

Fun reading passports with RFIDIOt

I recently had the opportunity to try out Major Malfunction's RFIDIOt toolkit on an RFID-enabled New Zealand passport (as we just got one for our daughter). The RFID reader I was using is an ACG Multi-ISO Compact Flash reader, which presents itself as a serial device when plugged into the Linux box (running Ubuntu 7.04 - Feisty Fawn) I was using.

First things first, you need to install a few libraries that aren't installed by default with Ubuntu:

sudo apt-get install python-imaging-tk python-serial python-crypto

This works nicely in Ubuntu 7.04. For some reason the python-imaging-tk package (which is needed for the mrpkey.py tool that reads the passport) seemed to be broken in Ubuntu 6.10 when I tried it.

Next step - edit the RFIDIOtconfig.py file to reflect the details of your RFID reader - in my case, this merely involved editing the first line to reflect the serial port (ttyS2 in my case):

# Out-of-Box Multi-ISO Serial
card= RFIDIOt.rfidiot(RFIDIOt.rfidiot.READER_ACG,'/dev/ttyS2',9600, 1)

So, first of all, let's try performing a select on the passport - in this case using multiselect to perform multiple selects. This should tell us whether a New Zealand passport behaves like a UK passport in that there is ID generation going on (a different card ID returned on each select).

[foo:~/Desktop/RFIDIOt-0.1k]$./multiselect.py 
multiselect v0.1f (using RFIDIOt v0.1j)
reader:  ACG MultiISO 1.0  (serial no: 34060218)
Card ID: 10B925A8
Card ID: 10B925A8
Card ID: 10B925A8
Card ID: 10B925A8

Apparently not - we get the same ID each time. Let's move on to trying to read the detail on the passport. This involves deriving some information from the Machine Readable Zone (MRZ) on the passport (if you've ever wondered what those two lines on the bottom of the passport photo page translate to). For example (some information obscured), the second line of the MRZ on my daughter's passport (EAnnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06) equates to:

  • Passport number: EAnnnnnn
  • Check Digit: 3
  • Nationality: NZL
  • Date Of Birth: 07nnnn
  • Check Digit: 3
  • Sex: F
  • Expiry: 12nnnn
  • Check Digit: 6
  • Optional: <<<<<<<<<<<<<<
  • Check Digit: 0
  • Composite Check Digit: 6

So now we can run the mrpkey tool to read the passport (note I had to edit TAG_TYPES, and change 6C to 6c and 6D to 6d for this to work):

[foo:~/Desktop/RFIDIOt-0.1k]$./mrpkey.py "EAnnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06"
mrpkey v0.1g (using RFIDIOt v0.1j)
reader:  ACG MultiISO 1.0  (serial no: 34060218)

Passport number: EAnnnnnn<
Nationality: NZL
Date Of Birth: 07nnnn
Sex: F
Expiry: 12nnnn
Optional: <<<<<<<<<<<<<<

Generate local keys:

Key MRZ Info (kmrz): EAnnnnnn<307nnnn312nnnn6

Select Passport Application (AID):  OK
Select Master File:  Basic Access Control enforced!
Authenticating:  OK

Generate session keys: 

Kifd XOR Kicc (kseed):  1edfc8a6963509b658a131c582715ab4
Session Key ENC:  544929197fc7cdb96dae46e03876d6ce
Session Key MAC:  0b209e16f42c543743b97586016138d0

Calculate Send Sequence Counter: 

SSC:  e73e5c97ee24ba0e
60165f01
File Length:  24
Reading: 00000
EF.COM:  Length:  22
Tag: 5f01 (LDS Version)
  Length:  4
    Data:  30313037
Tag: 5f36 (Unicode Version)
  Length:  6
    Data:  303430303030
Tag: 5c (Tag List)
  Length:  4
    Data Group:  61 (EF.DG1 Data Recorded in MRZ)
    Data Group:  75 (EF.DG2 Encoded Identification Features - FACE)
    Data Group:  6c (EF.DG12 Additional Document Detail(s))
    Data Group:  6d (EF.DG13 Optional Detail(s))
EF.COM stored in /tmp/EF_COM.BIN

Select EF.SOD:  File Length:  2055
Reading: 00000
EF.SOD stored in /tmp/EF_SOD.BIN

Select DG1: 
615b5f1f
File Length:  93
Reading: 00000
EF.DG1 stored in /tmp/EF_DG1.BIN
EF.DG1:  Data Length:  88
  Decoded Data: P<NZLCLARKE<<xxxxx<xxxxxxx<<<<<<<<<<<<<<<<<<EAnnnnn<3NZL07nnnn3F12nnnn6<<<<<<<<<<<<<<06
    Document code:  P<
    Issuing State or organisation:  NZL
    Name:  CLARKE<<xxxxx<xxxxxxx<<<<<<<<<<<<<<<<<<
    Passport Number:  EAnnnnnn<
    Check Digit:  3
    Nationality:  NZL
    Date of Birth:  07nnnn
    Check Digit:  3
    Sex:  F
    Date of Expiry:  12nnnn
    Check Digit:  6
    Personal Number or other optional elements:  <<<<<<<<<<<<<<
    Check Digit:  0
    Composite Check Digit:  6

Select DG2: 
File Length:  14517
Reading: 00000
EF.DG2:  JPEG image stored in /tmp/EF_DG2.JPG
EF.DG2 stored in /tmp/EF_DG2.BIN

And voila! Passport read...

Photo from RFID chip


About

This page contains a single entry from the blog posted on April 18, 2007 12:25 PM.


This weblog is licensed under a Creative Commons License.