Friday, December 18, 2020

Holiday Greetings from atsec

Our colleagues from around the world wish you Happy and Healthy Holidays and a good start into 2021.

Tuesday, December 8, 2020

Biometric e-Passports

by Richard Fant

Figure 1: e-Passports issued by different countries

In today’s climate of COVID-19, domestic travel has become difficult, and international travel almost impossible. Many US airlines now require their passengers to submit to a COVID-19 test within 24-48 hours prior to travel to prove the traveler is not currently infected. Some countries have even closed their borders to international visitors because of the pandemic.

As vaccines become available, immigration officials at border crossings will need some way to reliably determine if a traveler has been immunized against COVID-19. Different methods are currently used by health organizations to track a traveler’s immunization records, such as the World Health Organization “yellow card”. The problem is, many of those records are handwritten on paper and subject to fraud and manipulation as well as wear and tear.

Figure 2: WHO "yellow card"

Biometric technology could be used to develop a “proof of vaccine record” for COVID-19. This would enable travelers to prove they are immune to the virus, and so help national and global economies restart after the pandemic. One digital tool that could track such vital immunization information is already in place: the Biometric Passport (a.k.a. the e-Passport). With biometric technology, passport control authorities can easily differentiate between authorized travelers and those travelers who represent a potential threat either from infectious disease or illegal activities.

Figure 3: International symbol used on passport covers to indicate e-Passport compliance

How does an e-Passport work?
When applying for an e-Passport, a legitimate traveler voluntarily enrolls in a verification program where their personal biometric data is recorded and stored. When that traveler passes through passport control, their personal characteristics are captured in real time and compared with their stored personal data. If the two samples match, the traveler is recognized as the legitimate passport holder and can then be verified as having the necessary requirements to enter the country (e.g. a Visa). If the stored data and real-time data don’t match, the traveler may be “invited” to participate in additional screening. While immunization records are not yet part of the Biometric Passport, the digital data could easily be added, which would make paper immunization records obsolete.

The following types of biometric data are already in use for e-Passports:

Fingerprint scans consist of recording multiple fingertips held in a variety of positions against a flat plane of glass. Fingerprints typically do not change with age, though injuries or scars can alter them.

Facial scans typically consist of taking a high-resolution digital photo and then measuring the distances and angles between prominent features such as eyes, nose, mouth and ears. Wigs, eyewear, makeup and jewelry have no effect on these measurements. However, these measurements may change as the passport holder ages.

Retinal scans are made by taking a high-resolution mapping of the iris, which contains thousands of blood vessels laid out in a pattern unique to the individual. Those patterns don’t change with age, or with surgeries such as Lasik or lens replacement. However, glasses and hard contact lenses might produce glare or partly obstruct the iris.



Digital Signatures
Conventional cryptography uses the same key to encrypt data as it uses to decrypt data. This symmetric cryptography means the single key used for both encryption and decryption must be kept secret. By contrast, e-Passports implement asymmetric cryptography by using a pair of keys to secure their data: one key (private) is used to encrypt while a different key (public) is used to decrypt. The private encryption key must be kept secret while the public decryption key is widely distributed.

This encryption and decryption process is also known as digital signature generation and verification. The digital signature used in an e-Passport is designed to confirm the authenticity of the data and detect if the data stored on its chip has been modified. The modification of a single bit in the e-Passport data will cause the verification of the digital signature to fail.

To initially prepare the e-Passport for a digital signature, the passport authority will generate hash values for all the files contained within its chip: picture, fingerprints, facial scan, personal data, etc. The hash values will then be digitally signed using that country’s private signing key. As new records are added, such as a Visa or possibly COVID-19 immunizations, online lists would be updated associating this particular e-Passport with those online records. For example, Australia uses the Electronic Travel Authority (ETA) to keep track of which foreign passports have the appropriate Visa to enter the country.

When the e-Passport is used at a border crossing, the digital signature of the e-Passport is verified using the public key of the issuing country. This verification process informs border authorities that the electronic data in the e-Passport is authentic, was issued by the appropriate country and has not been modified.

These digital signatures are unique to each country. Each country also shares its public keys in the Public Key Directory (PKD). The PKD is a global repository where countries exchange their public keys with other countries.
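The hash-then-sign structure described in this section, as an added example that is not code from the post or from atsec: a toy 60-bit RSA key stands in for the country's signing key (real e-Passports use 2048-bit+ RSA or ECDSA keys), the data-group names and chip contents are constructed, and the signed list of hashes is kept as plain text rather than the ASN.1 security object a real chip carries. Flipping a single bit of any file, or editing the signed list itself, makes verification fail for the reason the text gives.

```python
import hashlib

# Toy RSA key pair standing in for the issuing country's signing key.
# Constructed for illustration only (60-bit modulus); real e-Passport
# signing keys are 2048-bit+ RSA or ECDSA.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537                               # public exponent (shared via the PKD)
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, kept by the issuer (Python 3.8+)


def hash_data_groups(chip: dict) -> dict:
    """Step 1 at the passport authority: hash every file stored on the chip."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in chip.items()}


def sign_security_object(dg_hashes: dict) -> tuple:
    """Step 2: the list of hashes (the security object) is signed with the private key."""
    sod = "\n".join(f"{name}:{h}" for name, h in sorted(dg_hashes.items())).encode()
    m = int.from_bytes(hashlib.sha256(sod).digest(), "big") % N
    return sod, pow(m, D, N)


def verify_passport(chip: dict, sod: bytes, signature: int) -> tuple:
    """Border control: check the signature with the public key, then recompute every hash."""
    m = int.from_bytes(hashlib.sha256(sod).digest(), "big") % N
    if pow(signature, E, N) != m:
        return False, "signature invalid: security object altered or not signed by issuer"
    signed_hashes = dict(line.split(":") for line in sod.decode().split("\n"))
    for name, h in hash_data_groups(chip).items():
        if signed_hashes.get(name) != h:
            return False, f"{name} modified: chip hash differs from signed hash"
    return True, "authentic and unmodified"


# Constructed sample chip contents (MRZ line from the ICAO sample "Utopia" passport)
CHIP = {
    "DG1_MRZ": b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<",
    "DG2_FACE": b"\xff\xd8<constructed facial image bytes>",
    "DG3_FINGER": b"<constructed fingerprint template bytes>",
}


def flip_one_bit(chip: dict, name: str) -> dict:
    """Return a copy of the chip with the lowest bit of one file's first byte flipped."""
    altered = dict(chip)
    data = chip[name]
    altered[name] = bytes([data[0] ^ 0x01]) + data[1:]
    return altered


if __name__ == "__main__":
    sod, sig = sign_security_object(hash_data_groups(CHIP))
    print(verify_passport(CHIP, sod, sig))                              # genuine chip
    print(verify_passport(flip_one_bit(CHIP, "DG2_FACE"), sod, sig))    # one bit changed
```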

What actually happens at a border crossing?
Any Border Control System needs to verify the following:

  1. Does the passport belong to the person providing it?
  2. Is the passport authentic or was it falsified in any way?
  3. Is the passport issued by the proper authority entitled to issue it?
  4. Does the traveler have the necessary requirements to enter the country? For example: Visa or immunizations.

An arriving passenger at an international border crossing would present their e-Passport to an optical scanner located at a gate or kiosk while an RFID system downloads all the data from the e-Passport.

The Border Control System would then verify the digital signature in the e-Passport using the issuing country’s public key. The Border Control System would also capture the traveler’s biometric data in real time (e.g. fingerprints or facial scan) and compare that sample against the traveler’s template stored in the e-Passport.

Once the traveler’s identity is verified, and the validity of the e-Passport is confirmed, the Border Control System would compare the traveler’s name and data against a list of requirements to determine if entry into the country is permitted. The list could contain immunization requirements, or specific names of undesirable travelers.

To demonstrate the accuracy of a biometric scanner, consider that an automated facial recognition system will correctly verify a traveler 95% of the time while a human passport control officer has a false acceptance rate of 1 face out of 7 faces or a FAR of 14%. This means that an automated facial matching system is more accurate than one which relies solely on human judgment. For example, three weeks after being installed at Dulles Airport in Washington, D.C., automated facial recognition caught two travelers trying to illegally enter the United States using someone else’s passport. These same travelers had successfully cleared the human screener before being caught by the automated system.

Security of the e-Passport system
Many countries have gone to great lengths to protect the security of their e-Passport system. For example, to establish a secure RFID connection between the Border Control System and the e-Passport, a session key is mathematically derived using data from the bottom of the e-Passport’s front page such as passport number, date of birth and expiration date (see the red circle in Figure 4).


Figure 4: Machine Readable Data

This derived session key is then used to establish a secure RFID channel between the e-Passport and the Border Control System using protocols based on the Diffie-Hellman key agreement to generate a shared secret password. The channel is then used to securely download the e-Passport data to the Border Control System. This helps mitigate RFID attacks such as skimming and eavesdropping.
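The key derivation from the machine-readable zone described above is what ICAO Doc 9303 specifies as Basic Access Control (BAC). The following added example, not code from the post or from atsec, reproduces that derivation in Python using the sample MRZ values from ICAO's own worked example (a fictitious "Utopia" passport), so the output can be checked against that appendix; the function names are my own.

```python
import hashlib

# Sample MRZ values from the ICAO Doc 9303 worked example (fictitious "Utopia" passport).
DOC_NUMBER = "L898902C<"
BIRTH_DATE = "690806"    # YYMMDD
EXPIRY_DATE = "940623"   # YYMMDD


def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: digits count as themselves, '<' as 0, A-Z as 10..35,
    weighted 7,3,1 repeating; the result is the weighted sum modulo 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch.upper()) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """The three MRZ fields, each followed by its check digit, as read by the OCR scanner."""
    return "".join(f + mrz_check_digit(f) for f in (doc_number, birth_date, expiry_date))


def key_seed(mrz_info: str) -> bytes:
    """K_seed = first 16 bytes of SHA-1(MRZ_information)."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]


def with_odd_parity(key: bytes) -> bytes:
    """3DES keys carry odd parity in the least significant bit of every byte."""
    return bytes((b & 0xFE) | (bin(b >> 1).count("1") % 2 == 0) for b in key)


def derive_bac_keys(seed: bytes) -> tuple:
    """K_enc (counter 1) and K_mac (counter 2): each is SHA-1(K_seed || counter)[:16]
    with parity adjusted, giving the two 112-bit 3DES keys for the secure channel."""
    keys = []
    for counter in (1, 2):
        digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()[:16]
        keys.append(with_odd_parity(digest))
    return tuple(keys)


if __name__ == "__main__":
    info = mrz_information(DOC_NUMBER, BIRTH_DATE, EXPIRY_DATE)
    k_enc, k_mac = derive_bac_keys(key_seed(info))
    print(info, k_enc.hex(), k_mac.hex())
```

Because every input to the derivation is printed on the passport's data page, anyone who can read that page can derive the same keys; this is why the channel only protects against skimming and eavesdropping by parties who have not seen the document.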

Shortly after the introduction of the Canadian e-Passport, instances of forgery and fraud were reported in the press. It was discovered that newly issued e-Passports could be electronically altered if attackers used a commercially available chip programmer. Officials also had reports of discrepancies between information contained in the remote database and what actually appeared in the passport. Most passport authorities now lock the chips in the e-Passport after programming.

This is an example of a cloning attack where the data on a chip is over-written in order to mirror someone else’s chip. Another variation of this attack is when the chip is physically removed from one passport and inserted into a different passport. These attacks can be mitigated by verifying the chip data matches the information on the e-Passport’s first page. Participants in the US Global Entry Program are familiar with this verification process since they must scan the first page of their e-Passport at a kiosk at US border crossings where the contents of their chip are compared against the data scanned by the OCR reader.

But, even if an attacker successfully modified the contents of the e-Passport data, the forged e-Passport would still be detected by the Border Control System since the digital signature would no longer match the stored information.

Privacy Concerns
Over time, more personal and biometric data could be added into the e-Passport which could give rise to commercial abuse. For example, a few months after the e-Passport was introduced in Germany, German companies began lobbying the government to sell e-Passport personal data such as name and age to companies for targeted marketing. After long discussions, the German government eventually declined to sell the data. This shows how the personal data on an e-Passport could be abused in the future. For example, if eye color or medical history were included in the e-Passport, this information could be sold to companies that could then target advertising and specific products to the e-Passport holder.

Another privacy concern e-Passports may face in the future is understanding how foreign governments might misuse the biometric data of an individual where the medical condition or history of the traveler is inferred from the biometric data: some fingerprint patterns are related to chromosomal diseases; iris patterns could reveal genetic sex; hand vein patterns could reveal vascular diseases. This causes major privacy concern, since a government could misuse this medical information by placing restrictions for certain categories of travelers. For example, there are over 18 countries which currently deny entry for travelers who are HIV-positive. While a COVID-19 immunization record might be desirable, what other health data should not be tracked?

Future Trends
It is clear that biometrics for e-Passports are here to stay. It is also likely that additional health records such as immunization data will be added in the near future. It is even reasonable to assume that as biometric scanning improves, a Border Control System could began monitoring travelers immediately upon leaving their aircraft to determine if the passenger was legitimate well before they even arrive at Passport Control.