
Matthew Sirotich

- What is RFID, where is it being used and why?
- Security implications of RFID
- Why is it being used to secure passports?
- The methodology used to assess epassports and create its successor
- epassport security breaches
- The proposed epassport
- The Irony of it all
- Concluding statements

A Radio Frequency Identification Tag (RFID) is a tiny, inexpensive chip that transmits a uniquely identifying number over a short distance to a reading device, and thereby permits rapid, automated tracking of objects (Juels, 2005 p. 1).

RFID has multiple applications across multiple sectors:
- Defence: logistics, inventory control, asset management and tracking of vehicles (Administration, 2005). RFID is also being assessed for human-centric applications (Christensen, 2006).
- Business: RFID has been described as the predecessor of the optical barcode (Juels, 2006 p. 381) and hence has vast implementations in the Business to Business and Business to Consumer industry: logistics, inventory control etc.
- Consumer sector: innovations providing efficiency, such as the RFID library. More radically, some have implanted themselves to automate daily authentication regimes such as logging into their computer (Graafstra, 2007).

It is being used in all these sectors because the technology facilitates non-line-of-sight identification.

Researchers such as Juels (2005), Lamb (2006), Thornton (2006), Molnar (2005) and Karjoth (2005) are already describing the inherent weaknesses of RFID technology.

The major threats posed by RFID systems are (Juels, 2005):
- Tracking: the act of following a tag's movements based upon its UID response to interrogations.
- Inventorying: allowing a user to identify object(s) being carried by another person.

The rationale behind RFID in passports, as documented by the Australian Government's Department of Foreign Affairs, is:
- To provide protection against tampering and misuses
- Reduce identity fraud
- Enhance border protection
- Provide a fast and efficient passport verification system

| | New Passport | Old Passport |
|---|---|---|
| Misuses | Provides added security to stamp out misuses | Occurs frequently |
| Identity Fraud | Reduces the occurrence | Occurs frequently |
| Border Protection | Provides more cumbersome protection due to enhanced passport | Provides protection, but has been known to let the wrong people in |
| Speedy verification | A lot faster (even self service) | Slow process in comparison |

The methodology was to use quantitative experimentation to prove the insecurities of current epassport technology. Qualitative representations of this data were then used to perform a security audit of current epassport technology. The findings, along with the qualitative data, were used to influence the construction of the proof of concept. The proposed solution was finally compared to the current epassport to determine which best provided privacy and security to its users.

Firstly, it is important to assess the underlying technology.

| Experiment | Measurement |
|---|---|
| Injection attack | Breach |
| Blocking a reader | Breach |
| Skimming a tag | Breach |
| Killing a tag | Breach |
| Flooding a reader | Resisted Breach |
| Copy and mimic a tag | Breach |

It is now possible to apply this information to the epassport to define security breaches and to assess the impact of these breaches.

| Security Breach | Does it impede on the privacy and security meant to be provided by the epassport? |
|---|---|
| Skimming | A user could be followed and profiled; a smart bomb could be created if commonalities in data were found. |
| Injection attack | A database could be destroyed, hence rendering the epassport system useless. |
| Faraday cage failing | The failing Faraday cage in the current epassport allows for rogue reading in stealth. |
| Killing a tag | A tag can be killed and hence reduce an epassport back into a paper-based passport. Hence no added security. |
| Copying a tag and mimicking | An epassport could be copied and the encryption taken home to be used in an offline attack to decrypt the data. |

Participants: User, Tag, Machine, Database, Border security

1. User presents passport open at machine readable section to machine
2. Machine requests fingerprint from user
3. Sends search query consisting of the retrieved ID information
4. Responds with user's fingerprint and pointer to their information
5. User supplies fingerprint to fingerprint reader
6. Matches fingerprint with fingerprint on file. If match, sends pointer to database
7. Database replies with user information and tag password
8. Sends retrieved password to tag
9. Replies with hashed user information
10. Sends authentication decision
11. Border security may opt to speak with the user (owner of the passport) or simply rely upon the machine's decision.
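The exchange above, simulated end to end as an added example (not code from the presentation). SHA-256 as the message digest, exact byte comparison in place of a real fingerprint matcher, and all class, function and sample names are assumptions made for the illustration.

```python
import hashlib
import hmac

def digest(info: bytes) -> str:
    """Message digest of the holder's data (SHA-256 is an assumption)."""
    return hashlib.sha256(info).hexdigest()

class Tag:
    """Password-protected tag that stores only the digest, never the data."""
    def __init__(self, password: bytes, info: bytes):
        self._password, self._digest = password, digest(info)

    def respond(self, password: bytes):
        # Steps 8-9: stay silent unless the machine sends the right password.
        if hmac.compare_digest(password, self._password):
            return self._digest
        return None

class Database:
    def __init__(self):
        self.index = {}    # passport ID -> (fileprint, pointer)
        self.records = {}  # pointer -> (user information, tag password)

    def enrol(self, passport_id, fileprint, info, tag_password):
        pointer = len(self.records)
        self.index[passport_id] = (fileprint, pointer)
        self.records[pointer] = (info, tag_password)

def border_check(passport_id, searchprint, tag, db):
    """Machine side of steps 1-10; returns the authentication decision."""
    entry = db.index.get(passport_id)               # steps 3-4
    if entry is None:
        return "reject: unknown document"
    fileprint, pointer = entry
    # Steps 5-6. Exact byte comparison stands in for a real (fuzzy) matcher.
    if not hmac.compare_digest(searchprint, fileprint):
        return "reject: fingerprint mismatch"
    info, tag_password = db.records[pointer]        # step 7
    reply = tag.respond(tag_password)               # steps 8-9
    if reply is None:
        return "reject: tag silent"
    if not hmac.compare_digest(reply, digest(info)):
        return "reject: digest mismatch"
    return "accept"                                 # step 10

# Constructed sample data, not taken from the presentation.
db = Database()
db.enrol("X1234567", b"fileprint-alice", b"ALICE EXAMPLE|1980-01-01", b"tag-pw-1")
genuine = Tag(b"tag-pw-1", b"ALICE EXAMPLE|1980-01-01")
```

Each rejection string corresponds to one of the checks in the step list, so a failed verification shows which stage stopped it.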

Questioning the epassport's key
- 3DES military standard encryption
- ICAO decided that the key was to comprise a concatenation of the passport number, holder's date of birth, and passport expiry date (in that particular order).
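To put a number on this, the following added example (not from the presentation) builds the key material as ICAO Doc 9303 Basic Access Control does and bounds its entropy. The check digits and the SHA-1 seed step come from that specification rather than from the slide. The population bounds and specimen values are assumptions.

```python
import hashlib
import math

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7, 3, 1; A-Z count as 10-35, '<' as 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Passport number, date of birth, expiry (YYMMDD), each with check digit."""
    doc_number = doc_number.ljust(9, "<")
    return "".join(f + check_digit(f) for f in (doc_number, birth, expiry))

def k_seed(doc_number: str, birth: str, expiry: str) -> bytes:
    """Key seed: first 16 bytes of SHA-1 over the MRZ information."""
    info = mrz_information(doc_number, birth, expiry)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]

def effective_bits(doc_numbers: int, birth_days: int, expiry_days: int) -> float:
    """Upper bound on key entropy when each field is uniform over its range."""
    return math.log2(doc_numbers * birth_days * expiry_days)

NOMINAL_3DES_BITS = 112  # two-key 3DES

# Specimen values, not a real document.
SPECIMEN = mrz_information("L898902C", "690806", "940623")

# Assumed population: 9-digit numeric numbers, holders up to 100 years old,
# 10-year validity. These bounds are illustrative, not from the presentation.
ESTIMATE = effective_bits(10**9, 365 * 100, 365 * 10)
```

Every input to the seed is printed on the data page, so the effective strength is bounded by `ESTIMATE` rather than by `NOMINAL_3DES_BITS`. Sequential numbering or a known date of birth lowers the bound further.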

The proposed implementation uses message digests that can never give away the original text. Then isn't it possible to copy someone's message digest and use it as your own? Yes, but the person copying would:
1. Have to know the unique password for the epassport he/she was trying to copy; and
2. Have to have the same fingerprint as the legitimate user; and
3. Have to look exactly like the legitimate user.

Security provided by the system:
- Layer 1: Unique user query in the database
- Layer 2: Biometric test, a searchprint is taken and compared to the fileprint
- Layer 3: Tag verifies itself by responding to the correct password that is sent randomly
- Layer 4: Data preservation via message digest

Privacy preservation layers:
- Layer 1: Password protected tag prevents rogue reads
- Layer 2: Data is message digested and hence can never be used to gain information

Integrity provided:
- Multi-stage authentication verification process, compares stored data to retrieved data

Availability provided:
- Only a bona-fide user can access the tag due to the password protection.
- Policy prevents use of damaged RFID tag

Databases

Comparison of current epassport to proposed epassport

| Possible security breach | Current epassport | Proposed epassport |
|---|---|---|
| Tracking | Breach | Resisted Breach |
| Killing | Breach | Resisted Breach |
| Injection attack | Breach | Breach |
| Blocking security device | Breach | Resisted Breach |
| Wave injection attack | Breach | Breach |
| Steal information | Breach | Resisted Breach |
| Flooding | Resisted Breach | Resisted Breach |
| TOTAL | Breach=6, Resisted Breach=1 | Breach=2, Resisted Breach=5 |

Seminal documents must be revised.

- epassports are currently insecure and reduce the privacy and security of the user.
- The proposed epassport addresses the security breaches found and should be implemented.
- The reliance each seminal identification document has on the others, and the chronological progression of their gathering, needs review.

Juels, A. 2005. RFID Privacy: A technical primer for the non-technical reader. MA: RSA Laboratories, 2005.
Christensen, B. 2006b. VeriMed Implanted RFID Dogtags Studied By Military, VeriChip. Technovelgy. [Online] 2006b. [Cited: 4 12, 2007.] http://www.technovelgy.com/ct/science-fiction-news.asp?newsnum=722.
Administration, Federal Highway. 2005. Technologies Supporting Military Deployments. FHWA office of operations. [Online] 2005. [Cited: 4 12, 2007.] http://ops.fhwa.dot.gov/opssecurity/dev-mx/chapter_5.htm.
Graafstra, A. 2007. Hands on: How Radio-Frequency Identification and I got personal. IEEE Spectrum. 2007, pp. 15-19.
Lamb, G. M. 2006. New 'e-passports' raise security issues; Despite official assurances, some worry that thieves might read chip-toting US passports. Boston: s.n., 2006, p. 13.
Thornton, F., Haines, B., Das, A. M., Bhargava, H., Campbell, A., Kleinschmidt, J. 2006. RFID Security. Rockland: Syngress Publishing Inc, 2006.
Molnar, D., Soppera, A., Wagner, D. 2005. Privacy for RFID through Trusted computing. Workshop on Privacy in the Electronic Society. November 7, 2005.
Karjoth, G., Moskowitz, P. A. 2005. Disabling RFID Tags with Visible Confirmation: Clipped tags are silenced. Workshop on Privacy in the Electronic Society. November 7, 2005.