In this article, René Clerc explains some of the basics of the RFID chips used in e‑Passports, and discusses some of the inherent difficulties that arise when verifying the authenticity of their contents; difficulties that are apparent especially when semi‑public and private organisations such as employers, banks, car rental companies and hotels are performing the verification. This article presents a solution that might mitigate these difficulties.

Many passports today are e‑Passports: passports that, besides traditional, physical security features, also contain a contactless chip that meets ICAO specifications. This chip harbours data on the document and its bearer, which can be read electronically. Currently, over 100 states worldwide issue such e‑Passports. Although this is a little over half of all states in the world, it does represent roughly 85% of the total volume of passports in circulation. This is the good news.
On a less bright note, research shows that only 25% of all states that issue an e‑Passport actually read data from the e‑Passport’s chip at their borders.1 This is only a tiny portion, and it indicates that there is a significant discrepancy between a state issuing such passports and a state being able to read them at their borders. We can only hope that this is due to a well‑balanced risk trade off.

Compliance and risk aversion
Although travel documents have been primarily designed and developed to facilitate travel and border crossing, they are becoming increasingly important in day‑to‑day, non‑travel situations. Opening a bank account, changing jobs, checking in at a hotel or accessing a secure facility: these are all situations in which someone must be able to identify himself with an identity document. There are two main drivers for organisations to check these identity documents:

Compliance
Legal regulations require companies to know who they are dealing with, and they are therefore required to authenticate the identity document. Failure to comply with these regulations can result in financial sanctions and even prosecution. A typical example is pre‑employment screening – fines for working illegally are high.

Risk aversion
In order to diminish the financial risk, companies want to know who they are dealing with. A typical example is a rental company, which has the desire to check an ID before their high value goods are handed over.
Sometimes both compliance and risk aversion are valid drivers, for example in the financial industry.
We can conclude that many different semi‑public and private organisations use ID documents to identify their customers, and therefore have an interest in verifying the authenticity of these documents. However, this is far from easy, especially when it is not a trained government official performing the task, but a regular employee of a private organisation instead.

RFID chips
An increasing number of identity documents contain an RFID chip, which complies with well‑defined standards. Reading and authenticating the contents of these chips can be done automatically. An increasing number of organisations that have either the desire or the requirement to authenticate identity documents are becoming aware of the importance of the RFID chip. Nowadays, the majority of tender specifications contain the requirement to read the chip’s contents. So it seems that besides immigration and border control, semi‑public and private organisations are gearing up for digital identification and reading the contents of chips. However, reading the contents is not the same as authenticating them. Below, the authentication process will be explained.

Security of the RFID chip
First of all, it is necessary to understand that the data in the RFID chip are secured. Regarding the chip’s security, two aspects can be highlighted: privacy and authenticity.

Privacy
In the case of RFID chips, the biometric data stored on the chip, such as finger prints or the iris image, are private, and only authorised inspection systems can read these sensitive contents. Access is mainly limited to governments that are trusted by the issuing state – not your average bank or temporary staffing agency.

Authenticity
Verifying the authenticity of the contents means checking whether the contents are written by the right issuing organisation and have not been manipulated since. This is distinct from the privacy aspect: it is a basic check on the source and integrity of the data in the chip.

figure 1. The security of the RFID chip.

Please note that besides privacy and authenticity there are a number of other RFID chip security features, such as the detection of cloning and building a secure communication channel. The remainder of this article, however, will touch slightly on privacy, but will largely focus on detecting authenticity.
 The data in the RFID chip are stored in data groups in the chip’s Logical Data Structure. All security related information is contained in the Document Security Object. Unique hashes for the data groups are computed. A hash is a unique and irreversible digital summary of a set of digital data. If the digital data are changed, recomputing the hash over the changed data will yield a different one. Finally, a digital signature is computed over these hashes. All in all, this means that if the data in any of the data groups have been altered, the digital signature that was computed will no longer be valid. By current standards, this digital signature is considered unforgeable (see Figure 1). 
In order to verify the validity of the signature, the inspection system needs access to a so‑called certificate. Below, the basics of how these certificates work are explained in the context of the RFID chip.

Certificates
An issuing authority generates key pairs: private keys with corresponding public keys. This is called asymmetric cryptography: the private key is kept private, and is used to create the digital signature. The public key, on the other hand, is used to verify the digital signature and it should be public. In the case of passports, this public key is embedded in the aptly named Document Signer (DS) Certificate, and in the vast majority of all cases this certificate is stored on the chip as well. This is very convenient, as it allows an inspection system to easily verify that the signature of the digital data on the chip is technically correct.

RFID chip tampering
Attackers usually follow a defined procedure to fake an RFID chip and make it appear authentic:
• They generate a key pair of their own: a bogus private key with a corresponding bogus public key.
• They proceed to place the data that should appear authentic in the RFID chip.
• They create a digital signature with their own private key and place the signature on the RFID chip.
• They place the corresponding public key, wrapped in a bogus DS certificate, on the RFID chip.

The procedure corresponds to the steps an issuing state would follow when issuing a genuine passport, with the only real difference that a bogus private key and a bogus DS certificate are used. Consequently, the only way in which the falsification would be detected, is by inspecting the DS certificate. If this certificate is accepted by inspectors as being issued by the correct issuing authority, the data will be deemed genuine and the fraud will remain undetected. Therefore, in order to completely verify the authenticity of the RFID chip’s contents, semi‑public and private organisations need to verify the authenticity of the DS certificate.

figure 2. Simplified RFID chip security chain.

