Information about http://cups.cs.cmu.edu/soups/2006/proceedings/p114_karger.pdf

Privacy and Security Threat Analysis of the Federal …

Tags: accreditation, cryptographic algorithms, graphic techniques, hspd, information processing, initial deployment, internet key exchange, karger, national institute of standards, nist, personal identity, privacy threat, scenarios, security privacy, security threat, thomas j watson, threat analysis, usability problems, watson research center, yorktown heights ny,
Pages: 8
Language: english
Created: Fri May 26 07:24:41 2006
Privacy and Security Threat Analysis of the Federal Employee Personal Identity Verification (PIV) Program

Paul A. Karger
IBM Research Division, Thomas J. Watson Research Center
PO Box 704, Yorktown Heights, NY 10598, USA
karger@watson.ibm.com

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee.
Symposium On Usable Privacy and Security (SOUPS) 2006, July 12-14, 2006, Pittsburgh, PA, USA.
Copyright 2006 IBM Corporation.

ABSTRACT

This paper is a security and privacy threat analysis of the new Federal Information Processing Standard for Personal Identity Verification (FIPS PUB 201). It identifies some problems with the standard, and it proposes solutions to those problems, using standardized cryptographic techniques that are based on the Internet Key Exchange (IKE) protocol [16]. When the standard is viewed in the abstract, it seems to effectively provide security and privacy, because it uses strong cryptographic algorithms. However, when you examine the standard in the context of potential user scenarios regarding its use, security, privacy, and usability problems can be identified. User scenarios are employed to provide the context for the identification of these problems, and technical solutions are described to address the issues raised.

Categories and Subject Descriptors

C.3 [Computer Systems Organization]: Special-Purpose and Application-Based Systems--smart cards; K.6.5 [Computing Milieux]: Management of Computing and Information Systems--Security and Protection, authentication

General Terms

security

Keywords

personal identification, privacy, smart cards

1. INTRODUCTION

In August 2004, President Bush issued Homeland Security Presidential Directive 12 (HSPD 12) [5] calling for a government-wide standard for "secure and reliable forms of identification" for both federal employees and contractors. By "secure and reliable", the directive means identification that "(a) is issued based on sound criteria for verifying an individual employee's identity; (b) is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation; (c) can be rapidly authenticated electronically; and (d) is issued only by providers whose reliability has been established by an official accreditation process."

In response to this HSPD, the National Institute of Standards and Technology (NIST) developed Federal Information Processing Standard Publication (FIPS PUB) 201 [33] on Personal Identity Verification (PIV), as well as a series of accompanying publications including [12, 3] to assist in the implementation. HSPD 12 imposed very short schedules for the development of FIPS PUB 201 and for the initial deployment of identification cards that met the standard.

This paper is a security and privacy threat analysis of FIPS PUB 201. It identifies some problems with the standard, and it proposes solutions to those problems, using standardized cryptographic techniques that are based on the Internet Key Exchange (IKE) protocol [16].

The organization of the paper is as follows: First, the paper presents an overview of FIPS PUB 201. Then it discusses the increased vulnerability of contactless smart cards, when compared to contact smart cards. Next, several potential vulnerabilities in FIPS PUB 201 of varying severities are shown. FIPS PUB 201 cards are then contrasted with electronic passports. The paper then presents a new cryptographic protocol that can solve the privacy and security problems of both FIPS PUB 201 and electronic passports. The paper concludes with a discussion of why these kinds of vulnerabilities can easily occur and makes recommendations on how NIST could proceed.

2. OVERVIEW OF FIPS PUB 201

FIPS PUB 201 actually defines two kinds of Personal Identity Verification (PIV) cards: PIV-I and PIV-II. PIV-I cards meet the control and security requirements of HSPD 12, while PIV-II cards meet the additional requirements for interoperability between federal agencies. The purpose of the distinction between PIV-I and PIV-II cards is to permit quicker agency compliance with HSPD 12. This paper will focus only on the PIV-II cards, which are to be implemented using smart card chips. For the remainder of this paper, we assume that the term "PIV card" refers to a PIV-II card.

Printed on each PIV card will be the name and a photograph of the card holder, the card holder's organization, a serial number, an expiration date, and a variety of other agency-specific information. The card will contain both contact smart card and contactless smart card interfaces, implemented either with a single dual-interface smart card chip or with two smart card chips. Both contact and contactless interfaces are provided, because each provides advantages that can be exploited by federal agencies in their deployment of PIV cards. Contact interfaces provide higher levels of security, because they avoid the use of radio communications. However, contact interfaces are less convenient to use, and the electrical contacts on the card can wear out with frequent use. Contactless interfaces are much easier and quicker to use, as the card holder needs only to wave the card near the reader to have the information read. However, contactless interfaces have additional security risks, discussed below in section 3.

At a minimum, each smart card chip shall store a personal identification number (PIN) known by the card holder, a Card Holder Unique Identifier (CHUID), PIV authentication data consisting of an asymmetric key pair and corresponding certificate, and two biometric fingerprints. Each agency can store additional optional information in the smart card chip, including cryptographic keys for digital signatures, key management, additional physical access control applications, card management, etc.

3. CONTACTLESS IMPLICATIONS

This section will examine a few user scenarios to highlight the security and privacy differences between contactless and contact smart cards.

FIPS PUB 201 [33] specifies that the PIV card shall have both contact and contactless smart card interfaces. The contactless interfaces are specified by ISO 14443-4 [18]. Contactless smart cards communicate over radio and are powered by transmissions from the reader itself. In many ways, contactless smart cards are similar to radio frequency identification (RFID) tokens, although there are detailed technical differences explained in [36]. Because of the use of radio, contactless smart cards, like RFID tokens, face more serious security and privacy threats than do contact smart cards that must be inserted into a reader before they can be accessed.

In a typical user scenario for a contact interface, the card holder will approach a contact smart card reader and insert his or her card into a slot in the reader. For PIV cards, this reader is likely to be at the entrance to a federal agency. A PIV card holder is quite unlikely to insert his or her card into an unauthorized reader. There have been attacks in which criminals created bogus Automatic Teller Machines (ATMs) into which unsuspecting customers inserted their cards, but who would insert a PIV card into an ATM? If PIV cards became multi-application in the future, however, this threat of bogus readers could become more real.

By contrast, the user scenario for an attack on a contactless interface can occur anywhere. The card holder could be at home or walking down the street or actually using the contactless card at a legitimate contactless reader at work. A contactless smart card could be powered and accessed while the card is stored in the pocket of the card holder. While reliable access to contactless smart cards is only guaranteed over a small number of centimeters, an attacker will be satisfied with a much lower level of reliability and can therefore achieve access at considerably greater distances.

This problem of eavesdropping at a distance has been most studied in the context of a passport scenario. Yoshida [43] and the Smart Card Alliance [37] both report successful eavesdropping on contactless smart cards at a distance of 9 meters. Kfir and Wool [26] report successful attacks at 50 meters. It is believed that eavesdropping is easier when the card is actually in use communicating with a legitimate reader, as when a passport holder presents the contactless passport to an immigration officer at the airport. In this case, the attacker is not required to provide power to the contactless smart card, only to listen to the signals. However, if the attacker is willing to transmit at illegally high power levels, then attacks on cards that are not in use are possible at a distance. Since the attack consists only of some radio waves, the card holder is extremely unlikely to realize that eavesdropping has occurred.

As a result of the possibility of this kind of eavesdropping, it is of major importance that contactless smart card communications be fully encrypted. However, FIPS PUB 201 only requires that the PIV card store one asymmetric key pair, and specifies in section 4.3 that "cryptographic operations with this key are performed only through the contact interface." While FIPS PUB 201 permits an agency to store additional keys on the card and to encrypt the contactless communications with such keys, the use of encryption on the contactless interface is not required. FIPS PUB 201 contains no rationale for not requiring encryption, and since the contactless interface is more in need of encryption than the contact interface, the lack of requirements in this section is quite curious.

4. CARD HOLDER UNIQUE IDENTIFIER (CHUID)

The Card Holder Unique Identifier is specified in [39] and further refined in [12]. The CHUID includes the Federal Agency Smart Credential Number (FASC-N), which is based on a much older specification from the DoD Security Enterprise Integration Working Group (SEIWG-12) [35]. The original SEIWG-12 specification used the card holder's social security account number (SSAN), which could have contributed to identity theft. The use of the SSAN is strongly discouraged in [39, section 6.1] specifically to avoid this threat of identity theft.

In addition to the FASC-N, the CHUID contains a number of other fields of information about the card holder, the most relevant of which is the agency code that indicates for which federal agency the card holder works.¹

Section 4.1.6 of FIPS PUB 201 [33] states that "a read of a PIV CHUID is not considered a privileged operation." The result of this assumption was a design decision that it was safe to transmit the CHUID in unencrypted form from the PIV card to the reader, prior to authentication. As we shall see in the next subsections, this assumption is invalid. The CHUID does contain sensitive information that can lead to serious problems over the contactless interface.

4.1 CHUID Problems in Nov. 2004 Version

In the draft of FIPS PUB 201 that was released for public comment [32] in November 2004, the CHUID also included a field called "Position Sensitivity". In table 5-2 of the November 2004 draft, Position Sensitivity was correlated with the level of background investigation carried out on the card holder. This raised a serious potential problem, as the level of background investigation is directly correlated with the level of security clearance that the employee held. This means that an eavesdropper could determine the level of security clearance held by a federal employee from a distance. That could put highly cleared federal employees at serious risk, particularly in overseas assignments.

Karger [23] and Bailey [2] pointed out these problems to NIST in January 2005² and recommended that the CHUID only be transmitted in encrypted form.³

¹ Government contractors get different codes to specify employers (as opposed to Federal agencies), and these codes are not guaranteed to be unique.
² Karger and Bailey's presentations were independently prepared and accepted for a public meeting held in January 2005 on Privacy and Policy issues in FIPS PUB 201. However, concerns over the sensitive nature of the vulnerabilities disclosed led to Karger's work being presented only in private meetings with the government.
³ Bailey also suggested the use of a Faraday cage to protect the card when not in use, or the use of a button on the card to enable the contactless interface only when the card holder specified. These are good suggestions and should be considered. However, these protections would not protect against eavesdropping on the CHUID when the card was in use at a legitimate contactless reader.
4.2 CHUID Problems in Feb. 2005 Version

As a result of the comments from Karger and Bailey, NIST modified the CHUID to eliminate the position sensitivity field. NIST also added a special-risk security provision on page v of FIPS PUB 201. This provision allows the head of a department or independent agency to identify a limited number of individuals whose overseas assignments expose them to particularly severe threats. Such individuals could be issued special credentials without wireless or biometric capabilities. However, the number of such credentials must be minimized, and they are only permitted outside the Continental US (CONUS).

While the changes that NIST made to respond to Karger and Bailey are good, as far as they go, they do not stop all the serious threats to the card holders.

The CHUID also includes the agency code in the FASC-N and the optional organization code in the CHUID.⁴ These agency codes are fully specified and publicly available in [3], and they provide a very detailed breakdown of specific organizations. Agencies are not large scale organizations like the Department of Commerce or the Air Force. Rather, the agency/organization codes are very fine grained and can identify organizations like the Animal and Plant Health Inspection Service (code 12K3) or the Air Force Command and Control (C2) & Intelligence, Surveillance and Reconnaissance (code 571A). Clearly an eavesdropper might be much more interested in an employee of the latter agency than of the former. Even without the position sensitivity field, an attacker can assume that an employee of agency 571A will likely have a much higher security clearance than an employee of agency 12K3. Such information would be of value to an attacker either overseas or within CONUS.

The solution to the problem was not to eliminate the position sensitivity field or to establish a special risk security provision for a selected set of employees who serve overseas. The proper solution is to protect the contents of the CHUID from eavesdropping using encryption, as shown in section 8.

Note that protecting the CHUID contents will not eliminate all possible threats. Consider the user scenario in which a terrorist wishes to exploit the ID card. For example, in the 1985 hijacking of TWA Flight 847 [7], the terrorists found the ID card of US Navy diver Robert Stethem and brutally murdered him. No amount of encryption will protect against an attack of that kind, in which the terrorist can see what is printed on the ID card.

However, if you consider a user scenario in which the terrorist does not have physical possession of the ID card, then CHUID protection can be effective. Terrorists like the Washington DC snipers [17] might wish to attack federal employees or employees of a particular agency. In that scenario, eavesdropping on the CHUID might be very useful to help the snipers select a target. Similarly, if an espionage recruiter is attempting to find a likely target, again eavesdropping on the CHUID in a Washington, DC restaurant or bar might prove very effective.

⁴ The distinctions between the agency code and the organization code are due to the FASC-N being specified in BCD for backwards compatibility reasons. NIST hopes to eventually phase these out and replace them with a global unique ID, based on an IPv6 address for the agency. Use of a global unique ID would not change any of the security or privacy issues in this paper.

5. PIN PROBLEMS

The CHUID is not the only data item normally transmitted in unencrypted form. The authentication data that is to be compared against the user's PIN is also always transmitted in the clear, as specified in the VERIFY APDU in section 2.3.3.2.1 of [12]. This problem is mitigated by a requirement in section 7 that says, "Cryptographic protocols using asymmetric keys that require PIN shall not be used on the contactless interface." However, this requirement does NOT state that the PIN shall not be used on the contactless interface without the use of asymmetric keys. That option is left to the agencies, and could easily lead to the exposure of the PIN in unencrypted form over the contactless interface. FIPS PUB 201 needs a clear and unequivocal requirement that the PIN (or a value to be compared with the PIN) never be transmitted across the contactless interface in unencrypted form.

6. FAKE FINGERS

FIPS PUB 201 [33] provides for unattended biometric authentication in section 6.2.3.1, with further detailed user scenarios in [12, Appendix C]. An unattended biometric reader might be used to control access to a building, while saving the costs of having a security guard present at all times.

However, these scenarios do not consider the possibility of an attacker who has stolen a PIV card and obtained the PIN, perhaps because the legitimate card holder wrote it down. The unstated assumption is that in such a case, the biometric fingerprint check would defeat the attacker. However, several papers [31, 30, 40] have demonstrated the effectiveness of fake "gummy" fingers against most commercial fingerprint readers, even those with "liveness" checks. In an attended biometric check, the guard can be trained to watch for fake fingers and ensure that a real finger is used. However, in an unattended scenario, the use of fake fingers becomes easy. Worse still, as biometric fingerprint checks become more common, a weakness in one biometric credential could affect the security of other credentials. Kc and Karger [25, section 3.2.2] discuss how stealing a digitized fingerprint off a passport could be significantly easier than lifting a fingerprint off of something like a drinking glass, because there would be no difficulties with smearing. Kc and Karger show how a fake fingerprint could be used to attack the unattended Malaysian border crossing system [22].

7. COMPARISON WITH ICAO MRTDS

It is interesting to compare the security and privacy of PIV cards with the comparable features for the new electronic passports that are beginning to be deployed in compliance with specifications [27, 10] set by the International Civil Aviation Organization (ICAO) for Machine Readable Travel Documents (MRTDs). The security and privacy features of ICAO MRTDs have come under some legitimate criticism [21, 26, 25, 43].

Both ICAO MRTDs and PIV cards use a contactless interface, but the ICAO MRTDs only use contactless - they have no contact interface. In general, the cryptographic protocols used on PIV cards are stronger than the ICAO protocols. The ICAO Basic Access Control keys have been shown to have insufficient entropy by Witteman [42], who was able to brute force the cryptographic keys of a Dutch passport in about two hours on a standard PC. By contrast, the strength of cryptographic keys required [34] for use in PIV cards is quite adequate, and NIST recommends increasing the minimum key sizes over time.

Both ICAO MRTDs and PIV cards suffer from some information not being encrypted over the contactless interface. In the case of ICAO MRTDs, the use of encryption at all is completely optional, and an electronic passport that transmits all of its data, including biometrics, to any eavesdropper is compliant with the standards. Fortunately, many countries, including the US, have committed [44] to the use of encryption to prevent this kind of casual eavesdropping. PIV cards do a much better job of protecting the biometrics by always requiring the use of strong cryptography when transmitting biometric information. However, FIPS PUB 201 [33] requires that the CHUID be transmitted in the clear, and this leads to the problems discussed above in section 4.

Thus, the ICAO MRTDs and the PIV cards both suffer from cryptographic problems and need some significant improvements, but on balance, the PIV cards have fewer vulnerabilities.

Consider a user scenario of a terrorist wishing to gain access to a facility protected only with an unattended biometric reader. The terrorist kidnaps an employee who works in the building. The employee is carrying both a PIV card and an electronic passport. The terrorist extracts the digitized fingerprint biometric from the passport, and uses it to make a fake finger. Since the fingerprint is already digitized, it is likely to produce a higher quality fake finger than using the real finger. After all, the digitized version is already known to work in fingerprint readers. Under torture, the employee is forced to reveal the PIN. The terrorist now has possession of the PIV card, knows the PIN, and can use the fake finger to pass the biometric checks to gain access to the facility.

8. SOLVING THE CHUID EXPOSURE

The right way to solve the CHUID exposure is to fully encrypt all traffic between the PIV card and its readers, regardless of whether such traffic goes over the contact or the contactless interface. However, fully encrypted traffic could lead to privacy exposures for the card holder, depending on how the cryptographic keys are negotiated between the card and the reader.

The German DIN standards [8, 9] for digital signature cards⁵ attempt to protect such traffic between smart cards and reader, but they have the disadvantage that the card must reveal its identity and certificate in the clear before it has verified the credentials of the reader. This could be viewed as a violation of the privacy of the card holder - the identity and certificate of the card are revealed, not just to the reader, but also to anyone eavesdropping on the communications between the reader and the card.

To avoid these privacy problems, IBM developed the Caernarvon authentication protocol [38], which preserves the card holder's privacy by revealing nothing until the reader has been authenticated. Very briefly, the Caernarvon protocol generates a Diffie-Hellman⁶ session key first, to protect all subsequent communications from external eavesdroppers. Then it requires the reader to authenticate itself to the chip, and only after the chip has determined that the reader is authorized does the chip reveal any information at all about the card holder.

The Caernarvon authentication protocol [38] was specifically designed to protect the privacy of a smart card holder and is based on the SIGMA family [28] of protocols that form the basis of the Internet Key Exchange Protocol (IKE) [16]. Not only are the SIGMA protocols a widely used standard, they have also been formally proven correct [6]. IBM has chosen not to assert any IP claims on the protocol, to ensure that it can be freely used in standards. As a result, the Caernarvon protocol is being adopted [1] for use by

go on to ISO standardization after the CEN process has completed. A summary of the Caernarvon authentication protocol can be found in the Appendix, although for a full analysis of the protocol, the reader is directed to the published paper [38].

IBM has also recommended the Caernarvon authentication protocol as a solution [25] to the privacy and security problems in the ICAO MRTD specifications.

9. CONCLUSIONS

We have seen that under some user scenarios, particularly those using contactless interfaces, the FIPS PUB 201 PIV cards have privacy and security vulnerabilities. While many of these problems could be avoided by eliminating the contactless interfaces, that would also severely limit how the different federal agencies could use the PIV cards. These issues are serious, because they impinge on the requirements specified in HSPD 12 [5] that the PIV cards be "strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation."

We have shown how the Caernarvon authentication protocol [38] can solve most of the vulnerabilities, without giving up flexibility in the use of PIV cards.

9.1 Wireless Protocols are Hard to Secure

It is not the intent of this paper to be overly harsh on the process followed by NIST to develop the standards. Getting wireless security protocols to be secure is a very hard task, and NIST was given a very short time in which to complete FIPS PUB 201. From the track record of other major wireless security protocol developments, it is not surprising that some problems remain. Among the protocols that have had similar problems are 802.11 [13], Cellular Digital Packet Data (CDPD) [15], cell phones [29], Intelligent Transport Systems (ITS) [24], and many others. These problems arise because the designers of a wireless protocol frequently focus on the issues of getting the protocol to work and may not have to address many of the subtle security and privacy implications. Such projects need to do comprehensive vulnerability analyses to ensure not only the security of the protocols themselves, but also that side effects of the protocols do not create problems for other systems. The problem here was not the choice of cryptographic algorithms or protocols, but rather that certain critical information was left unencrypted.

9.2 Usability

Analysis of a security or privacy system for usability normally focuses on the end users. FIPS PUB 201 ID cards are very easy to use. You just wave them near the contactless reader. This is excellent usability for the card holder. However, there are serious issues for the federal agencies who wish to deploy these cards.

FIPS PUB 201 specifies only a minimal set of mandatory cryptographic functions, and in the process, leaves some critical information exposed and unencrypted. However, it also provides a wide variety of cryptographic options so that the federal agencies can
CEN, the European Committee for Standardization and will likely            devise their own cryptographic extensions. We have also seen that
                                                                           designing secure wireless cryptographic protocols is hard. Without
5                                                                          careful examination of many different user scenarios, it is very easy
  The German digital signature card standards are based on ISO
11770-3 [20, section 6.7, Key Agreement Mechanism 7].                      to leave subtle but potentially fatal vulnerabilities.
6
  Diffie-Hellman was the first public-key algorithm openly pub-               This paper has proposed the mandatory use the Caernarvon au-
lished in 1976 [11]. The Diffie-Hellman algorithm was first devel-         thentication protocol as a way to use a formally proven protocol
oped by M. J. Williamson at the Communications-Electronics Se-             to address many if not all of the possible user scenarios. Perhaps
curity Group (CESG) in the UK and published internally somewhat
later in [41], but that work remained classified until much later [14].    the real problem is that FIPS PUB 201 provides too much crypto-
It gets its security from the difficulty of calculating discrete loga-     graphic flexibility. Choosing a single authentication protocol that
rithms in a finite field, as compared with the ease of performing          has been proven correct makes it easier to ensure that not just the
exponentiation calculations in the same field.                             usage scenarios specified in FIPS PUB 201 are secure, but also that
agency-specific usage scenarios that are not yet specified will also          DIN V66291-4, Secretariat: DIN Deutsches Institut f¨ r   u
be secure, without requiring such a high cryptographic skill level            Normung e.V, Berlin, 17 October 2000.
on the part of agency developers.                                      [10]   Development of a logical data structure (LDS) for optional
  It would be useful and interesting to conduct further research to           capacity expansion technologies. LDS 1.7­2004­05-18,
see if, by reducing the cryptographic options to just the Caernar-            Revision 1.7, International Civil Aviation Organization,
von authentication protocol, that there are any remaining agency-             Montreal, Quebec, Canada, 18 May 2004. URL:
specific usage scenarios that the Caernarvon authentication proto-            http://www.icao.int/mrtd/download/technical.cfm.
col cannot handle.                                                     [11]   W. Diffie and M. E. Hellman. New directions in
                                                                              cryptography. IEEE Transactions on Information Theory,
10.    ACKNOWLEDGMENTS                                                        IT-22(6):644­654, 1976.
  I must acknowledge the many people who commented on this             [12]   James F. Dray, Scott B. Guthery, and Teresa Schwarzhoff.
and earlier versions of this work, including David Toll, Sam We-              Interfaces for personal identity verification. NIST Special
ber, Charles Palmer, Elaine Palmer, Stu Feldman, Tom Hissam,                  Publication 800-73, National Institute of Standards and
Suzanne McIntosh, John McKeon, Michael Karasick, and the anony-               Technology, Gaithersburg, MD, April 2005. URL:
mous reviewers of the paper.                                                  http://csrc.ncsl.nist.gov/publications/nistpubs/800-73/SP800-
                                                                              73-Final.pdf.
11.    REFERENCES                                                      [13]   Jon Edney and William A. Arbaugh. Real 802.11 Security:
 [1] Application interface for smart cards used as secure                     Wi-Fi Protected Access and 802.11i. Addison-Wesley,
     signature creation devices - part 1: Basic requirements. CWA             Boston, MA, 2004.
     14890-1, Comit´ Europ´ en de Normalisation (CEN),
                       e       e                                       [14]   J. H. Ellis. The story of non-secret encryption. Technical
     Brussels, Belgium, March 2004. URL:                                      report, Communications-Electronics Security Group
     ftp://ftp.cenorm.be/PUBLIC/CWAs/e-                                       (CESG), Cheltenham, UK, 1987. URL:
     Europe/eSign/cwa14890-01-2004-Mar.pdf.                                   http://www.cesg.gov.uk/publications/media/nsecret/ellis.pdf.
 [2] Dan Bailey. Contactless threats to FIPS 201 systems. In           [15]   Yair Frankel, Amir Herzberg, Paul A. Karger, Hugo
     Public Meeting Addressing Privacy and Policy Issues in a                 Krawczyk, Charles A. Kunzinger, and Moti Yung. Security
     Common Identification Standard for Federal Employees and                 issues in a CDPD wireless network. IEEE Personal
     Contractors, Washington, DC, 19 January 2005. National                   Communications, 2(4):16­27, August 1995.
     Institute of Standards (NIST). URL:                               [16]   D. Harkins and D. Carrel. The internet key exchange (IKE).
     http://csrc.ncsl.nist.gov/piv-program/workshop-Jan19-                    RFC 2409, November 1998. URL:
     2005/Bailey.pdf.                                                         ftp://ftp.rfc-editor.org/in-notes/rfc2409.txt.
 [3] William C. Barker and Hildegard Ferraiolo. Codes for the          [17]   Sari Horwitz and Michael Ruana. Sniper: Inside the Hunt for
     identification of federal and federally assisted organizations.          the Killers Who Terrorized the Nation. Random House, New
     NIST Special Publication 800-87, Version 1.0, National                   York, 2003.
     Institute of Standards and Technology, Gaithersburg, MD,          [18]   Identification cards - contactless integrated circuit(s) cards -
     January 2006. URL:                                                       proximity cards - part 4: Transmission protocol. ISO/IEC
     http://csrc.ncsl.nist.gov/publications/nistpubs/800-87/sp800-            14443-4, International Standards Organization, Geneva,
     87-Final.pdf.                                                            Switzerland, 2000.
 [4] David E. Bell and Leonard J. LaPadula. Computer security          [19]   Information technology - identification cards - integrated
     model: Unified exposition and multics interpretation.                    circuit(s) cards with contacts - part 4: Inter-industry
     Technical Report ESD­TR­75­306, The MITRE                                commands for interchange. ISO/IEC 7816-4, International
     Corporation, Bedford, MA, USA, HQ Electronic Systems                     Standards Organization, Gen` ve, 1995.
                                                                                                              e
     Division, Hanscom AFB, MA, USA, June 1975.                        [20]   Information technology - security techniques - key
 [5] George W. Bush. Policy for a common identification                       management - part 3: Mechanisms using asymetric
     standard for federal employees and contractors. Homeland                 techniques. ISO/IEC 11770-3, International Organization for
     Security Presidential Directive Hspd-12, The White House,                Standardization, Gen` ve, 1 November 1999.
                                                                                                      e
     Washington, DC, 27 August 2004. URL:                              [21]   Ari Juels, David Molnar, and David Wagner. Security and
     http://csrc.nist.gov/policies/Presidential-Directive-Hspd-               privacy issues in e-passports. In SecureComm 2005, First
     12.html.                                                                 International Conference on Security and Privacy for
 [6] Ran Canetti and Hugo Krawczyk. Security analysis of IKE's                Emerging Areas in Communication Networks, Athens,
     signature-based key-exchange protocol. In Advances in                    Greece, 5­9 September 2005. URL:
     Cryptology - Crypto 2002, volume 2045 of Lecture Notes in                                               ~
                                                                              http://www.cs.berkeley.edu/daw/papers/epassports-sc05.pdf.
     Computer Science, pages 143­161, Santa Barbara, CA,               [22] Dato' Mohd Jamal Kamdi. The Malaysian electronic
     2002. Springer-Verlag.                                                 passport. In Twelfth Meeting of the Facilitation Division,
 [7] Kurt Carlson. One American Must Die: A Hostage's                       Cairo, Egypt, 22 March - 2 April 2004. International Civil
     Personal Account of the Hijacking of Flight 847. Congdon &             Aviation Organization (ICAO). URL:
     Weed, 1986.                                                            http://www.icao.int/icao/en/atb/fal/fal12/presentations.htm.
 [8] Chipcards with digital signature application/function             [23] Paul A. Karger. FIPS PUB 201 security and privacy
     according to SigG and SigV - part 1: Application interface.            recommendations. Report RC23871 (W0501-049), IBM
     DIN V66291-1, Secretariat: DIN Deutsches Institut f¨ r  u              Corporation, Thomas J. Watson Research Center, Yorktown
     Normung e.V, Berlin, 15 December 1998.                                 Heights, NY, 14 January 2005. URL:
 [9] Chipcards with digital signature application/function                  http://domino.watson.ibm.com/library/CyberDig.nsf/Home.
     according to SigG and SigV - part 4: Basic security services.     [24] Paul A. Karger and Yair Frankel. Security and privacy threats
       to ITS. In Proceedings of the Second World Congress on                  Comparing and contrasting applications and capabilities.
       Intelligent Transport Systems '95 Yokohama, volume V,                   Technical report, Smart Card Alliance, Princeton Junction,
       pages 2452­2458, Yokohama, Japan, 9­11 November 1995.                   NJ, 17 December 2004. URL:
       VERTIS: Vehicle, Road and Traffic Intelligence Society.                 http://www.smartcardalliance.org/pdf/alliance activities
[25]   Gaurav S. Kc and Paul A. Karger. Preventing attacks on                  /rfidvscontactless final 121704.pdf.
       machine readable travel documents (MRTDs). Report                [37]   RFID tags, contactless smart card technology and electronic
       2005/404, Cryptology ePrint Archive, 11 April 2006. URL:                passports: Frequently asked questions. Technical report,
       http://eprint.iacr.org/2005/404.pdf.                                    Smart Card Alliance, Princeton Junction, NJ, 3 January
[26]   Ziv Kfir and Avishai Wool. Security and privacy issues in               2005. URL: http://www.smartcardalliance.org/pdf/alliance
       e-passports. In First International Conference on Security              activities/RFID Contactless Smart Cards FAQ FINAL
       and Privacy for Emerging Areas in Communication                         010305.pdf.
       Networks (SecureComm 2005), pages 47­58, Athens,                 [38]   Helmut Scherzer, Ran Canetti, Paul A. Karger, Hugo
       Greece, 5­9 September 2005. URL:                                        Krawczyk, Tal Rabin, and David C. Toll. Authenticating
       http://eprint.iacr.org/2005/052.                                        mandatory access controls and preserving privacy for a
[27]   Tom A. F. Kinneging. PKI for machine readable travel                    high-assurance smart card. In 8th European Symposium on
       documents offering ICC read-only access. Version 1.1,                   Research in Computer Security (ESORICS 2003), pages
       International Civil Aviation Organization, Montreal, Quebec,            181­200, Gjøvik, Norway, 13­15 October 2003. Lecture
       Canada, 1 October 2004. URL:                                            Notes in Computer Science, Vol. 2808, Springer Verlag.
       http://www.icao.int/mrtd/download/technical.cfm.                 [39]   Technical implementation guidance: Smart card enabled
[28]   Hugo Krawczyk. SIGMA: the 'SIGn-and-MAc' approach to                    physical access control systems. Version 2.2, Physical
       authenticated diffie-hellman and its use in the IKE protocols.          Access Interagency Interoperability Working Group,
       In Advances in Cryptology ­ CRYPTO 2003 Proceesings,                    Government Smart Card Interagency Advisory Board,
       volume 2729 of Lecture Notes in Computer Science, pages                 Washington, DC, 30 July 2004. URL:
       399­424, Santa Barbara, CA, 17-21 August 2003.                          http://www.smart.gov/information/TIG SCEPACS v2.2.pdf.
       Springer­Verlag.                                                 [40]   Lisa Thalheim, Jan Krissler, and Peter-Michael Ziegler.
[29]   Susan Kumpf and Nora Russell. Getting the jump on fraud.                Body check: Biometric access protection devices and their
       Cellular Business, 9(10):24­26, October 1992.                           programs put to the test. c't - magazin f¨ r computertechnik,
                                                                                                                        u
[30]   Tsutomu Matsumoto. Gummy and conductive silicone                        page 114, November 2002. URL:
       rubber fingers: Importance of vulnerability analysis. In                http://www.heise.de/ct/english/02/11/114/.
       Advances in Cryptology: ASIACRYPT 2002, pages 574­575,           [41]   M. J. Williamson. Thoughts on cheaper non-secret
       Queenstown, New Zealand, 1­5 December 2002. Lecture                     encryption. Technical report, Communications-Electronics
       Notes in Computer Science, Vol. 2501, Springer Verlag.                  Security Group (CESG), Cheltenham, UK, 10 August 1976.
[31]   Tsutomu Matsumoto, Hiroyuki Matsumoto, Koji Yamada,                     URL: http://www.cesg.gov.uk/publications/media/nsecret
       and Satoshi Hoshino. Impact of artificial "gummy" fingers               /cheapnse.pdf.
       on fingerprint systems. Proceedings of the SPIE, Optical         [42]   Marc Witteman. Attacks on digital passports. In What the
       Security and Counterfeit Deterrence Techniques IV,                      Hack, Liempde, near Den Bosch, The Netherlands. URL:
       4677:275­289, 24­25 January 2002. URL:                                  http://wiki.whatthehack.org/index.php/Track:Attacks on
       http://cryptome.org/gummy.htm.                                           Digital Passports.
[32]   Personal identity verification (PIV) for federal employees       [43]   Junko Yoshida. Tests reveal e-passport security flaw.
       and contractors: Public draft. FIPS PUB 201, National                   Electronic Engineering Times, (1336):1, 30 August 2004.
       Institute of Standards and Technology (NIST), Gaithersburg,             URL: http://www.eetimes.com/news/latest/showArticle.jhtml
       MD, 8 November 2004. URL:                                               ?articleID=45400010.
       http://csrc.nist.gov/publications/drafts/draft-FIPS 201-         [44]   Kim Zetter. Feds rethinking RFID passport. Wired News, 26
       110804-public1.pdf.                                                     April 2005. URL:
[33]   Personal identity verification (PIV) for federal employees              http://www.wired.com/news/privacy/0,1848,67333,00.html.
       and contractors. FIPS PUB 201, National Institute of
       Standards and Technology (NIST), Gaithersburg, MD, 25
       February 2005. URL:                                              APPENDIX
       http://csrc.ncsl.nist.gov/publications/fips/fips201/FIPS-201-
       022505.pdf.                                                      A. CAERNARVON AUTHENTICATION
[34]   W. Timothy Polk, Donna F. Dodson, and William E. Burr.              PROTOCOL
       Cryptographic algorithms and key sizes for personal identity
                                                                           This appendix provides a brief summary of the Caernarvon au-
       verification. NIST Special Publication 800-78, National
                                                                        thentication protocol. A much more complete analysis can be found
       Institute of Standards and Technology, Gaithersburg, MD,
                                                                        in [38].
       April 2005. URL:
                                                                           In addition to the privacy problems discussed in section 8, the
       http://csrc.ncsl.nist.gov/publications/nistpubs/800-78/sp800-
                                                                        protocols based on ISO 11770-3 also have the disadvantage that the
       78-final.pdf.
                                                                        number of bits transmitted in all the stages is somewhat larger than
[35]   Prime item product function specification for magnetic stripe
                                                                        necessary. Minimizing the total number of bits transmitted is im-
       credentials (MSC). SEIWG 012, U.S. Department of
                                                                        portant, because some smart card readers will only communicate
       Defense, Security Enterprise Integration Working Group
                                                                        at 9600bps, and even ignoring the cost of computing the crypto-
       (SEIWG), Washington, DC, 28 February 1994.
                                                                        graphic operations, the time needed to transmit all the bits could
[36]   RFID tags and contactless smart card technology:                 become a serious problem in response time to the card holder.
   To resolve both the privacy problems and to reduce the number of bits to be transmitted, the Caernarvon authentication protocol is based on the SIGMA design [28] and the Internet Key Exchange (IKE) standard [16]. This protocol offers several significant advantages:

  1. The session key parameters are exchanged very early in the protocol, even before the authentication has been completed. In this way, the information exchanged in the protocol, including the peers' identities, can be protected from third-party eavesdropping.

  2. A discloses its identity and credentials to B first; B reveals its identity and credentials only after verifying those of A. This prevents revealing the card holder's identity to a reader that cannot be authenticated or that cannot prove that it is authorized for a particular mandatory access class. Therefore, the card's identity is protected not only against eavesdropping, but also against an active (man-in-the-middle) attacker. The reader's identity is not protected against an active attacker, but presumably the reader has fewer privacy concerns than the card holder. Note that in all authentication protocols, one party must reveal its identity first, and that party's privacy will always be subject to active attacks of this kind.

  3. IKE transmits fewer bits in total. This will improve performance on slow readers.

  4. The SIGMA and IKE protocols followed here have been rigorously analyzed and proven correct [6], which is a major benefit in any system planning to be evaluated at the highest levels of the Common Criteria. In particular, see [28] for more details on the cryptographic rationale of these protocols and the subtle cryptographic attacks they prevent.

   This section contains a cryptographic description of the authentication protocol used by Caernarvon. Note that in contrast to the protocol described in ISO 11770-3, the Caernarvon protocol starts as in unauthenticated Diffie-Hellman, and then authenticates the reader, A, before the card, B, exposes its identity. The crucial technical difference between these protocols is that in the case of the Caernarvon protocol, A can authenticate itself to B without having to know B's identity, while in the ISO protocol, A authenticates to B by signing B's identity (thus requiring that A know B's identity before A can authenticate to B). A (the reader) and B (the Caernarvon card) share the Diffie-Hellman public quantities p, q, and g.

   Stage 1. A chooses a random number a with 1 ≤ a ≤ q − 1, computes a key token K_A = g^a mod p, and transmits it to B, as shown in Figure 1.

                             K_A
          A  ------------------------------>  B

     Figure 1: Authentication Stage 1: A sends a key token to B

   Stage 2. B chooses a random number b with 1 ≤ b ≤ q − 1, computes a key token K_B = g^b mod p, and transmits it to A, as shown in Figure 2.

                             K_B
          A  <------------------------------  B

     Figure 2: Authentication Stage 2: B sends a key token to A

   At this point, neither A nor B has revealed its identity. However, they can now compute a mutual key K_AB. Using the mutual key K_AB, they can derive additional keys: K_ENC, for encrypting messages, and K_MAC, for comput

ing message authentication codes (MACs).

   Stage 3. A sends its certificate to B encrypted under K_ENC. A computes E01 as shown below:

          E01 = 3DES_K_ENC(Cert(A))

   A then transmits E01 together with its MAC to B, as shown in Figure 3.

                    E01 || MAC_K_MAC(E01)
          A  ------------------------------>  B

     Figure 3: Authentication Stage 3: A sends certificate to B

   Stage 4. B responds with a challenge, as shown in Figure 4. From a strictly cryptographic perspective, stage 4 could be combined with stage 2, reducing the total number of message flows. However, this is a protocol for smart cards, and it must fit into the existing standard for smart card commands [19] and use the GET CHALLENGE and EXTERNAL AUTHENTICATE commands.

                            RND.B
          A  <------------------------------  B

     Figure 4: Authentication Stage 4: B sends challenge to A

   Stage 5. A now computes E1 as shown below:

          E1 = 3DES_K_ENC(A || Sig_SK_A[K_A || A || RND.B || K_B || DH(g, p, q)])

   A then transmits E1 and a MAC of E1 to B, as shown in Figure 5. The signature is a signature with message recovery, so all parameters in the signature can be considered recoverable. The Diffie-Hellman key parameters are part of the signature in order to provide authenticity of the parameters. See [38] for details.

                    E1 || MAC_K_MAC(E1)
          A  ------------------------------>  B

     Figure 5: Authentication Stage 5: Authenticate A

   At the conclusion of stage 5, B has authenticated A. It is at this point that the Caernarvon authentication protocol permits the card to make a security policy decision about whether it wishes to communicate with A or not. The security policy checks are done here, so that B can verify A's access rights before revealing any privacy-sensitive information to A. While any security policy can be used here, the Caernarvon authentication protocol was specifically designed to support mandatory access controls for both commercial [karger-wisac2000] and defense purposes [4].

   Stage 6. B now verifies the MAC, decrypts E1, and verifies the signature using A's public key PK_A. B has now authenticated A and knows that K_A and K_B are fresh and authentic. However, at this point, while B knows there is no man-in-the-middle because B checked the signature from A, A does not know who it is talking to, and hence is unsure whether there may be a man-in-the-middle attack. B computes E02 (its encrypted certificate) and sends it to A, as shown in Figure 6.

          E02 = 3DES_K_ENC(Cert(B))

                    E02 || MAC_K_MAC(E02)
          A  <------------------------------  B

     Figure 6: Authentication Stage 6: B sends certificate to A

   Stage 7. A sends a challenge to B, as shown in Figure 7. Just as for stage 4, strict cryptographic requirements could reduce the total number of message flows. However, once again, it is desirable to use the ISO standard [19] GET CHALLENGE and EXTERNAL AUTHENTICATE commands.

                            RND.A
          A  ------------------------------>  B

     Figure 7: Authentication Stage 7: A sends challenge to B

   Stage 8. B now computes E2 as shown below:

          E2 = 3DES_K_ENC(B || Sig_SK_B[K_B || B || RND.A || K_A])

   The signature is a signature with message recovery, so all parameters in the signature can be considered recoverable.

   B now transmits E2 and a MAC of the value E2 to A, as shown in Figure 8.

                    E2 || MAC_K_MAC(E2)
          A  <------------------------------  B

     Figure 8: Authentication Stage 8: Authenticate B

   A can now verify the MAC and decrypt E2. Using the chain of certificates back to the root CA, A can verify the certificate from the IC manufacturer for B, which contains B's identity B and public key PK_B. Thus A knows, and can trust, B's public key PK_B. Hence A can now authenticate B by verification of the signature:

          Sig_SK_B[K_B || B || RND.A || K_A]

   At this point, the protocol is complete. A and B have a session key, have verified their respective identities, and have prevented replays. Any further communications, such as verification of biometrics, can now be carried out safely and securely.
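The eight stages above, and the shorter description of the same flow in section 8, can be exercised end to end in a small model. The following is an added example written for this page; it is not the paper's or IBM's code, and every primitive the paper leaves to outside standards is a labelled stand-in: a constructed toy Diffie-Hellman group (p = 1019, q = 509, g = 4), textbook RSA over Mersenne primes in place of the unspecified signature scheme, a SHA-256 keystream in place of 3DES_K_ENC, HMAC-SHA256 for MAC_K_MAC, a constructed KDF for K_ENC and K_MAC, a constructed root CA standing in for the IC manufacturer, and constructed identities such as "reader-01" and "card-4711". Signature-with-message-recovery is modelled by having the verifier rebuild the signed fields from its own view of the session, which is what binds K_A, K_B and the challenge to the signature. The `run` driver can also interpose an active attacker that completes its own Diffie-Hellman exchange with each side and relays re-encrypted traffic, to show why the card's identity survives that attack (advantage 2) and why the policy check at the end of stage 5 happens before anything about the card is revealed.

```python
import hashlib, hmac, secrets

P, Q, G = 1019, 509, 4   # constructed toy DH group: p = 2q + 1, g = 4 has order q

class ProtocolError(Exception):
    pass

def pack(*fields) -> bytes:
    """'|'-joined ASCII fields, standing in for the || operator."""
    return "|".join(str(f) for f in fields).encode()

def unpack(data: bytes) -> list:
    return data.decode().split("|")

def rsa_keypair(k1: int, k2: int, e: int = 65537):
    """Textbook RSA from the Mersenne primes 2^k1 - 1 and 2^k2 - 1 (toy sizes)."""
    p, q = (1 << k1) - 1, (1 << k2) - 1
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _h(n: int, data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(sk, data: bytes) -> int:
    return pow(_h(sk[0], data), sk[1], sk[0])

def rsa_verify(pk, data: bytes, sig: int) -> bool:
    return pow(sig, pk[1], pk[0]) == _h(pk[0], data)

def stream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter keystream, standing in for 3DES (encrypt == decrypt)."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(0, len(data), 32))
    return bytes(x ^ y for x, y in zip(data, ks))

CA_PK, CA_SK = rsa_keypair(31, 61)   # constructed root CA (the "IC manufacturer")

def issue_cert(ident: str, pk) -> bytes:
    """Cert(X) = X || n || e || CA signature over those three fields."""
    return pack(ident, pk[0], pk[1], rsa_sign(CA_SK, pack(ident, pk[0], pk[1])))

def check_cert(cert: bytes):
    """Return (ident, pk) if the CA signature verifies, else None."""
    ident, n, e, sig = unpack(cert)
    ok = rsa_verify(CA_PK, pack(ident, n, e), int(sig))
    return (ident, (int(n), int(e))) if ok else None

class Session:
    """One party's Diffie-Hellman state plus the derived K_ENC and K_MAC."""
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1          # 1 <= x <= q - 1
        self.K_own = pow(G, self.x, P)                 # key token g^x mod p
    def derive(self, K_peer: int):
        self.K_peer = K_peer
        K_AB = str(pow(K_peer, self.x, P)).encode()    # mutual key; constructed KDF below
        self.k_enc = hashlib.sha256(b"ENC" + K_AB).digest()
        self.k_mac = hashlib.sha256(b"MAC" + K_AB).digest()
    def seal(self, pt: bytes):                         # E, MAC_K_MAC(E)
        ct = stream_xor(self.k_enc, pt)
        return ct, hmac.new(self.k_mac, ct, "sha256").digest()
    def open(self, ct: bytes, mac: bytes) -> bytes:    # verify the MAC before decrypting
        if not hmac.compare_digest(mac, hmac.new(self.k_mac, ct, "sha256").digest()):
            raise ProtocolError("MAC failure")
        return stream_xor(self.k_enc, ct)

class Party:
    def __init__(self, ident: str, k1: int, k2: int):
        self.ident, (self.pk, self.sk) = ident, rsa_keypair(k1, k2)
        self.cert, self.s, self.peer = issue_cert(ident, self.pk), Session(), None
    def verify_peer(self, peer_cert: bytes, E, extra=()) -> str:
        """MAC, decrypt, certificate chain, then the peer's signature recomputed over
        THIS party's view of the session (this models message recovery)."""
        ident, sig = unpack(self.s.open(*E))
        chain = check_cert(peer_cert)
        if chain is None or chain[0] != ident:
            raise ProtocolError("certificate rejected")
        view = pack(self.s.K_peer, ident, self.rnd, self.s.K_own, *extra)
        if not rsa_verify(chain[1], view, int(sig)):
            raise ProtocolError("signature does not match this session")
        return chain[0]

class Reader(Party):                                   # A
    def __init__(self, ident): super().__init__(ident, 89, 107)
    def stage1(self): return self.s.K_own                                        # K_A
    def stage3(self, K_B): self.s.derive(K_B); return self.s.seal(self.cert)    # E01
    def stage5(self, rnd_b):   # E1 = 3DES(A || Sig_SKA[K_A || A || RND.B || K_B || DH(g,p,q)])
        sig = rsa_sign(self.sk, pack(self.s.K_own, self.ident, rnd_b, self.s.K_peer, G, P, Q))
        return self.s.seal(pack(self.ident, sig))
    def stage7(self, E02):     # keep Cert(B) for stage 8 and send RND.A
        self.card_cert, self.rnd = self.s.open(*E02), secrets.token_hex(8)
        return self.rnd
    def finish(self, E2) -> bool:                                                # stage 8, A's side
        self.peer = self.verify_peer(self.card_cert, E2)
        return True

class Card(Party):                                     # B
    def __init__(self, ident, authorized):
        super().__init__(ident, 127, 19); self.authorized, self.revealed = authorized, False
    def stage2(self, K_A): self.s.derive(K_A); return self.s.K_own              # K_B
    def stage4(self, E01):     # keep Cert(A) for stage 6 and send RND.B
        self.reader_cert, self.rnd = self.s.open(*E01), secrets.token_hex(8)
        return self.rnd
    def stage6(self, E1):      # authenticate A and apply policy BEFORE revealing Cert(B)
        reader = self.verify_peer(self.reader_cert, E1, extra=(G, P, Q))
        if reader not in self.authorized:
            raise ProtocolError("policy: reader not authorized")
        self.peer, self.revealed = reader, True
        return self.s.seal(self.cert)                                              # E02
    def stage8(self, rnd_a):   # E2 = 3DES(B || Sig_SKB[K_B || B || RND.A || K_A])
        sig = rsa_sign(self.sk, pack(self.s.K_own, self.ident, rnd_a, self.s.K_peer))
        return self.s.seal(pack(self.ident, sig))

def run(reader, card, active_attacker=False) -> dict:
    """Drive the eight stages.  With active_attacker, M runs its own Diffie-Hellman
    with each side and relays re-encrypted traffic; stage 6 stops it, because A's
    signature covers K_A and K_B and M had to substitute both."""
    wire, m_a, m_b = [], Session(), Session()           # M's sessions facing A and B
    def send(msg): wire.append(repr(msg)); return msg   # what an eavesdropper sees
    relay = (lambda E: m_b.seal(m_a.open(*E))) if active_attacker else (lambda E: E)
    try:
        K_A = send(reader.stage1())
        K_B = send(card.stage2(m_b.K_own if active_attacker else K_A))
        m_a.derive(K_A); m_b.derive(K_B)
        E01 = send(reader.stage3(m_a.K_own if active_attacker else K_B))
        rnd_b = send(card.stage4(relay(E01)))
        E1 = send(reader.stage5(rnd_b))
        E02 = send(card.stage6(relay(E1)))
        rnd_a = send(reader.stage7(E02))
        ok, abort = reader.finish(send(card.stage8(rnd_a))), None
    except ProtocolError as e:
        ok, abort = False, str(e)
    return {"ok": ok, "abort": abort, "card_revealed": card.revealed, "wire": "".join(wire)}
```

Three runs are worth comparing: an authorized reader completes all eight stages and the recorded wire contains neither identity in the clear; a reader whose certificate and signature verify but whose identity is not in the card's policy set is refused at stage 6 with `card.revealed` still false; and the active attacker is refused at the same point because the signature the card rebuilds from its own K_peer and K_own does not match what the reader signed. The policy set is a placeholder for the mandatory access control decision the paper describes.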