Security assessment of the Spanish contactless identity card

The theft of personal information to fake the identity of a person is a common threat, normally carried out by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to contract online products such as mortgages or loans, was updated to incorporate a near-field communication chip, as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the radio-frequency identification communication to virtually steal personal information. In this study, the authors take the recently deployed contactless Spanish identity card as a case study and assess its security against identity theft. In particular, they evaluated the security of one of the contactless access protocols as implemented in the contactless Spanish identity card and found that no defences against online brute-force attacks were incorporated. They then suggest two countermeasures to protect against these attacks. They also analysed the pseudo-random number generator within the card, which passed all the performed tests with good results.

Inspec keywords: near-field communication; personal computing; access protocols; security of data; fraud; radiofrequency identification; random number generation; telecommunication security

Other keywords: loans; electronic passports; Spanish contactless identity card; pseudo-random number generator; identity theft; security assessment; mortgages; personal information theft; contactless interface; attack vector; online products; crime rings; terrorists; contactless access protocol; radio-frequency identification communication; near-field communication chip; criminals; online brute-force attacks

Subjects: Protocols; RFID systems; Other radio links and systems; Data security

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-ifs.2017.0299