U.S. patent application number 12/752831 was filed with the patent office on 2010-07-29 for privacy-enhanced e-passport authentication protocol.
This patent application is currently assigned to Certicom Corp.. Invention is credited to Daniel R.L. Brown, Scott A. Vanstone.
Application Number | 20100189253 12/752831 |
Document ID | / |
Family ID | 37430915 |
Filed Date | 2010-07-29 |
United States Patent
Application |
20100189253 |
Kind Code |
A1 |
Brown; Daniel R.L. ; et
al. |
July 29, 2010 |
PRIVACY-ENHANCED E-PASSPORT AUTHENTICATION PROTOCOL
Abstract
A passport authentication protocol provides for encryption of
sensitive data such as biometric data and transfer of the
encryption key from the passport to the authentication authority to
permit comparison to a reference value.
Inventors: |
Brown; Daniel R.L.;
(Mississauga, CA) ; Vanstone; Scott A.;
(Campbellville, CA) |
Correspondence
Address: |
Blake, Cassels & Graydon LLP
199 BAY STREET , SUITE 2800, COMMERCE COURT WEST
TORONTO
ON
M5L 1A9
CA
|
Assignee: |
Certicom Corp.
Mississauga
CA
|
Family ID: |
37430915 |
Appl. No.: |
12/752831 |
Filed: |
April 1, 2010 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
11436986 |
May 19, 2006 |
7720221 |
|
|
12752831 |
|
|
|
|
60682862 |
May 20, 2005 |
|
|
|
Current U.S.
Class: |
380/30 |
Current CPC
Class: |
H04L 9/3247 20130101;
H04L 2209/805 20130101; H04L 9/3066 20130101; H04W 12/06 20130101;
H04W 12/47 20210101; H04L 9/3231 20130101 |
Class at
Publication: |
380/30 |
International
Class: |
H04K 1/00 20060101
H04K001/00 |
Claims
1. A method of maintaining confidentiality of sensitive information
stored in a machine readable document pertaining to a correspondent
during transmission of said sensitive information to a machine for
examination, comprising: generating an encryption key e from a
public key of said correspondent and encrypting said sensitive
information with said encryption key e to obtain a ciphertext C,
forwarding said ciphertext C to said machine, receiving from said
machine an ephemeral public key obtained from an ephemeral private
key b of said machine and said ciphertext C, and returning to said
machine additional information to permit recovery of said sensitive
information by said machine from said ciphertext C.
2. A method according to claim 1 further comprising: prior to
forwarding one of said ciphertext C and said additional information
to said machine, authenticating said machine to said machine
readable document, wherein said one of said ciphertext C and said
additional information is forwarded to said machine only upon
successful authentication of said machine.
3. A method according to claim 1 wherein said sensitive information
is biometric information.
4. A method according to claim 1 wherein said ephemeral public key
is used to generate said additional information.
5. A method according to claim 1 wherein said additional
information permits recovery of said encryption key e.
6. A method according to claim 1 wherein said encryption key e is
derived from a value R obtained from a long term public key Q of
said correspondent and a session private key k generated by said
machine readable document.
7. A method according to claim 6 wherein said additional
information permits computation of said value R by said machine and
thereby derivation of said encryption key e.
8. A method according to claim 6 wherein said long term public key
Q has a corresponding long term private key d and said additional
information is obtained from combining said long term private key d
and said ephemeral public key.
9. A method according to claim 6 wherein said ephemeral public key
incorporates a signature component s that binds a long term private
key d of said correspondent and said session private key k with a
hash h of said ciphertext C.
10. A method of maintaining confidentiality of sensitive
information stored in a machine readable document pertaining to a
correspondent during transmission of said sensitive information to
a machine for examination, comprising: said machine initiating a
request to assemble a message by said machine readable document,
said message having a primary portion M.sub.1 and a secondary
portion M.sub.2, said primary portion including a ciphertext C
obtained from encrypting said sensitive information with a session
encryption key e and said secondary portion containing less
sensitive information retrieved from said machine readable document
and including a long term public key of said one correspondent,
receiving said message from said machine readable document,
generating a value from said ciphertext C and said secondary
portion M.sub.2, generating an ephemeral private key, and utilizing
said value and said ephemeral private key to generate a public
session key from said value and said ephemeral private key,
forwarding said public session key to said machine readable
document and obtaining from said machine readable document
additional information to permit recovery of said sensitive
information from said ciphertext C, and said machine recovering
said sensitive information from said ciphertext C using said
additional information.
11. A method according to claim 10, wherein said additional
information is a further public key that permit recovery of said
session encryption key.
