Schneier on Security
A blog covering security and security technology.
« Wireless Dead Drop |
| Bug in Google's Censorship »
January 31, 2006
Dutch Biometric Passport Cracked
There's a good write-up from The Register.
Two points stand out. One, the RFID chip in the passport can be read from ten meters. Two, lots of predictability in the encryption key -- sloppy, sloppy -- makes the brute-force attack much easier.
But the references are from last summer. Why is this being reported now?
Posted on January 31, 2006 at 1:04 PM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This is hardly a surprice, although I recall Bruce turning overly enthusiastic about RF-enabled passports on his last post some time ago due to their new "cryptographic" security features.
This was probably "only reported now", because until recently, until the mentioned TV broadcast, there's not been much news or discussion about the use of RFID in our Dutch passports. It's not mainstream news.
Sure: there have been worried people and articles and so on, but hardly any of it gets much publicity. My guess is that this is due to the apparent technological ignorance of a large part of the population.
Another reason it's getting more attention could be that the date for introducing the new Dutch passport (August of 2006) is growing near.
A likely explanation for why this issue didn't get attention sooner, is in part people's lack of understanding of/interest in rfid in general. Earlier this month, a long article explaining the rfid plans was written in an understandable way, on an IT news site: http://www.netkwesties.nl/editie138/... In this article, the problems of biometric passports in general are explained. Back in August, a member of parliament already asked questions about it that were "answered" by the secretary of Internal Affairs: http://tinyurl.com/bgk66 (in Dutch)
The 'key' is constructed from data readable in the passport in order to allow access to the person you hand the passport to. So the passport still has to be swiped through a reader to obtain the various parts of the key and start communicating.
Why, oh why would you still go for a contact-less interface like RF if you have to put the passport through a reader anyway? Make it a contact interface (like most smartcards) and you eliminate most eavesdropping issues that are being found at the moment.
Who are the people making the technical decisions?
Vendors and politicians: greedy salemen and gullible power-hungry fools.
I think the nastiest surprise is the complexity of the brute force attack: 35 bits.
Even DES was 56 bits.
@Ari Heikkinen - "enthusiastic about RF-enabled passports on his last post some time ago due to their new "cryptographic" security features"
I'm not an expert on smartcards or rfid, but just because the 'platform' has secure features doesnt autmoatically imply the implementation will be secure - it comes down to who implements it, whether they know what they should be trying to achieve, whether they are allowed to achieve it, and whether they are capable of achieving it ...
"This is hardly a surprice, although I recall Bruce turning overly enthusiastic about RF-enabled passports on his last post some time ago due to their new 'cryptographic' security features."
I believe I have always said that "the devil is in the details" when it comes to this sort of thing.
Sometimes the devil is in the implentors that force others to oblige or be arrested.
From what I know, Australian e-passports work on exactly same principles - the stored information is only pretected from being accessed by a random person by an access code derived from MRZ on the first page.
Note that below "PKI protected" means "digitally signed", not encrypted.
"... The data on the chip will be PKI (Public Key Infrastructure) protected, guaranteeing that it was put there by an authorised entity and has not been altered since. The chip's digital signature meets the requirements of the International Civil Aviation Organisation (ICAO), a specialised agency of the United Nations.
Basic Access Control (BAC) prevents the chip from being accessed until the Machine Readable Zone (MRZ) on the data page has been read. BAC and PKI make the Australian ePassport the most secure Australian passport ever.
The chip, and the equipment which reads it, have been manufactured to standards set by the ICAO. Australia is a council member of ICAO and has played a prominent role in the development of the ICAO standards for ePassports. ICAO standards are available from the ICAO."
Bruce, although I can understand it slipped your attention, it did get reported in your blog in August last year:
Usage of Basic Access Control (BAC) is indeed a great step forward. The next question is: will the implementation be sufficiently secure? Two weeks ago at the WhatTheHack conference in the Netherlands, we presented flaws in the BAC design of the new Dutch passport under development. The strength of the encryption proves to be 35 bits rather than the claimed 50-55 bits. That's rather poor. Note that this weakness only applies to eavesdropped data; it cannot be used to query the chip. For more detail, see: http://www.riscure.com/news/passport.html. The presentation can be downloaded from http://www.riscure.com/wth.html. Home Affairs claimed that they were not aware of the problem and will look at improving the design.
