Recent technological advances have allowed many governments to increase their defenses against threats to national security. One of these new measures is the biometric passport, which has grown out of the necessity to overcome the misuse of paper travel documents. Some of the problems that have been encountered with the use of paper passports are copying and manipulation, selling of valid passports to a third party, and counterfeit or forged passports. Due to the difficulty of discerning a real passport from a fake, agents must undergo extensive training that still does not adequately protect against these threats. One of the initial attempts to increase border security by more accurately verifying identity and preventing counterfeit passports was the introduction of e-passports, or electronic passports. E-passports are identical to paper passports with the addition of an embedded, contactless smart-card containing the same information as the visual passport, including a digital version of the photograph. The contactless smart card is a tiny microprocessor that transmits information wirelessly utilizing RFID technology over distances of less than four inches. These smart-cards utilize advanced security mechanisms to prevent alterations to the embedded data.
Unfortunately, these attempts did not prevent passport abuse. In response to persistent passport fraud, biometric technologies have been employed as an additional security measure. Biometric technology is an automated mechanism that verifies or identifies an individual based on physiological or behavioral characteristics (Down and Sands 1). Physiological characteristics are related to the shape of the human body and are inherited (e.g. fingerprint, retina, face, hand), while behavioral characteristics are related to the behavior of the person and are usually learned (e.g. voice, signature, typing rhythm). To verify, a biometric system compares the supplied biometric identifier with the stored reference template on file for the individual. Based on its comparison, the system confirms or denies the individual’s claimed identity. If a match is found, it is likely the person has been identified (Down and Sands 1).
Recent events have spurred global awareness of the need for secure environments, and to this end there are several clear advantages of using biometrics in network security, such as eliminating the use of passwords (which are easily forgotten or obtained by evildoers) and tokens (which are easily lost or stolen). Additionally, the user must be physically present, decreasing the likelihood of an unauthorized user remotely accessing the protected system. These advantages, coupled with an increase in affordable computing performance and a decrease in implementation costs, have afforded biometrics a central role in an ever-increasing number of applications.
The International Civil Aviation Organization (ICAO) has developed standards for securely protecting digitized biometrics of the holder stored in the passport. These specifications currently include one mandatory measure, “passive authentication,” and other optional mechanisms, such as “active authentication” and “basic access control.” See Table 1 for a summary of the mechanisms.
Passive Authentication securely ensures the authenticity of the data stored in the smart card by using a digital signature generated and signed by the issuing nation.
The verification process is performed in the following order:
1. Retrieve the stored biometric data together with the trusted Country Signing CA certificate from the smart card.
2. Verify the certificate.
3. Compute hash values from the data and compare them with the hash values signed by the issuing nation.
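The three steps above, as an added example that is not part of the original essay: a Go model of passive authentication in which the issuing nation hashes every data group, signs the list of hashes, and the inspection system verifies that signature before recomputing and comparing each hash. The SecurityObject structure, the sample data groups and the direct issuer signature are constructed simplifications (the real Document Security Object is CMS/ASN.1 encoded, and step 2's certificate-chain check is assumed done beforehand, so the issuer public key is taken as already trusted).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// SecurityObject is a hypothetical, simplified stand-in for the ICAO Document
// Security Object: one hash per data group plus the issuing nation's signature
// over the whole hash list.
type SecurityObject struct {
	Hashes    map[int][32]byte // data group number -> SHA-256 of its contents
	Signature []byte           // ASN.1 ECDSA signature over hashListDigest(Hashes)
}

// hashListDigest serialises the hash list in a canonical (sorted) order so the
// issuer and the inspection system sign and verify exactly the same bytes.
func hashListDigest(hashes map[int][32]byte) []byte {
	nums := make([]int, 0, len(hashes))
	for n := range hashes {
		nums = append(nums, n)
	}
	sort.Ints(nums)
	var buf bytes.Buffer
	for _, n := range nums {
		h := hashes[n]
		buf.WriteByte(byte(n))
		buf.Write(h[:])
	}
	d := sha256.Sum256(buf.Bytes())
	return d[:]
}

// Issue is the issuing nation's side: hash every data group and sign the list.
func Issue(issuerKey *ecdsa.PrivateKey, dataGroups map[int][]byte) (*SecurityObject, error) {
	so := &SecurityObject{Hashes: make(map[int][32]byte, len(dataGroups))}
	for n, dg := range dataGroups {
		so.Hashes[n] = sha256.Sum256(dg)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, issuerKey, hashListDigest(so.Hashes))
	if err != nil {
		return nil, err
	}
	so.Signature = sig
	return so, nil
}

// Verify is the inspection system's side: check the issuer signature over the
// hash list first, then recompute each data group's hash and compare it with the
// signed value. A mismatch means the data was altered or the object is not the issuer's.
func Verify(issuerPub *ecdsa.PublicKey, so *SecurityObject, dataGroups map[int][]byte) error {
	if !ecdsa.VerifyASN1(issuerPub, hashListDigest(so.Hashes), so.Signature) {
		return errors.New("security object signature does not verify")
	}
	for n, dg := range dataGroups {
		want, ok := so.Hashes[n]
		if !ok {
			return fmt.Errorf("DG%d is not covered by the security object", n)
		}
		if sha256.Sum256(dg) != want {
			return fmt.Errorf("DG%d hash mismatch: data group altered", n)
		}
	}
	return nil
}

func main() {
	// Constructed sample data groups: DG1 = MRZ text, DG2 = (fake) facial image bytes.
	dataGroups := map[int][]byte{
		1: []byte("P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"),
		2: []byte{0xff, 0xd8, 0x01, 0x02, 0x03},
	}
	issuerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	so, _ := Issue(issuerKey, dataGroups)
	fmt.Println("genuine:", Verify(&issuerKey.PublicKey, so, dataGroups))

	// Swap the facial image: the DG2 hash no longer matches the signed one.
	tampered := map[int][]byte{1: dataGroups[1], 2: []byte("attacker photo")}
	fmt.Println("altered DG2:", Verify(&issuerKey.PublicKey, so, tampered))
}
```

Note that the signature is checked before any hash comparison: a hash list that was re-signed by a key other than the issuer's is rejected outright, which is why the trust anchor in step 2 matters as much as the hashes in step 3.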
Active authentication authenticates the individual chip using public-key cryptography, thereby ensuring the passport has not been cloned. The public key is housed in the readable portion of the smart card, while the private key is stored within secure memory. In this protocol, the inspection system creates a random challenge, which is signed inside the smart card with the private key. The signed response is transmitted back and verified using the smart card’s public key, then compared with the original challenge to determine authenticity.
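The challenge-response just described, as an added example that is not from the original essay: a Go model in which the inspection system draws a fresh challenge and verifies the chip's signature over it with the public key read from the chip's readable data (DG15). A copy of the chip holding only the readable bytes and a previously observed response cannot answer a new challenge. ECDSA over SHA-256 stands in for the signature scheme the real protocol uses, and the Chip, Copy and Responder types are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Responder is anything the inspection system can put a challenge to: a genuine
// chip or a copy of one. Readable() returns the data groups a reader can read.
type Responder interface {
	Readable() map[int][]byte
	Answer(challenge []byte) ([]byte, error)
}

// Chip models a genuine e-passport chip: the private key sits in secure memory and
// is never exported; only the data groups (including the public key in DG15) are readable.
type Chip struct {
	dataGroups map[int][]byte
	priv       *ecdsa.PrivateKey
}

func NewChip() (*Chip, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	dg15, err := x509.MarshalPKIXPublicKey(&priv.PublicKey) // SubjectPublicKeyInfo, as DG15 holds
	if err != nil {
		return nil, err
	}
	return &Chip{dataGroups: map[int][]byte{15: dg15}, priv: priv}, nil
}

func (c *Chip) Readable() map[int][]byte { return c.dataGroups }

// Answer signs the fresh challenge with the private key. (ECDSA over SHA-256 stands in
// for the ISO 9796-2 signature scheme the real protocol uses.)
func (c *Chip) Answer(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// Copy is what a cloned chip can hold: every readable byte of the original, and at best a
// response the original gave to some earlier challenge. It has no private key.
type Copy struct {
	dataGroups  map[int][]byte
	oldResponse []byte
}

func (c *Copy) Readable() map[int][]byte       { return c.dataGroups }
func (c *Copy) Answer(_ []byte) ([]byte, error) { return c.oldResponse, nil }

// Inspect runs active authentication: draw a fresh random challenge, obtain the chip's
// signature over it, and verify that signature with the public key read from DG15.
func Inspect(r Responder) error {
	challenge := make([]byte, 8)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	keyAny, err := x509.ParsePKIXPublicKey(r.Readable()[15])
	if err != nil {
		return fmt.Errorf("DG15 unreadable: %w", err)
	}
	pub, ok := keyAny.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("DG15 does not hold an ECDSA key")
	}
	sig, err := r.Answer(challenge)
	if err != nil {
		return err
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("challenge not signed by the key in DG15: chip is not genuine")
	}
	return nil
}

func main() {
	genuine, _ := NewChip()
	fmt.Println("genuine chip:", Inspect(genuine))
	old, _ := genuine.Answer([]byte("earlier challenge")) // observed during a past read
	copyChip := &Copy{dataGroups: genuine.Readable(), oldResponse: old}
	fmt.Println("copied chip:", Inspect(copyChip))
}
```

The public key itself is only worth trusting because DG15 is covered by passive authentication; without that signed hash, a copy could simply substitute its own key pair.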
Basic Access Control also helps reduce attacks based on smart-card cloning by blocking access from unauthorized RFID readers. The passport’s readable zone (or smart card), openly located inside the passport, is used by the card reader to obtain two types of data: less-sensitive data (e.g. the facial image, which is easily obtained from other sources) and sensitive data (e.g. fingerprints, which are difficult to obtain from other sources).
Optically scanned data printed on the passport (26 bits, comprising the passport number, date of birth, expiry date, and three check digits) is used by the terminal to derive two keys, KENC and KMAC (collectively referred to hereafter simply as K). These two keys allow for triple-DES encryption of each message sent in a two-challenge, three-way communication, such that both encryptions occur using KENC with a single decryption between, using KMAC. The first message, sent from the passport’s chip to the terminal, contains a chip-generated random key, concatenated with a randomly generated bit-string challenge, encrypted using K. The terminal uses the same key-pair to decrypt this message, then creates a second message, sent to the chip, concatenating (then encrypting, again using K) the decrypted bit-string challenge with its own randomly generated key and challenge. Upon receipt, the chip decrypts, then compares its returned challenge with the original. If the two match, the terminal is deemed authentic by the chip, which stores the terminal’s key. Finally, the chip concatenates the decrypted terminal challenge with its own original challenge and random key, then encrypts using K. If, after decrypting this message, the terminal is able to match its returned challenge with the original, the chip is deemed authentic and its key is stored by the terminal. The two randomly generated keys are then XORed at both ends to derive a symmetric session key.
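The exchange above, as an added example that is not part of the original essay: a Go model of BAC that follows the ICAO Doc 9303 key derivation (SHA-1 of the MRZ information, then counter-based derivation of KENC and KMAC with DES parity adjustment) and the three-message mutual authentication, with both sides played in one function so the derived session seeds can be compared. It departs from the paragraph's wording in two places that follow the standard: the chip's challenge (RND.IC) is sent in the clear, and each encrypted message carries a MAC under KMAC. The MRZ string, the HMAC-SHA256 stand-in for the standard's ISO/IEC 9797-1 retail MAC, and the single source of randomness are constructed simplifications.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/bits"
)

// Constructed MRZ sample: document number, birth date and expiry date, each with its check digit.
const mrzInfo = "L898902C<3" + "6908061" + "9406236"

func concat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// deriveKey is the Doc 9303 derivation: SHA-1(seed || 32-bit counter), first 16 bytes,
// DES parity adjusted. Counter 1 yields an encryption key, counter 2 a MAC key.
func deriveKey(seed []byte, counter byte) []byte {
	h := sha1.Sum(concat(seed, []byte{0, 0, 0, counter}))
	k := append([]byte{}, h[:16]...)
	for i, b := range k {
		if bits.OnesCount8(b)%2 == 0 { // force odd parity on every key byte
			k[i] = b ^ 1
		}
	}
	return k
}

// cbc runs two-key 3DES (KA||KB||KA) in CBC mode with a zero IV and no padding.
func cbc(k, in []byte, enc bool) []byte {
	b, _ := des.NewTripleDESCipher(concat(k[:8], k[8:16], k[:8]))
	mode := cipher.NewCBCDecrypter(b, make([]byte, 8))
	if enc {
		mode = cipher.NewCBCEncrypter(b, make([]byte, 8))
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in)
	return out
}

// mac stands in for the standard's ISO/IEC 9797-1 retail MAC (simplification:
// HMAC-SHA256 under KMAC, truncated to the same 8-byte length).
func mac(k, msg []byte) []byte {
	m := hmac.New(sha256.New, k)
	m.Write(msg)
	return m.Sum(nil)[:8]
}

// open checks a message's MAC, decrypts it and checks that the expected challenge
// sits in its second 8-byte block. Chip and terminal both apply it to what they receive.
func open(kenc, kmac, msg, tag, challenge []byte) ([]byte, error) {
	if !hmac.Equal(mac(kmac, msg), tag) {
		return nil, errors.New("MAC invalid (keys derived from a different MRZ?)")
	}
	p := cbc(kenc, msg, false)
	if !bytes.Equal(p[8:16], challenge) {
		return nil, errors.New("challenge mismatch")
	}
	return p, nil
}

// RunBAC plays both sides: chipMRZ is what the chip holds, readMRZ what the terminal
// scanned. It returns each side's session key seed. (Randomness is drawn once for brevity.)
func RunBAC(chipMRZ, readMRZ string) (chipSeed, termSeed []byte, err error) {
	ch, th := sha1.Sum([]byte(chipMRZ)), sha1.Sum([]byte(readMRZ))
	cEnc, cMac := deriveKey(ch[:16], 1), deriveKey(ch[:16], 2) // chip's KENC, KMAC
	tEnc, tMac := deriveKey(th[:16], 1), deriveKey(th[:16], 2) // terminal's KENC, KMAC
	rnd := make([]byte, 48)
	if _, err := rand.Read(rnd); err != nil {
		return nil, nil, err
	}
	rndIC, rndIFD, kIFD, kIC := rnd[:8], rnd[8:16], rnd[16:32], rnd[32:]
	// 1. chip -> terminal: RND.IC in the clear. 2. terminal -> chip: E(RND.IFD||RND.IC||K.IFD) + MAC.
	eIFD := cbc(tEnc, concat(rndIFD, rndIC, kIFD), true)
	s, err := open(cEnc, cMac, eIFD, mac(tMac, eIFD), rndIC)
	if err != nil {
		return nil, nil, fmt.Errorf("chip rejects terminal: %w", err)
	}
	// 3. chip -> terminal: E(RND.IC||RND.IFD||K.IC) + MAC, which the terminal checks the same way.
	eIC := cbc(cEnc, concat(rndIC, s[:8], kIC), true)
	r, err := open(tEnc, tMac, eIC, mac(cMac, eIC), rndIFD)
	if err != nil {
		return nil, nil, fmt.Errorf("terminal rejects chip: %w", err)
	}
	chipSeed, termSeed = make([]byte, 16), make([]byte, 16)
	for i := range chipSeed { // both sides XOR the two key halves into the session seed
		chipSeed[i], termSeed[i] = s[16+i]^kIC[i], kIFD[i]^r[16+i]
	}
	return chipSeed, termSeed, nil
}

func main() {
	c, t, err := RunBAC(mrzInfo, mrzInfo)
	fmt.Printf("seeds agree: %v err=%v session KSenc=%x\n", bytes.Equal(c, t), err, deriveKey(c, 1))
}
```

Running RunBAC with a mis-read MRZ on the terminal side fails at the chip's MAC check, which is the whole of BAC's access control: a reader that has not optically scanned the data page cannot derive KENC and KMAC and so never gets a decryptable reply. The session keys are then derived from the agreed seed with the same deriveKey function (counters 1 and 2).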
Extended Access Control was developed in Germany in response to the vulnerabilities of BAC, and encompasses two distinct mechanisms: chip authentication and terminal authentication. In particular, the 26 bits of (publicly accessible) information used to generate the BAC key-pair, K, were found to be much too weak. Chip authentication responds to this particular weakness by coupling a static chip key-pair with a Diffie-Hellman terminal key-pair generated for each passport scan. As in active authentication, the chip’s private key resides in secure memory and is never disclosed. The chip and terminal exchange public keys, and the chip specifies certain domain parameters during this exchange. Both sides then generate identical session keys for terminal authentication as a function of the domain parameters, their own private key, and the other’s public key. Afterward, the passport chip hashes the terminal’s public key and stores this value to be recalled during terminal authentication. Passive authentication is required immediately after.
Terminal authentication represents a significant improvement over the BAC mechanism as well, given that the same randomly generated DH key-pair works in tandem with a frequently changed Country Verifying Certificate Authority (CVCA) certificate. The terminal sends its current CVCA certificate, which the chip verifies using the CVCA public key stored internally; the chip then extracts the terminal’s public key from this certificate and generates and sends a random challenge to the terminal. Upon receipt, the terminal signs this challenge by concatenating the challenge, the chip ID, and its hashed public key, then encrypting the result with its own private key. The chip grants the terminal access to its “sensitive” data only upon successful completion of this exchange. However, the recent development of secure protocols does not mean that e-passports are impervious to attack.
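Both EAC mechanisms above, as an added example that is not from the original essay: a Go model in which chip authentication combines the chip's static key pair with a terminal key pair generated per scan (ECDH on P-256 stands in for the DH variant the chip's domain parameters would select), the chip stores the hash of the terminal's ephemeral public key, and terminal authentication then verifies the terminal certificate against the chip's stored CVCA key and checks the terminal's signature over challenge || chip id || hash(ephemeral key). The chip identifier, the simplified certificate (a PKIX-encoded key plus a CVCA signature), the hash-and-counter key derivation and the ECDSA signatures are constructed stand-ins for the real TLV certificate formats and algorithms.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Chip: static chip-authentication key pair (private half in secure memory), the
// CVCA public key it trusts, and what it records during a scan.
type Chip struct {
	static   *ecdh.PrivateKey
	cvcaPub  *ecdsa.PublicKey
	id       []byte // chip identifier bound into the terminal's signature
	termHash []byte // SHA-256 of the terminal's ephemeral key, kept from chip authentication
	sessKey  []byte
}

// Terminal: a signing key with its (hypothetical, simplified) certificate, i.e. the
// PKIX-encoded public key plus a CVCA signature over it, and a fresh ECDH pair per scan.
type Terminal struct {
	signing   *ecdsa.PrivateKey
	certPub   *ecdsa.PublicKey
	certSig   []byte
	ephemeral *ecdh.PrivateKey
	sessKey   []byte
}

// IssueTerminal creates a terminal signing key and certifies it under cvca.
func IssueTerminal(cvca *ecdsa.PrivateKey) (*Terminal, error) {
	signing, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	body, _ := x509.MarshalPKIXPublicKey(&signing.PublicKey)
	d := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, cvca, d[:])
	return &Terminal{signing: signing, certPub: &signing.PublicKey, certSig: sig}, err
}

// Setup personalises a chip and issues one terminal certificate under the same CVCA.
func Setup() (*Chip, *Terminal, *ecdsa.PrivateKey, error) {
	cvca, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	static, _ := ecdh.P256().GenerateKey(rand.Reader)
	chip := &Chip{static: static, cvcaPub: &cvca.PublicKey, id: []byte("constructed-chip-id")}
	term, err := IssueTerminal(cvca)
	return chip, term, cvca, err
}

// ChipAuthentication: the terminal makes a fresh ECDH pair; both sides combine it with the
// chip's static pair (public half read from DG14) into the same session key, and the chip
// records the hash of the terminal's ephemeral public key for terminal authentication.
func ChipAuthentication(c *Chip, t *Terminal) error {
	var err error
	if t.ephemeral, err = ecdh.P256().GenerateKey(rand.Reader); err != nil {
		return err
	}
	shared, _ := c.static.ECDH(t.ephemeral.PublicKey()) // chip side
	k := sha256.Sum256(append(shared, 0, 0, 0, 1))      // simplified KDF: hash(shared || counter)
	c.sessKey = k[:]
	h := sha256.Sum256(t.ephemeral.PublicKey().Bytes())
	c.termHash = h[:]
	shared, _ = t.ephemeral.ECDH(c.static.PublicKey()) // terminal side of the same computation
	k = sha256.Sum256(append(shared, 0, 0, 0, 1))
	t.sessKey = k[:]
	return nil
}

// TerminalAuthentication: the chip verifies the terminal certificate against its CVCA key,
// issues a challenge, and checks the terminal's signature over challenge || chip id ||
// hash(ephemeral key), recomputed with the hash it stored during chip authentication.
func TerminalAuthentication(c *Chip, t *Terminal) error {
	body, _ := x509.MarshalPKIXPublicKey(t.certPub)
	d := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(c.cvcaPub, d[:], t.certSig) {
		return errors.New("terminal certificate not signed by the trusted CVCA")
	}
	challenge := make([]byte, 8)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	th := sha256.Sum256(t.ephemeral.PublicKey().Bytes()) // terminal side: hash of its own key
	m := sha256.Sum256(bytes.Join([][]byte{challenge, c.id, th[:]}, nil))
	sig, err := ecdsa.SignASN1(rand.Reader, t.signing, m[:])
	if err != nil {
		return err
	}
	want := sha256.Sum256(bytes.Join([][]byte{challenge, c.id, c.termHash}, nil)) // chip side
	if !ecdsa.VerifyASN1(t.certPub, want[:], sig) {
		return errors.New("terminal signature invalid: sensitive data groups stay locked")
	}
	return nil
}

func main() {
	chip, term, _, _ := Setup()
	fmt.Println("chip auth:", ChipAuthentication(chip, term), "keys agree:", bytes.Equal(chip.sessKey, term.sessKey))
	fmt.Println("terminal auth:", TerminalAuthentication(chip, term))
}
```

Binding the stored hash into the signed message is what ties the two mechanisms together: a terminal with a valid certificate that did not take part in this scan's chip authentication (or swapped its ephemeral key afterwards) fails the signature check even though its certificate verifies.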
While the EU has already implemented EAC protocols, EAC-enabled passports are subject only to those protocols implemented in a given terminal. As current ICAO guidelines require only passive authentication and passports remain valid for a decade, EAC-enabled passports are still prone to cloning at terminals that do not yet support the protocol. Currently, only ten out of the 45 countries have signed up for the public key directory (PKD) code system, and only a few countries swap their codes manually (Boggan).
Additionally, the use of RFID technology in many current implementations may allow government officials and other attackers, if active authentication is implemented in the absence of BAC, to remotely track the movement of each passport in real time, raising several privacy concerns. Even under active authentication, the certificate used provides enough information to derive the key-pair used in BAC, rendering the mechanism useless (though making attacks somewhat more time-consuming) if it is not implemented after the session key derivation in BAC. Attackers can determine whether the targeted passport is within close proximity by recording the time it takes for the device to respond, and precisely honed acts of terrorism and attacks on specific individuals may occur as a result (Zorz).
The question now becomes whether or not the smart cards should be placed within e-passports and other identification documents. According to Chothia and Smirnov of the University of Birmingham's School of Computer Science, “the security hole can be closed by standardizing error messages and ‘padding’ response times in future e-passports. However, little can be done as of now due to the large number of e-passport users involved.” Others argue that it is simply too expensive to replace documents in response to security concerns (Goodin).
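The fix quoted above (standardised error messages and padded response times), as an added example that is not from the original essay or from Chothia and Smirnov: a Go model of the chip's side of a mutual-authenticate command, first as a leaky implementation that stops at the first failed check and reports which one failed, then hardened so that every check runs, every failure maps to one status word, and the answer is held until a fixed deadline. The status words are ISO 7816 codes chosen for the example, the KMAC values and message are constructed, and time.Sleep stands in for the chip's decryption work.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"time"
)

// ISO 7816 status words as used in this model: success, a generic failure, and the
// more specific "wrong data" word a leaky implementation might return instead.
const (
	swOK        uint16 = 0x9000
	swFailed    uint16 = 0x6300
	swDataWrong uint16 = 0x6A80
)

// Constructed costs: what decryption "takes" on the chip, and the floor every hardened
// response is padded to. Real values come from measuring the slowest legitimate path.
const (
	decryptCost   = 5 * time.Millisecond
	responseFloor = 20 * time.Millisecond
)

func mac(k, msg []byte) []byte {
	m := hmac.New(sha256.New, k)
	m.Write(msg)
	return m.Sum(nil)
}

// LeakyRespond models a chip that stops at the first failed check and says which one
// failed. Whether the MAC matches depends on KMAC, which is derived from one specific
// passport's MRZ, so both the status word and the missing decryption delay tell a reader
// whether it is talking to that particular passport.
func LeakyRespond(kmac, msg, tag, expectedNonce []byte) (uint16, time.Duration) {
	start := time.Now()
	if !hmac.Equal(mac(kmac, msg), tag) {
		return swFailed, time.Since(start) // returns early: no decryption happened
	}
	time.Sleep(decryptCost)                   // stands in for 3DES decryption of msg
	if !bytes.Equal(msg[:8], expectedNonce) { // simplified: the nonce is the first block of msg
		return swDataWrong, time.Since(start)
	}
	return swOK, time.Since(start)
}

// HardenedRespond runs every check regardless of earlier outcomes, collapses all failures
// into one status word, and holds the answer until a fixed deadline so timing is uniform.
func HardenedRespond(kmac, msg, tag, expectedNonce []byte) (uint16, time.Duration) {
	start := time.Now()
	macOK := hmac.Equal(mac(kmac, msg), tag)
	time.Sleep(decryptCost) // do the decryption work even when the MAC already failed
	nonceOK := bytes.Equal(msg[:8], expectedNonce)
	sw := swFailed
	if macOK && nonceOK {
		sw = swOK
	}
	time.Sleep(time.Until(start.Add(responseFloor))) // pad to the floor (non-positive: no wait)
	return sw, time.Since(start)
}

func main() {
	kmac := []byte("constructed-kmac-for-passport-A")
	msg := append([]byte("nonce-01"), []byte("rest-of-message")...)
	tag := mac(kmac, msg) // a message passport A once accepted
	for _, kind := range []string{"leaky", "hardened"} {
		respond := LeakyRespond
		if kind == "hardened" {
			respond = HardenedRespond
		}
		swA, dA := respond([]byte("kmac-of-passport-B"), msg, tag, []byte("nonce-01")) // another passport
		swB, dB := respond(kmac, msg, tag, []byte("nonce-99"))                          // passport A, stale nonce
		fmt.Printf("%-8s other passport: %04X in %v | this passport: %04X in %v\n", kind, swA, dA, swB, dB)
	}
}
```

In the leaky version the two failure cases differ in both status word and elapsed time; in the hardened version they are indistinguishable on both channels, which is the property the quoted fix aims for. The floor must be set from the slowest legitimate path, otherwise padding to it leaks again.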
While the purpose of biometrics within passports may be to create a unique identifier, their inclusion may actually create more dire security issues. The technology remains fairly controversial, as privacy advocates and security experts alike suggest a lack of international coordination may lead to identity theft. Additionally, biometric data will become increasingly susceptible to corruption and alteration as it propagates into other databases incorporating the technology. In theory, it may become impossible to verify one’s own identity. Taken together, these security flaws present a solid argument against the use of personal characteristics as a security mechanism.