12. A method according to claim 10, further comprising: said
machine comparing said recovered sensitive information with a
reference input obtained directly from said correspondent to
authenticate identity of the correspondent.
13. A machine readable document having a cryptographic unit
including an arithmetic processor for performing cryptographic
operations and a random number generator to provide ephemeral
session keys, a data communication interface for communicating with
a machine for examining said machine readable document, and a
memory device to store sensitive information in a secure manner,
said data communication interface and said memory device being in
data communication with said cryptographic unit, said cryptographic
unit performing operations to implement the method of claim 1.
14. A machine readable document according to claim 13, wherein said
cryptographic unit includes a secure memory device for storing
private keys and certificates.
15. A machine readable document having a cryptographic unit
including an arithmetic processor for performing cryptographic
operations and a random number generator to provide ephemeral
session keys, a data communication interface for communicating with
a machine for examining said machine readable document, and a
memory device to store sensitive information in a secure manner,
said data communication interface and said memory device being in
data communication with said cryptographic unit, said cryptographic
unit performing operations to implement the method of claim 1.
16. A machine readable document according to claim 15, wherein said
cryptographic unit includes a secure memory device for storing
private keys and certificates.
17. A machine for authenticating a correspondent based on sensitive
information stored in a machine readable document pertaining to the
correspondent, comprising: a data processing engine, a data
communication interface coupled to the data processing engine, the
data communication interface being configured to communicate with a
machine readable document having stored therein sensitive
information pertaining to the correspondent, and a scanner coupled
to the data processing engine for obtaining a reference input
directly from the correspondent, wherein the data processing engine
is configured to implement the method of claim 10.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application is a divisional of U.S. patent application
Ser. No. 11/436,986 filed on May 19, 2006 and claims priority from
U.S. Provisional Patent Application No. 60/682,862 filed on May 20,
2005 hereby incorporated by reference.
TECHNICAL FIELD
[0002] The present invention relates to protocols for restricting
access to sensitive information embedded in documents such as
passports and identity cards.
BACKGROUND OF THE INVENTION
[0003] Existing passport security technology links identity of an
individual by embedding a photograph within the passport.
[0004] The existing linkage is not cryptographically strong as
substituting a different photograph is relatively easy. Also, the
photograph is compared manually to the face of the traveller by the
border control inspector, which has certain problems.
[0005] To enhance security, it has been proposed to provide
machine-readable passport or identity card in which biometric data
is stored in a chip within the document and can be retrieved for
examination. Typically, the biometric data will be an iris scan,
fingerprint or images of the face of the bearer.
[0006] The International Civil Aviation Organisation (ICAO) has
proposed machine readable travel documents (MRTD), i.e. e-Passport
system that authenticates the identity of individuals to border
control stations by cryptographically linking the identity of the
individual (such as name and nationality) to biometric data for the
individual.
[0007] The cryptographic linkage is obtained by digitally signing
the identity data and biometric data of the individual. The
resulting signed identity and biometric information is conveyed
from the passport to a passport reader. The signature binds the
identity of the individual to the biometric identity, which makes
faking a passport a cryptographically hard problem. A concern
arises however that each individual's biometric information is
highly sensitive and should not be inadvertently made
available.
[0008] It is therefore an object of the present invention to
obviate or mitigate the above disadvantages by making it more
difficult for unauthorized parties to obtain the biometric
information and other sensitive information from a document such as
a passport.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] An embodiment of the invention will now be described with
reference to the appended drawings wherein:
[0010] FIG. 1 is a schematic representation of a passport
examination station;
[0011] FIG. 2 is a schematic representation of the components of
the passport and reader;
[0012] FIG. 3 is a representation of an exchange of data within the
station.
DETAILED DESCRIPTION OF THE INVENTION
[0013] Referring therefore to FIG. 1, a passport 10 includes a chip
12 and a radio frequency identification (RFID) tag 14 with an
antenna 16. A reader 20 includes an antenna 22 to communicate with
the antenna 16 and a scanner 24 to obtain a reference input from
the 18, bearer of the passport 10. The reference input may be a
real time fingerprint scan or iris scan or a facial image. The
reader 20 includes a data processing engine 26 to manipulate data
received from the passport 10 and scanner 24 and a screen 28 to
view the results of such manipulation. An input device 30, such as
a keyboard or mouse is included to permit user inputs.
[0014] As shown in FIG. 2, the chip12 contains a memory 32 to store
biometric data and personal information such as name, nationality
and date of birth. The memory 32 is designed to be tamperproof and
communicates with a cryptographic unit 34 and data transmission
network 36 connected to the antenna tag 14.