Posted by: Harko at August 10, 2005 03:42 AM
By the way, although we lack all the specifics, the situation seems similar in e.g. Germany and Switzerland, and there are probably more countries to follow.
Could anyone comment on the US passport numbering scheme regarding predictability?
In Spain, a law enacted last Christmas changed the shape of our Identity Card (DNI). The e-card will contain a chip with crypto keys (for online signing) and several biometrics (written signature, photo, thumbprint). No RFID.
@Arturo: That's the ID card, but I would guess the Spanish passport will adhere to the ICAO standards nevertheless, making it just as susceptible to the attacks. Since this is an international standard, 1) the problem will affect almost all countries and 2) the standard is unlikely to be adapted quickly.
Certainly. There is no talk of changing spanish passports yet (which doesn´t mean they are not just waiting to see how the ID stuff fares)
As I have said before the biggest danger is not in the data or how it's protected. The danger is in the use of an RFID at all.
An RFID can be so easily detected by the way it absorbes energy at a given frequency (if it re-radiates that's a bonus but it's not required).
Back in the old days of Amature (Ham) radio people where used to the idea of a "Grid Dip Meter" or Grid Dip Oscillator (GDO) basically this was an oscillator that had it's tuned circuit inductor (tank coil) mounted externaly on the box. The oscilator also had the advantage (disadvantage in all other applications) of being extreamly sensitive to external circuits that it got coupled too, the amount of energy in the GDO tank cct was displayed on a meter on it's front.
If you wanted to know the frequency of a tuned circuit or filter in another piece of (unpowered) equipment, you put the GDO tank coil next to it and tuned the GDO up and down the band till you got a dip (or peek) which indicated that the external tuned circuit was taking energy from the GDO's oscillator.
Imagine now a GDO with the external tank circuit built into a door frame, as you walk through it detects the tuned CCT in your passport RFID has taken energy from it. That's you fingered as having a passport on you which is effectivly end of game.
Basically the whole stupid system was a busted flush from the first stupid idea, it's just continuing through the design and implimentation phases... I guess this is typical of politicion driven technology ideas (it certainly seams to be the case in the UK).
SO if you are "fingered" you are now a target of a criminal or other undesirable (from your point of view) who will make use of this knowledge for whatever there chosen method of profit is.
The inverse might also be true if National ID card carrying becomes mandated with on the spot fines. Just imagine you are a crook you will know who has and has not got their ID card. You put on your Police Uniform and then tap them up for their ID card, Whoops not got one pay me the fine now (thank you for the donation to swindelers incoperated).
Oh and if your RFID does radiate, it may also be possible to identify the RFID manufacturer or country of issue again without resorting to crypto or other attacks to get at the data. Which opens up a whole new set of twisted little passages for the undesirables to exploit.
My appologies to those that have read this before on my earlier posts to Bruce's Blog pages.
I have emailed riscure, who have made the attack (http://www.riscure.com/news/passport.html ). The response from Harko Robroch is a little confusing:
"The story got bigger here than it is. We did not actually execute the attack; the passports in NL are not yet available. However, with sensitive eavesdropping equipment, one can intercept terminal signals up to about 30 metres and card signals up to about 10 metres. At the moment, we do not have the equipment though to do this. This attack (brute force the secret key) can be performed with data sent by the terminal only."
I don't know how they know what can be done from 10 m if they haven't been able to try it, and I have difficulty to reconcile the news report with Mr. Robroch's stating that *the attack has not actually been executed*. I'm hoping for more details from riscure.
Here's an interesting looking paper on "Security and Privacy Issues in E-passports": http://eprint.iacr.org/2005/095.pdf. This paper distinguishes between "clandestine scanning" of the passport chip and "eavesdropping on legitimate passport-to-reader communications", and states: "Unlike clandestine scanning, eavesdropping
may be feasible at a longer distance—
given that eavesdropping is a passive operation". I understand that riscure's 10 m claim refers to eavesdropping. This corresponds to what is said in the Safe NL presentation http://wwwes.cs.utwente.nl/safe-nl/
Since this attack is basically a skimming attack and not an attack directly aimed at the passport itself, it seems to be that by putting a very simple metal cage around the scanner, that should block most of the signal from being transmitted.
