Implementation of biometrics, issues to be solved

Similar documents
Preventing fraud in epassports and eids

Moving to the third generation of electronic passports

Security by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA

Operational and Technical security of Electronic Passports

Keep Out of My Passport: Access Control Mechanisms in E-passports

Best Practices for the Use of RF-Enabled Technology in Identity Management. January Developed by: Smart Card Alliance Identity Council

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Common Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP Version 1.01 (15 th April 2010)

MACHINE READABLE TRAVEL DOCUMENTS

A Note on the Relay Attacks on e-passports

Common Criteria Protection Profile. Machine Readable Travel Document with ICAO Application, Basic Access Control BSI-CC-PP-0055

Electronic machine-readable travel documents (emrtds) The importance of digital certificates

Statewatch Briefing ID Cards in the EU: Current state of play

eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke

Common Criteria Protection Profile

Machine Readable Travel Documents

Discover Germany s Electronic Passport

Full page passport/document reader Regula model 70X4M

Landscape of eid in Europe in 2013

RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards

Establishing and Managing the Schengen Masterlist of CSCAs

Mobile Driver s License Solution

MOBILE IDENTIFICATION:

New Attacks against RFID-Systems. Lukas Grunwald DN-Systems GmbH Germany

Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, Developed by: Smart Card Alliance Identity Council

PKD Board ICAO PKD unclassified B-Tec/37. Procedures for the ICAO Public Key Directory

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

PKD Board ICAO PKD unclassified B-Tec/36. Regulations for the ICAO Public Key Directory

Modular biometric architecture with secunet biomiddle

Biometrics for Public Sector Applications

TÜBİTAK BİLGEM ULUSAL ELEKTRONİK & KRİPTOLOJİ ARAŞTIRMA ENSTİTÜSÜ AKİS PROJESİ AKİS V1.4N

Combatting Counterfeit Identities: The Power of Pairing Physical & Digital IDs

ARCHIVED PUBLICATION

Entrust Smartcard & USB Authentication

Security Analysis of Australian and E.U. E-passport Implementation

E-Passport Testing. Ensuring Global Acceptance. Jos Chehin Date: 17 November 2006 Location: ASML

Sub- Regional Workshop and Consulta;ons on Capacity- Building in Travel Document Security: Colombia, 2013

E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption

Strengthen RFID Tags Security Using New Data Structure

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Common Criteria Protection Profile. Electronic Identity Card (ID_Card PP) BSI-CC-PP Approved by the Federal Ministry of Interior. Version 1.

Public Key Directory: What is the PKD and How to Make Best Use of It

Chapter 15 User Authentication

Doc. Machine. authority

Information about the European Union is available on the Internet. It can be accessed through the Europa server (

Using Contactless Smart Cards for Secure Applications

FAQs Electronic residence permit

Advanced Authentication

How encryption works to provide confidentiality. How hashing works to provide integrity. How digital signatures work to provide authenticity and

RFID SECURITY. February The Government of the Hong Kong Special Administrative Region

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

Description of the Technical Component:

Savitribai Phule Pune University

I N F O R M A T I O N S E C U R I T Y

Article. Electronic Notary Practices. Copyright Topaz Systems Inc. All rights reserved.

Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER

Problems of Security in Ad Hoc Sensor Network

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Fighting product clones through digital signatures

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Understanding Digital Signature And Public Key Infrastructure

MACHINE READABLE TRAVEL DOCUMENTS

W.A.R.N. Passive Biometric ID Card Solution

SECURITY IMPLICATIONS OF NFC IN AUTHENTICATION AND IDENTITY MANAGEMENT

What is a Smart Card?

Electronic Passports in a Nutshell

ID Document Scanning and Biometric Solutions

Smart Cards and Biometrics in Privacy-Sensitive Secure Personal Identification Systems

FAQs - New German ID Card. General

AADHAAR E-KYC SERVICE

RFID Security. April 10, Martin Dam Pedersen Department of Mathematics and Computer Science University Of Southern Denmark

Implementing high-level Counterfeit Security using RFID and PKI

COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES

Data Protection Technical Guidance Radio Frequency Identification

I N F O R M A T I O N S E C U R I T Y

Best Solutions for Biometrics and eid

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

THE LEADING EDGE OF BORDER SECURITY

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Ciphire Mail. Abstract

Deputy Chief Executive Netrust Pte Ltd

Security Digital Certificate Manager

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

The German eid-card. Jens Bender. Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik

Biometrics, Tokens, & Public Key Certificates

National Certification Authority Framework in Sri Lanka

Biometric Authentication using Online Signature

ADVANCE AUTHENTICATION TECHNIQUES

Transcription:

ICAO 9th Symposium and Exhibition on MRTDs, Biometrics and Border Security, 22-24 October 2013 Implementation of biometrics, issues to be solved Eugenijus Liubenka, Chairman of the Frontiers / False Documents Working Party of the Council of the European Union, SBGS of the Republic of Lithuania

Content I. Physical security features of travel documents and purpose of the Biometrics II. Protection of biometrical data III. Control infrastructure examples IV. Issues to be solved (conclusions)

Physical security features of travel documents and purpose of Biometrics

Common physical security features of MRTDs Recommendation for travel documents physical security features are laid down in the ICAO doc. 9303 (Machine Readable Travel Documents) Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States

EUROPEAN UNION BIOMETRIC ACTIVITIES ICAO recommendations and specifications form the basis for Europe EU adopted Regulation 2252/2004 of 13 December 2004, which formed the basis for the upcoming European intelligent passport First biometric feature: Digital frontal portrait deadline for introduction - August 2006 Second biometric feature: Two flat digital fingerprints deadline for introduction - June 2009 Combination of the two will lead to enhanced biometric security Both features are stored on a contactless radio frequency (RF) chip. They are stored as images in JPEG format.

