Rodríguez, Ricardo J; Garcia-Escartin, Juan Carlos
Security Assessment of the Spanish Contactless Identity Card Journal Article
In: IET Information Security, vol. 11, no. 6, pp. 386–393(7), 2017, ISSN: 1751-8709.
Abstract | Links | BibTeX | Tags: contactless cards, identity cards, NFC, Security
@article{RG-IFS-17,
title = {Security Assessment of the Spanish Contactless Identity Card},
author = {Ricardo J Rodríguez and Juan Carlos Garcia-Escartin},
url = {http://webdiis.unizar.es/~ricardo/files/papers/RG-IFS-17.pdf},
doi = {10.1049/iet-ifs.2017.0299},
issn = {1751-8709},
year = {2017},
date = {2017-01-01},
journal = {IET Information Security},
volume = {11},
number = {6},
pages = {386--393(7)},
publisher = {Institution of Engineering and Technology},
abstract = {The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to hire on-line products such as mortgages or loans, was updated to incorporate a Near Field Communication (NFC) chip as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the RFID communication to virtually steal personal information. In this paper, we consider as case study the recently deployed contactless Spanish identity card assessing its security against identity theft. In particular, we evaluated the security of one of the contactless access protocol as implemented in the contactless Spanish identity card, and found that no defenses against on-line brute-force attacks were incorporated. We then suggest two countermeasures to protect against these attacks. Furthermore, we also analyzed the pseudo-random number generator within the card, which passed all the performed tests with good results.},
keywords = {contactless cards, identity cards, NFC, Security},
pubstate = {published},
tppubtype = {article}
}
The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to hire on-line products such as mortgages or loans, was updated to incorporate a Near Field Communication (NFC) chip as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the RFID communication to virtually steal personal information. In this paper, we consider as case study the recently deployed contactless Spanish identity card assessing its security against identity theft. In particular, we evaluated the security of one of the contactless access protocol as implemented in the contactless Spanish identity card, and found that no defenses against on-line brute-force attacks were incorporated. We then suggest two countermeasures to protect against these attacks. Furthermore, we also analyzed the pseudo-random number generator within the card, which passed all the performed tests with good results.