Die approbierte Originalversion dieser Diplom-/ Masterarbeit ist in der Hauptbibliothek der Tech- nischen Universität Wien aufgestellt und zugänglich. http://www.ub.tuwien.ac.at The approved original version of this diploma or master thesis is available at the main library of the Vienna University of Technology. http://www.ub.tuwien.ac.at/eng On Austrian ePassport Security DIPLOMARBEIT zur Erlangung des akademischen Grades Diplom-Ingenieur im Rahmen des Studiums Software Engineering & Internet Computing eingereicht von Stefan Vogl, BSc Matrikelnummer 0926857 an der Fakultät für Informatik der Technischen Universität Wien Betreuung: Ao. Univ. Prof. Dr. Wolfgang Kastner Mitwirkung: Dr. Christian Platzer Wien, 07.08.2014 (Unterschrift Verfasser) (Unterschrift Betreuung) Technische Universität Wien A-1040 Wien Karlsplatz 13 Tel. +43-1-58801-0 www.tuwien.ac.at On Austrian ePassport Security MASTER’S THESIS submitted in partial fulfillment of the requirements for the degree of Diplom-Ingenieur in Software Engineering & Internet Computing by Stefan Vogl, BSc Registration Number 0926857 to the Faculty of Informatics at the Vienna University of Technology Advisor: Ao. Univ. Prof. Dr. Wolfgang Kastner Assistance: Dr. Christian Platzer Vienna, 07.08.2014 (Signature of Author) (Signature of Advisor) Technische Universität Wien A-1040 Wien Karlsplatz 13 Tel. +43-1-58801-0 www.tuwien.ac.at Erklärung zur Verfassung der Arbeit Stefan Vogl, BSc Inzersdorfer Straße 80/1/13, 1100 Wien Hiermit erkläre ich, dass ich diese Arbeit selbständig verfasst habe, dass ich die verwende- ten Quellen und Hilfsmittel vollständig angegeben habe und dass ich die Stellen der Arbeit - einschließlich Tabellen, Karten und Abbildungen -, die anderen Werken oder dem Internet im Wortlaut oder dem Sinn nach entnommen sind, auf jeden Fall unter Angabe der Quelle als Ent- lehnung kenntlich gemacht habe. (Ort, Datum) (Unterschrift Verfasser) i Abstract In 2006, the first passports with an embedded RFID (Radio Frequency Identification) chip were released in Austria. Since then, all data printed on the passport, except the holder’s size and signature, are additionally stored on this chip. This includes the name, date of birth and the picture printed on the data page. Since 2009, two fingerprints are stored on the chip as well. Due to the fact that the mentioned data are very sensitive, it should be well protected. In a worst- case scenario, an attacker would use his NFC-enabled (Near Field Communication) smartphone to read, replay or modify these data for malicious purpose. Currently, various mechanisms are implemented to secure this information. These mechanisms try to prevent attacks against RFID systems like skimming, cloning and data modification. This thesis provides an in-depth analysis of the security measurements implemented in the Austrian ePassport. After this analysis, a feasibility study is done on the found weaknesses. This study shows, which of the weaknesses can be practically exploited and what threats can arise of this exploitation. For practically exploitable weaknesses, a proof of concept is devel- oped, whereas their emphasis lies on the availability of the hardware to show that no specialized equipment is necessary to attack ePassports. The results of this thesis show, that attacks are possible with consumer grade hardware, espe- cially if taking into account special circumstances in the Austrian implementation of the ePass- port. Some attacks can even be implemented on an NFC-enabled off-the-shelf smartphone. iii Kurzfassung In Österreich wurden 2006 die ersten Reisepässe, ausgestattet mit einem RFID (Radio Frequen- cy Identification) Chip, eingeführt. Seitdem sind die Daten, wie zum Beispiel Name, Geburts- datum und das auf dem Reisepass aufgedruckte Foto zusätzlich auf dem Chip abgelegt. Seit 2009 werden außerdem noch zwei Fingerabdrücke auf dem Chip gespeichert. Da es sich hierbei um äußerst sensible Daten handelt, müssen diese besonders geschützt werden. Im schlimms- ten Fall könnte ein Angreifer mit einem NFC-fähigen (Near Field Communication) Smartphone diese sensiblen Daten unbefugt auslesen, kopieren oder verändern. Um dies zu verhindern, wur- den Sicherheitsprotokolle entwickelt und implementiert, die den Reisepass-Chip vor Angriffen, wie Skimming (unbefugtes Auslesen), Klonen und vor dem Verändern der gespeicherten Daten, schützen sollen. Diese Arbeit bietet eine detaillierte Analyse der im österreichischen Reisepass implemen- tierten Sicherheitsmaßnahmen. Auf Basis dieser Analyse und der gefundenen Schwachstellen wird eine Machbarkeitsstudie durchgeführt, die aufzeigt, welche dieser Schwachstellen in der Praxis ausgenutzt werden können und welche Gefahren daraus entstehen. Die Praktikabilität dieser Angriffe wird durch die Entwicklung eines Proof of Concepts gezeigt. Besonderes Au- genmerk bei dieser Entwicklung liegt auf der verwendeten Hardware, um zu zeigen, dass keine speziellen Ressourcen benötigt werden, um den elektronischen Reisepass anzugreifen. Das Ergebnis dieser Arbeit zeigt, dass Angriffe auf den Reisepass bereits mit handelsübli- cher Hardware möglich sind. Größeren Erfolg haben diese, wenn besondere Eigenschaften des österreichischen Reisepasses in Betracht gezogen werden. Einige dieser Angriffe können sogar mit gängigen NFC-fähigen Smartphones durchgeführt werden. v Contents 1 Introduction 1 1.1 Related Work . 