Dear Netherlands embassy,
My mother, who is still a Dutch Citizen, recently had to renew her Dutch Passport. The application, downloaded from the Internet, had a detailed description of how the picture had to be taken. Many, many pages of instructions for a simple passport picture made me realize that this was going to be an issue.
The procedures prevented the use of a normal passport type picture. I had to purchase an 18% grey background poster, and we found a local photographer with a Polaroid passport camera. It was difficult to get the position of the head as described in the instructions, since the viewfinder of the Polaroid camera is offset from the lens, but after a couple of attempts we had an image which appeared to meet the requirements. The photographer was overwhelmed by the lengthy instructions.
Now, several weeks later, after the data has been sent to the Netherlands, we were notified that the picture would not work. The problem here is that ALL final images submitted will be subject to subjective judgement calls by some anonymous party in the Netherlands who does not have to hold him or herself accountable. How many good pictures have been rejected, and how many BAD pictures have been accepted? For example, the image was printed on photographic quality paper FROM POLAROID. Yet the rejection stated that the paper on which the images were printed was not good enough. This frankly is, idiotic.
I realize fully that the image is for photometric purposes. But, I find that the technology for taking the “perfect��? photometric image is apparently lacking in most parts of the United States, turning the image requirements for a Dutch passport into a torture session that can last months. I also realize that the requirements come from the US government.
I find the description and the requirements way over the top and grotesquely bureaucratic. My mother, an elderly person, is now severely stressed out over what should have been a simple procedure. Family members have had to set aside time to drive to Phoenix and back. Now I will have reserve more time to either find another photographer or do the images myself. Will the passport office accepted a printed image? All of this is not set forth in the 10+ pages of image requirements.
I find the fact that these procedures were implemented without some kind of reality check and what can and cannot be done very, very troubling. To be frank, I find them stupid and unrealistic. I am amazed that Dutch embassy personnel worldwide did not alert the people who came up with the system that it would have major problems.
Please, get rid of these moronic image requirements.
A guy apparently opened fire on middle school students with a rifle. The math teacher, David Benke, stopped him and probably saved dozens of childrens' lives at the risk of his own life. This man is a true hero.
You can read the news article here http://news.yahoo.com/s/ap/... - Teacher tackles gunman supected in school shooting http://www.youvoid.info/piczz/k/n.gif
We should all take a moment of silence for this man. Thank you.
The action taken to local and national disasters is great but it's a damn shame that so many citizens take advantage of the sad situations.
I mean everytime there is an earthquake, a flood, an oil spill - there's always a group of heartless people who rip off tax payers.
This is in response to reading that 4 of Oprah Winfreys "angels" got busted ripping off the system. Shame on them!
If you are looking looking for a elemental digital camera then the richest mission to look is most liable on the web. There are uncountable reviews that proclaim you take cameras and how they work and what type of features they have.
The exclusive feeling is that with this prototype of camera, your pictures may not be of talented quality. The simpler it is the less costly it is. Ergo, the less expensive it is the less calibre your photos will be.
There are permanent qualities you need to look for in a elementary digital camera.
1) Focal point - You have need of to be certain that you are not having difficulties getting your shot in focus. How impatient choose someone on the differing finale of the camera choose be if they are set there waiting in place of you to grow the camera in focus.
2) LCD Screen- Your wall should have the of the essence features to stretch what keyboard of twin you fob off on to take. You should not be struck by a rugged for the moment irksome to figure if you are booming to take a picturization, prospect, do you lack lighting, is it a still, etc. Don't you execrate when you can't statue the features out on the screen?
3) Quality- Produce convinced the reviews or neighbourhood in which you are purchasing gives you previews of what your photos may look like. It is demanded to know the mark of your photos before spending your hard earned money.
I be sure outlay is also a mug you on grave when searching for the duration of a green digital camera but I don't see the call in going into detail on this. Obviously you are prosperous to search pro the best bib price.
Here it is four yrs. later and the same situation prevails. I spent almost $100 on three photographers trying to get a photo that meets the extensive requirements of UK biometric photos. None got it all right. Recently, I studied and measured my US passport, to find that it meets the UK requirements and was made at a CVS
I hope you finally had better luck with your mother's passport. I think they just want to make us kow-tow to all their requirements to get us used to following orders from on high....or else, it's newbies in the job of writing requirements who make themselves seem worth their pay by writing things in teh most complicated manner......
sorry, that's a CVS pharmacy.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.