There is a growing need to review the international standardisation, regulation and recommendations for travel documents, with a focus on e-Passports and other travel documents. It, therefore, becomes pertinent to provide an overview of the worldwide activities for e-Passports and border control in the time window 2005 to 2009.
Five Task Forces (TF) began running under ICAO/NTWG (International Civil Aviation Organisation/New Technology Working Group) in 2005, with some to finish in 2006. Most of the international standards for travel documents were frozen at the beginning of 2006 under ICAO 9303-1. This covers the data structure (ICAO/LDS), biometrics, security architecture (ICAO/PKI), data storage technology (EEPROM) and size (32/64k), the interface (ISO 14443) of the e-Passport and the data transmission speed (424 kbps).
Further activities are planned for 2007, which include defining mechanical tests for electronic passports for a 10-year lifetime under ISO standardisation activity; agreement of the security scheme on Extended Active Authentication Control (EAC) under ICAO/PKI (NTWG TF 5); expanding the current EU Citizen Card (ECC) standard CEN TC224 for e-Government with the I.A.S. (Identification, Authentication and Signing) scheme together with a technical bridge to the ICAO framework (the target is agreement on a joint logical data structure and security architecture); a conformity test procedure for EAC products (e-Passports, e-ID cards, resident permit cards, border control terminals) under ISO; and a new standard for commercial readers for government and non-government applications.
“In view of the growing threat to security worldwide, it has become pertinent to focus on e-Passports and other travel documents – their international standardisation, regulation and recommendations. e-Passport technology is addressing the security threat effectively”
One important government application is the reading and handling of biometric data. Initial access to the data set is defined by Basic Access Control (BAC), but access to the fingerprint data is possible only with a special security key (using EAC). In non-government applications, access to the data set is very often realised by password, and access to e-Government applications and online authentication by PIN (Personal Identification Number). The government reader needs a device security certificate to ensure mutual authentication of the transaction, so as to obtain the access key to the fingerprint data in the IC (Integrated Circuit).
The government regulations and/or recommendations that are in progress or are expected are as follows: USA published the US VISIT (Visitor and Immigration Status Indicator Technology) program in 2003 for 27 visa waiver countries and non-visa waiver countries; USA published the tender for the US e-Passport in December 2003; EU (European Union) Commission published in October 2004 the regulation 2252 for biometric passports; EU published in February 2005 the specification for the first implementation step of biometric passports in the EU area with frontal photo, microcontroller and minimum 32k EEPROM and the security level ICAO/PKI/BAC. The implementation was to be done by August 2006; EU Commission published the final EAC specification 1.1 for the second implementation step of digital travel documents. This includes the requirement to store the fingerprints of each citizen’s two index fingers. After the publication of this specification in June 2006, each member state has 36 months for implementation (latest in June 2009); USA announced the trusted traveller programme to Mexico and Canada as part of the US VISIT programme. This programme has the name PASS CARD (People Access Security System); China announced the trusted traveller programme to Hong Kong and Macao as part of their border control programme; USA announced the electronic visa programme for the non-Visa Waiver Programme (VWP) countries as part of the US VISIT programme. This visa type needs no international standard; USA starts the Transport Worker ID Credential project with a pilot called the TWIC programme. This programme covers workers such as those in harbours and train stations, as well as drivers of trucks and public buses; USA starts the Container Security Initiative (CSI) program with the electronic seal on all sea containers. This project could be linked in future to the TWIC program; EU defined the specific Advanced Passenger Information (API) program. The main target is to harmonise the data set and structure of the passenger profiles in the EU area; EU announced a feasibility study for “Registered Passenger” for frequent flyers in the European area; and USA published in July 2006 the technical interoperability specification for registered travellers in the US.
In terms of the application scope, governments started several activities in 2005 and 2006. The USA Department of Homeland Security (DHS), under the Visa Waiver Program (VWP), required the Visa Waiver countries to start issuing e-Passports from October 2006. Most of the EU member states are part of the VWP. Countries such as Singapore, Brunei, Japan, Australia and New Zealand are also members of the VWP. The USA Department of State (DOS), together with DHS, started in summer 2005 a field trial test with electronic passports and the new border control between selected airports in the USA, Australia, New Zealand and Singapore. The USA started issuing the US e-Passport in August 2006, which uses contactless secure crypto-controllers with 64k EEPROM as defined by ICAO. The chips have a Common Criteria (CC) certificate with security level EAL5+, the highest security level currently possible for chip hardware. The DHS started tests in the 1st quarter of 2006 with electronic visas in two frequency ranges – HF (13.56 MHz) and UHF (2.45 GHz). Currently there is no final decision, but the industry expects that the higher frequency band might be selected. The targets for this travel document are all non-VWP countries.
