December 2006

e-Passport

There is a growing need to review the international standardisation, regulation and recommendations for travel documents, with a focus on e-Passports and other travel documents. It, therefore, becomes pertinent to provide an overview of the worldwide activities for e-Passports and border control in the time window 2005 to 2009.

Standardisation

Five Task Forces (TF) began running under ICAO/NTWG (International Civil Aviation Organisation/New Technology Working Group) in 2005, with some to finish in 2006. Most of the international standards for travel documents were frozen at the beginning of 2006 under ICAO 9303-1. This captures the data structure (ICAO/LDS), biometrics, security architecture (ICAO/PKI), data storage technology (EEPROM) and size (32/64k), the interface (ISO 14443) of the e-Passport and the data transmission speed (424 kbps).

Further activities are planned for 2007. These include: defining mechanical tests for electronic passports for a 10-year lifetime under the ISO standardisation activity; agreement of the security scheme on Extended Active Authentication Control (EAC) under ICAO/PKI (NTWG TF 5); expanding the current EU Citizen Card (ECC) standard CEN TC224 for e-Government with the I.A.S. (Identification, Authentication and Signing) scheme together with a technical bridge to the ICAO framework, where the target is agreement on a joint logical data structure and security architecture; a conformity test procedure for EAC products (e-Passports, e-ID cards, resident permit cards, border control terminals) under ISO; and a new standard for commercial readers for government and non-government applications.

“In view of the growing threat to security worldwide, it has become pertinent to focus on e-Passports and other travel documents – their international standardisation, regulation and recommendations. e-Passport technology is addressing the security threat effectively”

One important government application is the reading and handling of biometric data. Initial access to the data set is governed by Basic Access Control (BAC), but the fingerprint data can be accessed only with a special security key (using EAC). In non-government applications, access to the data set is very often realised by password, and access to e-Government applications and online authentication by PIN (Personal Identification Number). The government reader needs a device security certificate to ensure mutual authentication of the transaction, so that it can obtain the access key to the fingerprint data in the IC (Integrated Circuit).

Regulations/Recommendations

The government regulations and/or recommendations that are in progress or are expected are as follows: USA published the US VISIT (Visitor and Immigration Status Indicator Technology) program in 2003 for 27 visa waiver countries and non-visa waiver countries; USA published the tender for the US e-Passport in December 2003; EU (European Union) Commission published in October 2004 the regulation 2252 for biometric passports; EU published in February 2005 the specification for the first implementation step of biometric passports in the EU area with frontal photo, microcontroller and minimum 32k EEPROM and the security level ICAO/PKI/BAC. The implementation was to be completed by August 2006; EU Commission published the final EAC specification 1.1 for the second implementation step of digital travel documents. This includes the requirement to store the fingerprints of each citizen’s two index fingers. After publication of this specification in June 2006, each member state has 36 months for implementation (by June 2009 at the latest); USA announced the trusted traveller programme to Mexico and Canada as part of the US VISIT programme. This programme has the name PASS CARD (People Access Security System); China announced the trusted traveller programme to Hong Kong and Macao as part of their border control programme; USA announced the electronic visa programme for the non-Visa Waiver Programme (VWP) countries as part of the US VISIT programme. This visa type needs no international standard; USA starts the Transport Worker ID Credential project with a pilot called the TWIC programme. This programme covers workers such as those in harbours and train stations, as well as drivers of trucks and public buses; USA starts the Container Security Initiative (CSI) program with the electronic seal on all sea containers. This project could be linked in future to the TWIC program; EU defined the specific Advanced Passenger Information (API) program. Its main target is to harmonise the data set and structure of the passenger profiles in the EU area; EU announced a feasibility study for “Registered Passenger” for frequent flyers in the European area; and USA published in July 2006 the technical interoperability specification for registered travellers in the US.

Application scope

In terms of the application scope, governments started several activities in 2005 and 2006. The USA Department of Homeland Security (DHS), under the Visa Waiver Program (VWP), required the Visa Waiver countries to start issuing e-Passports from October 2006. Most of the EU member states are part of the VWP. Countries such as Singapore, Brunei, Japan, Australia and New Zealand are also members of the VWP. The USA Department of State (DOS), together with DHS, started in summer 2005 a field trial with electronic passports and the new border control between selected airports in USA, Australia, New Zealand and Singapore. USA started issuing the US e-Passport in August 2006, which uses contactless secure crypto-controllers with 64k EEPROM as defined by ICAO. The chips have a Common Criteria (CC) certificate with security level EAL5+, the highest security level currently possible for chip hardware. In the 1st quarter of 2006, the DHS started tests with electronic visas in two frequency ranges – HF (13.56 MHz) and UHF (2.45 GHz). Currently there is no final decision, but the industry expects that the higher frequency band might be selected. The target for this travel document is all non-VWP countries.

