Upload
vijay-pasupathinathan
View
81
Download
0
Embed Size (px)
DESCRIPTION
Citation preview
Formal Security Analysis of Australian E-passportImplementation
Vijayakrishnan PWith: Prof. Josef Pieperzyk and
A/Prof. Huaxiong Wang
Centre for Advanced Computing - Algorithms and Cryptography (ACAC)Macquarie University
January 23, 2008
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 1/17
1 IntroductionFirst Generation Electronic Passports
2 E-passport Operation
3 AnalysisRelated WorkSecurity GoalsFormal MethodOutcomes
4 Conclusion
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 2/17
Electronic Passports - Overview
Integration of a biometric enabled contactless smartcard microchip.
E-passport guideline developed by International Civil AviationOrganisation (ICAO).
Describes communication protocol and provides details onestablishing a secure communication channel between an e-passportand an e-passport reader and authentication mechanisms.
Uses existing approved standard such as ISO14443, ISO11770,ISO/IEC 7816, ISO 9796.
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 3/17
Passports Evolution
Yesterday: Machinereadable passport withMRZ
Today: Electronicpassport with digitalimage
Tomorrow: From 2009passport with secondarybiometric information
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 4/17
Passports Evolution
Yesterday: Machinereadable passport withMRZ
Today: Electronicpassport with digitalimage
Tomorrow: From 2009passport with secondarybiometric information
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 4/17
Passports Evolution
Yesterday: Machinereadable passport withMRZ
Today: Electronicpassport with digitalimage
Tomorrow: From 2009passport with secondarybiometric information
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 4/17
E-passport Operation
Protocols Involved
Basic Access Control (BAC ) - designed for encrypted communication
Passive Authentication (PA) - provides integrity of e-passport data
Active Authentication (AA) - provides authentication of chip contents
E-passport Holder Border Security
E-Passport. −→ Scan MRZExecute BAC protocolPerform PA protocolPerform AA protocol
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 5/17
Related Work and Weaknesses Identified
ProblemsBAC is optional!!
The authentication key is derived from document#, DoB, DoE
Low entropy (3DES max 112b, BAC max 56/74b, in practice 30-50b) [AJuels et al. 2005]
Interoperability issues - Modification of the derivation of the static keyrejected by ICAO in order not to break interoperability
Security Object contains a certificate signed by national governments andverification through PKI
No protection against cloning! [G S. Kc et al. 2005]
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 6/17
Our Contribution
Our Work
Define security requirements for E-passport system.
Formalise the protocol for verification.
Analyse which security goal are met (or not met).
Verify if weaknesses mentioned earlier exist?
How they affect further communications in the system.
How Australian SmartGate system is integrated into the system.
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 7/17
Security Analysis Goal
1 Data Confidentiality : Protect secrecy and privacy of e-passportdetails. The communication channel between the reader and the chipshould be secure.
2 Data Integrity : Protects against tampering with the chip’s contentsi.e., any data tampering should be easily detectable by the bordersecurity centre.
3 Data Origin Authentication : The data on the chip should bebound to information on MRZ and to the data that appears in thee-passport bio-data page currently being examined by a bordersecurity officer.
4 Non Repudiation : Obtain a undeniable digital data from thee-passport for future processing, e.g, in case of an aftermath of aterrorist attack.
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 8/17
Security Analysis Goal
1 Mutual Authentication : Important for the reader to authenticate thee-passport, but it is also important for the e-passport chip to authenticatethe reader before divulging any personal information to the reader. (toprevent an unauthorised e-passport reader from obtaining biometric details).
2 Certificate Manipulation : The reader should have a guarantee thatcertificates presented by the e-passport are valid and match the data on thee-passport.
3 Key Freshness and Key Integrity : The reader and e-passport must havesatisfactory proof that, nonce generated during both AA and BAC protocolsare fresh and the integrity of the derived session key is preserved. (Explicitkey authentication)
4 Forward Secrecy : Loss of session key or key used to generate a session key(KENC and KMAC ) should not compromise any future communication.
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 9/17
Using CASPER/CSP/FDR
FDR2 is a model checking tool developed by Formal Systems(Europe).
Input to FDR2 software is a CSP script which includes statementsmaking assertions about refinement properties.
We use CASPER developed by Gavid Lowe to generates refinementassertions to check for all specifications.
Example
Secret(B, message, [A])specifies that, at the end of a protocol run, entity B expects the value ofmessage to be known only to entity A. Assertion generated for the abovespecification is:SECRET M::SECRET SPEC[T=SECRET M::SYSTEM S
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 10/17
Using CASPER/CSP/FDR
After 30 States and 135 transitions.
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 11/17
Using CASPER/CSP/FDR
send.Reader.Chip.(Msg1,GETC,<>)INTRUDER_M::hear.GETCsend.Reader.Chip.(Msg3,Sq.<=> Encrypt.(KEYE,<RNDR2,KM,KR>),=> Encrypt.(KEYM,<RNDR2,KM,KR>)>,<>)INTRUDER_M::hear.Sq.<=> Encrypt.(KEYE,<RNDR2,KM,KR>),=> Encrypt.(KEYM,<RNDR2,KM,KR>)>INTRUDER_M::say.Sq.<=> Encrypt.(KEYE,<RNDR2,KM,KR>),=> Encrypt.(KEYM,<RNDR2,KM,KR>)>
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 12/17
Using CASPER/CSP/FDR
which can be interpreted as:
Reader -> I_Chip : GETCI_Chip -> Reader : KMReader -> I_Chip : {RNDR2, KM, KR}{KEYE},=> {RNDR2, KM, KR}{KEYM}I_Chip -> Reader : {RNDR2, KM, KR}{KEYE},=> {RNDR2, KM, KR}{KEYM}
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 13/17
Formal Analysis using CASPER/CSP/FDR
WeaknessThe e-passport protocols does not satisfy our goal for data originauthentication as it can be subject to replay and grandmaster chess attacks,and the weakness can be exploited in cases where problems with facialbiometric exists.
Data confidentiality is also compromised when an attacker is able to obtainencryption and MAC keys stored in the e-passport chip using informationpresented in MRZ.
We were able to prove that this further affects the security goals for activeauthentication protocol, namely, mutual authentication, key freshness andkey integrity.
An informal analysis of the e-passport system reveals that it may also bevulnerable to certificate manipulation as they are dependent on PKI, whichis prone to DOS attacks.
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 14/17
Formal Analysis - E-passports
Weakness - contd. . .
Data security techniques deployed does not adequately protect ane-passport bearer (as keys have a very low entropy and are vulnerableto brute force attacks).
Makes it vulnerable to skimming.
The risk of identity theft or illegal entries into a country are furtherincreased when e-passports can be used as in SMARTGATE, that arecurrently on trial in Australia.
Unattended border control check-ins increase the risk of fraudulentfacial biometric verifications being undetected and also eavesdroppingon communication.
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 15/17
A note on the future of E-passport
ICAO has proposed second generation of E-passports.
New protocols to enhance security.
Germany is the first country to fully implement second generation(Early 2008).
Adds extra biometric identifiers (finger prints and iris scan).
Our analysis is under review.
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 16/17
Thank you
Questions ?
contact information: [email protected]
Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 17/17