The EU Commission has published the EU specification of the first step of the biometric passport. The first implementation was to be completed by August 2006, i.e. 2 months earlier than the US timeframe. This EU specification contains the digital country signer certificate and document signer certificate, frontal photo and digital MRZ data, together with the digital photo image stored in a contactless microcontroller according to ICAO/PKI/BAC. The EU Commission has also published 14351/2005, a recommendation for the minimum security approach of next generation national e-ID cards. The scheme is the same as that for the electronic passport in the second implementation stage. This means face recognition and two index finger data combined with ICAO/PKI/EAC.
Sweden started in October 2005 the issuing of its national e-ID card with the logical data structure according to ICAO/LDS 1.7 and the security architecture according to ICAO/PKI/BAC, biometric data (face image) and the contactless interface according to ICAO/ISO 14443. A secure crypto-controller with 32k EEPROM was selected. For national e-Government services, this card has a second microcontroller with an additional 32k of freely addressed EEPROM data space combined with a contact-based interface. This is a dual interface hybrid card.
The Netherlands Ministry of Interior tested the border control process in the winter of 2005 at Schiphol airport, Amsterdam. This was a pilot programme with around 5000 electronic passports, with BAC, but without the country signer certificate and document signer certificate. On the terminal side, contactless ISO 14443 type A readers were installed. In this program, two biometric data sets (face and 2 index fingerprints) were taken. The test group was drawn from KLM airline crew members and frequent flyers.
Thailand’s Ministry of Foreign Affairs started a pilot at Bangkok airport in June 2005 with daily issuing of 200 electronic passports. In terms of security, Passive Authentication (PA) was selected. The border control included two biometric data sets – face and 2 index fingerprints.
In addition, many workshops, conferences and specific government events were organised in 2005 and 2006, most of them from the four technology corners: ISSE and Global Border Control, covering IT/Security/Homeland Security; European Biometric Forum, with a focus on biometrics; World e-ID, European Passport Forum, CARTES and Intergraf, with a focus on smart cards and passports; and ICAO interoperability tests (Singapore, Tsukuba/Japan, Berlin/Germany etc.).
Regarding the implementation of e-Passports, 27 countries of the US-VWP and some other countries such as Thailand and Turkey have gained experience in biometric data collection (e.g. frontal photo), PKI (Public Key Infrastructure)/certificates and the travel document issuing process. Results on the new border control process, such as total cycle time of the process, acceptance rate for document, data and recognition, and maintenance of the border systems, have been collected as well. By November 2006, 33 countries had either issued or started the issuance of electronic passports (30% of all countries with Machine Readable Zone (MRZ) passports; these issue up to 50% in volume of all passports). Among these 33 countries, 27 are members of the US-VWP.
New activities would include countries with large populations such as China, India and Pakistan. These countries are expected to start their e-Passport rollout programs in the near future. Airlines, ground handlers and immigration offices at airports have some understanding of the new process, which offers increased security and decreased process time for border control, but the big picture combining e-Passport, visa, API, paperless ticketing and the impact on the complete traveller management process is unresolved. Border control police foresee a decrease in travel document fraud.
Semiconductor companies listed as chip suppliers for European e-Passports must obtain EAL 5+ (high) (Evaluation Assurance Level 5 Plus High) Common Criteria certification, the highest security level for chips. Certifying security mechanisms to comply with this standard involves some of the most demanding tests in the world.
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – BSI), an independent and highly specialised national authority that controls and monitors the entire process and issues internationally recognized Common Criteria certificates in Germany, assessed and tested Infineon’s security controller designed for e-Passports – the SLE 66CLX641P – against EAL5+ (high) Common Criteria requirements, and certified it.
CC security level EAL 5+ (high) is the highest certification level for microcontrollers. Evaluation and certification bodies have full access to the development documentation of the products being tested and can verify the effectiveness of their security functions in a series of detailed tests based on the latest scientific findings. The tests use the internationally recognized BSI Protection Profile PP0002. This ensures that all attack scenarios of practical relevance to chip cards/e-Passports are taken into account both theoretically and in laboratory tests.
Banks to install Biometric ATMs in rural areas
In an attempt to cater to rural customers, public sector banks such as Union Bank of India, Dena Bank and Central Bank of India have decided to install biometric automated teller machines (ATMs). This is part of their key strategies to tap the rural market. The ATMs are to be installed within a month’s time frame. Other key players such as Corporation Bank, Andhra Bank and Canara Bank have already expressed keen interest in rolling out a pilot study by introducing one such ATM.