http://iet.metastore.ingenta.com
1887

Security assessment of the Spanish contactless identity card

Security assessment of the Spanish contactless identity card

For access to this article, please select a purchase option:

Buy article PDF
£12.50
(plus tax if applicable)
Buy Knowledge Pack
10 articles for £75.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend to library

You must fill out fields marked with: *

Librarian details
Name:*
Email:*
Your details
Name:*
Email:*
Department:*
Why are you recommending this title?
Select reason:
 
 
 
 
 
IET Information Security — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to hire online products such as mortgages or loans, was updated to incorporate a near-field communication chip as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the radio-frequency identification communication to virtually steal personal information. In this study, the authors consider as case study the recently deployed contactless Spanish identity card assessing its security against identity theft. In particular, they evaluated the security of one of the contactless access protocol as implemented in the contactless Spanish identity card, and found that no defences against online brute-force attacks were incorporated. They then suggest two countermeasures to protect against these attacks. Furthermore, they also analysed the pseudo-random number generator within the card, which passed all the performed tests with good results.

References

    1. 1)
      • M. Jakobsson , S. Myers . (2006)
        1. Jakobsson, M., Myers, S.: ‘Phishing and countermeasures: understanding the increasing problem of electronic identity theft’ (Wiley, 2006).
        .
    2. 2)
      • (1995)
        2. ‘Spanish Penal Code (Organic Law No. 10/1995 of November 23, 1995)’, 1995. Available at http://www.wipo.int/wipolex/en/details.jsp?id=15759, accessed 15 February 2017.
        .
    3. 3)
      • W. Wang , Y. Yuan , N. Archer .
        3. Wang, W., Yuan, Y., Archer, N.: ‘A contextual framework for combating identity theft’, IEEE Secur. Priv., 2006, 4, (2), pp. 3038.
        . IEEE Secur. Priv. , 2 , 30 - 38
    4. 4)
      • A. Freire . (2015)
        4. Freire, A.: ‘El delito de robo de identidad (the crime of identity theft)’, 2015, in Spanish. Available at http://www.infoderechopenal.es/2015/10/delito-robo-identidad.html, accessed 15 February 2017.
        .
    5. 5)
      • M. Wieting . (2012)
        5. Wieting, M.: ‘Cuidado con perder el DNI’, 2012, in Spanish. Available at http://www.abc.es/20120420/espana/abci-suplantacion-identidades-201204191917.html, accessed 15 February 2017.
        .
    6. 6)
      • G. Avoine , A. Beaujeant , J. Hernandez Castro .
        6. Avoine, G., Beaujeant, A., Hernandez Castro, J., et al: ‘A survey of security and privacy issues in ePassport protocols’, ACM Comput. Surv., 2016, 48, (3), pp. 137.
        . ACM Comput. Surv. , 3 , 1 - 37
    7. 7)
      • (2011)
        7. International Organization for Standardization. ‘ISO/IEC 14443-3: identification cards – contactless integrated circuit(s) cards – proximity cards – part 3: initialization and anticollision’ (Geneva, Switzerland, 2011). Available at http://www.iso.org/iso/catalogue_detail.htm?csnumber=50942, accessed 15 February 2017.
        .
    8. 8)
      • (2010)
        8. Japanese Industrial Standard. ‘JIS X 6319-4:2010: specification of implementation for integrated circuit(s) cards – part 4: high speed proximity cards’ (Tokyo, Japan, 2010). Available at http://www.webstore.jsa.or.jp/webstore/PrevPdfServlet?dc=JIS&fn=pre_jis_x_06319_004_000_2010_e_ed10_i4.pdf, accessed 26 January 2015.
        .
    9. 9)
      • E. Haselsteiner , K. Breitfuß .
        9. Haselsteiner, E., Breitfuß, K.: ‘Security in near field communication (NFC) – strengths and weaknesses’. Proc. Workshop on RFID Security, Privacy (RFIDSec), 2006.
