Study and security analysis of the Spanish identity card

Javier Correa-Marichal¹, Pino Caballero-Gil¹, Carlos Rosa-Remedios², and Rames Sarwat-Shaker³

¹ Department of Computer Engineering and Systems, University of La Laguna, 38200 Tenerife, Spain (alu0101233598@ull.edu.es, pcaballe@ull.edu.es)
² CECOES 1-1-2, Canary Islands Government, 38003 Tenerife, Spain (crosa@gsccanarias.com)
³ Telefónica Tech, 28050 Madrid, Spain (rames.sarwatshaker@telefonica.com)

Abstract. The National Identity Document is a fundamental piece of documentation for the identification of citizens throughout the world. That is precisely the case of the DNI (Documento Nacional de Identidad) of Spain. Its importance has been enhanced in recent years with the addition of a chip for the authentication of users within telematic administrative services. Thus, the document has since been called: electronic DNI or simply DNIe. Sensitive user information is stored in that integrated circuit, such as personal and biometric data, along with signature and authentication certificates. Some of the functionalities of the DNIe in its current version at the time of writing this work have been implemented for years in the DNI 3.0 version launched in 2015, and therefore have already been extensively studied. This work provides a theoretical and practical compilation study of some of the security mechanisms included in the current DNIe and in some of the applications that require its use. It has been carried out using only mobile devices and generic card readers, without having any type of privileged access to hardware, software or specific documentation for the interception of packets between the DNIe and the destination application. In other words, it is an exploratory analysis carried out with the intention of confirming with basic tools the level of robustness of this very important security token.
Keywords: DNIe, eMRTD, NFC, API hooking
1 Introduction
The Spanish identity card or DNI (Documento Nacional de Identidad) is a document issued by the Spanish Ministry of the Interior, to prove the identity and personal data of any Spanish citizen. Since obtaining it is mandatory for all Spaniards over 14 years of age, millions of DNIs are issued annually in Spain [1].
arXiv:2210.04064v1 [cs.CR] 8 Oct 2022
Taking advantage of its popularity, and in order to promote the digitization of telematic services offered by public administrations, in 2006 a new version of the DNI was launched with a chip that offered various functionalities related to the identity of the holder, and since then it has been called electronic DNI or DNIe.

The security of the physical document and its electronic components and related software is improved with each new revision. Each update of the DNIe, before being certified by the Certification Body of the National Cryptologic Center, passes an evaluation process developed by the National Currency and Stamp Factory – Royal Mint at the request of the General Police Directorate, and carried out by an accredited laboratory that passes SOG-IS audits. This evaluation follows the Common Criteria methodology (ISO/IEC 15408). Specifically, the DNIe software has been certified with the evaluation assurance level EAL4+ EAL4 AVA_VAN.5, and the chips have been certified as a Secure Signature Creation Device, in accordance with European standards [2]. These certifications provide a very high level of confidence. However, design or implementation errors often go unnoticed in certified products already deployed on technologies, so it is always necessary to consider security as a process and not as a state.

With the launch of the DNIe 3.0 in 2015, an interface for use through NFC was included, which allows the DNIe to be used directly through mobile devices that include this technology, in an effort to popularize its use [3].

At the time of writing this work, the last revision of the DNI had been launched in August of the previous year, in 2021, with an announcement on the official website [4]. One of the most notable features of this version is the design and functionality, seeking to homogenize the identity documents of the countries of the European Union so that their use can be standardized and approved according to the eIDAS regulation on digital identification in Europe. In addition, as announced on the police website [5], the current version of the DNIe includes new security measures, both visible and invisible.

This study has been performed on the latest version of the DNIe, since it was carried out on a document issued at the end of 2021. It is an exploration of the implementation of the functionalities and security mechanisms contained in the document and some linked apps. The main goal of this research has been to confirm the resilience of the DNIe against several frequent attack vectors on electronic identity cards and NFC devices [6]. In fact, this study does not provide new vulnerabilities or attacks on the contactless protocols of the DNIe, but rather serves to show that, in general, the protocols used to communicate through the contactless interface with the DNIe are sufficiently secure. Following the rules of ethical hacking, this analysis has been presented to the Spanish National agency in charge of developing the DNIe.

This document is organized as follows. Sections II, III and IV introduce, respectively, the different interfaces of the DNIe, the logical structure of the data stored in the DNIe and the security mechanisms developed to protect its integrity. Section V collects some details of the research carried out on the current version of the DNIe and various applications that require its use. Finally, section VI presents the conclusions of this work.