Difference between revisions of "EPassport"

From YobiWiki
Jump to navigation Jump to search
Line 157: Line 157:
 
[http://travel.state.gov/passport/ppt_card/ppt_card_3921.html Won’t this chip violate Americans’ privacy?]
 
[http://travel.state.gov/passport/ppt_card/ppt_card_3921.html Won’t this chip violate Americans’ privacy?]
 
<i>There will be no personal information written on the electronic chip itself. The chip will have only a unique number pointing to a stored record contained in secure government databases.[...] In addition, to mitigate any possibility that the card could be tracked, it will be issued with a protective sleeve that will prevent the card from being read when not in use.</i>
 
<i>There will be no personal information written on the electronic chip itself. The chip will have only a unique number pointing to a stored record contained in secure government databases.[...] In addition, to mitigate any possibility that the card could be tracked, it will be issued with a protective sleeve that will prevent the card from being read when not in use.</i>
  +
  +
In the news:
  +
* [http://www.rfidhackers.com/viewtopic.php?f=5&t=6 see here] for slides, video & tools
  +
* [http://www.theregister.co.uk/2008/12/01/rfid_scanning_under_fire/ ElReg]
   
 
==Tools==
 
==Tools==

Revision as of 17:16, 20 February 2009

ICAO standards

Certificates

Overview

  • CSCA certificate (Country Signing CA certificate)
    • is typically valid for their period of intended use + period of validity of the issued passports + 3 months (e.g. 5+10+0.25) and renewed after their period of intended use (e.g. 5 years).
    • is used to verify the DS certificate
  • DS certificate (Document Signer certificate)
    • is typically valid for the period of validity of the passport itself + 3 months and renewed after their period of intended use (3 months). (e.g. 10+0.25)
    • is used to verify the integrity of the EF_DG* files of the passport through their hashes signed in EF_SOD
    • is optionally present in the EF_SOD file of the passport (mandated by US-VISIT & by EU I think)
  • SOD (Document Security Object)
    • RFC3369 CMS Signed Data Structure, signed by the Document Signer (DS).
    • Carries the hashed LDS Data Groups.
    • Stored in the MRTD’s chip.
    • MAY carry the Document Signer Certificate
  • AA (Active Authentication) keys
    • private key stored in the chip
    • public key available in EF_DG15, whom hash key is signed in SOD by DS

As per epassport2008 there are several certificates for the full EAC solution:

Element                              File name
CSCA certificate - name              NN_CSCA.der (.der, .cer)
DS certificate                       NN_DS (.der, .cer) preferably included in the ePassport chip
CVCA certificate                     NN_CVCA.cvcert (minimal validity at least 2 month)
CVCA private key under PKCS#8 format NN_CVCA.pkcs8
DV certificate                       NN_DVCA.cvcert (effective date like CVCA certificate)
IS certificate                       NN_IS.cvcert (effective date like CVCA certificate)
IS private key under PKCS#8 format   NN_IS.pkcs8

CSCA certificates

Stupid script to see what are the country certificates there (there are also CRLs):

#!/bin/bash 

rm xx*
csplit pkd.000033.ldif '%userCertif%' '/^userCertif/' '{*}'
for i in xx*; do
    cat $i |sed '1s/^.*:://;/:/,/qwerty/d' |openssl base64 -d|openssl x509 -inform der -out $i.pem -outform pem
    cat $i |sed '1s/^.*:://;/:/,/qwerty/d' |openssl base64 -d|openssl x509 -inform der -text -noout > $i.txt
    test $? -eq 0 && rm $i
done

Verifying a passport

Passive Authentication

Example to verify a French passport:

Get France CSCA certificate: hum you should get country certificates from a trusted source ;-)

$ wget -O - http://jmrtd.org/csca/fr.cer |openssl x509 -inform  der -outform pem -out fr.PEM

EF_SOD certificate should have been extracted by RFIDIOt, if not:

$ tail -c+5 EF_SOD.BIN | openssl pkcs7 -inform DER -outform PEM -out EF_SOD.PEM

Verify DS certificate stored in the passport with country CSCA certificate:

$ openssl pkcs7 -in EF_SOD.PEM -print_certs -outform PEM |openssl verify -CAfile fr.PEM
stdin: OK

Verify SOD is well signed by DS

$ openssl smime -verify -in EF_SOD.PEM -inform pem -noverify > EF_SOD.data
Verification successful

Note that the 2 previous steps can be combined in one:

$ openssl smime -verify -in EF_SOD.PEM -inform pem -CAfile fr.PEM > EF_SOD.data
Verification successful

Verify files hashes are those signed in SOD
EF_SOD.data is ASN1 you can parse to retrieve the SHA1 of the DG* files, e.g.:

