Smart Card Handbook
Security and Privacy Issues in E-passports
SECURECOMM '05 Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks
ePassport: Securing International Contacts with Contactless Chips
Financial Cryptography and Data Security
Model-Based Testing of Electronic Passports
FMICS '09 Proceedings of the 14th International Workshop on Formal Methods for Industrial Critical Systems
E-passport: the global traceability or how to feel like a UPS package
WISA'06 Proceedings of the 7th international conference on Information security applications: PartI
E-Passport: cracking basic access control keys
OTM'07 Proceedings of the 2007 OTM confederated international conference on On the move to meaningful internet systems: CoopIS, DOA, ODBASE, GADA, and IS - Volume Part II
Increasing privacy threats in the cyberspace: the case of Italian e-passports
FC'10 Proceedings of the 14th international conference on Financial cryptograpy and data security
Crossing borders: security and privacy issues of the european e-passport
IWSEC'06 Proceedings of the 1st international conference on Security
Hi-index | 0.00 |
Different countries issue an electronic passport embedding a contactless chip that stores the holder data (ePassport). To prevent unauthorized reading of the sensitive information present on such chip an access control mechanism based on symmetric cryptography, the Basic Access Control (BAC), has been introduced. In this work we present the flaws we have found out in some implementations of the software hosted on ePassport chips and how BAC is affected. In particular we show how it is possible to discern the different software versions used on the chip over time through some their peculiar fingerprints. This information can be used to shrink the BAC keys space making the protocol weaker. In addition, we show the presence of a defective function to exchange random material during the BAC procedure that opens a door for a hypothetical MITM attack. The results of this paper could be exploited as a first guide for reviewing and refining existing ePassport implementations.