Stand-by Attacks on  E-ID Password  Authentication
 Lucjan Hanzlik, Przemyslaw Kubiak,  Miroslaw Kutylowski
 
 Wroclaw University of Technology 
 

We show that despite  the  cryptographic strength of the password authentication, 
we cannot exclude an attack by a passive adversary that manipulates neither 
the reader nor the microcontroller of the identity document, he only penetrates 
the device at some moment in a hidden way. So even the most careful examination 
and certification of the smart cards and the readers cannot prevent  attacks of 
this kind. We present concrete attack scenarios for PACE-GM, PACE-IM and SPEKE protocols.

We show that the weaknesses  can be easily and effectively eluded via changing 
a few implementation details on the side of a reader. Our second contribution is 
that immunity against the attacks can be tested by the operator of the reader, 
thus replacing costly and unreliable certification process of black box devices. 

Keywords:
massive surveillance, temporary penetration attack, privacy, tracing,  
wireless communication, personal identity card, password authentication,  
PACE, SPEKE, verifiability, certification


INSCRYPT'2014