3M Security Systems

© 3M 2010. All Rights Reserved.

Blackhat Europe 2010

Verifying eMRTD Security Controls

Raoul D’Costa

Agenda

• Overview of ICAO / EU Specifications
• eMRTDs decomposed
• eMRTD Infrastructure (PKI)
• Inspecting eMRTD
• User Interface Design
• Conclusion

Introduction

• Section 1: Overview of eMRTD Specifications

eMRTD Specifications

• ICAO Travel Document - Doc 9303
• Core Specifications set by the International Civil Aviation Organisation (ICAO) NTWG / SC17 collaboration
• Supplemented by BSI ASM for eMRTDs (EAC)
• Authenticated eMRTDs provide identity verification of the eMRTD holder
• Issued by Issuing Authorities in nation states or international bodies (e.g. INTERPOL) as enhanced identity security documents
• Commonly issued eMRTDs include national ePassports and eID Cards; Seafarers documents and Biometric Residence Permits use the same specifications

[Figure: eMRTD Types]

[Figure: eMRTD – RFID Integrated Circuit Card]

[Figure: Symbol denoting Chipped eMRTD]

[Figure: Nation States that issue MRTDs (2009)]

eMRTD Decomposed

• Section 2: eMRTDs Decomposed

[Figures: eMRTD Decomposed (two slides)]

[Figure: eMRTD Decomposed - Chip, with labels "Master Files" and "USER APPLICATION"]

Datagroup 1

• Contains the following information
  • Date of Birth
  • Passport Number
  • Expiry Date
• Access to the file is protected by Basic Access Control

Datagroup 2

• Encoded photograph to ISO Standard to ensure quality of data image
• Access is protected by Basic Access Control
• Images encoded in JPEG or JPEG2000 formats
• Photographs are standardised to ensure visual comparison and automated biometric verification
• Images to overcome interoperability challenges (different biometric verification algorithms)

[Figure: eMRTD Verification]

[Figure: eMRTD Decomposed - EF.COM]

Datagroup 3

• Fingerprints and Iris are a second generation feature of eMRTDs
• Sensitive Data protected by EAC as an enhancement to BAC
• Access is protected by Extended Access Control (separate PKI authorisation scheme)
• Images encoded in JPEG or JPEG2000 formats to overcome biometric interoperability problems
• No International Standard yet

EF.COM Data

• Contains a map of the tags, lengths and values present in the file
• Is not protected (digitally signed) by issuing authority
• Cannot be trusted unless authenticated to EF.SOD

eMRTD Decomposed – EF.SOD

• Contains the hash values of all the data groups
• Hash values signed by a document signing authority with private key (SOD = Digital Signature)
• May contain the Document Signer Certificate (DSC) that corresponds to the public key element used to create the SOD, or a reference to the DSC
• Can be trusted provided the Document Signer Certificate is validated

[Figure: EF.SOD]

[Figure: eMRTD Deconstructed - EF.SOD, with label "SIGNATURE"]

[Figure: Presenting the results]

Verifying EF.SOD

• Part of the Passive Authentication process
• Verify the ASN.1 Structure
• Verify the hash values present
• Verify the signature against the public key element contained in related Document Signer Certificate
• Authenticate the Document Signer Certificate
  • Verify the certificate chain of the DSC against the CSCA Certificate dynamically
  • Pre-validated DSCs in protected Certificate Cache Store

[Figure: Reliance on genuine passport numbers]

eMRTD Infrastructure (PKI)

• Section 3: eMRTD Infrastructure (PKI)

ePassport Infrastructure – 1st Generation

[Diagram labels: CSCA Authority, Document Signer Service, ICAO PKD, Registration Authority, Inspection System, Issuance, Verification, National Infrastructure]

Second Generation Extensions

[Diagram labels: CVCA, DVCA, SPOC, Registration Authority, Inspection System, Issuance, Verification]

[Figure: ePassport Infrastructure – 2nd Generation]

ICAO Public Key Directory

• Global repository of certificates used to validate eMRTDs
• Relies on Issuing Authority subscribers uploading data to the PKD
• Regularly updated with
  • Document Signer Certificates
  • CRLs
  • Null CRLs
  • MasterLists
• Serves as a trust anchor on eMRTDs

ICAO PKD

https://pkddownloadsg.icao.int/ICAO/pkdLDIFDownload.jsp

[Figure: eMRTD Verification]

Inspecting eMRTD Effectively

• Section 4: Inspecting eMRTD Effectively

[Figure: Inspection Terminals – RFID Readers]

eMRTD Verification Process

[Flowchart. Boxes: Holder provides eMRTD; MRTD to Be Inspected; Physical Check; Perform Physical Checks; Extract MRZ; Validate MRZ; Query against whitelist; Perform BAC using MRZ; Extract Data; Perform PA Checks; Perform Facial Checks; Perform AA; Perform EAC; Perform Fingerprint matching; Record Result; Produce Result. Decisions (Y/N): MRZ Valid; BAC Successful; AA Present; Contains 2nd Gen Features; EAC Successful.]

[Figure: Physical Checks: Reliance on experts?]

Physical Checks

• Check that the document has not been tampered with
• Check the document under various wavelengths of light
• Check that the document has not expired

Limitations of Physical Checks

• Difficult to automate
• Not standardised
• Can be subjective
• Physical inspection is not always logged

Validate MRZ

• Validate that the contents of the MRZ are valid
• Validate the checksum
• Validate that they match the contents of the passport

[Figure: Validation of MRZ Checksum]
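The checksum step above, as an added example that is not part of the original slides: ICAO Doc 9303 check-digit validation for line 2 of a passport-size (TD3) MRZ. The function names and the returned dictionary are assumptions made for illustration; the sample line is specimen-style data for the fictitious issuing state UTO.

```python
# Added example (not from the slides): ICAO Doc 9303 check digits, TD3 MRZ line 2.
import string

VALUES = {c: i for i, c in enumerate(string.digits + string.ascii_uppercase)}
VALUES["<"] = 0          # filler character counts as zero
WEIGHTS = (7, 3, 1)      # repeating weights

# Sample input: specimen-style line 2 for the fictitious issuing state UTO.
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

# (field name, start, end, check-digit index), 0-based positions in line 2
TD3_FIELDS = (
    ("document_number", 0, 9, 9),
    ("date_of_birth", 13, 19, 19),
    ("date_of_expiry", 21, 27, 27),
    ("personal_number", 28, 42, 42),
)

def check_digit(field: str) -> int:
    """Sum of character value times weight (7, 3, 1 repeating), modulo 10."""
    return sum(VALUES[c] * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def _matches(data: str, cd: str, optional: bool = False) -> bool:
    if optional and cd == "<" and set(data) == {"<"}:
        return True      # unused optional field may carry '<' as its check digit
    # A letter in a check-digit position (typical OCR misread) is a failure.
    return cd.isdigit() and check_digit(data) == int(cd)

def validate_td3_line2(line: str) -> dict:
    """Return {field: bool}; raise ValueError if the line is malformed."""
    if len(line) != 44 or any(c not in VALUES for c in line):
        raise ValueError("expected 44 characters from 0-9, A-Z and '<'")
    result = {
        name: _matches(line[s:e], line[i], optional=(name == "personal_number"))
        for name, s, e, i in TD3_FIELDS
    }
    # Composite digit covers positions 1-10, 14-20 and 22-43 of the line.
    composite = line[0:10] + line[13:20] + line[21:43]
    result["composite"] = _matches(composite, line[43])
    return result

if __name__ == "__main__":
    print(validate_td3_line2(SPECIMEN_LINE2))
    # Same line with the expiry year altered but check digits left untouched.
    print(validate_td3_line2(SPECIMEN_LINE2[:21] + "2" + SPECIMEN_LINE2[22:]))
```

An altered field fails both its own check digit and the composite digit, which is why an inspection system should report the per-field results rather than a single pass/fail.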

BAC

• Extract the following fields
  • Date of Birth
  • Document Number
  • Expiry Date
• Send these to the chip
• These should match DG1
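How a reader turns the three MRZ fields above into BAC key material under ICAO Doc 9303, followed by the DG1 comparison the slide calls for; this is an added example, not code from the original slides. The function names are assumptions, and the sample line uses specimen values for the fictitious issuing state UTO.

```python
# Added example (not from the slides): BAC key material per ICAO Doc 9303.
import hashlib

# Sample input: specimen-style TD3 line 2 for the fictitious issuing state UTO.
SAMPLE_LINE2 = "L898902C<3UTO6908061F9406236ZE184226B<<<<<14"

def mrz_information(line2: str) -> str:
    """Document number, date of birth and expiry date, each with its check digit."""
    if len(line2) != 44:
        raise ValueError("expected a 44-character TD3 line 2")
    return line2[0:10] + line2[13:20] + line2[21:28]

def _odd_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as DES keys require."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        out.append(b if bin(b).count("1") % 2 else b | 1)
    return bytes(out)

def bac_keys(line2: str) -> dict:
    """Derive K_seed, K_enc and K_mac (two-key 3DES) from the MRZ fields."""
    k_seed = hashlib.sha1(mrz_information(line2).encode("ascii")).digest()[:16]

    def derive(counter: int) -> bytes:
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(digest[:16])

    return {"k_seed": k_seed, "k_enc": derive(1), "k_mac": derive(2)}

def mrz_matches_dg1(optical_line2: str, dg1_line2: str) -> bool:
    """After BAC succeeds, the printed MRZ fields should equal those in DG1."""
    return mrz_information(optical_line2) == mrz_information(dg1_line2)

if __name__ == "__main__":
    for name, value in bac_keys(SAMPLE_LINE2).items():
        print(name, value.hex().upper())
```

Because the keys depend only on printed data, a misread of any of the three fields makes BAC fail, so a BAC failure should be recorded together with the MRZ validation result.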

Facial Biometrics

• Match the holder to the DG2 using facial biometrics
• DG2 is required to meet certain standards
• Used in some countries including
  • Portugal
  • Australia
  • UK (Trial)

[Figure: Biometric Facial Checking]

Passive Authentication

• Check the validity of EF.SOD
• Check the hash values of the datagroups
• Check the signature of SOD
• Check the chain of the document signer certificate
• Check against null and non null CRLs
• ICAO PKD maintains certificates for subscribers
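The "hash values" step of Passive Authentication (listed here and on the Verifying EF.SOD slide), as an added example that is not part of the original slides. It assumes the EF.SOD signature and Document Signer Certificate chain were already verified elsewhere; the function names, status strings and sample file contents are constructed for illustration.

```python
# Added example (not from the slides): the data-group hash step of Passive Authentication.
import hashlib
import hmac

def check_datagroup_hashes(sod_hashes, read_dgs, com_dgs, algorithm="sha256"):
    """Compare files read from the chip with the digests listed in EF.SOD.

    sod_hashes: {dg_number: digest} from an EF.SOD whose signature and Document
                Signer Certificate chain have already been verified (assumed).
    read_dgs:   {dg_number: file bytes} actually read from the chip.
    com_dgs:    data group numbers advertised by the unsigned EF.COM.
    """
    report = {}
    for dg in sorted(set(sod_hashes) | set(read_dgs) | set(com_dgs)):
        if dg not in sod_hashes:
            report[dg] = "NOT_SIGNED"   # present or advertised, not covered by EF.SOD
        elif dg not in read_dgs:
            report[dg] = "NOT_READ"     # e.g. DG3 when EAC was not performed
        else:
            digest = hashlib.new(algorithm, read_dgs[dg]).digest()
            same = hmac.compare_digest(digest, sod_hashes[dg])
            report[dg] = "VALID" if same else "INVALID"
    return report

def hashes_acceptable(report, com_dgs, sod_hashes):
    """Pass only if nothing is INVALID or unsigned and EF.COM agrees with EF.SOD."""
    bad = any(s in ("INVALID", "NOT_SIGNED") for s in report.values())
    return not bad and set(com_dgs) == set(sod_hashes)

def sample_chip():
    """Constructed sample: placeholder file contents standing in for DG1 to DG3."""
    files = {
        1: b"DG1 constructed MRZ bytes",
        2: b"DG2 constructed face image",
        3: b"DG3 constructed fingerprint image",
    }
    sod = {n: hashlib.sha256(data).digest() for n, data in files.items()}
    return files, sod

if __name__ == "__main__":
    files, sod = sample_chip()
    readable = {1: files[1], 2: files[2]}          # DG3 not read (no EAC)
    print(check_datagroup_hashes(sod, readable, [1, 2, 3]))
```

Treating EF.COM's list as a claim to be checked against EF.SOD, rather than as the list of files to verify, follows the earlier slide's point that EF.COM cannot be trusted on its own.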

Active Authentication

• Ensures the eMRTD is not cloned
• Challenge response between the terminal and the eMRTD

Passive Authentication

• CSCAs can be exchanged
  • By diplomatic channels
  • Using CSCA MasterLists
• A CSCA is a trust anchor and can identify the eMRTD Issuing Authority
• Inspection System Integrity and Performance
• Security controls must ensure that bogus CSCAs cannot be inserted during the verification process
• Inspection System Architecture designed to requirements (not one fits all) – depends upon operating environment, devices, key management strategy, network reliability

Extended Access Control

• Consists of the following
  • Chip Authentication
  • Terminal Authentication
• Provides the following
  • Mutual authentication between the chip and the terminal
  • Some indication of the issuer of the eMRTD
  • Privacy of the fingerprints on the passport

Second Generation Features

• EAC requires the implementation of the EAC infrastructure to ensure verification
• EAC protects the privacy of the fingerprints on the ePassport
• EAC proves the issuer of the ePassport
• EAC ensures that only authorised terminals can read fingerprints

Fingerprint matching

• DG3 contains the fingerprint
• 0 – 10 digits can be stored depending on the country where fingerprints are captured
• Fingerprint image contained (not a template)

[Figure: Registration: A link in the chain]

Consolidating Checks

[Figure: status grid for Fingerprint Biometric, Facial Biometric, AA, TA, BAC, Expiry Check, MRZ, Physical. Legend: NOT PRESENT, INVALID, VALID]

Use Case 1: Valid 2nd Gen eMRTD

[Figure: status grid for Fingerprint Biometric, Facial Biometric, AA, TA, PA, BAC, Expiry Check, MRZ, Physical. Legend: NOT IMPLEMENTED, NOT PRESENT, INVALID, VALID]

Use Case: 1st Gen Fake Passport

[Figure: same status grid and legend]

Use Case: Cloned 2nd Gen eMRTD

[Figure: same status grid and legend]

Use Case: Possible Fake Passport

[Figure: same status grid and legend]

An expired eMRTD

[Figure: same status grid and legend]

Use Case: Fake Passport

[Figure: same status grid and legend]

Usability of eMRTD Inspection Systems

• Section 5: Usability of eMRTD Inspection Systems

Usability Challenges

• Use their terminology
  • Counterfeit (not "PA has failed")
  • Falsified (not "Digital Signature is not verified")
  • Cloned (not "Active Authentication has been subverted")
  • Access denied (Terminal Authentication does not have appropriate CV chains)
• Simplicity by design
  • User Interface design aligns with tasks
  • Clear feedback on processing
  • State of device (security)
• Case Studies
  • Engage with Users

Conclusion

• Section 6: Conclusion

Conclusion

• eMRTDs are complex documents and need to be verified appropriately
• Partial checking of some features is not enough to guarantee that the document is authentic
• Various designs and physical layouts of documents from various countries can easily lead to confusion although the electronic features are standardised and the same
• User interface design for eMRTD verification apps should provide a result in a clear and concise manner

Questions?

• Raoul D’Costa
• redcosta AT mmm DOT com
• uk.linkedin.com/in/raouldcosta
• 00441635264104
