Overview of security mechanisms in ePassports
The RFID chips in ePassports and similar documents contain personal information such as name, birthdate, nationality and face image. In this blogpost we’ll provide an overview of the different security mechanisms that these RFID chips implement to protect this information. We also explain how ReadID uses these mechanisms. We try to keep this not too technical, and will provide more details in follow-up blog posts.
The main standard for these security mechanisms is the ICAO Doc 9303 specification. ICAO stands for International Civil Aviation Organization and is part of the United Nations. ReadID also supports the comparable ISO-18013 standard for electronic driving licences, but for brevity we ignore this in this blogpost.
The security mechanisms are there to:
- Privacy – protect the privacy of the document holder by implementing access control and preventing eavesdropping
- Authenticity – ensure that the chip is not a forgery and that it is not manipulated
- Clone detection – detect if the chip is a copy
Privacy is very important for the passport holder, since the chip contains privacy-sensitive information, such as personal numbers. In addition, this information can be used for identity theft. Someone has to be pretty close to the RFID chip to be able to read the content, but access control is needed nevertheless. For example, you do not want someone in line behind you in the supermarket to hold their smartphone close to your wallet and read the content. In addition, for example at an airport, secure messaging is needed to prevent someone from eavesdropping on the communication between your passport and the Automatic Border Control gate that is reading the chip in your passport.
The most important privacy-related security mechanism to implement this access control and secure messaging is Basic Access Control (BAC). The combination of document number, date of expiry and date of birth forms an access key, or password if you will, to access the chip. The idea behind this is that you need access to the holder page of the passport to be allowed to read the chip. Since the chip basically contains the same personal information as the holder page, there is no privacy loss when reading the chip: this information was already known. BAC also establishes an encrypted communication channel that prevents eavesdropping.
Since it is quite annoying to type the document number, date of expiry and date of birth, we use the smartphone camera to scan this information from the so-called Machine Readable Zone (MRZ, the bottom two or three lines in a passport / identity card). We use our own Optical Character Recognition technology for this.
Using BAC you can access almost all information in the chip with one important exception: the fingerprints. Access to these is not possible without authorization from the issuing country. We explain this, and details on the successor of BAC (PACE, SAC), in this blog post.
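As an added example, not code from the ReadID blog or the ReadID product, here is the BAC key derivation described above, in Go: each of the three MRZ fields gets its ICAO 9303 check digit, the SHA-1 of the concatenation gives the 16-byte key seed, and the two 3DES keys used to set up the encrypted channel are derived from that seed as specified in ICAO 9303 Part 11. The sample document number, date of birth and date of expiry are the ones used in the 9303 worked example; the function names (CheckDigit, MRZInformation, BACKeys, Hex) are this example's own.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"math/bits"
)

// mrzValue maps an MRZ character to its check-digit value: digits to themselves,
// letters A..Z to 10..35 and the filler '<' to 0.
func mrzValue(c byte) int {
	switch {
	case c >= '0' && c <= '9':
		return int(c - '0')
	case c >= 'A' && c <= 'Z':
		return int(c-'A') + 10
	}
	return 0
}

// CheckDigit computes the ICAO 9303 check digit of an MRZ field with the repeating
// weights 7, 3, 1; the camera-scanned MRZ carries these digits after each field.
func CheckDigit(field string) int {
	weights := [3]int{7, 3, 1}
	sum := 0
	for i := 0; i < len(field); i++ {
		sum += mrzValue(field[i]) * weights[i%3]
	}
	return sum % 10
}

// MRZInformation is the BAC key input: document number, date of birth (YYMMDD) and
// date of expiry (YYMMDD), each followed by its check digit.
func MRZInformation(docNo, dob, expiry string) string {
	return fmt.Sprintf("%s%d%s%d%s%d", docNo, CheckDigit(docNo), dob, CheckDigit(dob), expiry, CheckDigit(expiry))
}

// adjustParity gives every byte odd parity by fixing its least significant bit, as
// DES key bytes require.
func adjustParity(key []byte) []byte {
	out := make([]byte, len(key))
	for i, b := range key {
		if bits.OnesCount8(b&0xFE)%2 == 0 {
			out[i] = b | 1
		} else {
			out[i] = b &^ 1
		}
	}
	return out
}

// deriveKey is the 9303 key derivation for 3DES: SHA-1(Kseed || 32-bit counter),
// truncated to 16 bytes and parity-adjusted. Counter 1 yields KEnc, counter 2 KMAC.
func deriveKey(seed []byte, counter uint32) []byte {
	h := sha1.New()
	h.Write(seed)
	h.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	return adjustParity(h.Sum(nil)[:16])
}

// BACKeys derives Kseed (the first 16 bytes of SHA-1 over the MRZ information) and
// from it the keys KEnc and KMAC that protect the BAC key agreement with the chip.
func BACKeys(docNo, dob, expiry string) (seed, kEnc, kMac []byte) {
	sum := sha1.Sum([]byte(MRZInformation(docNo, dob, expiry)))
	seed = sum[:16]
	return seed, deriveKey(seed, 1), deriveKey(seed, 2)
}

// Hex renders a key as upper-case hex, the way the 9303 worked example prints it.
func Hex(b []byte) string { return fmt.Sprintf("%X", b) }

func main() {
	// Document number, date of birth and date of expiry from the ICAO 9303 worked example.
	docNo, dob, expiry := "L898902C<", "690806", "940623"
	seed, kEnc, kMac := BACKeys(docNo, dob, expiry)
	fmt.Println("MRZ information:", MRZInformation(docNo, dob, expiry))
	fmt.Println("Kseed:", Hex(seed))
	fmt.Println("KEnc: ", Hex(kEnc))
	fmt.Println("KMAC: ", Hex(kMac))
}
```

Note how little the reader needs: anyone who can see the holder page, or a photo of it, derives exactly the same keys, and the keys are only as unpredictable as the document number and the two dates. That is why the text calls BAC a password, and that limited unpredictability is the weakness its successor PACE was designed to address.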
From a security perspective, authenticity is the most important of the three goals: we want to make sure the RFID chip content was actually issued by the government and has not been manipulated. The underlying principle for verifying integrity is digital signatures. This is a common principle in computer security: data is signed by the issuer (e.g., the US government) using a so-called private key, and the receiver of this information (e.g., a French police officer) can verify that this data is actually from the US government, using the so-called public key of the US government. This makes it possible to check that a passport is indeed issued by, in this case, the US government and that the content of the chip has not been altered. You may not be aware of this, but e.g. your banking card and HTTPS in your browser are based on this principle.
This security mechanism to check the integrity is called Passive Authentication, and the certificate with the public key is called the Country Certificate. The mechanism is called passive because ReadID does not need to interact with the chip during verification. ReadID thus reads the content of the chip, and then checks the digital signatures on the content. This can be done on the smartphone (ReadID’s client-only deployment model), but in most cases doing this on the server is more secure (client-server or SaaS deployment model).
In this blogpost we explain Passive Authentication in more detail, including the challenge of having the correct Country Certificate.
The authenticity checks discussed above confirm that the chip content is authentic, but the chip itself could be cloned. Or put differently, Passive Authentication proves that a person with certain personal details exists, but does not prove that the information was read from the original passport. Depending on the use case, knowing that the holder is in possession of the original passport is desirable or even absolutely necessary. Where support for Basic Access Control and Passive Authentication is basically universal in ICAO 9303 documents, for clone detection there is more variation. Some, mostly older, passports do not support it at all. A common security mechanism for clone detection is Active Authentication. ReadID implements this in all three deployment models (client-only, client-server and SaaS). There are other possibilities for clone detection as well; we will give details in a follow-up blogpost (to appear).
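The following Go program is an added example, not ReadID's code and not the standard's own data structures: it models Passive Authentication and Active Authentication for the two passages above, so the difference the text draws (authentic content versus possession of the original chip) can be seen in a few lines. It assumes a single issuing-country key that signs the Document Security Object (SOD) directly, standing in for the Country Certificate, one SHA-256 hash per data group, and ECDSA for both the SOD signature and the Active Authentication response; real SODs are CMS/ASN.1 structures with a Document Signer certificate in between, and the data-group bytes here are constructed. Chip, Issue, PassiveAuthentication, ActiveAuthentication and Clone are this example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Chip models an ePassport chip: LDS data groups (1 = MRZ, 2 = face image, 15 = AA public
// key; contents constructed for this example) and the Document Security Object (SOD).
type Chip struct {
	DataGroups map[int][]byte
	SODHashes  map[int][32]byte  // one hash per data group
	SODSig     []byte            // issuing country's signature over sodContent(SODHashes)
	aaPriv     *ecdsa.PrivateKey // only a genuine chip has it, and it never leaves the chip
}

func sign(priv *ecdsa.PrivateKey, msg []byte) []byte {
	d := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:]) // error only on RNG failure
	return sig
}

func verify(key any, msg, sig []byte) bool {
	pub, ok := key.(*ecdsa.PublicKey) // nil (failed parse) or a non-ECDSA key fails
	d := sha256.Sum256(msg)
	return ok && ecdsa.VerifyASN1(pub, d[:], sig)
}

// sodContent is the signed part of the SOD: the data group hashes in canonical order.
func sodContent(hashes map[int][32]byte) (out []byte) {
	for n := 1; n <= 16; n++ { // the LDS defines DG1..DG16
		if h, ok := hashes[n]; ok {
			out = append(append(out, byte(n)), h[:]...)
		}
	}
	return out
}

// Issue personalises a genuine chip under a freshly generated country key: the country signs
// all data group hashes, the chip gets its own AA key pair (public half in DG15), and the
// country's public key is returned as the verifier's trust anchor (the Country Certificate).
func Issue(mrz, face []byte) (*Chip, *ecdsa.PublicKey) {
	country, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors only on a broken RNG
	aa, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dg15, _ := x509.MarshalPKIXPublicKey(&aa.PublicKey)
	chip := &Chip{DataGroups: map[int][]byte{1: mrz, 2: face, 15: dg15}, aaPriv: aa}
	chip.SODHashes = map[int][32]byte{}
	for n, data := range chip.DataGroups {
		chip.SODHashes[n] = sha256.Sum256(data)
	}
	chip.SODSig = sign(country, sodContent(chip.SODHashes))
	return chip, &country.PublicKey
}

// PassiveAuthentication checks the SOD signature with the trusted country key and every data
// group against its hash, using only what was read from the chip, hence "passive".
func PassiveAuthentication(chip *Chip, country *ecdsa.PublicKey) error {
	if !verify(country, sodContent(chip.SODHashes), chip.SODSig) {
		return errors.New("SOD not signed by the trusted country key")
	}
	for n, data := range chip.DataGroups {
		if chip.SODHashes[n] != sha256.Sum256(data) {
			return fmt.Errorf("DG%d does not match its SOD hash: content altered", n)
		}
	}
	return nil
}

// ActiveAuthentication: the inspection system sends a fresh random challenge, the chip signs
// it with its private key, and the answer is checked with the DG15 public key that PA covered.
func ActiveAuthentication(chip *Chip) error {
	if chip.aaPriv == nil {
		return errors.New("chip cannot answer the challenge: no AA private key")
	}
	challenge := make([]byte, 8)
	rand.Read(challenge)
	resp := sign(chip.aaPriv, challenge) // chip side
	if aaPub, _ := x509.ParsePKIXPublicKey(chip.DataGroups[15]); !verify(aaPub, challenge, resp) {
		return errors.New("challenge response invalid") // inspection side
	}
	return nil
}

// Clone copies everything readable (data groups and SOD) but not the AA private key.
func Clone(c *Chip) *Chip {
	return &Chip{DataGroups: c.DataGroups, SODHashes: c.SODHashes, SODSig: c.SODSig}
}

func main() {
	chip, country := Issue([]byte("constructed MRZ"), []byte("constructed face image"))
	fmt.Println("genuine PA, AA:", PassiveAuthentication(chip, country), ActiveAuthentication(chip))
	fmt.Println("clone   PA, AA:", PassiveAuthentication(Clone(chip), country), ActiveAuthentication(Clone(chip)))
}
```

Running it prints two nil errors for the genuine chip, and for the clone a nil error followed by a failure: a copy of everything that can be read from the chip passes Passive Authentication, because the signed content is unchanged, and only the challenge-response step reveals that the private key is missing. Conversely, any altered data group, or an SOD checked against the wrong country key, fails Passive Authentication, which is exactly the integrity guarantee the previous section describes.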