Introduction of e-documents Reasons to introduce electronics in passports (and other travel E-documents) to increase document security (more difficult to forge) cryptography to establish the link between the document and holder Biometrics (electronic hardware & digital data)

Protection of biometrical data

What s in the chip? Basically the information is the same as printed in a travel document s data page In the EU countries it is not allowed to store additional information not printed in the booklet (except fingerprints) Information stored in the form of files Data groups containing data (DG1 - DG16)

Data groups Data group DG1 DG2 DG3 DG4 DG5 DG6 DG7 DG8 DG9 DG10 DG11 DG12 DG13 DG14 DG15 DG16 Stored data Machine readable zone (MRZ) mandatory Biometric data: face - mandatory Biometric data: fingerprints Biometric data: iris Picture of the holder as printed in the passport Reserved for future use Signature of the holder as printed in the passport Encoded security features data features Encoded security features structure features Encoded security features substance features Additional personal details (address, phone) Additional document details (issue date, issued by) Optional data (anything) Data for securing secondary biometrics (EAC) Active Authentication public key info Next of kin

Data groups DG1 (MRZ) and DG2 (facial photo) are mandatory DG3 (Fingerprints) is mandatory in the EU countries Other data groups are optional

GENERAL WORKFLOW for centralized passport production Digital data capture Secure data transfer Passport production Optical personalisation Electronic personalisation Digital signature Bundesdruckerei GmbH

ELECTRONIC PERSONALIZATION: ICAO LDS SPECIFICATION Authentication Method Mandatory Cryptographic Mechanism Remarks Passive authentication (PA) YES Digital Signature Proof that LDS and Document certificate are authentic and not modified Does not prevent 1:1 copy or chip exchange Basic Access Control (BAC) No EU: YES (required) Challenge/ Response Mechanism based on DES3 recommendation: Secure Messaging based on session key Prevents skimming and eavesdropping, if there is a secure communication. Low security level. No prevention of 1:1 copy or chip exchange Higher complexity and requirements to the chip Supplemental Access Control (SAC) No EU: YES (required) from December 2014 Password Authenticated Connection Establishment (PACE v2) based on asymmetric key pair Advanced prevention of skimming and eavesdropping due the stronger key cryptography No prevention of 1:1 copy or chip exchange Extended Access Control (EAC) No (Optional) additional symmetric Key or asymmetric key pair Prevents unauthorized access to sensitive data Prevents skimming Additional Key Management Active authentication (AA) No (Optional) Challenge/ Response Mechanism based on Public Key Cryptography Digital Signature Proof, that document certificate is no copy and refers to the right IC Chip has not been changed Higher complexity and requirements to the chip Data encryption No (Optional) symmetric or asymmetric encryption method Protection of sensitive data (e.g. fingerprint) No prevention of 1:1 copy or chip exchange

Privacy protection Basic Access Control (BAC) and Supplemental Access Control (SAC) Role of BAC is to protect privacy of a passport holder Data cannot be read from a remote distance without knowing the data of the MRZ; SAC new, advanced privacy protection security mechanism based on Password Authenticated Connection Establishment (PACE)

Data integrity All data groups are digitally signed by the issuing country (they are encrypted) A digital signature is applied to reveal any tampering of the original data (hash functions SHA) This is a significant security feature which increases document security This feature is called PASSIVE authentication (PA)

Passive authentication (PA) PA is able to recognize: Data change (e.g. photo modification) Digital signature not created by the proper authority PA requires a specific digital certificate of the issuing country this is called the Country Signing Certification Authority (CSCA). If the CSCA certificate of the issuing country is not available the digital signature cannot be verified and passport cannot be validated

Active Authentication (AA) Optional security feature to prevent RFID cloning. It is based on cryptographic challenge-response algorithm that can verify if the RFID contains in its secure memory a secret key stored during the personalization by the issuing country. The result of the AA is simple: PASS / FAIL. Fail suggests a forgery.

Privacy protection - EAC Fingerprints (stored in DG3) in the 2 nd generation European passports are protected with additional mechanism called Extended Access Control (EAC). EAC requires additional secret key and certificate provided by the issuing country of the passport EAC protected data can be only read by authorized border authorities Only fingerprints (DG3) are EAC protected, all remaining data (DG1-2,5-16) is BAC-protected

Control infrastructure examples Helps or not??

Checking of RFID helps if it is done in a right way PA failed, no CSCA presented in the reader

Checking of RFID helps if it is done in a right way PA failed, no CSCA presented in the reader

Checking of RFID helps if it is done in a right way PA successful, CSCA presented in the reader Chip is genuine

Does your ABS s or document readers check e-documents authenticity and compare digital signatures? Opening RFID without checking digital signatures is needless and very expensive toy

Issued to be solved (conclusions)

Further improvements No strong need for improvement of physical security features of travel documents anymore (if minimum security level has been achieved); Biometrics increase security of a document ONLY if it is checked in a right way; Biometrics establish a strong link between a document and its holder ONLY if all electronical security features (signatures) are checked;

Further improvements (2) Exchange of CSCA (DSCA) certificates is ESSENTIAL : ICAO Public Key Directory (PKD) Bilateral agreements Verification of certificates by the control authorities is ESSENTIAL: Passive authentication (PA) Active authentication (AA)

Thank you for your attention Eugenijus Liubenka, Chairman of the Frontiers / False Documents Working Party of the Council of the European Union, State Border Guard Service of the Republic of Lithuania eugenijus.liubenka@vrm.lt

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information