European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union Operational and Technical security of Electronic Passports Warsaw, July 2011 Legal notice The contents of this publication do not necessarily reflect the official opinion of any institution or body of the European Union. Neither Frontex nor any person or company acting on behalf of Frontex is responsible for the use that may be made of the information contained in this report. All rights reserved No part of this publication may be reproduced in any form or by any means electronic or mechanical, including photocopying, recording or by any information storage retrieval system, without permission in writing from the copyright holder. For translation or reproduction rights please contact Frontex (address information below) Information about the European Union is available on the Internet. It can be accessed through the Europa server (www.europa.eu) Frontex Agency Rondo ONZ 1 00-124 Warsaw Poland Tel: +48 22 544 9500 Fax: +48 22 544 9501 Web: www.frontex.europa.eu Enquiries: [email protected] 2 of 189 Operational and Technical security of Electronic Passports – Frontex, Warsaw, July 2011 Introductory Note by Frontex In 2010 Frontex — also formally known as European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union — commissioned a study on the Security of Electronic Passports (e- Passports) in Europe. In the following paragraphs we briefly describe why and how this was done. Frontex Research and Development Unit As part of the Capacity Building Division at Frontex, the Research and Development Unit (RDU) is tasked to follow up on developments in research relevant to border control and disseminate this information to the end-users. The Unit‘s objectives according to the Frontex Multi Annual Plan 2010-2013 are in particular: a) to drive the process of harmonization and development of standards, both technical and operational, for border control; b) to provide for adequate representation of the common interests of the Member States in European border security research; c) to keep Member States informed concerning new technical/technological developments in the field of border control. The Unit produces guidelines and commissions studies to assess the value of new technology and to help establish priorities for the development of future capabilities for European border security. Examples of the guidelines and studies produced, or in production, by the Unit include ―Best Practice Guidelines on the Design, Deployment and Operation of Automated Border Crossing Systems (2011)‖, ―BIOPASS – Study on Automated Border Crossing systems for Registered Passengers at Four European Airports‖, ―BIOPASS II – Automated Biometric Border Crossing Systems Based on Electronic Passports and Facial Recognition: RAPID and SmartGate‖, ―Ethics of border control‖, ―Anti- corruption measures in EU border control‖. 3 of 189 Operational and Technical security of Electronic Passports – Frontex, Warsaw, July 2011 Study on Electronic Passport Security e-Passport, as identified by the symbol at bottom-left. Since August 2006 the 27 Member States of the European Union have been required to issue e-Passports that contain a digital facial image, and since June 2009 they have been obliged to issue second generation e-Passports that also include two fingerprints. The purpose of mandating issuance of e-Passports has been to strengthen the link between the passport and the carrier of the passport, as well as to make it easier to verify the authenticity of the passport. Other European biometric initiatives include the Visa Information System currently being rolled out, which is used for 3rd country nationals applying for a visa to the Schengen area. With the increase in the numbers of e-Passports in circulation in the European Union the need arises to assess the security impact of the new technology. Border guards will be encountering e-Passports in ever greater numbers, and in some cases – most notably the Automated Border Control (ABC) systems already in operation in several major European airports – the added functionality of these passports is already being put to use for travel facilitation of European citizens. Meanwhile, the added security that e-Passports can provide, with the proviso that they are used correctly, will likely mean that fraudulent travelers will move away from falsified passports and instead seek to subvert the border control system either by attempting look-alike fraud using genuine documents, or by trying to subvert the issuance process in order to be fraudulently issued with genuine e-Passports. The Schengen borders-code, and also the Schengen handbook, provide instructions on how to conduct border checks and border surveillance, but does not deal with biometrics to any larger extent. In view of this, coupled with the widespread dissemination of e-Passports, the Frontex Research and Development Unit commissioned a study on the ―Operational and Technical security of E-passports‖ in 2010. 