2 1.2 Motivation . 3 1.3 Methodology and Outline . 5 2 Background 7 2.1 RFID Principles . 7 2.2 Operating Frequencies . 8 2.3 History of RFID . 9 2.4 Proximity Card Standards . 10 2.5 Application Data Units (APDU) . 12 2.6 Logical Data Structure (LDS) . 14 2.7 Chip Specifications and Performance . 16 3 Security Features 19 3.1 Basic Access Control (BAC) and Secure Messaging (SM) . 19 3.2 Passive Authentication (PA) . 23 3.3 Active Authentication (AA) . 25 3.4 Extended Access Control (EAC) . 27 3.5 Password Authentication Connection Establishment (PACE) . 29 3.6 ICAO Public Key Infrastructure . 30 3.7 Implementation of Security Features in Austrian ePassports . 33 3.8 Comparison to other countries . 37 4 Attack Vectors 39 4.1 Eavesdropping and Skimming . 39 4.2 Cloning . 41 4.3 Forgery . 42 4.4 Tracking . 42 5 Attacks 45 5.1 Bruteforce Attack on the BAC . 45 5.2 Online Bruteforce Attack . 46 vii 5.3 Offline Bruteforce Attack . 48 5.4 Relay Attack . 55 5.5 Index Manipulation Attack . 57 5.6 Attack by Once Valid Readers . 58 5.7 Insecure Inspection Systems . 58 5.8 Android Implementation . 59 6 Future Work and Conclusion 67 6.1 Future Work and Future Developments . 67 6.2 Conclusion . 68 A Detailed Error Codes 71 B Analysed Passports 73 Bibliography 75 viii CHAPTER 1 Introduction The International Civil Aviation Organization (ICAO), as the aviation agency of the United Na- tions (UN), has a long history of specifying international travel documents. In the early 1980s, they published the first edition of the ICAO 9303 document specifying ‘A Passport with Machine Readable Capabilities‘. These first machine readable passports were equipped with a Machine Readable Zone (MRZ). In this zone on the data page of the passport the most important data of the passport like the name or the date of birth are printed in an OCR-B font. In 1995, the ICAO recognized the growing importance of biometrics to link the passport tighter to its owner. To store biometric features in a machine readable way on the passport, different storage technolo- gies were examined. In the end, a contactless integrated circuit was chosen for data storage. In the following years, the first specifications for electronic passports were published by the ICAO [1]. After the 9/11 terrorist attacks on the World Trade Center, multiple countries started to im- plement electronic passports [2]. Austria started to deploy the first generation of electronic passports on June 16, 2006. This first generation included the document holder’s photo as a bio- metric feature. In 2009, the second generation, which also included an electronic representation of two of the holder’s fingerprints, was deployed. To ensure the confidentiality, integrity and authenticity of the data stored on the chip the ICAO specifies a set of security mechanisms. Some of these mechanisms are mandatory and some of them are optional. To ensure the security of the additional biometrics like fingerprints, the German Bundesamt für Sicherheit in der Informationstechnik (BSI) proposed some extended security features, which were later adopted by the ICAO. In 2004 the European Council passed the Council Regulation No 2252/2004 [3], which made the storage of two fingerprints on the passport chip and the extended security features mandatory. 1 1.1 Related Work In the last decade, not only passports have been equipped with chips, to hold the personal data, also printed on the document, but also other high security documents are being equipped with electronic storage. The European Council Directive 2006/126/EC [3] introduced the possibility to integrate a microchip into a European driving license in 2006 and in 2012, Commission Reg- ulation No 383/2012 [4] laid down the technical requirements for an electronic driving license. The microchip should include, besides the data printed on the document, at least the license holder’s face image and signature. Two fingerprints and biometric data regarding iris can be stored optionally. It is also allowed, that member states store additional country specific data on the chip. The security features to protect the sensitive data on the chip are identical to the ones used in electronic passports. Basic Access Control (see Section 3.1) is used to protect the general access to the data on the chip, whereas Passive Authentication (see Section 3.2) is used to protect the integrity of the stored data. If more sensitive data is stored on the chip, it has to be protected by Extended Access Control (see Section 3.4). The technical details for electronic driving licenses are defined in ISO 18013. Electronic driving licenses are used for example in Australia and in Mexico. Besides driving licenses, other high security documents, like residents permits and vehicle registration cards are equipped with microchips for electronic storage and protection of the data and the documents.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages92 Page
-
File Size-