EU Commission has published the EU specification of the first step of the biometric passport. The first implementation was to be completed by August 2006, i.e. 2 months earlier than the US timeframe. This EU specification contains a digital country signer certificate and document signer certificate, frontal photo and digital MRZ data together with a digital photo image stored in a contactless microcontroller according to ICAO/PKI/BAC. EU Commission has published 14351/2005, a recommendation for the minimum security approach of next generation national e-ID cards. The scheme is the same as that for the electronic passport in the second implementation stage. This means face recognition and data for two index fingers combined with ICAO/PKI/EAC.

Sweden started issuing its national e-ID card in October 2005, with the logical data structure according to ICAO/LDS 1.7 and the security architecture according to ICAO/PKI/BAC, biometric data (face image) and the contactless interface according to ICAO/ISO 14443. A secure crypto-controller with 32k EEPROM was selected. For national e-Government services, this card has a second microcontroller with an additional 32k freely addressed EEPROM data space combined with a contact-based interface. This is a dual interface hybrid card.

The Netherlands Ministry of Interior tested the border control process in the winter of 2005 at Schiphol airport, Amsterdam. This was a pilot programme with around 5000 electronic passports, with BAC, but without the country signer certificate and document signer certificate. On the terminal side, contactless ISO 14443 type A readers were installed. In this program, two biometric data sets (face and 2 index fingerprints) were taken. The test group was drawn from KLM airline crew members and frequent flyers.

Thailand’s Ministry of Foreign Affairs started a pilot at Bangkok airport in June 2005 with daily issuing of 200 electronic passports. In terms of security, Passive Authentication (PA) was selected. The border control included two biometric data sets – face and 2 index fingerprints.

In addition, many workshops, conferences and specific government events were organised in 2005 and 2006, most of them from the four technology corners: ISSE and Global Border Control, covering IT/Security/Homeland security; European Biometric Forum, with a focus on biometrics; World e-ID, European Passport Forum, CARTES and Intergraf, with a focus on smart cards and passports; and ICAO interoperability tests (Singapore, Tsukuba/Japan, Berlin/Germany etc.).

Implementation

Regarding the implementation of e-Passports, 27 countries of the US-VWP and some other countries such as Thailand and Turkey have gained experience in biometric data collection (e.g. frontal photo), PKI (Public Key Infrastructure)/certificates and the travel document issuing process. Results about the new border control process, such as the total cycle time of the process, the acceptance rate for document, data and recognition, and maintenance of the border systems, have been collected as well. By November 2006, 33 countries had either issued or started the issuance of electronic passports (30% of all countries with Machine Readable Zone (MRZ) passports; these issue up to 50% in volume of all passports). Among these 33 countries, 27 are members of the US-VWP.

New activities would include countries with large populations such as China, India and Pakistan. These countries are expected to start their e-Passport rollout programmes in the near future. Airlines, ground handlers and immigration offices at airports have some understanding of the new process offering increased security and decreased process time for border control, but the big picture combining e-Passport, Visa, API, paperless ticketing and the impact on the complete traveller management process is unresolved. Border control police foresee a decrease in travel document fraud.

e-Passport technology

Semiconductor companies listed as chip suppliers for European e-Passports are required to obtain EAL 5+ (high) (Evaluation Assurance Level 5 Plus High) Common Criteria certification, the highest security level for chips. Certifying security mechanisms to comply with this standard involves some of the most demanding tests in the world.

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), an independent and highly specialised national authority that controls and monitors the entire process and issues internationally recognised Common Criteria certificates in Germany, assessed and tested Infineon’s security controller designed for e-Passports – the SLE 66CLX641P – against the EAL5+ (high) Common Criteria requirements, and certified it.

CC security level EAL 5+ (high) is the highest certification level for microcontrollers. Evaluation and certification bodies have full access to the development documentation of the products being tested and can verify the effectiveness of their security functions in a series of detailed tests based on the latest scientific findings. The tests use the internationally recognised BSI Protection Profile PP0002. This ensures that all attack scenarios of practical relevance to chip cards/e-Passports are taken into account both theoretically and in laboratory tests.

Banks to install Biometric ATMs in rural areas

In an attempt to cater to rural customers, public sector banks such as Union Bank of India, Dena Bank and Central Bank of India have decided to install biometric automated teller machines (ATMs). This is a part of their key strategies to tap the rural market. The ATMs are to be installed within a month’s time frame. Already, other key players such as Corporation Bank, Andhra Bank and Canara Bank have expressed keen interest in rolling out a pilot study by introducing one such ATM.
