities in nation states or international bodies (e.g. INTERPOL) as enhanced identity security documents
▪ Commonly issued eMRTDs include national ePassports and eID cards; seafarers' documents and Biometric Residence Permits use the same specifications
eMRTD Types
eMRTD – RFID Integrated Circuit Card
Symbol denoting Chipped eMRTD
Nation States that issue MRTDs (2009)
eMRTD Decomposed
▪ Section 2: eMRTDs Decomposed
eMRTD Decomposed - Chip
[Figure: chip file structure; labels: Master Files, …, USER APPLICATION]
Datagroup 1
▪ Contains the following information
  • Date of Birth
  • Passport Number
  • Expiry Date
▪ Access to the file is protected by Basic Access Control
Datagroup 2
▪ Photograph encoded to an ISO standard to ensure the quality of the image data
▪ Access is protected by Basic Access Control
▪ Images encoded in JPEG or JPEG2000 formats
▪ Photographs are standardised to enable visual comparison and automated biometric verification
▪ Images are used to overcome interoperability challenges (different biometric verification algorithms)
eMRTD Verification
eMRTD Decomposed - EF.COM
Datagroup 3
▪ Fingerprints and Iris are a second generation feature of eMRTDs
▪ Sensitive Data protected by EAC as an enhancement to BAC
▪ Access is protected by Extended Access Control (separate PKI authorisation scheme)
▪ Images encoded in JPEG or JPEG2000 formats to overcome biometric interoperability problems
▪ No International Standard yet
EF.COM Data
▪ Contains a map of the tags, lengths and values present in the file
▪ Is not protected (digitally signed) by the issuing authority
▪ Cannot be trusted unless authenticated to EF.SOD
eMRTD Decomposed – EF.SOD
▪ Contains the hash values of all the data groups
▪ Hash values are signed by a document signing authority with its private key (SOD = Digital Signature)
▪ May contain the Document Signer Certificate (DSC) that corresponds to the public key element used to create the SOD, or a reference to the DSC
▪ Can be trusted provided the Document Signer Certificate is validated
EF.SOD
eMRTD Deconstructed - EF.SOD
[Figure: EF.SOD structure; label: SIGNATURE]
Presenting the results
Verifying EF.SOD
▪ Part of the Passive Authentication process
▪ Verify the ASN.1 Structure
▪ Verify the hash values present
▪ Verify the signature against the public key element contained in related Document Signer Certificate
▪ Authenticate the Document Signer Certificate
  • Verify the certificate chain of the DSC against the CSCA Certificate dynamically
  • Pre-validated DSCs in protected Certificate Cache Store
Reliance on genuine passport numbers
eMRTD Infrastructure (PKI)
▪ Section 3: eMRTD Infrastructure (PKI)
ePassport Infrastructure – 1st Generation
[Figure: first-generation PKI diagram; labels: CSCA Authority, Document Signer Service, ICAO PKD, Registration Authority, Inspection System, Issuance, Verification, National Infrastructure]
Second Generation Extensions
[Figure: second-generation extensions diagram; labels: CVCA, DVCA, SPOC, Registration Authority, Inspection System, Issuance, Verification]
ePassport Infrastructure – 2nd Generation
ICAO Public Key Directory
▪ Global repository of certificates used to validate eMRTDs
▪ Relies on Issuing Authority subscribers uploading data to the PKD
▪ Regularly updated with
  • Document Signer Certificates
  • CRLs
  • Null CRLs
  • MasterLists
▪ Serves as a trust anchor on eMRTDs
ICAO PKD
https://pkddownloadsg.icao.int/ICAO/pkdLDIFDownload.jsp
eMRTD Verification
Inspecting eMRTD Effectively
▪ Section 4: Inspecting eMRTD Effectively
Inspection Terminals – RFID Readers
eMRTD Verification Process
[Flowchart. Nodes: Holder provides eMRTD; MRTD to Be Inspected; Physical Check; Perform Physical Checks; Extract MRZ; Validate MRZ; Query against whitelist; Perform BAC using MRZ; Extract Data; Perform Facial Checks; Perform PA Checks; Perform AA; Perform EAC; Perform Fingerprint matching; Record Result (after each check); Produce Result. Decision points (Y/N): MRZ Valid; BAC Successful; AA Present; Contains 2nd Gen Features; EAC Successful.]
Physical Checks: Reliance on experts?
Physical Checks
▪ Check that the document has not been tampered with
▪ Check the document under various wavelengths of light
▪ Check that the document has not expired
Limitations of Physical Checks
▪ Difficult to automate
▪ Not standardised
▪ Can be subjective
▪ Physical inspection is not always logged
Validate MRZ
▪ Validate that the contents of the MRZ are valid
▪ Validate the checksum
▪ Validate that they match the contents of the passport
Validation of MRZ Checksum
BAC
▪ Extract the following fields
  • Date of Birth
  • Document Number
  • Expiry Date
▪ Send these to the chip
▪ These should match DG1
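
An added example, not from the original slides, of how an inspection system turns the three MRZ fields above into BAC session-establishment keys under Doc 9303: the fields and their check digits are hashed with SHA-1 into a key seed, from which the 3DES encryption and MAC keys are derived. The sample line is specimen-style test data and the function names are illustrative; note that the keys depend only on data printed on the data page.

```python
import hashlib

def adjust_parity(key):
    """Set the low bit of each byte so that every byte has odd parity (DES keys)."""
    out = bytearray()
    for b in key:
        ones_in_top7 = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_top7 % 2 else 1))
    return bytes(out)

def mrz_information(line2):
    """Document number, date of birth and date of expiry, each with its check digit
    (TD3 line 2 offsets assumed)."""
    return line2[0:10] + line2[13:20] + line2[21:28]

def derive_key(k_seed, counter):
    """SHA-1(Kseed || 32-bit counter); the first 16 bytes form a two-key 3DES key."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])

def bac_keys(line2):
    """Return the key seed, encryption key (counter 1) and MAC key (counter 2)."""
    k_seed = hashlib.sha1(mrz_information(line2).encode("ascii")).digest()[:16]
    return {
        "k_seed": k_seed,
        "k_enc": derive_key(k_seed, 1),
        "k_mac": derive_key(k_seed, 2),
    }

# Specimen-style TD3 line 2 (test data, not a real document).
SAMPLE_LINE2 = "L898902C<3UTO6908061F9406236ZE184226B<<<<<14"

if __name__ == "__main__":
    print("MRZ information:", mrz_information(SAMPLE_LINE2))
    for name, value in bac_keys(SAMPLE_LINE2).items():
        print(name, value.hex().upper())
```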
Facial Biometrics
▪ Match the holder to the DG2 using facial biometrics
▪ DG2 is required to meet certain standards
▪ Used in some countries including
  • Portugal
  • Australia
  • UK (Trial)
Biometric Facial Checking
Passive Authentication
▪ Check the validity of EF.SOD
▪ Check the hash values of the datagroups
▪ Check the signature of SOD
▪ Check the chain of the document signer certificate
▪ Check against null and non null CRLs
▪ ICAO PKD maintains certificates for subscribers
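
The hash-checking step of Passive Authentication, together with the earlier point that EF.COM is unsigned, as an added example that is not part of the original slides. It assumes the EF.SOD signature and Document Signer Certificate chain have already been verified and the signed hash list parsed into a dict; all names and the sample data group contents are constructed for illustration.

```python
import hashlib
import hmac

def check_datagroups(sod_hashes, ef_com_dgs, chip_files, algorithm="sha256"):
    """Compare data groups read from the chip with the hash list signed in EF.SOD.

    sod_hashes: {dg_number: digest} from the signed content of EF.SOD
    ef_com_dgs: DG numbers that the unsigned EF.COM claims are present
    chip_files: {dg_number: raw bytes} actually read from the chip
    Returns (per-DG findings, whether EF.COM agrees with EF.SOD).
    """
    findings = {}
    for dg in sorted(set(sod_hashes) | set(ef_com_dgs) | set(chip_files)):
        if dg not in sod_hashes:
            findings[dg] = "NOT_IN_SOD"   # nothing signed vouches for this file
        elif dg not in chip_files:
            findings[dg] = "NOT_READ"     # signed, but absent or access-controlled
        else:
            actual = hashlib.new(algorithm, chip_files[dg]).digest()
            match = hmac.compare_digest(actual, sod_hashes[dg])
            findings[dg] = "VALID" if match else "HASH_MISMATCH"
    ef_com_consistent = set(ef_com_dgs) == set(sod_hashes)
    return findings, ef_com_consistent

def passes(findings, ef_com_consistent, mandatory=(1, 2)):
    """Accept only if EF.COM agrees with EF.SOD, the mandatory DGs verify
    (DG1 and DG2 assumed here) and no file fails or is unvouched for."""
    bad = {"HASH_MISMATCH", "NOT_IN_SOD"}
    return (ef_com_consistent
            and all(findings.get(dg) == "VALID" for dg in mandatory)
            and not bad & set(findings.values()))

# Constructed sample data: stand-ins for issued DG1/DG2 and the signed hash list.
GENUINE = {1: b"constructed DG1 (MRZ) bytes", 2: b"constructed DG2 image bytes"}
SOD_HASHES = {dg: hashlib.sha256(data).digest() for dg, data in GENUINE.items()}
# A chip whose DG2 differs from what was signed and which carries an unlisted file.
ALTERED = {1: GENUINE[1], 2: b"a different image", 14: b"unsigned extra file"}

if __name__ == "__main__":
    for label, com, files in (("genuine", [1, 2], GENUINE),
                              ("altered", [1, 2, 14], ALTERED)):
        findings, consistent = check_datagroups(SOD_HASHES, com, files)
        print(label, findings, "EF.COM consistent:", consistent,
              "pass:", passes(findings, consistent))
```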
Active Authentication
▪ Ensures the eMRTD is not cloned
▪ Challenge response between the terminal and the eMRTD
Passive Authentication
▪ CSCAs can be exchanged
  • By diplomatic channels
  • Using CSCA MasterLists
▪ A CSCA is a trust anchor and can identify the eMRTD Issuing Authority
▪ Inspection System Integrity and Performance
▪ Security controls must ensure that bogus CSCAs cannot be inserted during the verification process
▪ Inspection System Architecture is designed to requirements (not one size fits all): it depends upon operating environment, devices, key management strategy and network reliability
Extended Access Control
▪ Consists of the following
  • Chip Authentication
  • Terminal Authentication
▪ Provides the following
  • Mutual authentication between the chip and the terminal
  • Some indication of the issuer of the eMRTD
  • Privacy of the fingerprints on the passport
Second Generation Features
▪ EAC requires the implementation of the EAC infrastructure to ensure verification
▪ EAC protects the privacy of the fingerprints on the ePassport
▪ EAC proves the issuer of the ePassport
▪ EAC ensures that only authorised terminals can read fingerprints
Fingerprint matching
▪ DG3 contains the fingerprint
▪ 0 – 10 digits can be stored depending on the country where fingerprints are captured
▪ Fingerprint image contained (not a template)
Registration: A link in the chain
Consolidating Checks
[Figure: status grid for the checks Fingerprint Biometric, Facial Biometric, AA, TA, BAC, Expiry Check, MRZ, Physical; legend: NOT PRESENT, INVALID, VALID]
Use Case 1: Valid 2nd Gen eMRTD
Use Case: 1st Gen Fake Passport
Use Case: Cloned 2nd Gen eMRTD
Use Case: Possible Fake Passport
An expired eMRTD
Use Case: Fake Passport
[Figure on each of the six slides above: status grid for the checks Fingerprint Biometric, Facial Biometric, AA, TA, PA, BAC, Expiry Check, MRZ, Physical; legend: NOT IMPLEMENTED, NOT PRESENT, INVALID, VALID]
Usability of eMRTD Inspection Systems
▪ Section 5: Usability of eMRTD Inspection Systems
Usability Challenges
▪ Use their terminology
  • Counterfeit (not "PA has failed")
  • Falsified (not "Digital Signature is not verified")
  • Cloned (not "Active Authentication has been subverted")
  • Access denied (Terminal Authentication does not have appropriate CV chains)
▪ Simplicity by design
  • User Interface design aligns with tasks
  • Clear feedback on processing
  • State of device (security)
▪ Case Studies
  • Engage with Users
Conclusion
▪ Section 6: Conclusion
▪ eMRTDs are complex documents and need to be verified appropriately
▪ Partial checking of some features is not enough to guarantee that the document is authentic
▪ The varied designs and physical layouts of documents from different countries can easily lead to confusion, although the electronic features are standardised and the same
▪ User interface design for eMRTD verification apps should provide a result in a clear and concise manner
Questions?
▪ Raoul D’Costa
▪ redcosta AT mmm DOT com
▪ uk.linkedin.com/in/raouldcosta
▪ 00441635264104