Re: Face and fingerprints swiped in Dutch biometric passport crack (another card skim vulnerability)

Actually, the international standards for the Machine Readable Travel Documents (passports, aka MRTDs) are written by the International Civil Aviation Organisation (ICAO). Both the US and EU passports comply with the ICAO standards. However, EU passports will be further protected by a so-called Extended Access Control procedure. This procedure provides, among others, terminal authentication to the passport, to reduce the risk that biometric data is read by rogue readers.

Also, there are many small details in which the passports from different countries may differ. For instance, the 'RFID' anti-collision identifier used when setting up a connection between the passport and the reader may either be fixed or generated randomly for each session. Or, as is indeed the case in the Dutch passport, the passport number may correlate with the issuing date, reducing the entropy of the key derived from the Machine Readable Zone (MRZ).

The "Riscure" attack is based on this correlation; they estimate the remaining entropy of the data on the MRZ to be roughly 2^35. This MRZ data is used to derive the symmetric session keys. Their attack works by recording (i.e. eavesdropping) a successful communication session between a passport and a reader. Then, all possible combinations of the MRZ data can be tried off line to generate the corresponding session keys and check whether that successfully decrypts the recorded session.

Note that straightforward skimming, i.e. trying to access a passport with a fake terminal by trying all possible combinations of MRZ data, is still impossible because the chip in the passport is slow to respond; even if you could try one MRZ access code every millisecond (totally unrealistic), you'd be busy half a year. This limits the usefulness of the attack a bit.

Also note that an encrypted key exchange like protocol for deriving the session key from the MRZ access code would also have prevented this attack...
Jaap-Henk

On Thu, 2 Feb 2006 12:37:24 -0500 Adam Shostack <adam@homeport.org> writes: the
--
Jaap-Henk Hoepman           | I've got sunshine in my pockets
Dept. of Computer Science   | Brought it back to spray the day
Radboud University Nijmegen | Gry "Rocket"
(w) www.cs.ru.nl/~jhh       | (m) jhh@cs.ru.nl
(t) +31 24 36 52710/53132   | (f) +31 24 3653137
---------------------------------------------------------------------
The Cryptography Mailing List
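Added example, not part of the original message or of Riscure's work: a small Python model an issuing authority could use to see how tying the document number to the issue date shrinks the MRZ keyspace, and how long online guessing at the message's one-attempt-per-millisecond rate would take on average. The scenario counts are constructed assumptions and the MRZ values are sample data; the check-digit rule (weights 7, 3, 1) is the ICAO 9303 one.

```python
import math

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeating

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits count as themselves, A-Z as 10-35, '<' as 0."""
    def value(c: str) -> int:
        if c.isdigit():
            return int(c)
        return 0 if c == "<" else ord(c) - ord("A") + 10
    return sum(value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def mrz_information(doc_no: str, birth: str, expiry: str) -> str:
    """The MRZ fields the access key is derived from, each with its check digit."""
    fields = (doc_no.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)

def keyspace_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """log2 of the candidate MRZ values; check digits are computed, so add nothing."""
    return math.log2(doc_numbers * birth_dates * expiry_dates)

def expected_days(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the right value: half the keyspace at the given rate."""
    return 2 ** bits / 2 / guesses_per_second / 86400

# Constructed scenarios; the counts are illustrative assumptions, not measured data.
SCENARIOS = {
    # random 9-char alphanumeric number, any birth date in 100 years, 10-year validity
    "independent fields": keyspace_bits(36 ** 9, 36525, 3652),
    # number predictable to within 5000 once the issue date is known,
    # holder's age known to within 10 years, 5-year validity
    "number tied to issue date": keyspace_bits(5000, 3652, 1826),
    # the figure quoted in the message above
    "estimate quoted in the message": 35.0,
}

if __name__ == "__main__":
    print(mrz_information("L898902C", "690806", "940623"))  # sample MRZ values
    for name, bits in SCENARIOS.items():
        online = expected_days(bits, 1000)  # one attempt per millisecond
        print(f"{name:32s} {bits:5.1f} bits  online ~{online:.3g} days on average")
```

The gap between the first two rows is the cost of a predictable numbering scheme: the check digits and fixed field formats contribute no entropy, so only unpredictability in the fields themselves protects the derived key.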