e-Passport -- Security

dashingincestuousSecurity

Feb 22, 2014 (3 years and 7 months ago)

84 views

e
-
Passport
--

Security
& Privacy Issues

Achmad Rully

arully@computer.org

BCS 2006

2


Intro: Privacy Issue

What is, What isn't


Privacy Goal:

Citizen VS Government



Intro: Privacy Issue

What is, What isn't

BCS 2006

4

Data


It

s all about data and its use


Revocable (alterable) data


Data which can be revoked or changed


Ex: handwriting, address, name, etc


Non
-
Revocable (permanent) data


Data which is an eternal feature of the object so that
one cannot revoke or alter it, or it is proven highly
impractical to do that


Ex: some biometric data (fingerprint, eye
-
retina, hand
geometry (palm

s vena pattern), DNA, etc)

BCS 2006

5

Revocable Data


Susi, a woman, has lost her smart card ID:


Name


Photo


Address


Password


Badu, a stalker, use the data to stalk Susi


Solution:


Persecute the person


Change address

BCS 2006

6

Non
-
Revocable Data


Budi, a businessman, has lost her ID:


Name


Address


Fingerprint


Pak Ogah, a criminal hacker, use the data to access
biometric protected resource in Budi

s office


Solution:


Persecute the person


You CAN NOT CHANGE YOUR FINGERPRINT

BCS 2006

7

Non
-
Revocable Data

(authentication, other case)


Budi, a Mercedes new series motorist, was
attacked by
stolen car

s mafia


His finger was cut so the mafia

can steal his Mercedes



Ethical question:

Which one you value most:


Your finger


Mercedes

Privacy Goal:

Citizen VS Government

BCS 2006

9

Privacy Goal:

Citizen VS Government (SP)


Government or Service Provider


Government or SP want to authenticate their
citizen before using their services


Ex: authenticate user to get a mobile phone
number


Corporation is included in this category


Citizen


Citizen want their data to be used in limited
purpose.


Ex: to get a new mobile phone number

BCS 2006

10

Biometric in Privacy
Issue

(1)


Biometric data, has been very useful in
authenticating an individual as a biometric data
will closely relate with particular individual that
own the data by using distinctive physical
features.


Biometric data has been in used as an ID system
in government and military facility, and now
beginning to be expanded in mass use.


Convenient, accurate, and auditable.

BCS 2006

11

Biometric in Privacy
Issue

(2)


Some government already introduce ID system
(National ID Card KTP in Indonesia, e
-
Passport,
etc) base on biometric data, without any
protection to the private data.


Yet even if they somehow provide protection,
there weren

t any guarantee whether the system
can not be reversed to retrieve the original data.


The possibility to recover protected data would
render the system itself not useful.

BCS 2006

12

Biometric in Privacy
Issue

(3)


Government Regime can change

(in Indonesia every 5 years).

Private non
-
revocable data can't


Therefore,
balancing

between the need
to authenticate trustfully, with the need to
protect private data
must be addressed
.


(look at minority report film)

BCS 2006

13

Biometric in Privacy
Issue

(4)


Developed Country:

Priority in convenience


Almost every one care about privacy


Developing Country:

Priority in survival


No one care about privacy

BCS 2006

14

Privacy protection:

Technology VS Law


Law: to protect human


Developed Country: US, Japan, Europe


Developing Country: Indonesia


Technology: to make life easier


Conventional: password, pass
-
phrase


Biometric ID: finger, iris, DNA


Mobile ID: RFID, touch card

BCS 2006

15

Comparing Country

in Privacy Data Protection

Indonesia

Japan

Data Retention

10 years

3
-
10 years

Responsibility

???

Very High

(harakiri, etc)

Corporate/Gov
Awareness

Low to Medium

Medium to High

Citizen
Awareness

Low to Medium

Very High

BCS 2006

16

Privacy in Indonesia

?


Poor:


No privacy law


No political will to address privacy issue


Low Corporate awareness


Low Citizen awareness


Good:


Minimal biometric feature implemented in national ID
card, Passport and almost other authentication



more convenience (?)

e
-
Passport

BCS 2006

18

e
-
Passport


Recommended (mandatory?) by ICAO


2 side of argument:


Government:

to make it easier & smoother for traveler


Citizen:

proliferation of private non
-
revocable data


Protection:


Originality Protection: paper feature


Data Protection: biometric feature


Country:

US, UK, Dutch, Malaysia, (and almost every
country).

BCS 2006

19

United Kingdom’s e
-
Passport

BCS 2006

20

Japan’s e
-
Passport

BCS 2006

21

Japan’s e
-
Passport

BCS 2006

22

Japan’s e
-
Passport:

Originality Protection

Laminate & Holograms

Micro
-
lettering Lines

Micro Letters

Watermark

(Mt. Fuji)

Laser
-
perforation

BCS 2006

23

Japan’s e
-
Passport:

Data Protection

BCS 2006

24

Indonesia’s Passport

BCS 2006

25

e
-
Passport: revocability


Address: easy
-

medium


Signature: easy


Photo: hard


Fingerprint: irrevocable


Iris: irrevocable

BCS 2006

26

Case example:

Indonesia e
-
Passport


6 February 2006


First phase, can be issued in 43 Immigration Office. Old
passport still valid until expired date


Feature


Revocable private data:

name, address, birthday


Non
-
revocable private data (biometric):

fingerprint, facial feature


BUT

Indonesia not yet provide e
-
Passport widely

Possibly, there is a dispute about procurement???


e
-
Passport


machine readable passport

BCS 2006

27

Case example:

Indonesia passport


Possible attacks


Tampering


Change passport data after visa approval


Not yet established security procedure


Originality protection: using freezing technique

Question

& Discussion

BCS 2006

29

Closing Remark


It is up to people to decide what is the boundary
of their privacy


Including, enforcing their privacy protection


People should maintain their own irrevocable
private data


Research in data privacy protection is not yet
mature


Security is time dependent, so not disclosing
your private data is better

Thank You