Abstract
The new electronic passport stores biometric data on a contactless readable chip to uniquely link the travel document to its holder. This sensitive data is protected by a complex protocol called Extended Access Control (EAC) against unlawful readouts. EAC is manifold and thus needs a complex public key infrastructure (PKI). Additionally EAC is known to suffer from unsolved weaknesses, e.g., stolen (mobile) passport inspection systems due to its missing revocation mechanism. The paper at hand seeks for potential approaches to solve these shortcomings. As a result we present an evaluation framework with special focus on security and scalability to assess the different candidates and to give a best recommendation. Instead of creating new protocols, we focus on solutions, which are based on well-known protocols from the Internet domain like the Network Time Protocol (NTP), the Online Certificate Status Protocol (OCSP), and the Server-based Certificate Validation Protocol (SCVP). These protocols are openly standardised, widely deployed, thoroughly tested, and interoperable. Our recommendation is that the EAC PKI would benefit most from introducing NTP and OCSP.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Bickenbach, H.J., Brauckmann, J., Alfred, G., Horváth, T., Knobloch, H.J.: Common PKI Specifications for interoperable Applications, v2.0 (January 2009), http://www.common-pki.org/uploads/media/Common-PKI_v2.0.pdf
BSI: Certificate Policy für die ePass-Anwendung der hoheitlichen Dokumente. Bundesamt für Sicherheit in der Informationstechnik (BSI) (October 2010)
BSI: Technical Guideline TR-03110 Advanced Security Mechanisms for Machine Readable Travel Documents - Extended Access Control (EAC), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI). Bundesamt für Sicherheit in der Informationstechnik (BSI), 2.05 edn. (October 2010)
Chaabouni, R., Vaudenay, S.: The extended access control for machine readable travel documents, EPFL (February 2010)
Deacon, A., Hurst, R.: The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments. RFC 5019 (Proposed Standard) (September 2007)
Hoepman, J.-H., Hubbers, E., Jacobs, B., Oostdijk, M., Schreur, R.W.: Crossing borders: Security and privacy issues of the european e-passport. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S. (eds.) IWSEC 2006. LNCS, vol. 4266, pp. 152–167. Springer, Heidelberg (2006)
ICAO: ICAO MRTD Report, vol. 1(1) (March 2006)
ICAO: ICAO MRTD Report, vol. 2(1) (April 2007)
IETF: RFC 2560 – X.509 Internet Public Key Infrastructure – Online Certificate Status Protocol - OCSP
IETF: RFC 3820 – Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile
IETF: RFC 5055 – Server-Based Certificate Validation Protocol (SCVP)
IETF: RFC 5246 – The Transport Layer Security (TLS) Protocol - Version 1.2
IETF: RFC 5905 – Network Time Protocol Version 4: Protocol and Algorithms Specification
ISO: Identification cards – Integrated circuit cards – Part 8: Commands for security operations – ISO/IEC 7816-8 (September 2009)
Moses, T.: Protecting biometric data with extended access control – securing biometric datasets in electronic identification documents, Entrust, Inc. (January 2010), http://download.entrust.com/resources/download.cfm/23504/
Papapanagiotou, K., Markantonakis, C., Zhang, Q., Sirett, W.G., Mayes, K.: On the Performance of Certificate Revocation Protocols Based on a Java Card Certificate Client Implementation. In: Sasaki, R., Qing, S., Okamoto, E., Yoshiura, H. (eds.) SEC 2005. IFIP AICT, vol. 181, pp. 551–564. Springer, Heidelberg (2005)
Pasupathinathan, V., Pieprzyk, J., Wang, H.: An on-line secure e-passport protocol. In: Chen, L., Mu, Y., Susilo, W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 14–28. Springer, Heidelberg (2008)
Rankl, W., Effing, W.: Smart Card Handbook, 4th edn. Wiley (August 2010)
Straub, T., Hartl, M., Ruppert, M.: Digitale Reisepässe in Deutschland - Prozesse und Sicherheitsinfrastruktur. In: Dittmann, J. (ed.) Sicherheit. LNI, vol. 77, pp. 233–243. GI (2006)
van Tilborg, H.C., Jajodia, S. (eds.): Encyclopedia of Cryptography and Security, 2nd edn. Springer (September 2011)
Vaudenay, S., Vuagnoux, M.: About machine-readable travel documents. Journal of Physics: Conference Series 77(1) (2007)
Wiegers, K.E.: Software Requirements, 2nd edn. (Pro-Best Practices). Microsoft Press (March 2003)
Yum, D.H., Lee, P.J.: Separable Implicit Certificate Revocation. In: Park, C., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 121–136. Springer, Heidelberg (2005)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Buchmann, N., Baier, H. (2014). Towards a More Secure and Scalable Verifying PKI of eMRTD. In: Katsikas, S., Agudo, I. (eds) Public Key Infrastructures, Services and Applications. EuroPKI 2013. Lecture Notes in Computer Science, vol 8341. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-53997-8_7
Download citation
DOI: https://doi.org/10.1007/978-3-642-53997-8_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-53996-1
Online ISBN: 978-3-642-53997-8
eBook Packages: Computer ScienceComputer Science (R0)