About
The new biometric passport is supposed to be more secure and "even more unforgeable" than the old one, say those responsible for it. But its muddle of standards, its complex architecture and a seemingly premature concept are anything but confidence-inspiring.
News: Response to Mr. Barry Kefauver on security
This is an open response to an interview that Mr. Barry Kefauver gave in the MRTD Report by ICAO, Vol. 2, No. 2.
In this interview Mr. Kefauver makes incorrect claims, ignores a number of facts and simply tries to blame me. With this open letter I would like to clarify some facts from a security and RFID expert's point of view.
Mr. Kefauver attended my presentation at Document ID World, where he rejected most of the facts I presented. There he pointed out that we had to look at it solely as a security document. His argument that the following claims of mine are all unfounded is pure politics. His claim that experts designed a secure passport is simply wrong, as the following facts show.
First, the MRTD uses only TLV (http://en.wikipedia.org/wiki/Type-length-value) encoding, so all parsing, encoding and decoding of the data has to be done with code written specifically for this purpose. Any IT expert or system designer would instead use a standard ASN.1 (http://en.wikipedia.org/wiki/ASN.1) encoder and decoder, which would let every inspection system or reader validate the contents of the MRTD against a declared schema.
This would help prevent the software bugs that custom hand-written parsing code introduces.
One of the golden rules for secure systems is "keep it simple, stupid" (KISS). The ePassport applies useless meta-formats, and the whole process of reading the passport is immensely complex. A complex system is harder to implement correctly than a simple one, and this alone raises the number of potential vulnerabilities sharply.
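To make the point about hand-written TLV parsing concrete, here is an added example (not code from this letter, from RFDump or from any ICAO specification): a minimal BER-TLV parser that does the bounds checking such code must get right. The tag numbers 0x61 and 0x5F1F and the MRZ-like string are constructed for the example and are not taken from a real passport.

```python
"""Minimal BER-TLV parser with strict bounds checking.

Added example, not code from the letter, from RFDump or from any ICAO
specification.  It parses the tag/length/value layout the letter refers
to and shows where hand-written TLV code usually goes wrong: multi-byte
tags, long-form lengths, and a declared length that runs past the end of
the buffer.  The sample objects at the bottom are constructed for this
example; they are not taken from a real passport.
"""
from typing import List, Optional, Tuple


def parse_tlv(buf: bytes, offset: int = 0,
              end: Optional[int] = None) -> List[Tuple[int, bytes]]:
    """Parse consecutive BER-TLV objects from buf[offset:end].

    Returns a list of (tag, value) tuples.  Every length is checked against
    the bytes actually remaining before a value is sliced, so a malformed
    object raises ValueError instead of yielding a truncated or shifted
    value that later code might trust.
    """
    if end is None:
        end = len(buf)
    items = []
    pos = offset
    while pos < end:
        # Tag: if the low five bits of the first byte are all set, further
        # tag bytes follow until one arrives with its high bit clear.
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            while True:
                if pos >= end:
                    raise ValueError("truncated tag")
                tag = (tag << 8) | buf[pos]
                pos += 1
                if buf[pos - 1] & 0x80 == 0:
                    break
        # Length: short form (0x00-0x7F) or long form (0x8N + N length bytes).
        if pos >= end:
            raise ValueError("missing length")
        first = buf[pos]
        pos += 1
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            # 0x80 (indefinite length) and absurdly wide lengths are rejected.
            if n == 0 or n > 4:
                raise ValueError("unsupported length encoding")
            if pos + n > end:
                raise ValueError("truncated length")
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        # The value must lie entirely inside the buffer.
        if pos + length > end:
            raise ValueError(f"tag {tag:#x} declares {length} bytes, "
                             f"only {end - pos} remain")
        items.append((tag, bytes(buf[pos:pos + length])))
        pos += length
    return items


def parse_data_group(buf: bytes):
    """Parse one data-group object and return (outer tag, nested items)."""
    outer = parse_tlv(buf)
    if len(outer) != 1:
        raise ValueError("expected exactly one top-level object")
    tag, value = outer[0]
    return tag, parse_tlv(value)


def is_rejected(buf: bytes) -> bool:
    """True if the parser refuses buf, False if it parses cleanly."""
    try:
        parse_data_group(buf)
    except ValueError:
        return True
    return False


# Constructed sample: an outer object (tag 0x61) wrapping a two-byte tag
# 0x5F1F whose value stands in for MRZ text.  The MRZ string is made up.
MRZ = b"P<UTOSAMPLE<<DATA<<<<<<<"
_INNER = bytes([0x5F, 0x1F, len(MRZ)]) + MRZ
GOOD = bytes([0x61, len(_INNER)]) + _INNER

# Same object with the inner length byte inflated: the value would extend
# past the end of the buffer, which is exactly what a parser must catch.
BAD = bytearray(GOOD)
BAD[4] = 0x7F
BAD = bytes(BAD)

# A value of 200 bytes needs a long-form length (0x81 followed by one byte).
LONG = bytes([0x53, 0x81, 200]) + b"A" * 200

if __name__ == "__main__":
    print(parse_data_group(GOOD))
    print(parse_tlv(LONG)[0][0], len(parse_tlv(LONG)[0][1]))
    print("inflated length rejected:", is_rejected(BAD))
```

The point of the example is the last check in `parse_tlv`: a length field is attacker-controlled data from the chip, and every implementation of the format has to repeat this check correctly, which is what a generated ASN.1 decoder would do once for everyone.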
Another example is Extended Access Control. To give certain biometric data a higher level of protection, a cryptographic certificate that is valid only for a limited period of time is required. Obviously, a reliable clock is necessary to enforce that time limit.
However, the only trusted system, the RFID chip inside the passport itself, has no time source at its disposal. So how can this process work without a time source inside the RFID ePassport? It can't.
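The consequence of a chip without a clock can be shown in a few lines. The following is an added example and not code from this letter or from the EAC specification; it is a deliberately simplified model of one idea only, namely that a chip can learn what "now" is only from certificates it has already accepted. The certificate holders and dates are constructed for the example.

```python
"""Model of a chip that has no clock judging certificate validity.

Added example, not code from the letter or from the EAC specification,
and a deliberately simplified model of one idea only: a chip without a
clock can only learn what "now" is from certificates it has already
accepted, so its notion of the date lags real time and a terminal
certificate that has long expired can still be accepted.  Holders and
dates below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    holder: str
    effective: date              # first day of validity
    expiry: date                 # last day of validity
    trusted_issuer: bool = True  # assume the signature was already verified


class ClocklessChip:
    """Remembers the latest effective date it has seen as its 'current date'."""

    def __init__(self, personalised_on: date):
        self.current_date = personalised_on

    def accepts(self, cert: Cert) -> bool:
        """Accept unless the certificate expired before the chip's own date.

        Because the chip has no clock, its date only moves forward when a
        certificate from a trusted issuer carries a later effective date.
        """
        if cert.expiry < self.current_date:
            return False
        if cert.trusted_issuer and cert.effective > self.current_date:
            self.current_date = cert.effective
        return True


def stale_chip_scenario(real_now: date = date(2008, 6, 1)) -> dict:
    """A chip personalised in 2007 that has never seen a newer certificate."""
    chip = ClocklessChip(date(2007, 1, 1))
    terminal = Cert("IS-Airport", date(2007, 1, 10), date(2007, 2, 10))
    return {
        "expired_in_reality": terminal.expiry < real_now,
        "accepted_by_chip": chip.accepts(terminal),
        "chip_date": chip.current_date,
    }


def updated_chip_scenario() -> dict:
    """The same chip after it has accepted a newer trusted certificate.

    Its date moves forward, and only then is the old terminal certificate
    refused.  Until that happens the one-month validity limit is not enforced.
    """
    chip = ClocklessChip(date(2007, 1, 1))
    newer = Cert("DV-Home", date(2008, 5, 1), date(2008, 11, 1))
    old_terminal = Cert("IS-Airport", date(2007, 1, 10), date(2007, 2, 10))
    return {
        "newer_accepted": chip.accepts(newer),
        "chip_date": chip.current_date,
        "old_terminal_accepted": chip.accepts(old_terminal),
    }


if __name__ == "__main__":
    print(stale_chip_scenario())
    print(updated_chip_scenario())
```

In the first scenario the terminal certificate is a year and a half past its expiry in real time, yet the chip accepts it, because nothing has ever told the chip that time has moved on.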
The biometric data is stored as a complete data set and not as a hashed data set. Mr. Kefauver claims that if the biometric data were hashed, it would "make it useless in a globally-interoperable environment such as border control."
The fact is that if, for example, the fingerprint is not hashed, a physical duplicate of the fingerprint could easily be built from the image stored on the ePassport. A hashed value of this sensitive data would protect it against physical replication. Mr. Kefauver does not tell us why we should not be concerned about this.
His next argument is that all the scenarios we presented are based on us seeing "these chip-based passports as a toy to be brought into the laboratory and made sport with on the basis of impractical and questionable scenarios, [...]".
However, this is the standard approach that established companies in the security industry have followed for many years when auditing any system. A specific scenario may be impractical or questionable today, but it may be realistic tomorrow, and it is simply wrong to handle security issues this way. In essence, the history of IT security and systems teaches us that there is no such thing as an impractical or questionable scenario. Just the opposite is true: typically there are more scenarios in the real world that will break a given system than could ever be detected or anticipated in a laboratory environment.
In the interesting part of the interview, where Mr. Kefauver is asked about the security features of the chip, his statements avoid the core of the problem. Instead he repeatedly points out that the printed security features will protect the chip. From our point of view, Mr. Kefauver does not understand that the ePassport opens a public channel into the inspection system, including the computer systems at border control: the reader has to parse whatever the chip sends it. Thus, malicious data injected into an official passport could find its way into those systems when the passport is presented there.
"The fact is that the genre of chip used for inventory control and the
14443 chip used in passports are completely different technologies [...]".
This quote shows Mr. Kefauver's lack of technical expertise in the RFID field. The same RFID reader used to read ISO 14443 chips can read ISO 15693 chips (the chips used for inventory control) with the same antenna; both standards operate on the same 13.56 MHz carrier. If ISO 14443 and 15693 were completely different technologies, why is RFDump (http://www.rfdump.org) able to read both types with the exact same program code?
"Cloning a chip is basically the electronic version of photocopying someone else's passport data page. Imagine going up to a passport inspector and attempting to present a photocopied data page of somebody else's passport, and essentially you have the security-threat equivalent of cloning a chip. You'd be laughed out of border control and escorted to the door, maybe by security officials, maybe by the nice men in white coats. Again, the rigour to be applied with cloning is the 'so what' test.
Cloning a chip has no impact on a passport's security or the bearer's privacy; it is a non-issue."
This is incorrect in two ways. A digital copy of data is always identical to the original (this is the very nature of digital versus analog) and thus cannot be distinguished from the original. A photocopy of the data page, by contrast, is clearly distinguishable from the original and would of course be detected by a human inspector. Furthermore, since the ultimate goal is to have automatic gates at border control, we should assume that in the long run we will lose the human element as an additional layer of protection that makes sure the documents presented at border control "make sense".
To compare this with Mr. Kefauver's example, here is ours:
An illegitimate passenger with a cloned (valid) data chip embedded in his passport approaches the automated inspection system. Before his trip he prepared his original passport: he destroyed the original RFID chip in his microwave oven and taped the new forged RFID chip into his passport. The cloned chip is a copy of his destroyed original chip, extended with a software exploit that gives him full control of the computer inside the inspection system. After checking the physical security features, the RFID reader tries to read the data in the passport. While the forged data is being read, the exploit takes over the IT system. No human is able to see anything suspicious, but the modified software now lets him pass border control.
So, Mr. Kefauver, how do you deal with this scenario? And please don't tell me that your systems are 100% secure, evaluated systems. We all know this is not the truth.
IT security is much more complex than that. Not a single piece of software in the world is 100% secure. Two examples are the Apple iPhone and the Microsoft license validation in Windows Vista. Both have been cracked, although Apple and Microsoft employed their best and brightest developers to protect their assets. Why does the ICAO think it can do better in the software field than two of the largest software companies in the world?
Another example where we are told only half of the truth:
"The bottom line is that yes, you can skim, but this is extremely impractical with Basic Access Control and other measures that States are now implementing using state-of-the-art cryptographic technology."
So why is the key for Basic Access Control derived from data printed on the passport's data page, in the machine-readable zone?
How secure is the "state-of-the-art", or rather 3DES, if the key space is very limited and the key can be inferred from the personal data of the passport's owner? In theory it would be sufficient to look over the shoulder of somebody filling out his US immigration form on an airplane to obtain all the information necessary to deduce the key.
When you check into a hotel in Europe, the first thing the receptionist typically does is make a copy of your passport's data page so the hotel employees can register you. Again, your key for Basic Access Control is gone.
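The derivation is public, so the point about the key space can be checked rather than argued. The following is an added example, not code from this letter or from any inspection system: it derives the BAC keys from the three MRZ fields (document number, date of birth, date of expiry) following the procedure in ICAO Doc 9303 (SHA-1 over the MRZ information with its check digits, then 3DES keys with odd parity), and estimates the size of the search space under stated assumptions. The MRZ values used are the published ICAO Doc 9303 test vector, not a real person's passport; the candidate counts in `keyspace_bits` are assumptions chosen for illustration.

```python
"""BAC key derivation from the MRZ and a key-space estimate.

Added example, not code from the letter or from any inspection system.
The derivation follows ICAO Doc 9303 (MRZ information with check digits,
SHA-1, 3DES keys with odd parity).  The MRZ values in the usage section
are the published Doc 9303 test vector, not a real passport; the
candidate counts used for the key-space estimate are assumptions.
"""
import hashlib
import math

_WEIGHTS = (7, 3, 1)


def _char_value(c: str) -> int:
    """MRZ check-digit alphabet: digits as-is, A-Z as 10-35, filler '<' as 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> str:
    """Weighted sum (7, 3, 1 repeating) modulo 10, as printed in the MRZ."""
    total = sum(_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Document number (9 chars, '<' padded), DOB and expiry as YYMMDD,
    each followed by its check digit.  This string is the whole key input."""
    doc_number = doc_number.ljust(9, "<")
    return (doc_number + check_digit(doc_number)
            + birth + check_digit(birth)
            + expiry + check_digit(expiry))


def _adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every DES key byte (the low bit is the parity bit)."""
    out = bytearray()
    for b in key:
        if bin(b).count("1") % 2 == 0:
            b ^= 1
        out.append(b)
    return bytes(out)


def derive_bac_keys(doc_number: str, birth: str, expiry: str):
    """Return (K_seed, K_enc, K_mac) for the given MRZ fields."""
    info = mrz_information(doc_number, birth, expiry)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    k_enc = _adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = _adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_seed, k_enc, k_mac


def keyspace_bits(doc_candidates: int = 10 ** 9,
                  birth_candidates: int = 36525,
                  expiry_candidates: int = 3652) -> float:
    """Upper bound, in bits, on what an attacker has to search.

    Defaults are assumptions: a purely numeric 9-digit document number,
    a date of birth anywhere in 100 years, an expiry anywhere in 10 years.
    Pass 1 for any field the attacker already knows.
    """
    return math.log2(doc_candidates * birth_candidates * expiry_candidates)


if __name__ == "__main__":
    # ICAO Doc 9303 test vector (not a real passport).
    seed, enc, mac = derive_bac_keys("L898902C<", "690806", "940623")
    print("MRZ_information:", mrz_information("L898902C<", "690806", "940623"))
    print("K_seed:", seed.hex().upper())
    print("K_enc: ", enc.hex().upper())
    print("K_mac: ", mac.hex().upper())
    print("all fields unknown:      %.1f bits" % keyspace_bits())
    print("DOB and expiry known:    %.1f bits" % keyspace_bits(10 ** 9, 1, 1))
```

Everything that goes into the hash is printed on the data page, which is the letter's point: whoever has seen the page, from a hotel receptionist to a neighbour on the plane, can run this same function. Even with no knowledge at all, the default assumptions give a search space of under 57 bits, far below the nominal strength of a 112-bit 3DES key, and every field the attacker already knows removes its share outright.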
"[...] nor does it matter that someone can get far more useful information from a trash-can in your driveway, nor does it matter that many hotels, for instance, regularly ask for your passport and photocopy it for their verification and records, thereby duplicating exactly the same sort of information that a skimmer might find from a chip with much more expense and effort [...]".
But skimming the chip also opens the door to tracking and tracing the holder of the passport. Most citizens can decide what to dump into their trashcans. However, if you need to travel and have to use an ePassport, you no longer have that choice, unless you are from Switzerland, where you can decide whether or not you want an RFID chip embedded in your new passport.