        . Proc. Workshop on RFID Security, Privacy (RFIDSec)
    10. 10)
      • G. Madlmayr , J. Langer , C. Kantner .
        10. Madlmayr, G., Langer, J., Kantner, C., et al: ‘NFC devices: security and privacy’. Proc. Third Int. Conf. Availability, Reliability and Security (ARES), 2008, pp. 642647.
        . Proc. Third Int. Conf. Availability, Reliability and Security (ARES) , 642 - 647
    11. 11)
      • J. Vila , R.J. Rodríguez .
        11. Vila, J., Rodríguez, R.J.: ‘Practical experiences on NFC relay attacks with android: virtual pickpocketing revisited’. Proc. 11th Int. Workshop on RFID Security (RFIDsec), Springer, 2015 (LNCS, 9440), pp. 87103.
        . Proc. 11th Int. Workshop on RFID Security (RFIDsec) , 87 - 103
    12. 12)
      • (2017)
        12. NFC World. ‘NFC phones: the definitive list’, 2017. Available at http://www.nfcworld.com/nfc-phones-list/, accessed 25 January 2017.
        .
    13. 13)
      • S. Vaudenay .
        13. Vaudenay, S.: ‘E-passport threats’, IEEE Secur. Priv., 2007, 5, (6), pp. 6164.
        . IEEE Secur. Priv. , 6 , 61 - 64
    14. 14)
      • J.H. Hoepman , E. Hubbers , B. Jacobs . (2006)
        14. Hoepman, J.H., Hubbers, E., Jacobs, B., et al: ‘Crossing borders: security and privacy issues of the European e-passport’, in Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S. (EDs.): ‘Proceedings of the first international workshop on security (IWSEC)’ (Springer, Berlin Heidelberg, 2006), pp. 152167.
        .
    15. 15)
      • A.B. Jeng , L.Y. Chen .
        15. Jeng, A.B., Chen, L.Y.: ‘How to enhance the security of e-passport’. 2009 Int. Conf. Machine Learning and Cybernetics, vol. 5, 2009, pp. 29222926.
        . 2009 Int. Conf. Machine Learning and Cybernetics , 2922 - 2926
    16. 16)
      • J. Bender , D. Kügler .
        16. Bender, J., Kügler, D.: ‘Introducing the PACE solution’, Keesing J. Doc. Identity, 2009, 30, pp. 2629.
        . Keesing J. Doc. Identity , 26 - 29
    17. 17)
      • H. Richter , W. Mostowski , E. Poll .
        17. Richter, H., Mostowski, W., Poll, E.: ‘Fingerprinting passports’. NLUUG Spring Conf. Security, 2008.
        . NLUUG Spring Conf. Security
    18. 18)
      • (2017)
        18. Centro Criptológico Nacional (Spanish National Cryptologic Centre). ‘Documento 2014-39-INF-1766 v2. Informe de Certificación del producto DNIe-DSCF (dispositivo seguro de creación de firma) versión 3.0’. 2017, in Spanish. Available at https://www.commoncriteriaportal.org/files/epfiles/2014-39_inf-1766_v2.pdf, accessed 15 February 2017.
        .
    19. 19)
      • (2016)
        19. Atos IT Solutions and Services GmbH. ‘Certification report BSI-DSZ-CC-0967-2016 for CardOS DI V5.3 EAC/PACE Version 1.0 of the BSI’, 2016. Available at https://www.commoncriteriaportal.org/files/epfiles/0967a_pdf.pdf, accessed 15 February 2017.
        .
    20. 20)
      • M. Meingast , J. King , D.K. Mulligan .
        20. Meingast, M., King, J., Mulligan, D.K.: ‘Embedded RFID and everyday things: a case study of the security and privacy risks of the U.S. e-passport’. Proc. 2007 IEEE Int. Conf. RFID, 2007, pp. 714.
        . Proc. 2007 IEEE Int. Conf. RFID , 7 - 14
    21. 21)
      • Y. Liu , T. Kasper , K. Lemke Rust .
        21. Liu, Y., Kasper, T., Lemke Rust, K., et al: ‘E-passport: cracking basic access control keys’. On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS: OTM Confederated Int. Conf. 2007, Vilamoura, Portugal, November 25–30, 2007, Proc., Part II, Berlin, Heidelberg, 2007, pp. 15311547.
        . On the Move to Meaningful Internet Systems 2007: CoopIS , 1531 - 1547
    22. 22)
      • P. Vijayakrishnan , J. Pieprzyk , H. Wang .
        22. Vijayakrishnan, P., Pieprzyk, J., Wang, H.: ‘Formal security analysis of Australian e-passport implementation’. Proc. Sixth Australasian Conf. Information Security – Volume 81 AISC ‘08, Darlinghurst, Australia, 2008, pp. 7582.
