Privacy-related security mechanisms for ePassports
In a previous blog post we provided an overview of the different security mechanisms for ePassports and similar ICAO 9303 documents. In this blog, we zoom in on the security measures to protect the privacy of the holder.
Passports contain privacy sensitive information, such as personal number. Protection of this information is very important, for example to prevent identity theft. Someone must be close to the RFID chip to be able to read the content via NFC, but access control is needed nevertheless. Access control means a technically inherent form of control over who can access and read the chip via NFC. For example, you do not want someone in line behind you in the supermarket to hold their smartphone close to your wallet and read the content. In addition, for example at an airport, secure messaging is needed to prevent someone from eavesdropping on the communication between your passport and the Automatic Border Control gate that is reading the chip in your passport.
Summarizing this, the objective for privacy-related security mechanisms is protecting the privacy of the document holder by implementing access control and preventing eavesdropping. We’ll discuss the three privacy-related security mechanisms:
- Basic Access Control
- Password Authenticated Connection Establishment
- Extended Access Control
Beside the above three security mechanisms to protect access to the chip, this can also be done by putting a metal shielding in the passport cover. The passport then must be opened to be able to read the chip. The United States passport is an example of this.
Basic Access Control
Basic Access Control (BAC) is the simplest and oldest mechanism to protect access to the chip found in ePassports. To access a chip that is protected by BAC, you need to know the document number, the date of birth of the holder and the expiry date of the document. This information is used as a password to encrypt all communication with the passport and can be found in the Machine-Readable Zone of the document. This mechanism prevents unauthorized access to the chip because only entities that know the information that is used as the password can access the chip. The idea behind it is simple and elegant: you can only get access to the content of the chip if you already have optical access to the document, i.e., you already know what is on the chip. Eavesdropping is prevented as well, because an attacker that intercepts the communication between chip and reader cannot decrypt it without knowledge of the password. Although the implementation of BAC is not mandatory, it is used in all modern ePassports.
There has been some debate on the security of BAC, as the combination of document number, date of birth and expiry date can in some cases be guessed by brute forcing all possible combinations. The security of the password is especially reduced if some of some of the fields can somehow be related to each other. For example, if an issuer would increment the document number for each document that was issued, the document number is related to the date the document was issued, and therefore also related to the expiry date of the document. Relations like this effectively reduce the number of possible variations (entropy) of the password and as such reduce the security. This weakness has a larger impact on eavesdropping than on access control. An attacker can record the communication and try many passwords afterwards, but the number of attempts to get access is typically limited by the passport. For example, it may respond very slowly after a reader tries to get access with an incorrect BAC, thereby making a try-many-different-BAC-combinations attack very unpractical.
To avoid this blog post becoming too long, we will not discuss the privacy-related security mechanisms in electronic driving licenses (ISO18013), but please be aware there is a security mechanism very like BAC for ISO18013 which is called BAP.
Password Authenticated Connection Establishment
Password Authenticated Connection Establishment (PACE) is Supplemental Access Control (SAC). Depending who you talk to, they may use PACE or SAC, but typically refer to the same. PACE is a successor of BAC that uses more modern cryptography to provide an increased level of security. EU mandates the implementation of PACE by its member states for newly issued travel documents. Passports that have support for PACE also support BAC to remain compatible with the ICAO 9303 standard, that requires documents that support PACE to also support the older BAC. PACE solves the possible security problems of BAC by exchanging strong passwords to prevent eavesdropping immediately after access control. For getting access to the chip, the same combination of document number, birthdate and expiry date is used as password. Additionally, the chip can accept one or more Card Access Numbers (CAN) as a password. Typically, a CAN is only 6 digits long and is printed on the document, like the Machine-Readable Zone.
Starting in January 2018, documents that implement PACE are no longer required by the ICAO standard to implement BAC for backwards compatibility. We expect that some countries may soon drop the support for BAC, requiring PACE to get access to the content on the chip. Until that happens, there is always the fallback to BAC to get access to the chip. ReadID implements PACE already, and we participated in the PACE/SAC interoperability tests that were done at Secure Document World in May 2016 (SDW Interop 2016).
Extended Access Control
The third privacy-related security mechanism we discuss in this blog is Extended Access Control (EAC). This is used to protect more privacy sensitive information in the chip, especially fingerprints. EAC must be executed before the fingerprints can be read. The ICAO standard only suggests implementing additional access control mechanisms for protecting more sensitive information, but leaves the specification up to its member states. EAC is therefore not an ICAO standard, but in Europe it has been standardized by the BSI (see here and here). EAC consists of two mechanisms: Chip Authentication (CA) and Terminal Authentication (TA). The first is a cloning detection mechanism that we’ll discuss in another blog post. EAC-TA is about privacy and thus the subject of this blog post.
Contrary to BAC and PACE, the execution of EAC-TA does not involve a password that can be derived from information on the data page. Instead the terminal (device that reads the passport) must present a government issued certificate to the chip, to proof that it is authorized to read such sensitive information.
In practice, only a very few organizations such as national border control, police and local governments receive authorization to read the fingerprints from a passport. Especially in an international context it is very difficult to arrange. Because of this, EAC-TA seems to be used very little. We have already implemented EAC-TA some years ago, and ReadID can support EAC-TA for customers that have received such authorization. This is however currently not a production feature.
This blog post provided a short overview of privacy related security mechanisms. In follow-up blogposts, we explain the security features of ePassports that are related to authenticity of the chip and clone detection (to appear).