© The Institution of Engineering and Technology
The theft of personal information to fake the identity of a person is a common threat, normally carried out by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to contract online products such as mortgages or loans, was updated to incorporate a near-field communication chip, as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the radio-frequency identification communication to virtually steal personal information. In this study, the authors take the recently deployed contactless Spanish identity card as a case study and assess its security against identity theft. In particular, they evaluated the security of one of the contactless access protocols as implemented in the contactless Spanish identity card, and found that no defences against online brute-force attacks were incorporated. They then suggest two countermeasures to protect against these attacks. Furthermore, they also analysed the pseudo-random number generator within the card, which passed all the performed tests with good results.
http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2017.0299