Verifying the DS certificate
The DS certificate should have been generated by the issuing state’s so‑called Country Signing Certificate Authority (CSCA). This is the sole authority within the issuing state that generates and signs DS certificates. To verify the certificate, the CSCA’s public key is needed, which is embedded in the CSCA certificate. For obvious reasons, the CSCA certificate is not stored on the chip.
This final step in authentication is very important. Failure to perform this last check would mean it is impossible for anyone to make any claim about the authenticity of the e‑Passport. The link from the DS certificate to the CSCA certificate must be established.
Numerous cases have been reported in which ‘hackers’ proved that the e‑Passport was ‘hacked’ and that it was inherently insecure. This had nothing to do with errors in the chip or the protocols themselves – in all these cases, the inspection systems failed to correctly verify the certificate chain. See Figure 2 for a simplified overview of this certificate chain.

Certificate distribution
In cryptography, a public key is required to verify the digital signature and authenticate the contents. Although keys and cryptography are always surrounded by a hint of secrecy, it is essential to understand that the public part of the generated key pairs should be what its name implies: publicly known. The certificates that contain these public keys are generally published in a number of sources: 
• The website of the relevant ministry issuing the passport. When downloading certificates from websites, make sure it is the right website and that the connection is secured via HTTPS.
• Master Lists, a collection of CSCA certificates that are trusted by the publisher of this Master List.
If you trust the publisher of a Master List, you put trust in the CSCA certificates on that list.
• Bilateral exchanges between government representatives.
• The ICAO Public Key Directory (PKD), to which participants upload certificate information.
The PKD contains DS Certificates, Master Lists and Revocation Lists (see Box 1), but no individual CSCA certificates.

Other more unconventional means of sharing these certificates are to print them on business cards and to include them in every press release.

The more widespread a certificate with public key is known, the less prone the key pair (and hence, the signed data) is to an attack. This cannot be stressed enough: a public key should be as public as possible. The more websites the certificate is published on, the more directories or Master Lists that contain it and the more bilateral exchanges that have been made all help, because of the simple fact that an attacker has to make their fake certificate known through all these sources, some of which are clearly out of their reach.

For the national agencies that are managing border control, one could state that there is a justifiably high interest in authenticating e‑Passports: national security is at stake. However, as mentioned before, only a quarter of all states issuing e‑Passports (that is actually one eighth of all states) are reading e‑Passports at their borders. The word ‘reading’ is used here on purpose – it is unclear how many states are actually authenticating the contents of the chip, but there are reasons to believe that this number is even smaller.

Everybody should be able to authenticate the contents of RFID chips. It should not be limited to border control, but be possible also for semi‑public and private organisations that have an interest in checking identity documents, such as banks, car rental companies, employers and hotels. However, although over 100 states are issuing e‑Passports, many of them fail to adequately publish the necessary information to enable others to authenticate their passports. In the next section, we will propose a way to circumvent
this problem.

Crowdsouced certificate information
First of all: when available, organisations should use the CSCA certificates as much as possible. If not available – which is often the case – the mechanism below can provide an alternative way to judge the authenticity of the e‑Passport.
 As mentioned above, the DS certificate is actually present on the e‑Passport’s chip. We can leverage this fact, and use it to establish trust in the e‑Passport. It is important to know that a DS certificate is typically used to digitally sign the contents of a batch of hundreds of thousands of documents, after which a new DS certificate is generated for the next batch.
 Imagine the following case, where a person presents an e‑Passport to an inspection point. And let us assume that no CSCA information is available for the state that issued this e‑Passport. At this point, only one thing can be done: to authenticate the chip’s contents against the DS certificate that is on the chip itself. Which, again, says nothing about the authenticity.Subsequently, the e‑Passport is verified in the traditional way, by checking the physical security features. We do the same with the contents of the chip: recall that the machine readable zone and the document bearer’s photo are both on the chip and on the biographical data page. This means that these data are in fact redundant, and that they can be compared. If the document is physically correct, we register that this specific DS certificate was used to correctly sign a physically correct identity document.

Of course, one so‑called positive encounter should not result in a massive amount of trust being put in that certificate. It actually doesn’t mean anything – from a single case one cannot derive a generic conclusion. But what if, over the course of time, in different geographical locations, the number of positive encounters of this DS certificate is increasing? Then it actually does start to mean something: chances are becoming increasingly smaller that this is some kind of sophisticated distributed attack.
 This is clearly not the same level of trust as is gained from correctly verifying the certificate chain up to the CSCA – that remains the only route which provides close to absolute certainty. However, by following the process described here, it is possible to place a fair amount of trust in the authenticity of these e‑Passports.

Classification of certificate
One could propose a classification of certificates. By placing certificates into different trust categories based on the sources through which they are obtained, a distributed trust model can be built.
 In this way we use the power of crowdsourcing to build trust in the DS certificates – without infringing on any individual’s or organisation’s privacy (see Box 2).
 Of course, the decision whether or not to trust an identity document, either with or without chip, can be made a lot easier by using inspection systems: computers and passport readers. Ultimately, the results need to be interpreted and a decision must be made. Therefore, it should always be made explicit what the level of trust is that can be put in the results of the chip authentication and what the reason was for awarding this level of trust.

Closing thoughts
Electronic verification of identity documents is shaping the future. If done correctly, it is a very quick and highly reliable way to authenticate an identity document. However, the means to do this are not always easily available: not even for border control, let alone for semi‑public and private organisations that have the need to reliably verify ID documents. Checking the authenticity of e‑Passports should be possible, and might be made easier by building a distributed trust model for the classification of DS certificates.

Reference
1 http://www.icao.int/Meetings/TAG-MRTD/Documents/Tag-Mrtd-21/Tag-Mrtd21_IP03.pdf. Accessed on: 2 December 2014.