Preventing Security and Privacy Attacks on Machine Readable Travel Documents (MRTDs)

After the tragic terror attacks of 9/11, the U.S. Congress resolved to bring about a major overhaul of the immigration process at border posts by passing the Enhanced Border Security and Visa Entry Reform Act of 2002. Section 303(c) of that act requires that countries that participate in the US Visa Waiver Program (VWP) have a program to issue machine readable passports that are tamper resistant and incorporate biometric and document authentication identifiers. In the interest of international reciprocity, the U.S. will issue similar machine readable passports to U.S. citizens. The Technical Advisory Group of the International Civil Aviation Organization (TAG/ICAO) has issued specifications for the deployment of Machine Readable Travel Documents (MRTD) that are equipped with a smart card processor for the purposes of biometric identification of the holder. Some countries, such as the United States, intend to issue machine readable passports that serve only as passports. Other countries, such as the United Kingdom, intend to issue more sophisticated multi-application passports that can also serve as national identity cards. We have conducted a detailed security analysis of these specifications, and we present the results in this paper. We also illustrate possible, hypothetical scenarios that in turn, could cause a compromise in the security and privacy of holders of such travel documents. Finally, we suggest improved cryptographic protocols and high-assurance smart card operating systems to prevent these compromises and to support electronic visas as well as passports.

By: Gaurav S. Kc; Paul A. Karger

Published in: RC23788 in 2005


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .