1 / 17

RFID chips and EU e-passports: the end of privacy?

Nikita Maria Department of Applied Informatics University of Macedonia - Greece. RFID chips and EU e-passports: the end of privacy?. Overview. e-Passport Layout e-Passport Technologies e-Passport Generations e-Passport Vulnerabilities Proposed Measures Legal Efforts

tad-simpson
Download Presentation

RFID chips and EU e-passports: the end of privacy?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Nikita Maria Department of Applied Informatics University of Macedonia - Greece RFID chips and EU e-passports: the end of privacy?

  2. Overview • e-Passport Layout • e-Passport Technologies • e-Passport Generations • e-Passport Vulnerabilities • Proposed Measures • Legal Efforts • Conclusions and Proposals 5th International Conference on Information Law

  3. e-Passport • The layout 5th International Conference on Information Law

  4. e-Passport Technologies • Biometric Data • powerful identifiers • used for authentication and stored on a RFID chip • R.F.I.D. • contactless IC chip • meets all three considerations of usability, data capacity and performance [ICAO Technical Report, 2004] • embedded in the paper passport and communicates wirelessly with the passport reader using an antenna 5th International Conference on Information Law

  5. ICAO • The International Civil Aviation Organization (ICAO) is a specialized agency that issues passport standards as recommendations to the national governments • Introduced the biometrics and the technology of contactless chips (RFID) and the communication protocols • The 3 e-Passport generations.. 5th International Conference on Information Law

  6. e-Passport Generations • 1st generation • Passive Authentication Protocol (mandatory) • proves to the reader authenticity of the data • cannot detect cloning • Active Authentication Protocol (optional) • chip authentication • Prevents cloning What about the reader? Is he authentic? Is anyone else “listening” through the communication channel? 5th International Conference on Information Law

  7. e-Passport Vulnerabilities • Skimming attacks • occur from distance when an unauthorized reader gains access to the stored data • the attacker communicates directly with the RFID chip (reader authentication needed) 5th International Conference on Information Law

  8. e-Passport Vulnerabilities • Eavesdropping • occurs when the attacker intercepts the communication between the RFID chip and the border control reader (secure messaging) 5th International Conference on Information Law

  9. e-Passport Generations • 1stgeneration • Basic Access Control (optional) • Reader authentication • Secure messaging The reader optically reads the MRZ and derives an access key The RFID chip also knows this key Cryptographic Session Key derived (Secure messaging) • ACCESS KEY = • Document Number+ • Date of Birth + • Date of Expiry Mutual authentication 5th International Conference on Information Law

  10. e-Passport Generations • 2nd generation • Extended Access Control Protocol (optional) • Chip and Terminal authentication • Stronger encryption Its disadvantage is that it depends on BAC! • BAC turned out to be a very successful protocol because of its simplicity • Now is implemented in almost every e-passport • BUT the security that it provides is limited by the design of the protocol - the keys are cryptographically weak 5th International Conference on Information Law

  11. e-Passport Generations • 3rd generation • Supplemental Access Control (replace BAC) • implements asymmetric cryptography • data encryption is based on a shared key, unlike BAC which generates the key based on the MRZ • Data is protected both when stored on the chip and when transmitted to the reader • Higher level of protection is succeeded 5th International Conference on Information Law

  12. Proposed Measures • Faraday cage • is a metal jacket • prevents any electric or magnetic fields to pass through • A metal surface on an adjacent page Both are vulnerable to eavesdropping when they are expressly presented by their holders! 5th International Conference on Information Law

  13. Legal Efforts ICAO • In 1980 issued the first edition of the Doc 9303 as a guideline for issuing machine-readable passports • Introduced the biometrics and the technology of contactless chips (RFID) and the communication protocols • The Doc 9303 evolved through time and separate volumes were published • Doc 9303 part 1 volume 2 (2006) • specifications for electronically enabled passports with biometric identification capability were presented 5th International Conference on Information Law

  14. Legal Efforts European Level • E-passports introduced with Council Regulation (EC) No 2252/2004 • standards for security features and biometrics in passports issued by Member States, taking into account the specifications of ICAO • the data subject’s right of verification is recognized • access, rectify, erase • Commission Decision C(2005) 409 • issue passports with a digital facial image stored in the RFID chip by 2006 • fingerprints by 2008 • implement the BAC communication protocol 5th International Conference on Information Law

  15. Conclusions • The widespread of privacy concerns used to originate mainly in the fields of law • Now has obviosly expanded into the information technologies • Since biometric data was stored on the RFID chip… Privacy Threats arose • The RFID technology’s infrastructure is responsible for these problems • The EU Commission suggested to enhance RFID with privacy enhancing technologies (PETs) (anonymisation, coding, encryption and authentication) 5th International Conference on Information Law

  16. Proposals • Intensive proposed methods to enhance protection of privacy are vital • Fundamental changes are required even to the physical design of the RFID • Or second thoughts should be done about replacing the RFID technology with another that follows data protectionprinciples and applies privacy by design • Cooperation between computer and law scientists is vital for implementing a privacy enhancing technology for e-passports that entails the advantages of the RFID. 5th International Conference on Information Law

  17. Thank you for your attention! Any questions? 5th International Conference on Information Law

More Related