Active Authentication (AA henceforth) relies on RSA or ECDSA and allows you to sign data. However, as it is not meant to sign data, you should not use it for that purpose.
First of all, the only PKI that verifies the public key is that used for passive authentication of the passport - so you probably have to set up a separate PKI for it to be useful. Passive authentication simply embeds the public key in a "data group" which is then authenticated by a signature set by a country's signing certificate. However, the public key used is not in a certificate itself.
Second, the signing is used for passport authentication only and therefore does not require user confirmation / commitment such as entering a PIN. Hence any reader with access to the contents of the passport is allowed access to the signing procedure, so having a signature does not prove user consent in any way.
The old AA algorithm uses the ISO/IEC 9796-2 signature scheme 1 giving message recovery. I've never been able to find out why (and I was directly involved), probably it was copied from some banking standard. Newer ones may use PSS as well. If 9796 is used then you might not be able to find too many parties that are able to verify the generated signature. AA is performed using the INTERNAL AUTHENTICATE command and is performed over RND.IFD, which is specified for 8 bytes only, severely limiting input data.
If the passport still uses AA then you might also have a problem with the size of the keys. If you want to sign something for non-repudiation then you may want to have an RSA key size of 3072 bits or above. There aren't many smart cards that have the hardware for such large key sizes (at least not if you want to fit the other tens of pages of protocol spec in there as well).
In principle AA may use ECDSA, but it makes more sense for the country to use CA if that's the case. Finally, there may also be passports that use PACE-CAM, where the CA internal authentication is embedded in the initial authentication procedure.
For Chip Authentication (CA) the signature generation was considered a threat to the privacy of the user. A country could for instance use it to sign time and coordinates to create tracking. That's why CA is based on Diffie-Hellman key agreement rather than a signature generation function. Unfortunately, that also makes it unavailable for signature generation.
Conclusion: it is next to impossible to use AA and CA for digital signatures used for non-repudiation; AA was not designed to support such a use case and CA was deliberately designed to avoid the use case. AA could be used to sign 8 bytes without user consent, but that's about it.
Besides the technological barriers, I'd certainly consider using AA or CA for anything other than (national) border control morally wrong. It should not be used even with consent, as any advantage that is gained can also be used to pressure people into using a passport for what it is not designed to do.
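To make the signature format concrete, here is an added example (mine, not code from the answer or from any passport or ICAO implementation) of the ISO/IEC 9796-2 scheme 1 encoding used for AA with SHA-1: the chip signs 0x6A || M1 || SHA-1(M1 || RND.IFD) || 0xBC, where M1 is the chip's own nonce (recovered by the verifier) and RND.IFD is the reader's 8-byte challenge, the only reader-chosen input. The RSA key is a constructed demo key built from two Mersenne primes, and the challenge is a constructed value; a verifier that only understands PKCS#1 padding would reject this structure, which is why so few parties can check it.

```python
import hashlib
import os

HASH_LEN = 20    # SHA-1 digest length, implied by the single-byte 0xBC trailer
RND_IFD_LEN = 8  # RND.IFD, the reader's INTERNAL AUTHENTICATE challenge

def rsa_key_from_primes(p, q, e=65537):
    """Textbook RSA key (n, e, d) from two primes; key generation is out of scope."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def demo_key():
    """Constructed demo key from the Mersenne primes 2^521-1 and 2^607-1 (1128-bit n).
    Deterministic and trivially factorable: it only serves to exercise the format."""
    return rsa_key_from_primes(2**521 - 1, 2**607 - 1)

def _modulus_bytes(n):
    if n.bit_length() % 8:
        raise ValueError("this demo assumes a byte-aligned modulus")
    return n.bit_length() // 8

def aa_sign(key, rnd_ifd):
    """Chip side: F = 0x6A || M1 || SHA-1(M1 || RND.IFD) || 0xBC, signature = F^d mod n.
    M1 is the chip's nonce (recoverable); RND.IFD is the only reader-chosen input."""
    n, _, d = key
    if len(rnd_ifd) != RND_IFD_LEN:
        raise ValueError("RND.IFD must be exactly 8 bytes")
    k = _modulus_bytes(n)
    m1 = os.urandom(k - HASH_LEN - 2)  # 106 bytes for a 1024-bit passport key
    f = b"\x6a" + m1 + hashlib.sha1(m1 + rnd_ifd).digest() + b"\xbc"
    return pow(int.from_bytes(f, "big"), d, n).to_bytes(k, "big")

def aa_verify(pub, rnd_ifd, signature):
    """Reader side: recover F = sig^e mod n, check header and trailer, recompute the hash.
    Returns the recovered M1 on success, None otherwise."""
    n, e = pub
    k = _modulus_bytes(n)
    f = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    if f[0] != 0x6A or f[-1] != 0xBC:
        return None
    m1, h = f[1:-HASH_LEN - 1], f[-HASH_LEN - 1:-1]
    return m1 if hashlib.sha1(m1 + rnd_ifd).digest() == h else None

if __name__ == "__main__":
    key = demo_key()
    challenge = bytes(range(8))          # constructed RND.IFD
    sig = aa_sign(key, challenge)
    print("recovered M1 length:", len(aa_verify(key[:2], challenge, sig)))
    print("wrong challenge verifies:", aa_verify(key[:2], bytes(8), sig) is not None)
```

Note that the verifier learns nothing about who asked for the signature: any reader that can run INTERNAL AUTHENTICATE gets a valid signature over its 8 bytes, which is the consent problem the answer describes.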
RND.IFD which is 8 bytes, but it can really be any data on most if not all passports... – Maarten Bodewes Oct 18 '19 at 10:41