10-Biometrics-Lecture2-Day3-11-00-12-30


Basic Cryptography
Application to Machine Readable Travel Documents
Serge Vaudenay
ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE
http://lasecwww.epfl.ch/
SV 2007 crypto mrtd EPFL 1 / 88

Outline
1 Introduction to Cryptography
2 Conventional Cryptography
3 Asymmetric Cryptography
4 All Together Now: ICAO-MRTD


1 Introduction to Cryptography
- Defining Cryptography
- Cryptographic Primitives

Defining Cryptography

Example of Critical Application

Requirements
- strong bidirectional authentication
- confidentiality of communications
- integrity of communication
- the client part need not be strongly secure

Cryptography = Science of Information and Communication Security
Entered mass-product markets quite recently:
- secure communication: bank cards, wireless telephone, e-commerce, pay-TV
- access control: car lock systems, ski lifts
- payment: prepaid phone cards, e-cash
- logistic & supply chains: RFID, machine readable passports

A Science of Malice in Communication Technologies
- how to abuse an information security system?
- how to model malicious adversaries?
- how to reduce to well known puzzle problems?

Cryptographic Primitives

Cryptographic Primitives
- components: algorithms, protocols, ...
- functionality: possible use in honest environment
- security: impossible use in malicious environment

Basics on Communication Security
[Diagram: Send message -> (Adversary) -> Receive message]
- Authentication: only the legitimate sender can send
- Integrity: the received and sent messages must be the same
- Confidentiality: only the legitimate receiver can read

A Few Cryptographic Primitives
Conventional:
- hash function
- symmetric encryption
- message authentication code
Asymmetric:
- key agreement protocol
- public-key cryptosystem
- digital signature


2 Conventional Cryptography
- Symmetric Encryption
- Hash Function
- Message Authentication Code
- Secure Channel

Symmetric Encryption

Confidentiality
[Diagram: Message -> Encrypt -> (Adversary) -> Decrypt -> Message; a Generator delivers the Key to both ends over a CONFIDENTIAL channel]

Symmetric Encryption Primitive
- components: algorithms Encrypt, Decrypt, Generator
- functionality: Decrypt_K(Encrypt_K(x)) = x for any K and x
- security: tricky definition for confidentiality

DES Block Cipher
[Diagram: DES maps a 64-bit plaintext block to a 64-bit ciphertext block under a 56-bit secret key; DES^-1 maps the 64-bit ciphertext block back to the 64-bit plaintext block under the same 56-bit key]

Cost of Exhaustive Search
- classical conventional cryptography may require about 300 cycles on a P4 2GHz to check a guess (= 2^22.6 guesses per second)
- special-purpose hardware cracked a 56-bit key within a day
- distributed.net cracked a 64-bit key within 1757 days in 2002
- we need some way to enlarge the key

Two-Key Triple DES
X -> DES (key K1) -> DES^-1 (key K2) -> DES (key K1) -> Y
K = (K1, K2)

Hash Function

Integrity
[Diagram: the sender hashes the Message into a Digest sent over an INTEGER channel; the receiver hashes the received Message and compares: ok?]

Hash Function Primitive
- components: algorithm Hash
- functionality: implement a deterministic function
- security: too many requirements... hot topic at this time

Cryptographic Hashing
[Diagram: message -> MD5 -> 128-bit digest]
- "Message Digest" (MD) devised by Ronald Rivest
- "Secure Hash Algorithm" (SHA) standardized by NIST
- MD4 in 1990 (128-bit digest)
- MD5 in 1991 (128-bit digest), published as RFC 1321 in 1992
- SHA in 1993 (160-bit digest) (now obsolete)
- SHA-1 in 1995 (160-bit digest)
- SHA256, SHA384, SHA512 in 2002 (256-, 384-, and 512-bit digest)

Security Properties for Hash Functions
- One-wayness: given y it is hard to find even one x such that y = h(x). Use: witness for a password
- Collision resistance: it is hard to find x and x' such that h(x) = h(x') and x ≠ x'. Use: digital fingerprint of the bitstring
- Randomness: given h_1(x), ..., h_n(x) it is hard to predict h_{n+1}(x). Use: secret key generation

Recent Attacks on Hash Functions
- collision found on MD4 (Dobbertin 1996)
- preimage attack on MD4 (Dobbertin 1997)
- collision found on SHA0 (Joux+ 2004)
- collision found on MD5 (Wang+ 2004)
- theoretical attack on SHA1 (Wang+ 2005)
- ...research going on

Message Authentication Code

Authenticity
[Diagram: Message X -> MAC -> (X, c) -> (Adversary) -> Check -> Message X, ok?; a Generator delivers the Key to both ends over a CONFIDENTIAL, AUTHENTICATED, INTEGER channel]

MAC Primitive
- components: algorithms MAC, Check, Generator
- functionality: Check_K(MAC_K(x)) = (x, ok) for any K and x
- security: tricky definition for authentication

Hashing to Authentication: HMAC [RFC 2104]
[Diagram: HMAC construction, with labels message, key||0...0, ipad, opad, two applications of H, trunc, MAC]

Encryption to Authentication: ISO/IEC 9797
[Diagram: blocks x1, x2, x3, ..., xn are chained through C_K1; the last output goes through C_K2, then trunc, giving the MAC]

Secure Channel

Example of SSL/TLS
  Client -> Server: nonce_C
  Server -> Client: nonce_S
  (key establishment) both ends obtain the pre master secret
  (key derivation) on both ends
  Client -> Server: MAC_C (Server checks)
  Server -> Client: MAC_S (Client checks)
  (open secure channel)

Key Derivation in SSL/TLS
- inputs: pre master secret, nonce_C (32 bytes), nonce_S (32 bytes)
- PRF -> master secret (48 bytes)
- PRF -> C->S MAC key, S->C MAC key, C->S Enc key, S->C Enc key, C->S IV, S->C IV

Secure Channel in SSL/TLS (Using CBC Encryption)
[Diagram: the sender computes a MAC over seq num and fragment with the MAC key, then encrypts with Enc (Enc key, IV); after the Adversary, the receiver decrypts with Dec (Enc key, IV), recomputes the MAC over seq num and fragment with the MAC key and compares (=)]

Examples of Other Secure Channels
SSL/TLS SSH IPSEC 3GPP WPA GSM WEP Bad Examples Bluetooth

Remaining Problem: Key Setup
[Diagram: Message -> Enc/MAC -> (Adversary) -> Dec/Check -> Message, ok?; both ends need the same Key; the key Agreement between them is marked BIG ISSUE]


3 Asymmetric Cryptography
- Key Agreement Protocol
- Public-Key Encryption
- Digital Signatures
- Public-Key Infrastructure

Key Agreement Protocol

Secure Communications over Insecure Channels
[Diagram: Message -> Enc/MAC -> (Adversary) -> Dec/Check -> Message, ok?; the Key on each end comes from ProtoAlice and ProtoBob, which talk over an AUTHENTICATED, INTEGER channel]

Key Agreement Primitive
- components: two-party protocol
- functionality: interaction with no private input leads to identical output K on both ends
- security: a passive adversary should not get any information about K, computationally

The Diffie-Hellman Key Agreement Protocol
  Alice: pick x at random, X <- g^x
  Alice -> Bob: X
  Bob: pick y at random, Y <- g^y
  Bob -> Alice: Y
  Alice: K <- Y^x
  Bob: K <- X^y
  (K = g^(xy))
- communications must be authenticated and integer!

Missing Authentication: Man-in-the-Middle Attack
  Alice: pick x, X <- g^x
  Alice -> Eve: X
  Eve: pick x', X' <- g^x'
  Eve -> Bob: X'
  Bob: pick y, Y <- g^y, K2 <- (X')^y
  Bob -> Eve: Y
  Eve: pick y', Y' <- g^y', K1 <- X^y', K2 <- Y^x'
  Eve -> Alice: Y'
  Alice: K1 <- (Y')^x
  (K1 = g^(xy'), K2 = g^(x'y))

Semi-Authenticated Key Agreement Protocol
[Diagram: Message -> Enc/MAC -> (Adversary) -> Dec/Check -> Message, ok?; the Key on each end comes from ProtoAlice and ProtoBob; a Generator gives a Secret Key to one end and its Public Key reaches the other end over an AUTHENTICATED, INTEGER channel]

Public-Key Encryption

Public-Key Cryptosystem
[Diagram: Message -> Encrypt -> (Adversary) -> Decrypt -> Message; a Generator gives the Secret Key to the receiver and the Public Key reaches the sender over an AUTHENTICATED, INTEGER channel]

Cryptosystem Primitive
- components: algorithms Encrypt, Decrypt, Generator
- functionality: Decrypt_Ks(Encrypt_Kp(x)) = x for any (Kp, Ks) generated by Generator and any x
- security: several definitions for confidentiality

Security
- Semantic security: given a public key, for any two plaintexts, we cannot distinguish a valid encryption of either plaintext (applies to probabilistic encryption only)
- Message recovery: given a public key and the encryption of a random plaintext, it is hard to recover the plaintext (consequence of semantic security)

Digital Signatures

Digital Signature
[Diagram: Message -> Sign -> (Adversary) -> Verify -> Message, ok?; a Generator gives the Secret Key to the signer and the Public Key reaches the verifier over an AUTHENTICATED, INTEGER channel]

Signature Primitive
- components: algorithms Sign, Verify, Generator
- functionality: Verify_Kp(Sign_Ks(x)) = (x, ok) for any (Kp, Ks) generated by Generator and any x
- security: tricky definition for unforgeability

Security
- Unforgeability: given a public key, it is hard to forge a new valid message-signature pair
- Non-repudiation: given a public key, any valid message-signature pair must have been created by the secret key holder (often based on unforgeability)

Public-Key Infrastructure

Public-Key Infrastructure
[Diagram with labels: Authority, Client, Server, authenticated, certificate (signed Kp)]

An X.509 Certificate Example: Overall Structure
    Certificate:
      Data:
        Version: 3 (0x2)
        Serial Number: 674866 (0xa4c32)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server [email protected]
        Validity
          Not Before: Jun 2 13:10:11 2003 GMT
          Not After : Jun 11 10:21:15 2005 GMT
        ...
        X509v3 extensions:
          X509v3 Extended Key Usage: TLS Web Server Authentication
          X509v3 Basic Constraints: critical
            CA:FALSE
      Signature Algorithm: md5WithRSAEncryption

An X.509 Certificate Example: Subject
    Subject: C=CH, ST=Bern, L=Bern, O=Switch - Teleinformatikdienste fuer Lehre und Forschung, CN=nic.switch.ch
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
      RSA Public Key: (1024 bit)
        Modulus (1024 bit):
        Exponent: 65537 (0x10001)


4 All Together Now: ICAO-MRTD
- ICAO-MRTD Overview
- ICAO-MRTD Options
- Privacy Threats

ICAO-MRTD Overview

Objectives
- to enable inspecting authorities of receiving States to verify the authenticity and integrity of the data stored in the MRTD
- use contactless IC chip devices
- add digitally stored fingerprint and/or iris images in MRTD
- treat those data as privacy-sensitive
- have no centralized private key maintained by ICAO (International Civil Aviation Organization)

A 4-Party Problem
- human holder: does not want to do heavy computations
- MRTD (Machine Readable Travel Document): should not leak without the holder approval; should not contain any master secret
- issuing country: does not interact; gives no secret keys to other countries
- inspection system: trusts the issuing country; does not trust the MRTD nor the holder

Underlying Cryptography
- SHA1 and sisters
- DES, triple-DES, CBC encryption mode
- one of the ISO/IEC 9797-1 MAC (next slide)
- RSA signatures (ISO/IEC 9796, PKCS#1), DSA, ECDSA
- X.509

ISO/IEC 9797-1
(MAC algorithm 3 based on DES with padding method 2)
(concatenate message with bit 1 and enough 0 to reach a length multiple of the block size)
[Diagram: blocks x1, x2, x3, ..., xn are chained through DES_K1; the last output goes through DES^-1_K2, then DES_K1]

PKI
- each country has a certificate authority CSCA (Country Signing Certificate Authority)
- public key of CSCA, KPu_CSCA, is self-signed into C_CSCA
- C_CSCA is distributed to other countries and ICAO by diplomatic means
- each DS (Document Signer) has a public key KPu_DS, a secret key KPr_DS, and a certificate C_DS signed by CSCA
- revocation lists are frequently released

Traveling Document
MRTD (Machine Readable Travel Document) contains
- an optically readable MRZ
- a logical data structure LDS (list of files, e.g. MRZ + image + SOD)
- document security object SOD, containing the hash of LDS files and a signature by DS (may contain the certificate C_DS by CSCA)
- (for active authentication only) a public key KPu_AA and secret key KPr_AA (also signed in SOD)

MRZ Example
[Figure: sample MRZ with fields labelled document type, issuing country, holder name, doc. number + CRC, date of birth + CRC, gender, date of expiry + CRC, options + CRC]

ICAO-MRTD Options

Access Control Options
- none: anyone can query the ICC, communication in clear
- basic: uses secure channel with authenticated key establishment from MRZ
- extended: up to bilateral agreements (no standard)

Passive Authentication (No Access Control)
- inspection authority dumps LDS, extracts the C_DS, verifies it, checks the signature of SOD
- inspection authority loads LDS and checks its hash in SOD
- pro: requires no processing capabilities on the MRTD side
- con: no privacy protection

Basic Access Control
- inspection authority reads an MRZ info (document number + date of birth + date of expiry), takes the 16 first bytes of its SHA1 hash to derive symmetric keys
- inspection authority and ICC mutually authenticate and derive session keys
- inspection authority can now talk to ICC through a secure channel
- pro: privacy protection
- con: requires processing capabilities on the MRTD side

(Pre)key Derivation from MRZ (Basic Access Control)
- set D = SHA1(MRZ info)||00 00 00 01
- compute H = SHA1(D)
- first 16 bytes of H are set to the 2-key triple-DES KENC
- set D = SHA1(MRZ info)||00 00 00 02
- compute H = SHA1(D)
- first 16 bytes of H are set to the 2-key triple-DES KMAC
- adjust the parity bits of all the DES keys

Session Key Derivation (Basic Access Control)
- compute KENC and KMAC from MRZ info (previous slide)
- run a protocol to compute Kseed (next slide)
- set D = Kseed||00 00 00 01
- compute H = SHA1(D)
- first 16 bytes of H are set to the 2-key triple-DES KSENC
- set D = Kseed||00 00 00 02
- compute H = SHA1(D)
- first 16 bytes of H are set to the 2-key triple-DES KSMAC
- adjust the parity bits of all the DES keys

Authentication and Key Estab. (Basic Access Control)
  IFD: (derive KENC and KMAC from MRZ info)
  IFD -> ICC: GET CHALLENGE
  ICC: pick RND.ICC, K.ICC
  ICC -> IFD: RND.ICC
  IFD: pick RND.IFD, K.IFD
       S <- RND.IFD||RND.ICC||K.IFD
       E_IFD <- Enc_KENC(S)
       M_IFD <- MAC_KMAC(E_IFD)
  IFD -> ICC: E_IFD, M_IFD
  ICC: check, decrypt
       R <- RND.ICC||RND.IFD||K.ICC
       E_ICC <- Enc_KENC(R)
       M_ICC <- MAC_KMAC(E_ICC)
  ICC -> IFD: E_ICC, M_ICC
  IFD: check, decrypt
  (derive KSENC and KSMAC from Kseed = K.ICC xor K.IFD)

Secure Channel (Basic Access Control)
[Diagram: the sender encrypts the message with Enc under KSENC and computes a MAC under KSMAC; after the Adversary, the receiver recomputes the MAC under KSMAC, compares (=), and decrypts with Dec under KSENC]

Active Authentication
- proves that ICC knows some secret key KPr_AA by a challenge-response protocol
- pro: prevents chip substitution
- con: processing demanding

Active Authentication Protocol
  IFD: pick RND.IFD
  IFD -> ICC: RND.IFD
  ICC: F <- nonce||RND.IFD
  ICC -> IFD: Sign_KPrAA(F)
  IFD: check

Passive vs Active ICC
Passive Authentication:
- ICC is just a memory
- no privacy protection
- anyone can download the ICC content
Basic Access Control:
- ICC does some computation
- access to ICC requires MRZ info knowledge
- limited privacy protection

Standard vs Custom Protocol
Basic Access Control:
- standard protocol
- weak privacy protection
- simple computations
Extended Access Control:
- requires bilateral agreements

Basic Access Control vs Active Authentication
Basic Access Control:
- ICC can be cloned
- simple computations to perform
Active Authentication:
- protection against clones
- requires public-key cryptography in ICC

Faraday Cages
Regular Document:
- can access the ICC without the holder approval
- cheap
- easy access for IFD
Metallic Cover:
- document must be opened to access the ICC
- more expensive
- not fully effective

Extra Data
Only Basic Data:
- name + age + picture
- limited privacy threat
- least harmful solution
More Biometrics:
- finger print, iris image
- open the Pandora box
- threat on humankind

Privacy Threats

Detecting Passports
- when prompted by a reader, the ICC answers with a random number (temporary device identity) (ISO 14443)
- this number has a certain format: information leakage; can check if there is an MRTD in the neighborhood
- the protocol and radio signature (pattern) leaks; can detect if there is an MRTD issued by a given country

Unauthorized Wireless Access
Radius:
- easy at a distance less than 5cm
- claimed to be possible at a distance up to 10m
Threat:
- (if MRZ info is known): tracing people
- (if MRZ info is unknown): identifying people by bruteforce
- entropy of MRZ info between 35 and 56 bits
- one experiment reported (with low entropy): it took 4h

Passive Skimming
Radius:
- MRTD signal weaker than reader signal
- experiment done at a distance of 50cm (expensive equipment)
- claimed to be possible at a distance up to 10m
Threat:
- offline bruteforce: identifying people
Countermeasure:
- (known MRZ info attacks): Diffie-Hellman protocol
- (unknown MRZ info): EKE-like protocol

Identity Theft
- stealing MRTD
- cloning MRTD
  - (no active authentication): just copy the ICC
  - (active authentication): make an ICC with same content and without active authentication

Circulating Personal Data
- signed personal data: transferable proof of name, age, etc
- can no longer hide one's name, age, etc

Comments (Personal Opinion)
- privacy protection is rather small
- old technology: DES standard is no longer supported; SHA1 hash function is half broken
- home-made secure channel
- random key establishment based on low-entropy MRZ info
- cryptography could have been better
- missing on/off switch

Further Readings
- Ferguson, Schneier. Practical Cryptography. Wiley & Sons. 2003. Kind of "crypto for dummies"
- Vaudenay. A Classical Introduction to Cryptography: Applications for Communication Security. Springer. 2005. The lecture notes for my students
- ICAO-NTWG, PKI Task Force. Machine Readable Travel Documents -- PKI for Machine Readable Travel Documents offering ICC Read-Only Access v1.1. International Civil Aviation Organization. 2004. http://www.icao.int/mrtd

Q&A ...
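The two Diffie-Hellman slides (the honest exchange and the man-in-the-middle variant) carried through with numbers, as an added example that is not part of the original lecture. The modulus 2^127 - 1, the generator 3, the small exponents and the pre-shared MAC key are constructed toy values, and the HMAC tag is one assumed way of making X and Y "authenticated and integer".

```python
import hashlib
import hmac

# Toy group (constructed): far too small for real use.
P = 2**127 - 1
G = 3

def public(secret: int) -> int:
    return pow(G, secret, P)

def shared(peer_public: int, secret: int) -> int:
    return pow(peer_public, secret, P)

def tag(auth_key: bytes, value: int) -> bytes:
    """MAC over a public value so the receiver can tell it was not replaced."""
    return hmac.new(auth_key, value.to_bytes(16, "big"), hashlib.sha256).digest()

def exchange(x, y, eve=None, auth_key=None):
    """Alice holds x, Bob holds y.

    eve      -- optional (x2, y2): an active adversary replaces X by X' = g^x2
                on the way to Bob and Y by Y' = g^y2 on the way to Alice.
    auth_key -- optional pre-shared key (assumption) used to MAC X and Y.
    """
    X, Y = public(x), public(y)
    tag_x = tag(auth_key, X) if auth_key else None
    tag_y = tag(auth_key, Y) if auth_key else None

    x_at_bob, y_at_alice, eve_keys = X, Y, None
    if eve is not None:
        x2, y2 = eve
        x_at_bob, y_at_alice = public(x2), public(y2)    # X', Y'
        eve_keys = (shared(X, y2), shared(Y, x2))        # K1, K2
        # Eve can only forward tag_x / tag_y unchanged: she has no auth_key.

    if auth_key:
        ok = (hmac.compare_digest(tag(auth_key, x_at_bob), tag_x)
              and hmac.compare_digest(tag(auth_key, y_at_alice), tag_y))
        if not ok:
            return {"accepted": False, "alice": None, "bob": None, "eve": eve_keys}

    return {"accepted": True,
            "alice": shared(y_at_alice, x),   # Alice computes (Y or Y')^x
            "bob": shared(x_at_bob, y),       # Bob computes (X or X')^y
            "eve": eve_keys}

if __name__ == "__main__":
    print("honest   :", exchange(5, 13))
    print("mitm     :", exchange(5, 13, eve=(11, 7)))
    print("protected:", exchange(5, 13, eve=(11, 7), auth_key=b"constructed-demo-key"))
```

Without the tags both parties accept and end up sharing K1 and K2 with Eve rather than one key with each other; with the tags the substituted values are rejected before any key is used.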
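The Basic Access Control key derivation from the "(Pre)key Derivation from MRZ" and "Session Key Derivation" slides, as an added example that is not part of the original lecture. The document number, dates and K.IFD/K.ICC values are constructed; the seed is the first 16 bytes of SHA1(MRZ info), as stated on the Basic Access Control slide, and the "CRC" fields are computed with the MRZ check-digit rule (weights 7, 3, 1).

```python
import hashlib

def check_digit(field: str) -> int:
    """MRZ check digit: 0-9 keep their value, A-Z map to 10-35, '<' is 0."""
    total = 0
    for i, ch in enumerate(field):
        if "0" <= ch <= "9":
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character: {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def mrz_info(doc_number: str, birth: str, expiry: str) -> str:
    """document number + CRC, date of birth + CRC, date of expiry + CRC."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + str(check_digit(f)) for f in fields)

def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so that every DES key byte has odd parity."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 0x01
        out.append(b)
    return bytes(out)

def derive(seed: bytes, counter: int) -> bytes:
    """D = seed || counter (4 bytes); H = SHA1(D); key = first 16 bytes of H."""
    d = seed + counter.to_bytes(4, "big")
    return adjust_parity(hashlib.sha1(d).digest()[:16])

def bac_keys(info: str):
    """(KENC, KMAC) from the MRZ info."""
    seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return derive(seed, 1), derive(seed, 2)

def session_keys(k_ifd: bytes, k_icc: bytes):
    """(KSENC, KSMAC) from Kseed = K.ICC xor K.IFD."""
    kseed = bytes(a ^ b for a, b in zip(k_icc, k_ifd))
    return derive(kseed, 1), derive(kseed, 2)

if __name__ == "__main__":
    info = mrz_info("AB1234567", "800101", "300101")   # constructed sample
    k_enc, k_mac = bac_keys(info)
    print(info, k_enc.hex(), k_mac.hex())
```

Everything the keys depend on is printed on the data page, which is why the slides describe the resulting key establishment as based on low-entropy MRZ info.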

This note was uploaded on 06/25/2009 for the course MATH MAT 400 taught by Professor Jamespotvein during the Fall '08 term at University of Toronto.
