British "secure" passports "cracked"

| Comments (3) |
The Guardian is running an article by Steve Boggan about how he and Adam Laurie managed to access the new British electronic passports. The short story here is that access to the RFID tag is cryptographically protected but using a predictable key derived from your personal information:
Fatally, however, the ICAO suggested that the key needed to access the data on the chips should be comprised of, in the following order, the passport number, the holder's date of birth and the passport expiry date, all of which are contained on the printed page of the passport on a "machine readable zone." When an immigration official swipes the passport through a reader, this feeds in the key, which allows a microchip reader to communicate with the RFID chip. The data this contains, including the holder's picture, is then displayed on the official's screen. The assumption at this stage is that this document is as authentic as it is super-secure. And, as we shall see later, this could be highly significant.

So, what Boggan and Laurie do is take a passport that they have physical access to (and hence can read the MRZ), extract the personal information, and talk to the passport:

"I was amazed that they made it so easy," Laurie says. "The information contained in the chip is not encrypted, but to access it you have to start up an encrypted conversation between the reader and the RFID chip in the passport.

"The reader - I bought one for £250 - has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it.

"The Home Office has adopted a very high encryption technology called 3DES1 - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."

It's important to take a step back and be clear about the threat model. There are two ways to look at the purpose of RFID passports. One is that you're simply trying to produce an object with the same privacy properties as a standard non-RFID passport but with more storage, convenient reading, and harder to forge. The basic security property of a standard passport is that anyone who has access to the passport can read all the data. If that's what you want, then it's perfectly reasonable to make remote access contingent on physical access, which is what printing the key in the MRZ does (more later on how the key is generated). And since the data is digitally signed, it is more forgery resistant than a physical passport--though still clonable.

On the other hand, your goal might be to have it have significantly better privacy properties than physical passports. In that case, you need some form of access control that limits access to authorized readers. This is harder than it sounds, though still partly doable. However, I don't get any sense that this was a design goal for RFID passports, so I'm not sure that this complaint about leaving the key under the mat is really fair. Certainly, it's been known for quite some time that this was the general design, so it's not like it's a big surprise that you can read passports if you have physical access.

That said, I'm not particularly enamored of using someone's personal information as the cryptographic key. As Laurie points out, this is sort-of-guessable, although I don't think the attack he suggests (your mailman taking your passport home and remote-scanning it through the envelope) is really plausible. Far better would be to have a random key that you print in the MRZ. The problem with the current design is that it lets anyone with this information (which they might be able to obtain independently of the passport, since, for instance, you fill it in various forms) build a scanner that can look for your particular passport. That seems undesirable.

1. As a card-carrying member of the COMSEC community I'm obliged by guild rules to throw a hissy fit whenever anybody calls anything "military-level" encryption, but at least I've confined it to a footnote. DES isn't military-level anything and is generally regarded as dangerously weak (well-designed but with a too small key-length).

3 Comments

Could I take a peek at that COMSEC guild card you carry?

The big issue in terms of more interesting attacks is that there isn't much entropy in the passport number (and it's well predicted by the passport's date of issue). It appears that UKIPS have not taken any steps to increase security against key-guessing attacks, e.g., by randomising the passport numbers in RFID passports.

This is not really new, some people in the netherlands did it already in 2005 and showed it on TV in February 2006 (according to german ticker - sorry german only).
The main weakness of the "Basic Access Control" is that the effective key length is only around 35 bit if you take the possible input data space for the key into account. This makes a brute-force offline attack feasible once you had sniffed some RFID communication data. The next step (when fingerprints are stored on the passport) is to use the
Extended Access Control that uses Public Key cryptography. This should be more safe against unauthorized access, however, I see problems if keys or certificates are leaking from the reading stations...see also high level info (english)

Leave a comment