Weakening ePassports through Bad Implementations

  • Conference paper
Radio Frequency Identification. Security and Privacy Issues (RFIDSec 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7739)

Abstract

Different countries issue an electronic passport (ePassport) embedding a contactless chip that stores the holder's data. To prevent unauthorized reading of the sensitive information on the chip, an access control mechanism based on symmetric cryptography, Basic Access Control (BAC), has been introduced. In this work we present the flaws we have found in some implementations of the software hosted on ePassport chips and how BAC is affected. In particular, we show how it is possible to discern the different software versions used on the chip over time through some of their peculiar fingerprints. This information can be used to shrink the BAC key space, making the protocol weaker. In addition, we show the presence of a defective function to exchange random material during the BAC procedure that opens a door for a hypothetical MITM attack. The results of this paper could be exploited as a first guide for reviewing and refining existing ePassport implementations.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sportiello, L. (2013). Weakening ePassports through Bad Implementations. In: Hoepman, JH., Verbauwhede, I. (eds) Radio Frequency Identification. Security and Privacy Issues. RFIDSec 2012. Lecture Notes in Computer Science, vol 7739. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36140-1_9

  • DOI: https://doi.org/10.1007/978-3-642-36140-1_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36139-5

  • Online ISBN: 978-3-642-36140-1

  • eBook Packages: Computer Science, Computer Science (R0)
