Difference between revisions of "Belgian ePassport"

From YobiWiki
Jump to navigation Jump to search
Line 71: Line 71:
 
# EF_SOD certificate should have been extracted by RFIDIOt, if not:
 
# EF_SOD certificate should have been extracted by RFIDIOt, if not:
 
tail -c+5 EF_SOD.BIN | openssl pkcs7 -inform DER -outform PEM -out EF_SOD.PEM
 
tail -c+5 EF_SOD.BIN | openssl pkcs7 -inform DER -outform PEM -out EF_SOD.PEM
# Verify DS? certificate with country CSCA certificate:
+
# Verify DS certificate stored in the passport with country CSCA certificate:
 
openssl pkcs7 -in EF_SOD.PEM -print_certs -outform PEM |openssl verify -CAfile fr.PEM
 
openssl pkcs7 -in EF_SOD.PEM -print_certs -outform PEM |openssl verify -CAfile fr.PEM
 
# you should get back a OK:
 
# you should get back a OK:
 
stdin: OK
 
stdin: OK
  +
# Verify SOD signed by DS, how?
   
 
As per epassport2008 there are several certificates for the full EAC solution:
 
As per epassport2008 there are several certificates for the full EAC solution:

Revision as of 23:19, 3 February 2009

Back to Belgian eGov

Belgian ePassports

Characteristics

  • Current versions demo
  • Uses Opentrust PKI (former IDX-PKI from idealx)
  • Price:
    • 30€ droit de chancellerie
    • taxes communales (Ixelles=26€, Leuven=11€?,...)
    • 41€ frais de confection
    • Much more expensive if urgent or 64 pages (~250€)
  • maker? at least not Zetes (contradictory info here)
    Mais nous ne fabriquons pas le passeport belge, c’est vrai. C’est un contrat qui a été attribué avant que nous ne soyons actifs sur ce segment. S’il y a un appel d’offres, j’imagine que nous y répondrons.

chip

  • ATR 3B 8E 80 01 80 91 E1 31 C0 64 77 E3 03 00 83 82 90 00 6C
  • ATR 3B 8E 80 01 80 91 91 31 C0 64 77 E3 03 00 83 82 90 00 1C (as mentioned in pcsc-lite smartcard_list.txt)
  • ATR 3B 88 80 01 00 00 01 07 01 72 90 00 EC (on a recent passport 01/2009 EH431xxx)
  • Belgium is one rare country to also include the owner handwritten signature, in EF_DG7
  • Non-compliances?
    • Requires option 0x0C whenever you select the application or a file (important for non-BAC passports), usually other passports implement 7816-4 a bit better and accept the standard select_file but apparently Belgium just implemented the example of LDS just as it was presented, no more)
    • non-BAC passports have a bug in EF_DG11, in full name of holder (tag 5F0E): null length followed by "A0 06 02 01 01"
    • newer passports have a bug in EF_DG12, using tag 5F85 instead of 5F55 for the document issuance timestamp (5F85 is in LDS1.7, 5F55 is in ISO standard)
    • newest passports (with polycarbonate transparent sheet) don't have the bug anymore in EF_DG12, skipping simply document issuance timestamp
  • Reading the DS certificate in EF_SOD (output truncated):
openssl pkcs7 -text -print_certs -in EF_SOD.PEM
Authority:
       Issuer: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=CSCAPKI_BE
       Subject: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=DSPKI_BE
       X509v3 extensions:
           X509v3 Authority Key Identifier:.
               keyid:00:84:19:14:B2:CE:7E:0A:DE:3A:26:F9:FD:DD:1F:F4:01:42:A8:0E

Security of Belgian ePassports

RFID-enabled Passports

ICAO standards

Country certificates

Stupid script to see what are the country certificates there (there are also CRLs):

#!/bin/bash 

rm xx*
csplit pkd.000033.ldif '%userCertif%' '/^userCertif/' '{*}'
for i in xx*; do
    cat $i |sed '1s/^.*:://;/:/,/qwerty/d' |openssl base64 -d|openssl x509 -inform der -out $i.pem -outform pem
    cat $i |sed '1s/^.*:://;/:/,/qwerty/d' |openssl base64 -d|openssl x509 -inform der -text -noout > $i.txt
    test $? -eq 0 && rm $i
done

CSCA Country certificates can be used to verify the DS certificate present in the EF_SOD file of the passport.
CSCA certificates are typically valid for their period of intended use + period of validity of the issued passports + 3 months (e.g. 5+10+0.25) and renewed after their period of intended use (e.g. 5 years).
DS certificates are typically valid for the period of validity of the passport itself + 3 months and renewed after their period of intended use (3 months). (e.g. 10+0.25)

Example to verify a French passport:

# Get France country certificate: hum you should get country certificates from a trusted source ;-)
wget -O - http://jmrtd.org/csca/fr.cer |openssl x509 -inform  der -outform pem -out fr.PEM
# EF_SOD certificate should have been extracted by RFIDIOt, if not:
tail -c+5 EF_SOD.BIN | openssl pkcs7 -inform DER -outform PEM -out EF_SOD.PEM
# Verify DS certificate stored in the passport with country CSCA certificate:
openssl pkcs7 -in EF_SOD.PEM -print_certs -outform PEM |openssl verify -CAfile fr.PEM
# you should get back a OK:
stdin: OK
# Verify SOD signed by DS, how?

As per epassport2008 there are several certificates for the full EAC solution:

Element                              File name
CSCA certificate - name              NN_CSCA.der (.der, .cer)
DS certificate                       NN_DS (.der, .cer) preferably included in the ePassport chip
CVCA certificate                     NN_CVCA.cvcert (minimal validity at least 2 month)
CVCA private key under PKCS#8 format NN_CVCA.pkcs8
DV certificate                       NN_DVCA.cvcert (effective date like CVCA certificate)
IS certificate                       NN_IS.cvcert (effective date like CVCA certificate)
IS private key under PKCS#8 format   NN_IS.pkcs8

Security of the ePassport infrastructure

Tools

OpenMRTD

library

JMRTD

Java host API & Javacard applet to build your own epassport infrastructure

RFIDIOt

See RFID#RFIDIOt

eCL0WN

Applet for Nokia NFC phone

vonJeek emulator

Misc