$ openssl asn1parse -inform DER -in EF_SOD.data
   0:d=0  hl=3 l= 150 cons: SEQUENCE          
   3:d=1  hl=2 l=   1 prim: INTEGER           :00
   6:d=1  hl=2 l=   7 cons: SEQUENCE          
   8:d=2  hl=2 l=   5 prim: OBJECT            :sha1
  15:d=1  hl=3 l= 135 cons: SEQUENCE          
  18:d=2  hl=2 l=  25 cons: SEQUENCE          
  20:d=3  hl=2 l=   1 prim: INTEGER           :01
  23:d=3  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:D560D2D999F12923D92DBB1E5EE55232B4A4C1B1
  45:d=2  hl=2 l=  25 cons: SEQUENCE          
  47:d=3  hl=2 l=   1 prim: INTEGER           :02
  50:d=3  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:637018B2449BE126CE9D4B6CAE98D92198829B6D
  72:d=2  hl=2 l=  25 cons: SEQUENCE          
  74:d=3  hl=2 l=   1 prim: INTEGER           :0B
  77:d=3  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:E9F3127A90D7A8C6237018DA294299C3EE61E03C
  99:d=2  hl=2 l=  25 cons: SEQUENCE          
 101:d=3  hl=2 l=   1 prim: INTEGER           :0C
 104:d=3  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:9C878F2D2B1E22BD876E65F092FF76F2E5719D87
 126:d=2  hl=2 l=  25 cons: SEQUENCE          
 128:d=3  hl=2 l=   1 prim: INTEGER           :0D
 131:d=3  hl=2 l=  20 prim: OCTET STRING      [HEX DUMP]:43B89A69B60BEFE5B51752B896951C21F3601B60

and compare them with

$ sha1sum EF_DG1.BIN 
d560d2d999f12923d92dbb1e5ee55232b4a4c1b1  EF_DG1.BIN
$ sha1sum EF_DG2.BIN 
637018b2449be126ce9d4b6cae98d92198829b6d  EF_DG2.BIN
$ sha1sum EF_DG11.BIN 
e9f3127a90d7a8c6237018da294299c3ee61e03c  EF_DG11.BIN
$ sha1sum EF_DG12.BIN 
9c878f2d2b1e22bd876e65f092ff76f2e5719d87  EF_DG12.BIN
$ sha1sum EF_DG13.BIN 
43b89a69b60befe5b51752b896951c21f3601b60  EF_DG13.BIN

To be perfect, we should also check CSCA and DS against CRLs supposedly available at ICAO PKD.

Active Authentication

Note that for this specific French passport, AA doesn't seem to be possible, no DG15!

A4.2. Active Authentication Mechanism
Active Authentication is performed using the ISO7816 INTERNAL AUTHENTICATE '88' command. The input is a nonce (RND.IFD) that MUST be 8 bytes. The ICC computes a signature, when an integer factorization based mechanism is used, according to ISO9796-2 Digital Signature scheme 1 ([R17], ISO/IEC 9796-2, Information Technology – Security Techniques – Digital Signature Schemes giving message recovery – Part 2: Integer factorisation based mechanisms, 2002.). cf D1.3.1.2
M MUST consist of M1 and M2, where M1 MUST be a nonce of length c – 4 bits and M2 is RND.IFD.
The trailer option 1 MUST be used in case of SHA-1, if not SHA-1 then option 2 MUST be used.
The result of the signature computation MUST be signature 3 without the non-recoverable message part M2.

Extracting the public key of the passport:

$ tail -c+4 EF_DG15.BIN |openssl rsa -pubin -inform der -text -out EF_DG15.PEM -outform pem

You can realise an AA challenge and collect the response e.g. in AA1.BIN
Here is an example without BAC, for illustration:

cla=00 ins=88 p1=00 p2=00 lc=08 data=0001020304050607(=M2)

Extracting the recoverable part of the message from the signature:

$ openssl rsautl -inkey EF_DG15.PEM -pubin -keyform PEM -in AA1.BIN -raw -verify -out AA1.data

The message should have the format '0x6A' || M1 || H(M1||M2) || '0xBC' if SHA-1 is used
Trailer could also be 2 bytes, one identifying the hash algo and the last one being '0xCC'
Header is 0b01|1(partial recovery)|0000(padding)|1=61 => xor 'B' = 6A
To verify the hash, compare its copy with your own calculation:

$ dd if=AA1.data bs=1 skip=1 count=106 2>/dev/null |xxd -p|sed '4a0001020304050607'|xxd -p -r|sha1sum
5dc9eee4a0428414eaba0b920d15b064ba054104  -
$ dd if=AA1.data bs=1 skip=107 count=20 2>/dev/null |xxd -p
5dc9eee4a0428414eaba0b920d15b064ba054104

See also Belgian_ePassport#Active_Authentication

Security of the ePassport infrastructure

Papers

Tools

See also below.
eCl0wn and mrpkey (RFIDIOt) can clone data of a chip but they cannot clone the secret counterparts of elements linked to AA or EAC therefore they're stripping such elements (e.g. EF.DG15) from EF.COM.
However as stated by ICAO in its supplement to Doc 9303, rel7, R1-p1_v2_sIV_0006: Authenticity, integrity and completeness of the LDS data should be verified using the Document Security Object and not the EF.COM, as a matter of good inspection system design.

US Passport Card

Don't mix US Passport Book (ICAO) with the US Passport Card (see also wikipedia), valid when entering the United States from Canada, Mexico, the Caribbean and Bermuda at land border crossings or sea ports-of-entry and skimmed much more easily. Won’t this chip violate Americans’ privacy? There will be no personal information written on the electronic chip itself. The chip will have only a unique number pointing to a stored record contained in secure government databases.[...] In addition, to mitigate any possibility that the card could be tracked, it will be issued with a protective sleeve that will prevent the card from being read when not in use.

In the news:

Tools

OpenMRTD

library

JMRTD

Java host API & Javacard applet to build your own epassport infrastructure

RFIDIOt

See RFID#RFIDIOt

eCL0WN

Applet for Nokia NFC phone

vonJeek emulator

Specific countries

Misc