Security assessment of the Spanish contactless identity card

摘要

The theft of personal information to fake the identity of a person is a common threat normally performed by individual criminals, terrorists, or crime rings to commit fraud or other felonies. Recently, the Spanish identity card, which provides enough information to hire online products such as mortgages or loans, was updated to incorporate a near-field communication chip as electronic passports do. This contactless interface brings a new attack vector for criminals, who might take advantage of the radio-frequency identification communication to virtually steal personal information. In this study, the authors consider as case study the recently deployed contactless Spanish identity card assessing its security against identity theft. In particular, they evaluated the security of one of the contactless access protocol as implemented in the contactless Spanish identity card, and found that no defences against online brute-force attacks were incorporated. They then suggest two countermeasures to protect against these attacks. Furthermore, they also analysed the pseudo-random number generator within the card, which passed all the performed tests with good results.