DID

Decentralized Identifiers (DIDs) v0.13


New eID

Commercial Times editorial: Concerns raised by the new digital ID card (New eID)

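For the production of the New eID, the chip security management specifications are set according to the international security standards ISO 14443 and ICAO. Every chip has its own unique identifier (Unique ID, UID for short). The Central Engraving and Printing Plant, which manufactures the cards, will, with the approval of the Ministry of the Interior, use the UID to record each card's production history, preventing chips from being leaked, stolen or improperly used; in future the UID can also be used to tell whether a chip card is forged or altered, so it is an important control mechanism. As for writing personal data to the chip, ICAO's privacy protection recommendations are adopted: a random serial number mechanism is enabled and a new random number is generated on every contactless read, so the chip's usage trail cannot be tracked at all. This is the same as the current chip passport.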

Doc 9303 Part 11: Security Mechanisms for MRTDs - ICAO

Table 10. Key agreement algorithms

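| Algorithm / Format              | DH                      | ECDH                    |
|---------------------------------|-------------------------|-------------------------|
| Key Agreement Algorithm         | [PKCS#3]                | ECKA [TR-03111]         |
| X.509 Public Key Format         | [X9.42]                 | [TR-03111]              |
| TLV Public Key Format           | TLV, cf. Section 9.4.2  | TLV, cf. Section 9.4.3  |
| Ephemeral Public Key Validation | [RFC 2631]              | [TR-03111]              |
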
  • [X9.42] ANSI: X9.42, Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography, 1999
  • [TR-03111] BSI: Technical Guideline TR-03111: Elliptic Curve Cryptography, Version 2.0, 2012
  • [RFC 2631] Rescorla, Eric: RFC 2631 Diffie-Hellman key agreement method, 1999

Basic access control - Wikipedia

There is a replay attack against the basic access control protocol that allows an individual passport to be traced.[3][4] The attack is based on being able to distinguish a failed nonce check from a failed MAC check and works against passports with randomized unique identifiers and hard to guess keys.

The basic access control mechanism has been criticized as offering too little protection from unauthorized interception. Researchers claim[5] that because there are only limited numbers of passports issued, many theoretically possible passport numbers will not be in use in practice. The limited range of human age ranges further reduces the space of possibilities. In other words, the data used as an encryption key has low entropy, meaning that guessing the session key is possible via a modest brute force attack.

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA

Basic Access Control
  Grants access to data after inspection systems are authorized
  Authorization through the Machine Readable Zone (MRZ)
    Nine digit document number
    In many countries: issuing authority + incrementing number
    Six digit date of birth
      Can be guessed or assumed to be a valid date
    Six digit expiry date 
    16 most significant bytes of SHA1-hash over MRZ_info are 
      used as 3DES key for S/M (ISO7816 secure messaging)
---
BAC 
  The access key is printed on the passport
  Many times the passport is put on a Xerox machine in:
    Hotels
    Rentals (cars, ski, ...)
    Shops (cell phones, ...)
  The data from the MRZ is stored in many private databases (airlines, banks ...)
---
BAC And Traceability
  With the BAC handshake data known, 
    the random unique ID is worthless
    the MRTD is traceable
    access to the content (LDS-DG.1 & DG.2) is possible
    access to the SOD is possible

Privacy features for contactless cards - Privacy Features of European eID Card Specifications 2008

Contactless chip cards require additional security mechanisms. At least the following issues should be addressed:

  • Skimming: an attacker opens a clandestine connection to the chip and gains access to the data,
  • Eavesdropping: an attacker intercepts the communication between the chip and an authorised reader,
  • Location Tracking: an attacker generates person or card-specific movement profiles

As mentioned above, BAC protects electronic passports against skimming attacks while, for example, the passport holder carries his passport in the pocket. During the border control procedure, the reading device optically scans the document and authenticates to the chip using keys derived from the MRZ printed on the data page. Some European countries, like the Netherlands and Sweden, adopted BAC in the specifications of their national ID cards where the MRZ is printed on the back of the card.

The BAC mechanism only weakly addresses the issue of eavesdropping and it does not prevent reading (or copying) the data of a lost passport. However, in the second generation of European passports, this problem is addressed by the Extended Access Control (EAC) protocol which, besides the mutual authentication of card and reader, establishes a strongly encrypted communication channel. Similar techniques, some of them adapted to internet-authentication use-cases, can be found in the specifications for the German eID card and inclusion into the European Citizen Card standard is currently under discussion.

Location tracking is an important privacy issue in contactless eID systems. An electronic passport with an RFID chip, if equipped with Basic Access Control, does not reveal any personal information of the passport holder as long as it is safely stored in a pocket and its MRZ is unknown to the attacker. However, the initialisation of wireless communication according to ISO 14443 requires the chip to send a unique identifier to the card reader. An attacker with several distributed reading devices (e.g. in door frames) could therefore distinguish the passport holder without actually having access to the files on the chip. Combined with other data sources, the attacker might be able to generate person or card-specific profiles. This particular attack is relatively easy to avoid – most electronic passports generate random UIDs for every session (see Supplement 9303, E11) but as a general rule, privacy-protecting RFID systems should be designed very carefully.

Lin Tsung-nan (林宗男) and Li Jung-shian (李忠憲): The information security risks of the digital ID card

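Although the chip's public and private keys are generated inside the chip, the public key data has to be read out in order to produce the personal certificate signing request (CSR). If the public key can be exported, then of course the private key can be exported too. Yet the Ministry of the Interior tells the public that it cannot be exported, which is clearly at odds with the facts. Only the vendor knows how the key pairs of the entire population are generated, and government agencies cannot verify it, which creates a national security governance crisis out of thin air. We call on the government to build our country's digital nation policy on a decentralized architecture, abandon this ill-conceived policy, and respond positively to the "one card, one purpose" position of civil society and academia.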

TODO

Hyperledger Aries

Sidetree

DID Resolution

201909