        . Proc. Sixth Australasian Conf. Information Security – Volume 81 AISC ‘08 , 75 - 82
    23. 23)
      • F. Möllers .
        23. Möllers, F.: ‘An analysis of traceability of electronic identification documents’. MSc thesis, Faculty of Electrical Engineering, Computer Science and Mathematics, Paderborn University, 2012.
        .
    24. 24)
      • (2015)
        24. Cuerpo Nacional de Policía (Spanish National Police Corps). ‘DNIe basic reference guide’, 2015, in Spanish. Available at https://www.dnielectronico.es/PDFs/Guia_de_referencia_basica_v1_5.pdf, accessed 15 February 2017.
        .
    25. 25)
      • (2015)
        25. Cuerpo Nacional de Policía (Spanish National Police Corps). ‘NFC DNIe user guide’, 2015, in Spanish. Available at https://www.dnielectronico.es/PDFs/Guia_de_Referencia_DNIe_con_NFC.pdf, accessed 15 February 2017.
        .
    26. 26)
      • (2013)
        26. International Organization for Standardization. ‘ISO/IEC 7816-4-2013: identification cards – integrated circuit cards – part 4: organization, security and commands for interchange’ (Geneva, Switzerland, 2013), Available at http://www.iso.org/iso/catalogue_detail.htm?csnumber=54550, accessed 15 February 2017.
        .
    27. 27)
      • (2004)
        27. International Organization for Standardization. ‘ISO/IEC 7816-5-2013: identification cards – integrated circuit cards – part 5: registration of application providers’ (Geneva, Switzerland, 2004), Available at http://www.iso.org/iso/catalogue_detail.htm?csnumber=34259, accessed 15 February 2017.
        .
    28. 28)
      • (2015)
        28. ‘ICAO Doc 9303, machine readable travel documents part 11 — security mechanisms for MRTDs’, 2015. Available at https://www.icao.int/publications/Documents/9303_p11_cons_en.pdf, accessed 15 February 2017.
        .
    29. 29)
      • (2013)
        29. Ministerio del Interior (Spanish Ministry of Home Affairs). ‘Real decreto 869/2013’. 2013, in Spanish. Available at https://www.boe.es/boe/dias/2013/11/23/pdfs/BOE-A-2013-12320.pdf, accessed 15 February 2017, Boletín Oficial del Estado, 23rd November 2013.
        .
    30. 30)
      • (2012)
        30. ECRYPT. ‘Yearly report on algorithms and keysizes’. European network of excellence in cryptology, 2012. Available at http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf, accessed 15 February 2017.
        .
    31. 31)
      • E. Barker . (2016)
        31. Barker, E.Recommendation for key management’ (National Institute of Standards and Technology, 2016). Special Publication 800-57 Revision 4. Available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf, accessed 15 February 2017.
        .
    32. 32)
      • D. Carluccio , K. Lemke Rust , C. Paar . (2007)
        32. Carluccio, D., Lemke Rust, K., Paar, C., et al: ‘E-passport: the global traceability or how to feel like a UPS package’. Proc. Seventh Int. Workshop on Information Security Applications (WISA 2006). Revised Selected Papers, 2007. pp. 391404.
        .
    33. 33)
      • 33. Advanced security mechanisms for machine readable travel documents and eIDAS token. Part 1 – eMRTDs with BAC/PACEv2 and EACv1’. (Bundesamt für Sicherheit in der Informationstechnik (BSI), Technical Guideline, TR-03110-1, 2015.
        .
    34. 34)
      • (2016)
        34. International Organization for Standardization. ‘ISO/IEC 14443-3: identification cards – contactless integrated circuit(s) cards – proximity cards – part 2: radio frequency power and signal interface’ (Geneva, Switzerland, 2016). Available at http://www.iso.org/iso/catalogue_detail.htm?csnumber=50942, accessed 15 February 2017.
        .
    35. 35)
      • N. Borisov , I. Goldberg , D. Wagner .
        35. Borisov, N., Goldberg, I., Wagner, D.: ‘Intercepting mobile communications: the insecurity of 802.11’. Proc. Seventh Annual Int. Conf. Mobile Computing and Networking MobiCom ‘01, New York, NY, USA, 2001, pp. 180189.
