Passport cloning in perspective

Posted by: ceesb

Posted on October 6, 2008

 

Recently, a tool [1] has been made available to "clone" electronic passports. Also, in recent international press items there have been several confusing and sometimes erroneous statements about the electronic passport. Let me try and explain what it means and takes to clone a passport, for cloning is possible given the specification for some types of electronic passports!

Cloneable vs. uncloneable passports

The standard (ICAO's MRTD) for electronic passports supports several flavors. The medium security variant of the electronic passport is really just a collection of data files containing the holder's personal details and picture. These files are electronically signed by the country issuing the passport. The signatures and data files can be downloaded from the electronic passport and written to a blank chip: there is no protection against cloning the passport data. The electronic signatures do protect against modification of the data files contained on the passport, and they allow the authenticity of the data files to be verified.

The high security variant contains a mechanism that prevents cloning. We call these passports "AA-passports" after the name of the additional mechanism present on these passports. Most, but crucially not all, data can be copied from the AA-passport onto a blank chip. A clone of an AA-passport can be detected because of the missing data that could not be copied from the original passport. This secret data is used in an authentication mechanism called "Active Authentication". Clones of AA-passports cannot perform a valid Active Authentication, because they are missing the secret data, which is in fact a private RSA key.

Some (or most) countries use the medium security variant. Therefore, passports from these countries can be cloned (by specification). Electronic passports issued by The Netherlands are AA-passports and thus the high security variant.

Detection systems

Whereas the functions and requirements of the electronic passport are defined in a standard, the requirements for the detection system for reading these passports are not. Furthermore, the reading systems currently available do not all correctly verify the authenticity and integrity of the passport data. Weak detection systems can be tricked into accepting "cloned" AA-passports and even modified passports.

A weakness in the passport [2] in combination with a weak detection system may cause a high security AA-passport to be degraded to a medium security passport without detection. The weakness in the passport is that not all data on the passport is signed. Specifically, some data from which one may derive whether or not the passport is AA is not signed and may be changed on a copy. Jeroen van Beek, who found the passport weakness, claims that clones he makes with the change in the unsigned data are accepted by all inspection systems that are based on "ICAO's worked examples", which is unwanted, because most developers will follow the worked examples blindly. Still, there is a second way to detect whether the passport is AA, and that method is based on data that is actually signed. Clearly, a good detection system will use information from the signed passport data to determine whether or not a passport supports AA. The tool that can be downloaded from [1] will automatically create a downgraded clone from an AA-passport.

Elvis in the Netherlands?

On the website where the passport cloning tool can be downloaded, there is a video showing the passport of Elvis being read on a passport reader at Schiphol Airport. It is important to note that the actual passport weakness discussed above is not the cause for fake Elvis passports being accepted by passport reading systems. The personal data of both medium security and high security passports is signed by the country issuing the passport via a certificate chain. Detection systems are responsible for checking the entire certificate chain down to the root certificate in order to verify the authenticity of a passport. A fake Elvis passport can well be signed, but never by a certified authority. The passport reading system at Schiphol Airport does not verify the certificate chain and therefore does not make note of this passport being a fake. The same holds for passport reading equipment present in Dutch town halls.
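The two reader-side checks discussed under "Detection systems" and in this section, as an added sketch that is not code from the post or from any inspection system: decide whether Active Authentication is required from the signed hash list rather than from the unsigned index, and reject signers that do not chain to a trusted root. The chip model and all names are hypothetical, the DG15 detail comes from ICAO Doc 9303 rather than from this page, and signature-chain validation and the AA challenge are passed in as booleans instead of being performed.

```python
import hashlib

AA_DG = 15  # DG15 holds the Active Authentication public key (ICAO Doc 9303)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def naive_requires_aa(chip):
    # Weak reader: trusts the unsigned index, which a copy can rewrite.
    return AA_DG in chip["index"]

def signed_requires_aa(chip):
    # Robust reader: the signed hash list cannot change without breaking the signature.
    return AA_DG in chip["signed_hashes"]

def inspect(chip, signer_trusted, aa_passed):
    """Return a list of findings; an empty list means accept."""
    findings = []
    if not signer_trusted:
        findings.append("signer does not chain to a trusted root")
    for dg, expected in sorted(chip["signed_hashes"].items()):
        data = chip["data_groups"].get(dg)
        if data is not None and sha256_hex(data) != expected:
            findings.append(f"DG{dg} does not match its signed hash")
    if signed_requires_aa(chip):
        if not naive_requires_aa(chip):
            findings.append("index omits DG15 that the signed data lists (downgrade)")
        if not aa_passed:
            findings.append("Active Authentication required but not passed")
    return findings

def make_chip(index, groups, signed_from=None):
    # Constructed sample; signed_hashes stands in for the issuer-signed hash list.
    src = signed_from or groups
    return {"index": index, "data_groups": groups,
            "signed_hashes": {dg: sha256_hex(d) for dg, d in src.items()}}

GENUINE_GROUPS = {1: b"MRZ data", 2: b"face image", 15: b"AA public key"}
genuine = make_chip([1, 2, 15], GENUINE_GROUPS)
# Downgraded copy: same files and signed hashes, DG15 missing from the unsigned index.
downgraded = make_chip([1, 2], dict(GENUINE_GROUPS), signed_from=GENUINE_GROUPS)
# Self-signed document: internally consistent, but the signer is not trusted.
forged = make_chip([1, 2], {1: b"MRZ ELVIS", 2: b"face image"})

if __name__ == "__main__":
    print(inspect(genuine, True, True))
    print(naive_requires_aa(downgraded), inspect(downgraded, True, False))
    print(inspect(forged, False, False))
```

A reader that relies on `naive_requires_aa` alone skips Active Authentication for the downgraded copy, while `inspect` reports both the index mismatch and the missing authentication.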

[1] freeworld.thc.org/thc-epassport/

[2] www.blackhat.com/presentations/bh-usa-08/van_Beek/bh_us_08_van_Beek_ePassports_Reloaded_Slides.pdf

Comments

1 comments

  • Martijn Oostdijk says on 07 October 08, 12:35

    Trackback from http://jmrtd.org/