4 of 189 Operational and Technical security of Electronic Passports – Frontex, Warsaw, July 2011 The tender for the study was awarded to PriceWaterhouseCoopers, working together with Collis and the digital-security group of Radboud University, Nijmegen, the Netherlands. The study group began their work in mid 2010 and the study was completed by the spring of 2011. The specific objectives of the study, as stated in the terms of reference, were as follows: a) to establish an inventory of security relevant issues in the context of the application for, production, and use of electronic passports (BAC and EAC) in Europe; b) to individuate differences among EU/Schengen member States and highlight eventual problems for interoperability when the passports are used for identification at external borders; c) to identify best practices related to the issuance processes; d) to suggest a set of recommendation to redress security gaps in the issuance process. The study included direct interviews with selected experts and a questionnaire answered by European authorities, and was concluded with a risk-analysis workshop attended by experts selected by the EU/Schengen Member States national authorities. The resulting report covers not only security but also interoperability and follows the e-Passport through all the steps of its life-cycle, from application to invalidation. e-Passport life-cycle. 5 of 189 Operational and Technical security of Electronic Passports – Frontex, Warsaw, July 2011 Interesting issues that unfortunately had to be left outside the scope of the study include technical issues specific for e-Passport readers or the accuracy of biometric technologies. The final report of the study is presented here as it was delivered to Frontex by the study group, with only some cosmetic modifications. Frontex supported the work of the study group with guidance and contacts, but did not in any way affect the production of the report as regards conclusions and recommendations. During the concluding risk analysis workshop it was found that the attending experts in some cases held differing views on vulnerabilities and priorities, so the study should be seen as an initial wide probe into the issue of European e-Passport security. Future activities At the time of writing some of the topics under consideration by the Frontex Research & Development Unit for future action as a consequence of the study are: a) standards for evaluation of biometric systems in Europe; b) PKI technical implementation surveys; c) e-Passport interoperability; d) recommendations for e-Passport inspection procedures; e) gap analysis for border control (not limited to e-Passports). 6 of 189 Operational and Technical security of Electronic Passports – Frontex, Warsaw, July 2011 Table of contents 1. Introduction to the study 13 2. E-passport document study 14 2.1. Introduction 15 2.2. E-passport documentation 17 2.2.1. E-passports in Europe 17 2.2.2. Security mechanisms of e-passports 17 2.3. Technical security of e-passports 25 2.3.1. Documentation 25 2.3.2. Security objectives 29 2.3.3. Conclusions 31 2.4. Issuance security of e-passports 32 2.4.1. European regulation of the issuance process 32 2.4.2. Security issues identified in literature 32 2.4.3. Conclusions 34 2.5. Usage security and interoperability of e-passports 35 2.5.1. E-passport usage 35 2.5.2. Inspection procedure 37 2.5.3. Inspection systems 40 2.5.4. Security issues 40 2.5.5. Interoperability 43 2.5.6. Configuration of security mechanisms 44 2.5.7. Mitigating the impact of known issues in genuine e-passports 45 2.5.8. Conclusions 45 3. Interview results 46 3.1. Interview results on issuance 46 3.2. Interview results on technical security and usage 47 4. Generic threat and vulnerability assessment in the e- passport life cycle 49 4.1. Introduction 49 4.2. Risk identification 50 4.2.1. Ultimate incident outcome 50 7 of 189 Operational and Technical security of Electronic Passports – Frontex, Warsaw, July 2011 4.2.2. Incident outcomes 51 4.2.3. Attack model 52 4.3. E-passport life cycle 55 4.3.1. Security management 57 4.3.2. Development and Manufacturing 57 4.3.3. Application 62 4.3.4. Entitlement 66 4.3.5. Personalisation 69 4.3.6. Delivery 73 4.3.7. Usage 76 4.3.8. Invalidation 82 4.4. Summary table of vulnerabilities per life cycle step 85 5. Questionnaire results 101 5.1. Conclusions from the questionnaire 101 5.2. Questionnaire set-up 103 5.2.1. Questionnaire responses 103 5.3. Results on issuance 104 5.3.1. Main results 104 5.3.2. Detailed results 106 5.4. Results on technical security 109 5.4.1. Main results 109 5.4.2. Detailed results 109 5.5. Results on usage 112 5.5.1.