[0015] The cryptographic unit 34 includes an arithmetic processor
38 for performing cryptographic operations and a secure memory 40
for storing private keys and certificates. Preferably, the
underlying cryptographic system is an elliptic curve cryptosystem.
The cryptographic unit 34 includes the parameters of the underlying
system, such as the curve, and the generator G of the points on the
curve and has access to the public key Q of the passport.
[0016] In the preferred embodiment, the memory 40 includes a
private signing key d, the corresponding public key Q=dG, and a
certificate, Cert Q, which is issued by a certification authority,
such as the passport issuer, which certifies the public key Q. The
processor 38 can perform cryptographic operations such as point
addition, key derivation and hash functions. The cryptographic unit
34 also includes a random number generator (RNG) 42 to provide
integers for use as private session keys.
[0017] The data processing engine 26 of the reader 20 also includes
a cryptographic unit 50 including a random number generator 52 and
an arithmetic processor 54.
[0018] In operation, the scanner 20 initiates a message transfer by
activating the chip 12 through the RFID tag 14. A message M is
assembled consisting of the data required for processing the
passport and confirming identity such as the biometric data,
bearer's name, nationality and date of birth together with the
certificate of the bearer's public key Cert Q. The data utilized
will depend on the information required by the passport
control.
[0019] The message M is divided into two, parts, M.sub.1, M.sub.2,
with the sensitive information to be maintained confidential such
as the biometric data within the message part M.sub.1. Less
sensitive or publicly available information such as the country of
issue or visa is included in the message part M.sub.2.
[0020] A random number k is generated by the RNG 42 and a value
R=kQ computed. The value R is used in a key derivation function
(KDF) performed in the processor 38 to obtain a session encryption
key e. Any suitable KDF may be utilized, typically one utilizing a
secure hash function.
[0021] The message part M.sub.1, is checked for a predetermined
level of redundancy and, if that is not met, additional data added.
The session encryption key e, is used to encrypt the message part
M.sub.1 to cyphertext C. The cyphertext C is then concatenated with
the message part M.sub.2 and hashed using a secure hash function H
to obtain a value, h, i.e. h=H(C,M.sub.2).
[0022] A signature component s is then computed using the
relationship s=k+dh mod n where n is the order of the generator
G.
[0023] Data is then transferred through the RF ID tag 14 including
the signature component s, the public part of the message M.sub.2,
(which includes the certificate of the public key Q) and the
cyphertext C.
[0024] The reader 20 captures the data and initially verifies the
public key Q from the certificate. It then computes a value V=sG-hQ
and generates a private session key b from the RNG 52. A public
session key U=bV is then computed and sent to the chip 12 through
the RF ID connection. The chip 12 confirms that the point U is a
point on the curve and generates a further public key W=dU that is
sent back to the reader 20.
[0025] The reader then uses the private session key b to compute a
value equal to R, namely (b.sup.-1 mod n) W and then uses the KDF
to get the value corresponding to e. Using the computed value of e,
the cyphertext C is decrypted and the biometric data in the message
part M.sub.2 is recovered. The redundancy of the recovered data is
checked and, if above the required level it is accepted.
[0026] The recovered data is then compared the reference data
obtained from the scanner to authenticate the bearer of the
passport.
[0027] By separating the message and encrypting the biometric data,
its confidentiality may be maintained even to an eavesdropper.
[0028] The signing process above is quite efficient for the signer.
The computation of R=kQ can be done in advance, or with assistance
of fixed pre-computed multiples of Q. The most expensive step for
the signer is computing W=dU.
[0029] The data exchange may also be enhanced by providing for
authentication of the reader 20. In this way, the signer can choose
whether or not to interact with the verifier. Ideally, the verifier
should authenticate itself to the signer, such as by a digital
signature or some symmetric key system. In this way, the signer can
control to whom the message portion M.sub.1 is revealed. This can
be done prior to the initial exchange of data or during the
exchange before the value W is transferred.
[0030] If the signing is too expensive computationally, then the
following modification is possible. The verifier sets b=1. Then
W=R, which the signer has already computed during signature
generation. To keep M.sub.1 confidential, this alternate approach
requires that R can be sent to the verifier confidentially. In
particular, passive eavesdroppers should bot be able to intercept
R. This might be accomplished by physical means, such as weak RF
signals, or by some form of encryption, such as the e-passport
basic access control encryption system.
[0031] By utilizing the bearer's public key Q in the computation of
R, the signature cannot be verified without involvement of the
bearer. In particular, the cyphertext C cannot be decrypted without
the acquiescence of the bearer.
[0032] It will be noted that once the verifier recovers R, it can
compute dQ, which can be seen to enable message recovery from the
signature, that is, without the interactive verification
process.
* * * * *