        . Proc. Seventh Annual Int. Conf. Mobile Computing and Networking MobiCom ‘01 , 180 - 189
    36. 36)
      • N. Cam Winget , R. Housley , D. Wagner .
        36. Cam Winget, N., Housley, R., Wagner, D., et al: ‘Security flaws in 802.11 data link protocols’, Commun. ACM, 2003, 46, (5), pp. 3539.
        . Commun. ACM , 5 , 35 - 39
    37. 37)
      • (2016)
        37. Atos IT solutions and services GmbH. ‘Security target ‘CardOS DI V5.3 EAC/PACE version 1.0’, Rev. 2.01, edition 04/2016’, 2016. Available at https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Reporte/Reporte09/0967b_pdf.pdf;jsessionid=8F38A3EA5734CA889E8EA7AB5E6B6190.1_cid341?_blob=p ublicationFile v=2, accessed 15 February 2017.
        .
    38. 38)
      • (2013)
        38. Bundesamt für Sicherheit in der Informationstechnik (BSI). ‘Functionality classes and evaluation methodology for physical random number generators, AIS 31, V3’, 2013. Documents available at https://www.bsi.bund.de/DE/Themen/ZertifizierungundAnerkennung/Produktzertifizierung/ZertifizierungnachCC/AnwendungshinweiseundInterpretationen/AIS/AIS.html, accessed 15 February 2017.
        .
    39. 39)
      • D.J. Bernstein , Y.A. Chang , C.M. Cheng . (2013)
        39. Bernstein, D.J., Chang, Y.A., Cheng, C.M., et al: Factoring RSA keys from certified smart cards: Coppersmith in the wild, in: Sako, K., Sarkar, P. (EDs.). ‘Advances in Cryptology - ASIACRYPT 2013: 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1-5, 2013, Proceedings, Part II’ (Springer, Berlin Heidelberg, 2013), pp. 341360.
        .
    40. 40)
      • D.E. Knuth . (1997)
        40. Knuth, D.E.: ‘The art of computer programming’, in (EDs.): ‘Seminumerical Algorithms’, vol. 2 (Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1997, 3rd edn.).
        .
    41. 41)
      • J. Walker . (2008)
        41. Walker, J.: ‘ENT. A pseudorandom number sequence test program’, 2008. Available at http://www.fourmilab.ch/random/, accessed 15 February 2017.
        .
    42. 42)
      • K. Pearson .
        42. Pearson, K.: ‘On the criterion that a given system of deviations from the probable in the case of a correlated system of variables is such that it can be reasonably supposed to have arisen from random sampling’, Philos. Mag. Ser. 5, 1900, 50, (302), pp. 157175.
        . Philos. Mag. Ser. 5 , 302 , 157 - 175
    43. 43)
      • (2001)
        43. National Institute of Standards and Technology. ‘FIPS PUB 140-2. Security requirements for cryptographic modules’, 2001. Available at http://csrc.nist.gov/groups/STM/cmvp/standards.html, accessed 15 February 2017.
        .
    44. 44)
      • 44. ‘rng-tools’. Available at https://wiki.archlinux.org/index.php/Rng-tools, accessed 15 February 2017.
        .
    45. 45)
      • M. Zalewski .
        45. Zalewski, M.: ‘Strange attractors and TCP/IP sequence number analysis’. Available at http://lcamtuf.coredump.cx/oldtcp/tcpseq, accessed 15 February 2017.
        .
    46. 46)
      • A. Rukhin , J. Soto , J. Nechvatal . (2010)
        46. Rukhin, A., Soto, J., Nechvatal, J., et al: ‘A statistical test suite for random and pseudorandom number generators for cryptographic applications’, 2010. Available at http://csrc.nist.gov/groups/ST/toolkit/rng/documentation_software.html, accessed 15 February 2017.
        .
    47. 47)
      • U. Maurer .
        47. Maurer, U.: ‘A universal statistical test for random bit generators’, J. Cryptol., 1992, 5, (2), pp. 89105.
        . J. Cryptol. , 2 , 89 - 105
    48. 48)
      • C. Rousseau , Y. Saint Aubin . (2008)
        48. Rousseau, C., Saint Aubin, Y.Random number generators’ (Springer New York, New York, NY, 2008), pp. 123.
        .
http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2017.0299
Loading

Related content

content/journals/10.1049/iet-ifs.2017.0299
pub_keyword,iet_inspecKeyword,pub_concept
6
6
Loading
This is a required field
Please enter a valid email address