Formal Security Analysis of Australian ePassport Implementation

Formal Security Analysis of Australian E-passportImplementation

Vijayakrishnan PWith: Prof. Josef Pieperzyk and

A/Prof. Huaxiong Wang

Centre for Advanced Computing - Algorithms and Cryptography (ACAC)Macquarie University

[email protected]

January 23, 2008

Vijayakrishnan P, et. al, ACAC Formal Security Analysis of Australian E-passport Implementation 1/17

1 IntroductionFirst Generation Electronic Passports

2 E-passport Operation

3 AnalysisRelated WorkSecurity GoalsFormal MethodOutcomes

4 Conclusion


Electronic Passports - Overview

Integration of a biometric enabled contactless smartcard microchip.

E-passport guideline developed by International Civil AviationOrganisation (ICAO).

Describes communication protocol and provides details onestablishing a secure communication channel between an e-passportand an e-passport reader and authentication mechanisms.

Uses existing approved standard such as ISO14443, ISO11770,ISO/IEC 7816, ISO 9796.


Passports Evolution

Yesterday: Machinereadable passport withMRZ

Today: Electronicpassport with digitalimage

Tomorrow: From 2009passport with secondarybiometric information


Passports Evolution





Passports Evolution





E-passport Operation

Protocols Involved

Basic Access Control (BAC ) - designed for encrypted communication

Passive Authentication (PA) - provides integrity of e-passport data

Active Authentication (AA) - provides authentication of chip contents

E-passport Holder Border Security

E-Passport. −→ Scan MRZExecute BAC protocolPerform PA protocolPerform AA protocol


Related Work and Weaknesses Identified

ProblemsBAC is optional!!

The authentication key is derived from document#, DoB, DoE

Low entropy (3DES max 112b, BAC max 56/74b, in practice 30-50b) [AJuels et al. 2005]

Interoperability issues - Modification of the derivation of the static keyrejected by ICAO in order not to break interoperability

Security Object contains a certificate signed by national governments andverification through PKI

No protection against cloning! [G S. Kc et al. 2005]


Our Contribution

Our Work

Define security requirements for E-passport system.

Formalise the protocol for verification.

Analyse which security goal are met (or not met).

Verify if weaknesses mentioned earlier exist?

How they affect further communications in the system.

How Australian SmartGate system is integrated into the system.


Security Analysis Goal

1 Data Confidentiality : Protect secrecy and privacy of e-passportdetails. The communication channel between the reader and the chipshould be secure.

2 Data Integrity : Protects against tampering with the chip’s contentsi.e., any data tampering should be easily detectable by the bordersecurity centre.

3 Data Origin Authentication : The data on the chip should bebound to information on MRZ and to the data that appears in thee-passport bio-data page currently being examined by a bordersecurity officer.

4 Non Repudiation : Obtain a undeniable digital data from thee-passport for future processing, e.g, in case of an aftermath of aterrorist attack.


Security Analysis Goal

1 Mutual Authentication : Important for the reader to authenticate thee-passport, but it is also important for the e-passport chip to authenticatethe reader before divulging any personal information to the reader. (toprevent an unauthorised e-passport reader from obtaining biometric details).

2 Certificate Manipulation : The reader should have a guarantee thatcertificates presented by the e-passport are valid and match the data on thee-passport.

3 Key Freshness and Key Integrity : The reader and e-passport must havesatisfactory proof that, nonce generated during both AA and BAC protocolsare fresh and the integrity of the derived session key is preserved. (Explicitkey authentication)

4 Forward Secrecy : Loss of session key or key used to generate a session key(KENC and KMAC ) should not compromise any future communication.


Using CASPER/CSP/FDR

FDR2 is a model checking tool developed by Formal Systems(Europe).

Input to FDR2 software is a CSP script which includes statementsmaking assertions about refinement properties.

We use CASPER developed by Gavid Lowe to generates refinementassertions to check for all specifications.

Example

Secret(B, message, [A])specifies that, at the end of a protocol run, entity B expects the value ofmessage to be known only to entity A. Assertion generated for the abovespecification is:SECRET M::SECRET SPEC[T=SECRET M::SYSTEM S



After 30 States and 135 transitions.



send.Reader.Chip.(Msg1,GETC,<>)INTRUDER_M::hear.GETCsend.Reader.Chip.(Msg3,Sq.<=> Encrypt.(KEYE,<RNDR2,KM,KR>),=> Encrypt.(KEYM,<RNDR2,KM,KR>)>,<>)INTRUDER_M::hear.Sq.<=> Encrypt.(KEYE,<RNDR2,KM,KR>),=> Encrypt.(KEYM,<RNDR2,KM,KR>)>INTRUDER_M::say.Sq.<=> Encrypt.(KEYE,<RNDR2,KM,KR>),=> Encrypt.(KEYM,<RNDR2,KM,KR>)>



which can be interpreted as:

Reader -> I_Chip : GETCI_Chip -> Reader : KMReader -> I_Chip : {RNDR2, KM, KR}{KEYE},=> {RNDR2, KM, KR}{KEYM}I_Chip -> Reader : {RNDR2, KM, KR}{KEYE},=> {RNDR2, KM, KR}{KEYM}


Formal Analysis using CASPER/CSP/FDR

WeaknessThe e-passport protocols does not satisfy our goal for data originauthentication as it can be subject to replay and grandmaster chess attacks,and the weakness can be exploited in cases where problems with facialbiometric exists.

Data confidentiality is also compromised when an attacker is able to obtainencryption and MAC keys stored in the e-passport chip using informationpresented in MRZ.

We were able to prove that this further affects the security goals for activeauthentication protocol, namely, mutual authentication, key freshness andkey integrity.

An informal analysis of the e-passport system reveals that it may also bevulnerable to certificate manipulation as they are dependent on PKI, whichis prone to DOS attacks.


Formal Analysis - E-passports

Weakness - contd. . .

Data security techniques deployed does not adequately protect ane-passport bearer (as keys have a very low entropy and are vulnerableto brute force attacks).

Makes it vulnerable to skimming.

The risk of identity theft or illegal entries into a country are furtherincreased when e-passports can be used as in SMARTGATE, that arecurrently on trial in Australia.

Unattended border control check-ins increase the risk of fraudulentfacial biometric verifications being undetected and also eavesdroppingon communication.


A note on the future of E-passport

ICAO has proposed second generation of E-passports.

New protocols to enhance security.

Germany is the first country to fully implement second generation(Early 2008).

Adds extra biometric identifiers (finger prints and iris scan).

Our analysis is under review.


Thank you

Questions ?

contact information: [email protected]


Technology

Formal Security Analysis of Australian ePassport Implementation