ICAO INTERNATIONAL CIVIL AVIATION ORGANIZATION

MRTD REPORT

Stressing Security

As ePassport technology defies its critics and privacy groups begin to better understand the scope and purpose of the biometric chip, more and more States are continuing to implement the world’s most secure solution to the interoperable travel document.

Also in this Issue: ePassport PKI and the ICAO PKD, Interoperability Overview, EAC Roll-out, In-House MRTD Training, CSCA Certificates Overview List, Maldives Implementation, ICAO’s role in MRTD advancement

Vol. 2, No 2

Contents

Editorial: Taking an Active Role
Mauricio Siciliano discusses the more proactive role being taken by ICAO and industry stakeholders in communicating the facts behind MRTD and ePassport technology.

ePassports: The Secure Solution
ISO Task Force on New Technologies Chair Barry Kefauver confronts recent media and hacker claims surrounding the security and privacy of contactless chips, detailing the unprecedented multilateral and technological achievement represented by ePassport interoperability.

ePassport PKI and the ICAO PKD: The Australian Perspective
Australian passport official Ross Greenwood, Chairman of the 2007 ICAO PKD board, describes the reasons for supporting ePassport validation at border clearance and makes the business case for Member State participation in the ICAO PKD.

Achieving Interoperability
Claudia Hager, MBA, Executive Director of the Austrian State Printing House (OeSD), describes in depth the series of multilateral tests that led to the development of a truly interoperable contactless chip for ePassport use.

The Second Generation of ePassports
Excerpts from the Gemalto White Paper discussing the inclusion of fingerprint biometrics for enhanced security and privacy.

MRTD eLearning Programme
When ICAO went shopping for the ideal solution to provide states with the background and know-how they’d need on MRTD issues, Aine ni Fhloinn and inHouse Training had an affordable, customized solution.

CSCA Overview List
Sjef Broekhaar and Jan Verschuren of the Ministry of the Interior and Kingdom Relations, The , discuss the IF4TD proposal for the distribution of CSCA certificates.

Maldives ePassport Initiative
Together with partners OeSD, Iris Corporation and NXP (formerly Philips), the Maldivian Travel Document Section makes its transition to new ePassport specifications, getting their programme up and running a mere ten months after they established their goal.

Facing the Future
An overview of ICAO’s role in providing the necessary leadership and implementation assistance relating to new MRTD specifications.

TAG MRTD RFI
Details of the ICAO Technical Advisory Group on Machine-Readable Travel Documents’ (TAG MRTD) request for information relating to new and improving MRTD and ePassport technologies.

MRTD Glossary of Terms

ICAO MRTD REPORT
VOLUME 2, NUMBER 2, 2007

Editorial
Managing Editor: Mauricio Siciliano
MRTD Programme—Specifications and Guidance Material Section
Tel: +1 (514) 954-8219 ext. 7068
E-mail: [email protected]

Anthony Philbin Communications
Senior Editor: Anthony Philbin
Copy Editor: Robert Ronald
Tel: +01 (514) 886-7746
E-mail: [email protected]
Web Site: www.philbin.ca

Production and Design
Bang Marketing
Stéphanie Kennan
Tel: +01 (514) 849-2264
E-mail: [email protected]
Web Site: www.bang-marketing.com

Advertising
FCM Communications Inc.
Mr. Yves Allard
Tel: +01 (450) 677-3535
Fax: +01 (450) 677-4445
E-mail: [email protected]

Submissions
The MRTD Report encourages submissions from interested individuals, organizations and States wishing to share updates, perspectives or analysis related to global civil aviation. For further information on submission deadlines and planned issue topics for future editions of the MRTD Report, please contact Mauricio Siciliano, managing editor at: [email protected]

Opinions expressed in signed articles or in advertisements appearing in the ICAO MRTD Report represent the author’s or advertiser’s opinion and do not necessarily reflect the views of ICAO. The mention of specific companies or products in articles or advertisements does not imply that they are endorsed or recommended by ICAO in preference to others of a similar nature which are not mentioned or advertised.

The publishers extend their thanks to the companies, organizations and photographers who graciously supplied photographs for this issue.

Published by
International Civil Aviation Organization (ICAO)
999 University Street
Montréal, Québec
Canada H3C 5H7

The objective of the ICAO MRTD Report is to provide a comprehensive account of new developments, trends, innovations and applications in the field of MRTDs to the Contracting States of ICAO and the international aeronautical and security communities.

Copyright © 2007 International Civil Aviation Organization

EDITOR'S NOTE Taking an Active Role

In a time when tremendous efforts are being made regarding the consistent and secure standardization of travel documents, the ePassport still has many faces. The world’s aviation and security communities are continuing to finalize issuance processes that respect minimum quality standards, local regulations, citizen rights and worldwide interoperability requirements, but these goals are much closer now to being realized thanks to an unprecedented multilateral effort between State and industry experts.

For the last 30 years, ICAO has been the leader and primary forum for achieving world-class standards for ePassport documents. But setting the standards in this field is only one of ICAO’s functions. The ICAO Specifications and Guidance Material (SGM) Section is also committed to continue developing, improving, educating and promoting worldwide implementation of MRTD and eMRTD standards and specifications.

During the TAG/MRTD 17 meeting held in ICAO Headquarters last March, the Secretariat committed to prepare and put into action a communications strategy that would see the Organization playing a more active role in informing and educating government administrations, private entities and the general public regarding the content of the MRTD Programme and its significant benefits for international air transport and national security agencies. This role is even more significant today in view of the present worldwide implementation of the ePassport, not to mention the troubling misinformation that has been generated by hackers and privacy groups who have made headline-grabbing but ultimately baseless claims regarding the threats that contactless chips pose to the security and privacy of the world’s travellers.

In this issue of the ICAO MRTD Report we interview Mr. Barry Kefauver, formerly of the US Department of State, who currently chairs the ISO Task Force on new technologies of the TAG/MRTD on the security and privacy issues related to the ePassports. This is the first of a series of interviews, articles and reference materials that will address the specific and general concerns that have recently been brought forward at conferences and in the media. This body of reference will help to serve States, the media and the general public in more clearly identifying and understanding the actual issues and concerns currently being addressed regarding ePassport chip security and bearer privacy.

Should any of these issues be of particular concern to members of our readership, we would suggest that they contact the MRTD Programme Office by visiting the ‘Contact Us’ section of the MRTD web site at: http://mrtd.icao.int. Your input, concerns and requests in this field will be essential to help us build a comprehensive set of articles, information papers and presentations that will address these issues and reinforce the credibility and global consensus surrounding this important effort.

Finally, you'll notice that this latest issue of the ICAO MRTD Report has a new look and feel. This new approach is part of an overall re-branding of ICAO's magazines to help stress the central role that ICAO plays in the global aviation community, and to ensure that the Organization is clearly identified with the important work it carries out on behalf of all of aviation's stakeholders. We encourage any comments or feedback on this new design and focus and hope that these changes have helped to make the MRTD Report more informative and user-friendly.

Enjoy your reading.

Mauricio Siciliano
Editor

COVER STORY: BARRY KEFAUVER INTERVIEW

ePassports: The Secure Solution

THE ePASSPORT HAS ENGENDERED ITS FAIR SHARE OF HEADLINES SINCE ITS IMPLEMENTATION BEGAN SEVERAL YEARS AGO, MOSTLY AS A RESULT OF HACKERS AND PRIVACY GROUPS WHO HAVE MADE FANTASTICAL CLAIMS REGARDING THE THREATS THAT CONTACTLESS CHIPS POSE TO OUR SECURITY AND PRIVACY. BARRY KEFAUVER, FORMERLY OF THE US DEPARTMENT OF STATE AND CURRENTLY A CONSULTANT WHO, AMONG OTHER RESPONSIBILITIES, CHAIRS THE ISO TASK FORCE ON NEW TECHNOLOGIES, OVERSAW SOME OF THE EARLIEST ICAO AND RELATED PROCEEDINGS LOOKING INTO PASSPORT SECURITY, BIOMETRICS AND DATA STORAGE. HE ADDRESSES THE SERIOUS FLAWS IN THE CRITICS’ APPROACHES IN THIS INTERVIEW WITH THE ICAO MRTD REPORT, AND DESCRIBES THE HUGELY SUCCESSFUL TECHNICAL AND MULTILATERAL ACHIEVEMENT REPRESENTED BY THE ePASSPORT INITIATIVE.

ICAO MRTD Report: There have been a number of statements made in recent months regarding what are described as ‘privacy and security threats’ associated with the new RFID or ‘e’ Passports. Would you like to address these briefly before we discuss the situation in more depth?

Barry Kefauver: One of the biggest problems with the current crop of RFID naysayers is that most of their comments and observations, as unfounded as they may be, have gone unanswered in the media. Essentially we have tried to point out in rational ways where the holes in their critiques are, and they simply ignore the facts. This is in part due to the fact that some of them, Lukas Grunwald for instance, are focused on setting-up or are working for RFID security companies. To deal with the facts would blunt the bite of their old and tired arguments, diminishing their headline-garnering effects.

The media isn’t totally to blame here, but the realities of contemporary news gathering are such that wild claims made by anyone calling themselves an ‘expert’ garner far more headlines than do the reasoned, deliberative responses to these claims. You’ll see all sorts of headlines screaming about security and privacy flaws in ePassports, but often you have to get down to the second-to-last paragraph in the column to find the part referring to how the claims were later pointed out to be somewhat less than legitimate. Unfortunately, the media are not asking that crucial question, “so what.”

As an example, I encountered Lukas Grunwald in an open forum at a secure documents conference this past May in London. This pattern of denial was clear from the get-go. His slide presentation would make one unfounded claim after another. When I and others in the audience would try to address such claims as comprehensively as possible, he would simply ignore the substance and go on to his next irrational statement. I offered several corrections to his erroneous slides at that conference in May, though I noted that the identical errors were still in his presentation slides in July. We try to let these critics understand where the holes in their arguments are and how false the premises are that they’re basing their positions on, but in the end business is business I suppose and their companies’ vested interests rely on a certain level of misinformation persisting in the public domain. It’s unfortunate for the technology’s credibility and it does a tremendous disservice to the many IT, security and cryptographic specialists who took part in the lengthy and very diligent development stages of the ePassport. Perhaps that’s simply part and parcel of how things work these days and we have to white-knuckle our way forward.

Where Grunwald and others like him see these chip-based passports as a toy to be brought into the laboratory and made sport with on the basis of impractical and questionable scenarios, I see them as globally-interoperable tools that have had to meet multi-variant international requirements in order to be able to function effectively within different countries, cultures and economies. One of the proposed ‘must-dos,’ for example, is ‘hashing’ the facial biometric (hashing, in this instance, involves using prescribed cryptographic algorithms to protect data); however, hashing the image in that way would make it useless in a globally-interoperable environment such as border control.

It’s very important to consider all of the security features of a given ePassport as complementary. To highlight a specific, alleged deficiency of a document’s printing, selected security features, bindery or contactless chip is to ignore the context that these documents are used within and to ignore the understanding that everyone developed early-on in the process with respect to biometrics being an additive and not a replacement security measure.

ICAO MRTD Report: Let’s discuss those security features for a moment and try to understand more clearly why the ePassport is as secure as its developers and supporters claim.

Barry Kefauver: You have to realize that one of the most significant factors associated with the current generation of passports is that these documents, contactless chips aside, have more physical features to protect them than any other passport in history. Any of the new generation of ePassports currently in circulation have the most advanced and the state-of-the-art security features available built right into the documents themselves—basically passports are the best they’ve ever been and this is before we come to the chip and the myriad other security measures that have been developed around that technology.

ICAO MRTD Report: Can we briefly go over the security features associated with the chip itself?

Barry Kefauver: It’s very difficult for me to be brief about the development of the ePassport. I get so wound up and there’s so much there. Let’s start by saying that the chip itself and what it represents are the result of over five years of agonizingly-detailed multilateral deliberation. The search for something to carry more information and enhance passports-as-they-were goes all the way back to 1995. ICAO issued a Request for Information (RFI) at that time to elicit new ideas and new technologies from industry that could allow passports to carry additional security measures, specifically the use of biometric data.

We discerned fairly early on that biometrics were really the only type of data that could provide passports with the additional security we were looking for, and the only technology that could truly tie the document to the citizen to whom it had been rightfully issued. It took a full year to simply assess the various factors to be considered that could be addressed and resolved multilaterally, based on the 125 or so criteria that needed to be established by the working group. The facial image was judged to be the one biometric that could satisfy all the different countries’ requirements. The very first Technical Report to be generated by ICAO around this topic was the one reflecting the process and specifics surrounding the selection and endorsement of the facial biometric.

A little further down the road, in the context of the ICAO New Technology Working Group (NTWG), we discerned that the contactless chip would provide the only practical approach for incorporating the biometric information into the passport document. I need to stress here that this began pre-September 11, 2001, and that therefore, even before that tragic incident, the worldwide travel document community had become absolutely certain that this was something that needed to be done if passport security measures were going to remain effective and move forward.

At that point in time there had been an implementation of the contactless chip in a paper substrate (many, of course, had been used in plastic, ID-1-type cards prior to this) which was of interest to us due to the differing chip placement configurations that would be required and, of greatest concern, the need for different countries to be able to incorporate the chips into their documents based on their current passport manufacturing processes. We reached some initial sense of general direction and purpose in 2000 regarding the chip, and then spent the next two-to-three years looking over the full range of storage media alternatives such as optical memory, high-capacity magnetic stripes, two-dimensional barcodes, etc.

ICAO MRTD Report: Was any consideration ever given to contact chips in this regard?

Barry Kefauver: This is one of those areas where the myths surrounding our selection of contactless technology crept in: namely, that we were in some way ‘puppets’ of the RFID industry and simply let them spoon-feed us along the path to an RFID future. Among the more far-fetched, there were actually a series of allegations made that we had selected the contactless chips so we could launch satellites and keep track of individuals from space—which is patently preposterous. Individuals tried to make the analogy that this technology was in some way similar to the chips being used for inventory purposes at your local department store. The fact is that the genre of chip used for inventory control and the 14443 chip used in passports are completely different, have very different performance and security attributes that were carefully considered in the early going.

I want to make it very clear here that we’ve had, and continue to have, the world’s experts at our disposal regarding all of these decisions. To listen to Lukas Grunwald, who stated this point earlier this year at his presentations in both London and Las Vegas, the people who selected contactless chips and came up with the new standards were all “brain-dead”, and only had ‘politicians and printers’ at their disposal for advice and expertise. Like most of what Mr. Grunwald comes up with, nothing could be further from the truth. Throughout this process we have consulted with chip experts, electrical engineers, IT experts, physicists, cryptographers, security specialists, card technology practitioners—basically the highest caliber of professionals that could be brought to bear on these issues. In 2004 we had a standing-room-only meeting in London where there were 130 cross-industry experts on hand at a joint ICAO-ISO session where we presented for review what we were intending to accomplish across the board vis-à-vis contactless chips and biometric passport technologies, not to mention data. We noted all the possible technologies and applications at our disposal and for three days these experts, from scores of companies and organizations, pored over the requirements of the travel document and border inspection functionalities and gave us feedback based on their own implementations in other industries, for instance banking. It was here that we refined our expectations and focused in on the ISO 14443 series chip due to numerous performance virtues, as well as the necessity for them to be read from proximity and the added security potential proximity-reading would provide.

ICAO MRTD Report: And so what about those who now say that they can clone or copy these chips without the holder’s permission? What are the actual risks posed by this ability they’ve demonstrated?

Barry Kefauver: The ability to clone or copy the biometric information on a contactless chip, from a security and engineering standpoint, is a relatively trivial matter. We knew from the onset that cloning chips was feasible to us and rather simplistic, but what was important was to make sure that this cloning or other misuse would not jeopardize the overall security of the travel document. Cloning a chip is basically the electronic version of photocopying someone else’s passport data page. Imagine going up to a passport inspector and attempting to present a photocopied data page of somebody else’s passport, and essentially you have the security-threat equivalent of cloning a chip. You’d be laughed out of border control and escorted to the door, maybe by security officials, maybe by the nice men in white coats. Again, the rigour to be applied with cloning is the “so what” test. Cloning a chip has no impact on passport’s security or the bearer’s privacy—it is a non-issue.

The skimming threats (reading the chips from a distance) are also something that the worldwide travel document community has spent a great deal of time and money on over the past several years. It’s been proven thus far that, indeed, you can access a chip from beyond the 10 cm range, but mainly what has been shown is that one can merely activate the chip, not necessarily read meaningful data from it. So, yes, a chip can be skimmed. However, the pragmatics of doing so must be considered to assess how much of a risk this represents. Sophisticated equipment, carefully orchestrated logistics of book placement, and rather precise circumstances are needed. At one example of this that I witnessed in a lab, the machine in question needed to be rolled in on train track rails and the level of power required to operate it was dangerous to humans. Not the kind of equipment that you could fit into a cigarette pack.

FIGURE 1: SUMMARY OF SECURITY RECOMMENDATIONS FROM TABLE IIIA-1, ICAO DOC 9303.

Threats (Counterfeiting) Basic features Additional features Paper substrates (5.1.1) controlled UV response appropriate absorbency registered watermark visible UV fibres/planchettes two-tone watermark and surface characteristics invisible UV fibres/ embedded or window thread chemical sensitizers planchettes

Label substrates (5.1.2) controlled UV response invisible UV fibres/planchettes embedded or window thread chemical sensitizers non-peelable adhesive visible UV fibres/planchettes

Plastic/synthetic substrates (5.1.4) security features providing an equivalent level of security in plastic optically variable feature (OVF) as per paper or substitute

Security printing (5.2) two-colour guilloche microprinting intaglio printing front-to-back register feature background unique biodata page design latent image deliberate error in microprint rainbow printing duplex pattern unique design on every page anti-scan pattern 3-D design feature tactile feature

Numbering (5.2.3) unique document number perforated document number special typefonts

Inks (5.2.2): UV inks on all pages optically variable properties thermochromic ink reactive inks metallic inks photochromic ink infrared penetrating numbering ink fluorescent ink metameric inks phosphorescent ink infrared dropout ink tagged ink

Photo-substitution (5.4.4) integrated biodata page OVF over the portrait storage and retrieval system guilloche overlapping portrait digital signature in document for digital portrait images secure laminate or equivalent embedded image biometric feature secondary portrait image

Alteration of the biodata (5.4.4) reactive inks chemical sensitizers in substrate OVF over the biodata secure laminate or equivalent secondary biodata image

Page substitution (5.5.3/4) lock stitch or equivalent programmable sewing pattern index marks on every page unique biodata page design fluorescent sewing thread biodata on inside page serial number on every page page folio numbers in guilloche

Deletion/removal of stamps and labels (5.5.5) reactive inks high-tack adhesives (labels) over-lamination frangible substrate (labels) chemical sensitizers permanent inks (stamps) high absorbency substrates

Document theft (5.7.1): good physical security arrangements CCTV in production areas control of all security components centralized production serial numbers on blank documents digital signature secure transport of blank documents embedded image internal fraud protection system international exchange on lost and stolen documents

The bottom line is that yes, you can skim, but this is extremely impractical with Basic Access Control and other measures that States are now implementing using state-of-the-art cryptographic technology. If you look at the ICAO 9903 document’s security measures (see excerpt, page 7), you’ll find a lot of the information there in much more arcane but important detail. Some countries are also using shields built into the ePassport cover that render the contents, quite simply, unreadable until authorized to do so. Now that Europe is rolling-out fingerprint data into their chips, necessary measures such as Extended Access Control technologies are additionally being used to make this data even more secure.

ICAO MRTD Report: What were some of your early findings after you had settled on the 14443 chips?

Barry Kefauver: At a watershed meeting over a two-week period in Glasgow, where the world’s experts came together, industry and government discussed everything relating to chip security, passport manufacture and basically the entire panoply of issues that needed to be discussed prior to the serious testing getting started. Subsequently, at the Canberra meeting, which was really the first meeting where we started to put interoperability to the test in a targeted way, we invited a host of chip and reader manufacturers to come and be evaluated. It became apparent fairly quickly, however, that claims of 14443 compliance were confused, exaggerated and very misleading (for a more detailed overview of the interoperability test meetings and their respective results, please see “Achieving Interoperability," on page 16).

What we were finding was that chips and readers made by the same company, used in the same plant, could be rolled out and would functionally be considered interoperable. Real problems became apparent, however, when we started testing one company’s readers with another’s chips, and vice-versa. Basically at this stage of development nothing was working in a manner that would be useful to us from the interoperability standpoint. What we discovered was that the 14443 standard had a lot of holes (known affectionately as ‘doors’ in ISO) that we were going to need to fill-in ourselves if our interoperability goals were to have a hope of being achieved. Fortunately we have been able to accomplish this.

ICAO MRTD Report: What are some of the other security concerns that MRTD Report readers may wish to have reassurance or further information on?

Barry Kefauver: Eavesdropping, whereby someone may wish to ‘listen-in’ on the data-exchange between a chip and a reader, is another area where much attention has been directed. Since this has been feasible for years, no one has ever shown much interest in actually doing this, but regardless there is enough consideration being given to a range of provisions, such as Faraday cages for readers, that are addressing this issue and rendering this a very low level threat from an overall security standpoint. Governments and others in general have had security provisions for many years designed to eliminate or minimize risks from unprotected or unauthorized RF radiating from PCs and other types of sensitive equipment.

Another area, albeit of a very low threat level concern at this stage, is the so-called ePassport as a beacon scenario. Here it’s proposed that if unauthorized persons were to access the information on a chip, if they could get that chip’s serial number, and if they had a list of manufacturers that used chips built with those serial numbers, then and only then this group might be able to identify a traveller's country of origin. Though very impractical and highly unlikely, the travel document community nonetheless took this threat seriously, as we do with all threats, and has put measures in place to eliminate this concern. Another example of our commitment to insuring that privacy and data integrity remain uppermost in our minds.

To the privacy crowd the sort of ‘so what’ test cited earlier doesn’t really matter, nor does it matter that someone can get far more useful information from a trash-can in your driveway, nor does it matter that many hotels, for instance, regularly ask for your passport and photocopy it for their verification and records, thereby duplicating exactly the same sort of information that a skimmer might find from a chip with much more expense and effort. But this doesn’t keep ePassport critics and privacy mavens from dreaming up any number of far-fetched scenarios whereby terrorists could, for instance, follow around a bus with a chip skimmer trying to determine if there were enough of one nationality or another’s citizens in it to warrant blowing it up.

In a real-world sense, where one deals with actual, practical security threats, these are all non-issues. We’ve implemented standards and recommended practices to preclude skimming and eavesdropping, and in every other credible area we’ve also taken any and all required measures to ensure the bearer’s safety, privacy and security. The newer EAC chips coming out now in Europe would require massive amounts of long-term networked computing in order to break their cryptographic measures, and basically this is an area where security and privacy are going to be vigilantly pursued and expertly and reliably reinforced as every new threat emerges.

To conclude, I would like to stress that the chip in an ePassport in no way replaces the wide variety of additional security measures inherent in paper passports, but rather enhances and strengthens these measures through the addition of biometric data to help tie the bearer to the document in ways that could not be done before. We studied the technologies available to us, we consulted the world’s foremost experts in arriving at our conclusions and best practices, and in the end we have produced an exceptionally secure document that will assist border control and other officials for decades to come.

Bringing together a unique partnership of government and industry, devoted to a common purpose, has brought us to where we are today. In my view, all of those involved can feel extremely proud about the effort that has been expended and the incomparable multilateral achievement that the ePassport represents.

OPINION

ePassport PKI and the ICAO PKD: The Australian Perspective

AUSTRALIAN PASSPORT OFFICIAL ROSS GREENWOOD, CHAIRMAN OF THE 2007 ICAO PKD BOARD, DESCRIBES THE REASONS FOR SUPPORTING ePASSPORT VALIDATION AT BORDER CLEARANCE AND MAKES THE BUSINESS CASE FOR MEMBER STATE PARTICIPATION IN THE ICAO PKD. PARTICIPATING STATES HAVE BEEN DOWNLOADING CERTIFICATES TO SUPPORT VALIDATION OF ePASSPORTS SINCE THE ICAO PKD BECAME OPERATIONAL IN MARCH 2007.

ePassports improve the inherent security of travel documents by duplicating the biographical information and photograph from the data page onto a chip. As a result, provided the data on the chip is read during the border clearance process and compared to the information on the data page, any fraudulent alteration of the document needs to be achieved in two places.

However, the real improvement in document security of ePassports is the Public Key Infrastructure used to secure the information written to the chip, thus providing an opportunity to confirm that the information on the chip was put there by the issuing authority, and not subsequently altered. The ICAO PKD is a repository for current, validated ePassport public key certificates which are available for download.

The full border security and aviation security benefits of ePassports will be realised when validation of the PKI certificates for each ePassport becomes the pervasive practice of border control authorities around the world. If this can be achieved, border control authorities in all countries, by being able to readily identify and remove from circulation bogus ePassports, will assist passport issuing authorities to manage the integrity and reputation of the documents they issue.

To date, the ePassport PKI design and the design of the arrangements for exchange of certificates has largely been managed by the passport issuing authorities, the organizations responsible for generating the PKI certificates.

However, it is border control authorities who are the primary client for passport validation using PKI certificates.

The fundamental feature of any PKI application, including that for ePassports, is that:

- Security is guaranteed by "private keys" that are retained by, and known only to, the issuing authority.
- Validation is achieved by the exchange of "public keys".

The ICAO PKD has been designed to preserve a high level of data security, appropriate for the handling of the public keys associated with ePassports. It remains the responsibility of individual States to preserve the absolute integrity of the private keys associated with their documents, and to advise if and when this integrity is compromised.

Debate continues about how to optimise the ePassport PKI design to optimise security of the certificates—a conversation dominated by technical experts from the passport issuing authorities.

Less attention has been given to ensuring that the arrangements for the exchange of "public key" certificates are reliable, timely and efficient—the conversation of interest to the border control authorities who want to be able to validate all ePassports, from all the States that issue them.

A point lost in much of the technical discussion is that security in the exchange of public key certificates process is a second order concern, because the public keys in themselves contain no personal data, and no data that can compromise PKI validation. It is instructive that the “P” in the acronym PKI stands for “public.”

Australia’s view is that the challenges facing the ePassport PKI are:

1. Achieving agreement on the PKI design, to ensure security of the certificates, and;

2. Ensuring the most extensive possible sharing of validated "public key" certificates, from all ePassport issuing countries.

ePassport PKI and the ICAO PKD

Under the current design, the ICAO PKD contains Document Signer Certificates (CDS), a public key, that have been validated by Country Signing Certificates (CCSCA), a separate public key, that have not subsequently been the subject of a Certificate Revocation List (CRL). Under this design it is a requirement for States to forward the relevant public key certificates (i.e., CDS & CCSCA) and CRLs to ICAO to ensure that only validated, current CDS are included in the ICAO PKD*.

*The ICAO technical report on PKI for MRTDs states at 2.2.2 that “Country Signing CA Certificates (CCSCA) are not part of the ICAO PKD service” but goes on to state in the next sentence: “The PKD however SHALL use Country Signing CA Certificates (CCSCA) to verify the authenticity and integrity of the Document Signer Certificates received from participating States, before publishing.” and at 2.2.1 states that “Each Country Signing CA Certificates (CCSCA) generated by each State MUST also be forwarded to ICAO for the purpose of validation of Document Signer Certificates (CDS).” Certificate Revocation Lists similarly are required to be copied to ICAO.

Subsequent to this design being finalised, most ePassport issuing countries have decided to include the CDS on the chip in their ePassports. If agreement can be reached for this practice to be mandated, there is scope to simplify the design of the ePassport PKI, and in turn of the ICAO PKD. This technical conversation will also need to resolve the divergent opinions that remain with respect to the distribution of public keys, in particular those associated with the Country Signing CA Certificates (CCSCA).

Distribution of Public Key Certificates

Australia commenced production of ePassports in October 2005. At that point the ICAO PKD was not operational, and it was not clear when it would become operational. In order to manage the exchange of public key information until such time as the ICAO PKD commenced operating, Australia established a Local Key Directory (LKD) as a repository for the validated, current CDS of all ePassport issuing countries.

The Australian Passport Office has operated its LKD based on the bilateral exchange by email of public key certificates since December 2005. E-mail was chosen as the only practical means of bilateral exchange of certificates because Australia's diplomatic representation in more than 80 countries falls well short of a presence in all the potential ePassport issuing States. In the period since December 2005, Australia has invested significant effort in establishing and maintaining e-mail contact lists, monitoring ePassport implementation timetables, and requesting and distributing public key certificates and revocation lists.

Our experience of distributing Australian public key certificates broadly reflects our experience in receiving them. Notwithstanding all efforts, few of the emails in which we distribute our public key certificates are acknowledged, most remain unacknowledged and a significant number fail. Successful transactions in one month are followed by failure or unacknowledged emails in subsequent months.

Australia’s assessment is that bilateral exchange of public key certificates is unreliable, slow and inefficient. The reasons for this are that there are myriad practical constraints on bilateral exchange:

- The scale required to manage bilateral exchange of certificates is formidable—80 countries issuing ePassports x new CRL x new CDS x new CCSCA = a large volume of transactions for each border control authority to manage.

- The upload transactions are not straightforward:

  - Prior to public key certificates or revocation lists being loaded to a local directory, the credentials of the person and organization sending the certificate must be established. This is problematic because:

    - Contact persons change.
    - The names of organizations responsible for issuing ePassports change.
    - The organizational units responsible for managing certificate distribution change.
    - Sometimes even the organization itself responsible for passport issue changes.

    All these changes lead to changes in email addresses, or the alternative contact details required to ensure accurate addressing by other means.

  - Organizations receiving certificates will typically be involved in border control. Organizations sending certificates are involved in passport issue. Other organizations responsible for airport security may have an interest in receiving the certificates, and the foreign ministries that manage diplomatic communication channels must be aware of all changes in order to send certificates to the correct destination.

  - In order for public key certificates to be uploaded, datasets need to be assessed and tested as meeting specifications in order to be accepted for upload. Where the data set is rejected a bilateral communication is required to resolve the issue. This is a common occurrence.

In summary, as jurisdiction varies between countries, border control agencies receiving certificates are impossibly placed to maintain reliable contacts with the passport issuing organizations from other countries that are sending them.

Moreover, a system that relied on bilateral exchange of certificates between governments would exclude access to non-Government clients for ePassport validation, such as airlines, airport operators and the financial industry.

All of the foregoing suggests that the exchange of certificates is a process that can more simply, efficiently and effectively be done via a central point like the ICAO PKD. However, it is also the case that the ICAO PKD needs to change:

- The current design predates the widespread adoption of the practice of including CDS on the chip in ePassports—there is scope to simplify the exchange of "public key" certificates, to redesign the validation process and to change which certificates are exchanged and how this is achieved.

- The current costs of participation are an impediment to expansion of the ICAO PKD. With the establishment phase complete and the ICAO PKD operational there is scope to reduce fees significantly as membership in the PKD increases.

The ICAO PKD Board and the ICAO Secretariat are working on these issues and engaging those with alternate views.

Conclusions

The Australian Passport Office believes that validation of ePassports can contribute to improved security of travel. We therefore support extensive, reliable, timely and efficient exchange of "public key" ePassport certificates.

Australia believes that the ICAO PKD is the best vehicle to deliver this goal.

We want Australian travel documents to be secure. We want to assist other governments in identifying and withdrawing from circulation fraudulently altered or otherwise falsified Australian and other ePassports. Australia believes it is in the interests of all States that the scheme or schemes in place to support validation of ePassports grow in their coverage.

Many countries are now producing ePassports, but many fewer are reading data from the chips on ePassports at the border. However, Australia expects interest in validating ePassports and participation in the ICAO PKD will now start to grow as the number of ePassports in circulation makes the required investment in border processing hardware, systems integration and changed business processes worthwhile.

OVERVIEW

Achieving Interoperability

By Claudia Hager, MBA, Executive Director of the Austrian State Printing House (OeSD)

EVEN THE MOST SECURE OF ePASSPORTS IS ONLY AS USEFUL AS THE READER THAT CAN COMMUNICATE WITH IT. CLAUDIA HAGER, EXECUTIVE DIRECTOR OF THE AUSTRIAN STATE PRINTING HOUSE, OUTLINES THE EVOLVEMENT OF ePASSPORT/READER INTEROPERABILITY AND THE ISSUES THAT NEEDED TO BE OVERCOME BEFORE TRULY RELIABLE AND GLOBAL DATA INTERCHANGE COULD BE ACHIEVED.

There were two primary preliminary considerations regarding global interoperability and the new generation of chip-based travel documents: the need for additional storage capacity for biometric data, and; an open platform for data storage and data reading. To satisfy both requirements, ISO 14443, applicable to contactless chips, was chosen as a globally interoperable medium that as an added benefit was not bound to a specific or proprietary vendor’s application.

The standardized chip provides enough capacity to store a variety of raw biometric data types. Although ISO 14443 clearly specifies the chip’s technical requirements, the standard also provides for flexible tolerances which can be implemented differently depending on a manufacturer’s individual priorities. It was therefore of the utmost importance to test the various beta-version ePassports (with different chips, operating systems, chip locations and data sizes) and readers in multiple environments to judge the effect of these varying tolerances and more closely reflect the actual conditions of live performance.

The Road to Interoperability

During the last three years, several governments have hosted interoperability tests. Passport and chip manufacturers, operating system developers and reader manufacturers were invited to participate in live tests of their products in the designated area of application, namely border crossing. ePassports (or simply ‘chip inlays’ in the early stages of the test series) were cross-tested against each other under a variety of interoperability scenarios. The target was to benchmark the performance rates and isolate areas for improvement.

The first interoperability test was hosted in Canberra, Australia, in February 2004. The last and biggest test sessions were held in Singapore in November 2005, and in Berlin, Germany, in May/June 2006. Figure 1, below, gives an overview of all the interoperability tests performed during this period. The test sessions evolved from a series of general assessments on to more focused measurements of specific abilities as the actual ‘state-of-the-art’ became more apparent. Figure 2 on the preceding page provides an overview of the objectives* of each of the tests and illustrates the progression that occurred.

FIGURE 1

List of locations, number of chips (eMRTDs), readers and participants present at the various ePassport interoperability tests conducted since 2004.

| | eMRPs | Readers | Participants |
|---|---|---|---|
| Canberra | 10 | 6 | – |
| Morgantown | 100 | 18 | 150 |
| Sydney | 120 | 15 | ~100 |
| Baltimore | ~25 | 8 | ~20 |
| Tsukuba | 600 | 35 | 200 |
| Singapore | 140 | 40 | 240 |
| Berlin | 443 | 45 | 400 |

FIGURE 2

Evolution of interoperability test objectives.

| Interoperability Test | Objective |
|---|---|
| Canberra | Examine compatibility of Type-A & Type-B and explore additional requirements that need to be specified |
| Morgantown | Research if ICAO specifications addressed all basic issues in multi-vendor condition |
| Sydney | Investigate incompatibility problems and test readability/usability for corrections of specifications |
| Baltimore | Determine the operational impact on primary inspection systems |
| Tsukuba | Test with standard equipment and measure reading speed/chip characteristics with scientific approach |
| Singapore | Promote interoperability between ePassports and ePassport readers including optional features |
| Berlin | Simulate border situations, no standard data sets allowed, focus on reliability of reading rather than speed |

In order to obtain comparable reading data, a common software platform called the Golden Reader Tool (GRT) was developed by the Essen Group (a group of specialists from UK, The Netherlands and Germany that met in the city of Essen in 2004). This software continues to serve as an interoperability testing tool for compliance with the ICAO specifications on the application and security level. The GRT has been constantly updated and provides comprehensive data related to the ePassport reading process.

An eMRTD read and accepted by the GRT can be considered as being compliant with the LDS and PKI standards defined in 9303 Part 1, 6th edition. The tool conveys additional information—such as the security mechanisms being applied and the data fields being utilized—as well as the facial and fingerprint images and MRZ data.

Apart from the widely employed GRT program, other testing software has also evolved. The Japanese test hosts developed proprietary “NMDA Test Software,” and the hosts of the Singapore sessions also used their own “Interfest Test Software.” Figure 3, below, shows the technological development of the samples and readers over the past two years and includes a glossary of applicable terms and acronyms used for this purpose.

FIGURE 3

Technological development of samples and readers over the past two years and glossary of terms and acronyms employed.

| | Canberra | Morgantown | Sydney | Baltimore | Tsukuba | Singapore | Berlin |
|---|---|---|---|---|---|---|---|
| Reading | Poor | OK | OK | Not Satisfactory | Good | Very Satisfactory | Very Good |
| Data Set | – | Silver | Silver & 34k photo | Silver | Tsukuba | Orchid, Individual | Only Individual |
| Tool | – | – | – | GRT | GRT, NMDA | GRT, NMDA, Interfest | GRT (50%), individual |
| Read Range | – | – | 0, 2 cm, Flip | 0 cm | 2, 5, 10 cm, rotated | Rotated, upside down | 0, 2 cm at four positions |
| Eavesdropping | – | Yes | – | Shield Test | – | – | – |
| Bps Average | 106 kbps | 212 kbps | 212 kbps | 212 kbps | 424 kbps | 848 kbps | 848 kbps |
| Time Average | > 30 sec | > 30 sec | 30 sec | ~ 20 sec | 3 sec - 10 sec | 2 sec - 5 sec | 5 sec |
| SoD Test | – | – | – | Yes | Yes | Yes |
| BAC | – | – | – | – | Yes | Yes | Yes |
| AA | – | – | – | – | – | Yes | Yes |
| EAC | – | – | – | – | – | Yes | Yes |

Reading: The first line gives the general impression participants and organizers had from the test sessions.

Data Set: In many tests a standard data set was provided to the participants in advance so they could all load the same data onto the ePassports submitted for testing. The advantage was the comparability of the data with the same image size on different chips, different operating systems, different antenna geometry and different chip locations in the passports that were tested. The disadvantage was that the readers had pre-stored the MRZ data for BAC-reading and therefore all reading parameters were adapted to the sample data set. Presenting an ePassport with different data still caused substantial problems for the reader. This was not a realistic border scenario where–hopefully–each ePassport has a different data set stored in the chip. Hence the last interoperability test in Berlin only allowed individual data in order to better simulate a border environment. A server for uploading the different public keys used by the passport manufacturers was available, however all passports had the public key stored on the chip.

Tool: The type of reading software is listed here.

Read Range: This was a set of tests measuring the position of the document and the distance from the reader antenna.

Eavesdropping: Tests on eavesdropping were carried out and analysed.

Bps Average: This shows the acceleration in reading speed over time, measured in kilobits per second.

Time Average: Very generally, this line gives the average reading speed with/without BAC and different data sizes. Reading duration proportionally decreased when reading speed increased.

SOD Test: The digital signature of the data was verified where indicated.

BAC: A test of Basic Access Control was included.

AA: A test of Active Authentication was included.

EAC: A test of Extended Access Control was included.

* Information obtained from Mr. Junichi Sakaki (Co-chair ISO SC17/WG3/TF4) during interoperability tests in Singapore, November 2005, updated by Claudia Hager.

One example of a sample data set, in this case the «Orchid Data Set» used in the Singapore Interoperability Test.

In the test session in Berlin, GRT was once again the most commonly used software (used by about 50 per cent of the readers). Reading speed was around 5 seconds on average due to the greater number of security layers involved (at least BAC, often also AA). Only individual data sets were allowed in the tests and none of the previously used test data were employed. The outcome of the Berlin and earlier testing sessions and the major issues that emerged as a result of each are summarized in Figure 4 (see table, page 19).

The organizers of the Berlin test also smuggled two wrongly-personalised passports into the group of test samples. One had an incorrect hash value, the other a faulty digital signature. This was an excellent means to detect those few readers that firstly verify the digital signature and secondly give a clear message in the user interface to the border officer about the cause of the reading error.

Analysis of Interoperability Issues

ePassport operating systems, antennas, chip integration and reader manufacturing have developed rapidly during the last three years. General and basic issues surfacing in the first test sessions were soon solved, while later tests focused on more detailed and specific questions.

It is important to note that all test sessions were followed by a detailed report which was distributed to all participants and which was then made available to the industry. The awareness of the potential issues was highlighted and is reflected in the Supplements to the ICAO Doc.9303 Part 1, and huge improvements were obvious between each of the test sessions.

The results and findings of the Singapore and Berlin tests showed substantial improvements and fewer issues were spotted. Fifteen new reader manufacturers participated in these sessions; however it was clear that reader manufacturers who had already participated in earlier test sessions had more stable reading performance than newcomers.

After the last test session, it could be concluded that the maturity of ePassports had advanced to the implementation level, as field-proven experience has now demonstrated. For the reader manufacturers it can be generalised that those having the experience of previous interoperability tests and the background of border control processes performed extremely well. Thanks to the series of test sessions, the new generation of travel documents was globally and jointly developed and is now fit for the implementation process.

FIGURE 4

Summarized outcomes and major issues discerned during interoperability testing: 2004–2006.

| Interoperability Test | Findings |
|---|---|
| Canberra | Need to specify ‘Reset’ time; Antenna design has great influence on performance; Power requirement too high; OS implementations in early stage |
| Morgantown | Need to specify APDU; Command details not correctly implemented; Eavesdropping technically possible up to 10m; Jamming threat with more than one chip |
| Sydney | Field Strength sensitivities; Chip detection; CBEFF & LDS format error |
| Baltimore | Slow reading speed; Poor ergonomic usability; Power problem; SoD is not verified by readers |
| Tsukuba | Short File Identifier not used as specified; 3 byte Le needs clarification; BAC successfully implemented |
| Singapore | Antennae orientation can be an issue; AA, EAC, BAC lite many variations |
| Berlin | Low quality MRZ (necessary for BAC); Type B sensible to field strength variations; Shielded passports difficult to read; Reader conformity tests are necessary |
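The check order a reader needs in order to tell the two wrongly-personalised Berlin samples apart, and to apply the PKD rule that a Document Signer certificate must be validated by the Country Signing CA certificate and not be revoked, is sketched below as an added example; it is not code from ICAO, OeSD or the Golden Reader Tool. Textbook RSA over toy keys stands in for the X.509 certificates and CMS-signed Document Security Object (SOD) of a real ePassport, and every name, key and data value is constructed for the illustration.

```python
import hashlib

# Toy textbook-RSA keys built from small Mersenne primes so the example runs on
# the standard library alone. Constructed and NOT secure: they only stand in
# for the full-size keys, X.509 certificates and CMS SOD of a real ePassport.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_h(data, key["n"]), key["d"], key["n"])

def verify(pub, data, sig):
    return 0 <= sig < pub["n"] and pow(sig, pub["e"], pub["n"]) == _h(data, pub["n"])

def cert_tbs(cert):
    """Bytes of a Document Signer certificate that the CSCA signs (simplified)."""
    return f'{cert["serial"]}|{cert["pub"]["n"]}|{cert["pub"]["e"]}'.encode()

def sod_tbs(hashes):
    """Bytes of the SOD that the Document Signer signs: one hash per data group."""
    return "|".join(f"DG{n}={h}" for n, h in sorted(hashes.items())).encode()

def issue_ds_cert(csca_key, ds_key, serial):
    cert = {"serial": serial, "pub": public(ds_key)}
    cert["sig"] = sign(csca_key, cert_tbs(cert))
    return cert

def personalise(data_groups, ds_key, ds_cert):
    hashes = {n: hashlib.sha256(d).hexdigest() for n, d in data_groups.items()}
    return {"data_groups": dict(data_groups), "sod_hashes": hashes,
            "sod_sig": sign(ds_key, sod_tbs(hashes)), "ds_cert": ds_cert}

def passive_authentication(doc, trusted_csca, revoked_serials):
    """Return (ok, reason). Checks run from the trust anchor down to the data,
    so the reason names the first broken link and can be shown to the officer."""
    cert = doc["ds_cert"]
    if not any(verify(c, cert_tbs(cert), cert["sig"]) for c in trusted_csca):
        return False, "DS_CERT_NOT_SIGNED_BY_TRUSTED_CSCA"
    if cert["serial"] in revoked_serials:
        return False, "DS_CERT_REVOKED"
    if not verify(cert["pub"], sod_tbs(doc["sod_hashes"]), doc["sod_sig"]):
        return False, "SOD_SIGNATURE_INVALID"
    for number, content in sorted(doc["data_groups"].items()):
        if hashlib.sha256(content).hexdigest() != doc["sod_hashes"].get(number):
            return False, f"DG{number}_HASH_MISMATCH"
    return True, "OK"

# Constructed keys and documents for the demonstration.
CSCA = make_key(2**89 - 1, 2**107 - 1)
DS = make_key(2**61 - 1, 2**127 - 1)
OTHER = make_key(2**61 - 1, 2**107 - 1)      # a signer the reader does not trust
DS_CERT = issue_ds_cert(CSCA, DS, serial=1001)
GENUINE = personalise({1: b"P<UTOERIKSSON<<ANNA<MARIA",
                       2: b"constructed face image bytes"}, DS, DS_CERT)

def sample_documents():
    groups = GENUINE["data_groups"]
    return {
        "genuine": GENUINE,
        # Data group changed after signing: the SOD verifies, the hash does not.
        "incorrect hash": dict(GENUINE, data_groups={**groups, 2: b"other image"}),
        # SOD signature corrupted: must be caught before any hash is compared.
        "faulty signature": dict(GENUINE, sod_sig=GENUINE["sod_sig"] ^ 1),
        # Internally consistent document whose signer chains to no trusted CSCA.
        "signer not in trust store": personalise(
            groups, OTHER, issue_ds_cert(OTHER, OTHER, serial=6666)),
    }

def run_checks(revoked=frozenset()):
    return {name: passive_authentication(doc, [public(CSCA)], revoked)
            for name, doc in sample_documents().items()}

if __name__ == "__main__":
    for name, (ok, reason) in run_checks().items():
        print(f"{name:28} {'PASS' if ok else 'FAIL'}  {reason}")
```

A reader that skips the signature step, as Figure 4 records for Baltimore, would accept the "faulty signature" sample because its hashes still match.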

GEMALTO WHITE PAPER

Moving to the Second Generation of Electronic Passports: Fingerprint biometrics for enhanced security & privacy

Excerpts from the Gemalto White Paper courtesy of Eric Billiaert, Marketing Communications Manager, Identity, Gemalto, July 2007

The European Union has made it clear that a new security mechanism known as Extended Access Control (EAC) is necessary for access protection. EAC implementation is a complex affair and requires skilled handling and cooperation from all EU members throughout the migration process.

The new system requires the set up of a complete Public Key Infrastructure (PKI) and two new security mechanisms. This development has a significant impact on all major players, including governments, national printers, the ePassport industry and citizens.

As the industry moves forward and interoperability tests proceed unabated, it is clear that countries that have yet to broach EAC migration have a lot of work to do. Executed properly, EAC offers huge advances in more secure travel documents and tighter border control, but the deadline is fast approaching.

First Generation ePassports

In the aftermath of September 11, 2001, the US changed its entry requirements and required all countries participating in the Visa Waiver Program to start deploying electronic passports as of October 26, 2006. Subsequently, in December 2004, the European Commission (EC) passed the (EC) 2252/2004 regulation, calling for common technical specifications to enable biometric markers on travel documents. Then, on February 28, 2005, the EC adopted the first phase of the ePassport technical specifications, which set August 28, 2006 as the deadline for all member states to include a facial biometric image on ePassports.

Pioneering states such as Sweden and Norway were first to introduce a fully European- and ICAO-compliant ePassport using facial biometrics in October 2005. Twenty-three other US Visa Waiver countries met the August 28, 2006 deadline.

Second Generation ePassports

The second phase of the technical specifications from (EC) 2252/2004, which called for the use of fingerprints as a second biometric marker in ePassports, was adopted by the European Commission on June 28, 2006. The deadline for compliance is set for June 28, 2009. Under these specifications, when implementing fingerprint images on second generation ePassports access rights to read the fingerprints must be further protected by a security measure called Extended Access Control.

Extended Access Control

First generation ePassports are meant to be easily read. They have also been carefully designed to be tamper- and forgery-proof. The following security measures were implemented with first generation ePassports:

- Passive Authentication (mandatory with ICAO)—Allows reader to check the authenticity of the data stored in the microprocessor. The data is digitally signed by the issuing country.

- Basic Access Control (mandatory for phase one EU ePassports)—Prevents passport reading without the holder’s involvement. To protect against skimming and eavesdropping, a key must be used to gain access to the microprocessor and the communication is encrypted. This requires that the passport be intentionally shown and optically read before access to the chip is granted.

- Active Authentication (optional with ICAO)—Prevents the copying of the microprocessor. The readable data in the microprocessor contains a public key and the corresponding private key is stored in the microprocessor but cannot be read.

- Extended Access Control (mandatory for phase two EU ePassports)—Limits access to additional biometrics to the issuing country and countries that have permission from the issuing country. This capability will be used to protect fingerprints, iris scans (optional) and other privacy-sensitive data.

ICAO recommends the use of EAC to protect fingerprints and iris scans, but leaves the definition of the actual mechanism up to the individual country. The technical specifications for the EU were prepared by the Brussels Interoperability Group (BIG) and approved by EU article 6.

Tightened Security with EAC

The chip authentication stage of EAC is based on a chip-dedicated Diffie-Hellman asymmetric key pair using either DH (PKCS#3) or ECDH (ISO 15946), the latter implementing elliptic curve cryptography. The public part of the key is digitally signed by the issuing country, while the microprocessor contains the matching private portion which can never be read out.

Through chip authentication, the terminal ascertains that the chip possesses the private portion, thereby identifying it as genuine and making chip cloning unfeasible. An attacker trying to clone the ePassport faces the practical problem of computing the microprocessor’s private key given the public elements (which can always be obtained freely). Carrying out this task is commonly referred to as the Discrete Logarithm problem and requires massive computational resources even for practical key sizes.

A brute-force attack, where the attacker gathers as much computational power as possible and implements the fastest known discrete-log extraction algorithm (currently GNFS) would typically require 2^73 (respectively 2^103) operations for a 1024-bit (resp. a 2048-bit) DH public key, and 2^128 operations for a 256-bit ECDH public key. This represents several decades of unceasing computations over a large-scale computer network and by far exceeds the limits of practicality.

Extended Access Control consists of three phases: Basic Access Control (BAC), followed by; Chip Authentication, and; Terminal Authentication. Basic Access Control is used to prevent skimming and eavesdropping. This is achieved by encrypting the communications using a symmetric key obtained and created by reading the optical data in the Machine Readable Zone (MRZ). Chip Authentication performs the same function as Active Authentication in the ICAO standards, i.e., proving the microprocessor is genuine and thus protecting the electronic passport against cloning. It will also enhance the BAC security mechanism by replacing the encryption key with a totally random key. Terminal Authentication aims to prove to the microprocessor that the terminal is allowed to access the data on the microprocessor.

This access is granted through a chain of certificates, the root of which is the passport issuer. In other words, only the issuer of the passport controls who can access the data on the document. The introduction of EAC will not make the security mechanisms of BAC obsolete, but it will supplement them. In the future, the entire reading process for a biometric ePassport will always be carried out in three consecutive steps: Basic Access Control, Chip Authentication and Terminal Authentication.

How Does EAC Work?

In the Chip Authentication stage, when the reader authenticates the microprocessor, a standard PKI challenge-response process between the reader and the microprocessor is used whereas Terminal Authentication process is a somewhat more complex system.

To decode the encrypted data contained on an ePassport microprocessor, the border control authorities of the visited country must request authorization to access the passport holder’s fingerprint data from the home country where the ePassport was issued. Friendly countries will have mutual agreements in place that enable their border control authorities to share information.

Subsequently, a specially adapted key agreement protocol will allow both the issuing and inspecting countries to generate the same secret and unique key, which is contained within every second generation passport, to access the information needed. Every second generation ePassport can use the secret key to establish a secure communication channel with an inspection system at a border control post and to prove that it is the original passport and not a counterfeit. The trustworthy public key allows the ePassport mechanism to verify the credentials presented by the inspecting party and then permit or deny access to biometric data.

The fact that with EAC the ePassport challenges the inspection system before providing sensitive data ensures that the passport issuer retains control over who is allowed to view the secure data stored on an ePassport’s microprocessor, since each government controls the issuing of credentials to the border control posts of other states. Second generation ePassports are thus armoured against counterfeiting and can protect their biometric data more securely (see Figure 1, below).

FIGURE 1

EAC Terminal Authentication

Parties shown in the diagram:

Country B: Issuing authority (CVCA, Country Verifier Certificate Authority)

Country A: Passport control authority (DV, Document Verifier)

Country A: Border control location (e.g., harbour, airport) or a single reader device (IS, Inspection System)

Country B: Passport

1. CVCA certificate from the issuing country is stored on the passport chip during passport personalization. This certificate will be used to verify the inspection system's certificates (access rights to fingerprint data) in the passport reading step.

2. Country B certifies (i.e., gives permission to) Country A’s passport control authority to authorize their access to read the fingerprint data from Country B’s passport.

3. Country A’s border controlling authority certifies (i.e., gives permission to) its border control locations or individual devices (Inspection Systems) to have access to read the fingerprint data from Country B’s passport.

4. Country A’s border control reader (Inspection System) shows Country B’s passport its authorization to access the fingerprint data on the chip.

5. Country B’s passport allows reading of fingerprints once the inspection system has proven its authorization from Country B.
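The five steps of Figure 1 can be followed in code. The Python below is an added example, not code from ICAO or any ePassport supplier: the toy RSA keys, certificate fields, holder names, dates and the data-group labels DG3/DG4 are assumptions made for illustration, and it assumes the chip grants only rights that appear in every certificate of the chain.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

E = 65537  # public exponent shared by every toy key below


def make_key(p, q):
    """Toy RSA key from two known primes. Illustration only: no padding, small modulus."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(key, msg):
    return pow(_digest(msg, key["n"]), key["d"], key["n"])


def verify(n, msg, sig):
    return pow(sig, E, n) == _digest(msg, n)


@dataclass
class Cert:
    holder: str
    issuer: str
    public_n: int       # holder's public modulus
    rights: frozenset   # data groups the holder may read (assumed labels)
    not_after: date
    sig: int = 0

    def tbs(self):
        """Bytes covered by the issuer's signature."""
        return repr((self.holder, self.issuer, self.public_n,
                     sorted(self.rights), self.not_after.isoformat())).encode()


def issue(issuer_name, issuer_key, holder, holder_key, rights, not_after):
    cert = Cert(holder, issuer_name, holder_key["n"], frozenset(rights), not_after)
    cert.sig = sign(issuer_key, cert.tbs())
    return cert


class Chip:
    """Passport chip holding the CVCA public key written at personalization (step 1)."""

    def __init__(self, cvca_n, today):
        self.cvca_n, self.today = cvca_n, today

    def terminal_authentication(self, chain, nonce, nonce_sig):
        if len(chain) != 2:
            raise PermissionError("expected a DV and an IS certificate")
        key_n, rights = self.cvca_n, None
        for cert in chain:                      # DV certificate, then IS certificate
            if not verify(key_n, cert.tbs(), cert.sig):
                raise PermissionError("bad signature on " + cert.holder)
            if cert.not_after < self.today:     # certificates must be renewed periodically
                raise PermissionError(cert.holder + " certificate expired")
            rights = cert.rights if rights is None else rights & cert.rights
            key_n = cert.public_n               # the next link is checked with this key
        if not verify(key_n, nonce, nonce_sig):  # step 4: terminal answers the chip's challenge
            raise PermissionError("terminal did not prove possession of the IS key")
        return rights                           # step 5: what the chip will release

    def attempt(self, chain, nonce, nonce_sig):
        try:
            return ("granted", sorted(self.terminal_authentication(chain, nonce, nonce_sig)))
        except PermissionError as err:
            return ("denied", str(err))


# Constructed sample data: Mersenne primes give reproducible toy keys.
CVCA_B = make_key(2**89 - 1, 2**107 - 1)   # Country B issuing authority
DV_A = make_key(2**61 - 1, 2**127 - 1)     # Country A passport control authority
IS_A = make_key(2**521 - 1, 2**607 - 1)    # Country A border control reader
DV_CERT = issue("CVCA-B", CVCA_B, "DV-A", DV_A, {"DG3"}, date(2008, 6, 30))           # step 2
IS_CERT = issue("DV-A", DV_A, "IS-A-0001", IS_A, {"DG3", "DG4"}, date(2007, 12, 31))  # step 3
NONCE = b"constructed chip challenge"
TODAY, LATER = date(2007, 10, 1), date(2008, 1, 15)

if __name__ == "__main__":
    answer = sign(IS_A, NONCE)
    print(Chip(CVCA_B["n"], TODAY).attempt([DV_CERT, IS_CERT], NONCE, answer))
    print(Chip(CVCA_B["n"], LATER).attempt([DV_CERT, IS_CERT], NONCE, answer))
```

The second call is refused because the Inspection System certificate has passed its expiry date, which is why the renewal of these certificates is an operational requirement and not only a policy one.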

The Implications for Key Players

All players involved in enrolment, passport manufacturing, personalization and border control processes must consider that many complex competencies will be involved in second generation ePassport deployments, some of which are completely new. These competencies include the following:

Cryptography and advanced authentication techniques.

Implementing new EAC compliant operating systems on the microprocessors in use.

Management of a PKI certificate authority, responsible for the registration of public keys, revocation of certificates, etc.

Biometric data capture, storage and matching of configurations in accordance with both high security standards and strict privacy policies.

Capture of enrolment data material, preparation and formatting.

Authenticating individuals’ identities with the appropriate government entities and verifying that the applicant provides valid ID credentials.

Establishing a chain or network of trust, especially internationally.

The Impact on Enrolment

The most obvious requirement for second generation ePassports are the reader stations that will be installed for fingerprint collection at passport application agencies.

The least visible element—to citizens—is how to protect fingerprint privacy all the way from enrolment to personalization.

As the purpose of EAC is privacy protection, security issues become apparent not only when the fingerprints are housed on the microprocessor, but also throughout the whole application and issuing process. Even the staff operating the passport enrolment system must not have access to an individual’s fingerprints.

To avoid heavy and expensive security mechanisms for enrolment stations, systems based on PKI technology have been developed and can conveniently be used to satisfy these privacy requirements. The system used for securing privacy for the whole issuing chain—from enrolment to personalization—is termed “end-to-end” privacy.

The Impact on Passport Manufacturing

When implementing second-generation ePassports, the biggest change for passport booklet manufacturers and security printers is the passport cover or datapage containing the microprocessor that meets all the interoperability and security requirements set by EAC. Compared to first generation ePassports, there is a vast set of requirements that needs to be fulfilled. First of all, a fully EAC-compliant operating system must be used. In addition, 32 KB microprocessors are not big enough. A minimum 64 KB memory capacity is needed as MRZ and passport holder data take up some 5 KB, facial images 20 KB, and fingerprints some 10 KB each.

There is also a requirement from the EU which stipulates that the operating system on the microprocessor must be security certified. This security certification must be done following the international Common Criteria process designed for evaluating secure IT systems. The context of the second generation ePassport evaluation—a document entitled the Protection Profile—has been developed by European national standard bodies and security organizations like BSI (Bundesamt für Sicherheit in der Informationstechnik) and DCSSI (Direction Centrale de la Sécurité des Systèmes d’Information) with support from the industry. It was endorsed in EU Article 6.

The purpose of the certification is to provide an independent 3rd party evaluation that guarantees that security mechanisms in ePassports’ contactless microprocessors are robust enough to withstand even the most sophisticated intrusion attacks. Operating system and electronic datapage (paper, polycarbonate…) suppliers will take care of the operating system development and CC security evaluation, ensuring a smooth and convenient transition for passport manufacturers.

The Impact on Personalization

There are several new challenges facing personalizers, mostly centring around security and productivity. New data and keys must be prepared, requiring updates of numerous systems at the personalization site. Implementing EAC will require changes for the key management system,

Second Generation ePassports Key Challenges for Governments and Border Control Authorities

At the enrolment stage, to create the infrastructure to capture fingerprints.

At the production stage, to ensure privacy and secure storage of personal data.

At the border control stage, to adapt the infrastructure to biometric verification.

as unique asymmetric Diffie-Hellman keys are to be generated for each passport and more certificates need to be incorporated on the microprocessor. It is also important during the personalization stage to protect fingerprint privacy before the data are securely stored on the passport microprocessor. This is achieved through end-to-end privacy between enrolment and personalization.

It is important to remember that, after personalization, readers used for passport quality assurance must perform both Chip Authentication and Terminal Authentication to verify the certificate confidence chain from the issuing authority (CVCA, or Country Verifier Certificate Authority), to get access rights to read the data from the microprocessor, and finally to confirm their accuracy. As in normal Terminal Authentication during border inspection, these certificates must also be renewed periodically.

Also, while some 25 KB of data were loaded on the microprocessor with first generation of ePassports, some 45 KB must be loaded on the microprocessor for EAC passports. This has an effect on productivity unless the latest personalization technologies are put in place to offset the expected time increases.

The Impact on Border Patrol

As with enrolment, the most visible aspect for users during border control is that new reader stations for fingerprint reading will be installed. Not only will fingerprint scanners be installed, but the entire border control reader must be compatible and equipped with the document authentication software linking to the passport controlling authority (DV, Document Verifier). In practice, this means that the whole reader system needs to be updated.

This in turn means that the whole PKI scheme required by EAC must be extended to the inspection system on borders in order to be able to propagate, verify, and revoke numerous certificates. In addition, the inspection systems at border control stations must be compatible with several algorithms such as RSA and elliptic curves in the various passports they’ll need to process.

The amount of data read from the microprocessor will be twice as large compared to first generation ePassports. The EAC mechanisms and the enhanced security calculations on the microprocessor are to be performed as well, with all of these factors resulting in increased inspection times unless newer readers are employed. With top-quality readers and operating systems, the impact on reading times will still be less than three seconds compared to first generation ePassports.

The Impact on Governments and Citizens

EAC stands a good chance of success as long as governments support this evolution with an adequate framework of laws, manpower and infrastructure. In almost all EU countries, the introduction of biometric passports has legislative implications and regulations must be adapted or revised.

New technologies such as smart cards, biometrics and contactless technology have gained attention and their usefulness is becoming better understood, but questions of privacy and security continue to hold the prevailing political focus. Countries that have successfully tested eID schemes recognize the importance of safeguarding citizens’ privacy and communicating the potential benefits of these new solutions, and public opinion and the activities of pressure groups can potentially influence how second generation ePassport mechanisms are designed and accepted during this development stage.

Uniquely, the EAC protocol requires authorization from the ePassport issuer to allow certain specific data groups to be read by specified groups of readers. Without this protection, anyone with the necessary technical skills could read all the

data on a passport. When implemented, EAC will have the effect of strengthening all the other security measures because the protocol will not operate as a stand-alone element.

EAC-equipped readers will link back to national Public Key Directories (PKD), meaning that the Passive Authentication need no longer blindly trust the document signer certificate held within the ePassport. Instead, this certificate can be validated against the country signer certificate in the PKD.

In such a scenario, governments will provide a second and more significant block of security infrastructure for the benefit of the citizens of the issuing countries. This enhanced security of digital identities eliminates the threat of identity theft, thus addressing privacy concerns, while increased service levels via automated gates and fast track lines can slash queuing times by a third.

The Current Status of Second Generation ePassport Implementations

In August 2006, Singapore implemented a biometric passport including fingerprints and a related security scheme. The implementation of BioPass—as the Singapore ePassport is known as—has gone smoothly according to authorities.

Some privacy concerns have been voiced over the introduction of biometrics in travel documents. The authorities have clearly stated that biometric technology will not restrict civil liberties, that it will make it more difficult for terrorists to assume false identities, and that it will also facilitate legitimate travel since accurate identity verification will be made easier. This is a national initiative.

In the EU, the Brussels Interoperability Group (BIG) was formed in 2006 to resolve the technical issues related to the development, implementation and application of EAC in the member states. The group’s tasks include finalizing the certificate policy for EAC, setting up a pilot implementation, and providing guidelines to EU member states on the implementation of technical specifications.

Preliminary EAC interoperability sessions were held in December 2006 in to ascertain the level of common understanding of the EAC specifications. After this session, comments and clarifications were posed by countries and manufacturers to improve the previous specifications. In mid-March, 2007, an official interoperability session was held in Prague where all the EAC passports inspected with an official inspection system successfully passed the test. This proved that EAC interoperability is guaranteed on a local scale.

Nevertheless BIG members considered that more complete cross tests were necessary to enhance the interoperability of the global system. In May 2007, the Portuguese Aliens and Borders Service (SEF) in Lisbon hosted the interoperability tests performed by various European Countries set up by BIG of the European Commission. The goal was to check the proposed EAC test suite specifications developed by the ad hoc group (participants from , Germany, Joint Research Centre, The Netherlands, UK) with verification of the certificate update in the ePassport.

This was a new release for the majority of suppliers. Preliminary results of test suites illustrated firstly that the AFNOR-BSI specifications have been well defined and well understood by developers, and secondly that the four tools are well-advanced and therefore most of the ePassports were tested successfully. Two methods for certificate verification were used, and results should be considered as indicators of an advance in the two specifications (passport and test tools), taking into account that developers had only two weeks to prepare.

For countries and members of the industry this is good news, as a choice in test platforms means the availability of competitive tools. However, developing test tools with complete specifications does take time, and therefore a commitment for September 2007 is crucial. Pilot tests are set to begin in several countries by this time, and full-scale interoperability testing of EAC readers and passports between countries is planned to take place in 2008. For a more complete timeline please refer to Figure 2 on page 25.

FIGURE 2

Timeline of International interoperability tests of EAC hardware and software solutions.

[Timeline graphic covering 2005 to 2009. EU milestones: EU regulation took effect; EU ePass specification; EU first step ePass (face, BAC); EU second step ePass (face, 2 fingerprints, EAC). EAC activities: specification, pilots, interoperability tests. US milestones: ePass issuing; digital photo for entry; ePass for entry.]

Conclusions

In a world where international terrorists and criminals are becoming ever more sophisticated in their use of cutting-edge technology, it is imperative that national agencies charged with securing borders stay one step ahead by employing systems and processes that can foil any attempt to gain illegal entrance through border checkpoints.

The second generation of ePassports with fingerprint biometrics is one more tool that agencies can use in order to ensure that the person presenting a passport to a border guard is, in fact, the person represented on the travel document. Extended Access Control through the use of strong encryption and PKI-based public/private key pairs to ensure impenetrable data transmission will provide enhanced border security for years to come.

EU countries are expected to introduce second generation ePassports by mid 2009. To succeed with such a challenging but achievable goal, government agencies and state printers should liaise with global technology partners able to integrate the new document production processes.

Key Priorities per Sector

Passport Booklet Manufacturers

Select new, higher performance microprocessors together with EAC compliant operating systems in inlays, in passport cover, in polycarbonate datapage.

Enrolment System

Implement biometric data capture, storage and matching of configurations (in accordance with both high security standards and strict privacy policies).

Install fingerprint scanners at passport application premises.

Personalization Site

Update key management system for massive key generation and management of fingerprint end-to-end privacy.

Update quality control stations with Inspection System and Document Verifier functionality so that they can simulate border control terminal authentication.

Use state-of-the-art personalization technologies to offset personalization time increase and avoid throughput deterioration.

Governments

Set up and manage a Public Key Infrastructure (PKI) certificate authority (registration of public keys, revocation of certificates, etc.).

Create a chain or network of trust, especially internationally.

Border Control

Install fingerprint scanners.

Update/renew the border control reading systems to be compatible to and equipped with the document authentication software with a link to the passport controlling authority (DV, Document Verifier).

MRTD TRAINING eLearning for ePassports

WHEN ICAO WENT SHOPPING FOR THE IDEAL SOLUTION TO PROVIDE STATES WITH THE BACKGROUND AND KNOW-HOW THEY WOULD NEED ON MRTD ISSUES, AINE NI FHLOINN AND InHOUSE TRAINING HAD AN AFFORDABLE, CUSTOMIZED SOLUTION AVAILABLE FASTER THAN YOU COULD SWIPE A CHIP PAST A READER.

Aine Ni Fhloinn, Director, InHouse Training

In April 2005, ICAO met with representatives from InHouse Training (www.inhousetraining.ie) to discuss the options available for online training and examination tools that could be developed to assist States and authorities with their implementation needs for ePassport technology.

In the course of these preliminary discussions, several key factors were noted that made it apparent that the online approach would be uniquely suited to the training needs surrounding ePassport learning requirements:

1. As e-learning only requires web facilities such as browsers and network access, participants are free from agenda and travel management.

2. Shared training provides for the enhanced communication essential for cross border communication, helping to both resolve interoperability challenges and increase the amount of feedback reverting to ICAO. This feedback is essential to the Organization’s ongoing activities relating to the maintenance and development of standards.

3. For officials involved in implementation, eLearning (online standardised training) provides co-ordinated programs across diverse geographical areas, lower costs, ensured quality levels and improved vendor selection and relationships. Online testing capabilities offer further assurances relating to skill level attainment.

4. Vendors and implementers benefit from shared understanding because it leads to more effective and innovative products/services.

It became clear from these early discussions that ICAO needed to offer exceptionally affordable training that would support the Organization’s inclusive international culture. In response to this need, but still cognizant of the fact that even online programs require development investment and hosting costs, Aine Ni Fhloinn, Director of www.inhousetraining.ie, suggested a novel solution.

“In an ideal world, learning would never be blocked by lack of funding,” began Ms. Ni Fhloinn. “Though we may not live in an ideal world, online approaches often allow us to rethink traditional training and business models. Our approach was simply to de-couple certification (the result of a successful exam) and the quality learning experience that ICAO was seeking to provide. By providing the training free of charge, countries facing budget pressures could still participate equally—regardless of internal budgets.”

By virtue of this approach, countries, vendors and individuals with more accommodating training budgets still retain the opportunity to become certified, but the need for certification doesn’t create an obstacle to parties seeking merely to develop their skills. On the merits of this approach and their excellent track record in providing quality e-learning courses, InHouse Training was awarded the exclusive right to use ICAO’s logo in identifying and marketing their MRTD course.

The courses themselves were developed using 3D animation software and Adobe Flash technology. In effect, every animation sequence (each step in a unit) is a miniature movie. The course interface and all the artwork are original and designed to enhance the e-learning experience.

The animations used fall into two categories: ‘photorealistic’ for a primary story telling sequence (with characters); and ‘silhouettes’ for faster illustration purposes (bullet points). “This animation style strongly aids the learning process, including memory recall,” commented Ms. Ni Fhloinn. “At the same time it makes for an attractive and very user-friendly course.”

The exams themselves are open book and self-managed. The State University of New York University at Buffalo (UB) administers quality assurance and provides requested certifications for course exams. UB is one of America’s oldest medical universities and has a history of research into identification technologies. It was the first university in the world to dedicate a research centre to the area of biometrics. Open book exams are suited to a working environment where continuous learning plays a role in everyday operations. As identification technology evolves, the learning habit (including accessing learning resources) is as important as the content to be learned. Self-managed exams support learning habits as well as a positive certification experience.

“The objective of our certification process is not to pass or fail individuals, it is to provide concrete, measurable results,” continued Ms. Ni Fhloinn. “We believe Certification will be most useful for decision makers who need to benchmark companies and individuals offering MRTD-related products and services.”

A free quick quiz that exactly replicates the format of a formal exam is available for all of the online training courses. The courses and exams are currently only available in English, but based on demand they will later be translated for the convenience of the broader ICAO community.

InHouse Training is looking forward to feedback and suggestions from all those taking courses and exams. Ms. Ni Fhloinn will be in Montreal this October and welcomes any interested parties to contact her while she’s there (email: [email protected]).


PUBLIC KEY DISTRIBUTION

How to Obtain CSCA Certificates: The CSCA Overview List By Sjef Broekhaar and Jan Verschuren, Ministry of the Interior and Kingdom Relations, The Netherlands

WITH THE INTRODUCTION OF E-MRTDS, A NEW PHENOMENON HAS BEEN INTRODUCED—THE DISTRIBUTION OF PUBLIC KEYS TO VERIFY THE INTEGRITY AND AUTHENTICITY OF THE INFORMATION STORED ON THE ELECTRONIC MEDIUM (CHIP). ACCORDING TO ICAO SPECIFICATIONS THERE ARE TWO LEVELS: THE COUNTRY KEY, INCORPORATED IN THE CSCA CERTIFICATE, AND; THE DOCUMENT SIGNER KEY (CONTAINED IN THE DS CERTIFICATE). FURTHERMORE, A CERTIFICATE REVOCATION LIST (CRL) IS ESSENTIAL IN THE VERIFICATION PROCESS.

ICAO currently requires that the CSCA Certificate be distributed by bilateral means, preferably via diplomatic channels. No other specific mechanism for bilateral exchange other than ‘diplomatic exchange’ is defined in the technical report.

Some countries have experience with this manner of distribution but face difficulties in order to find the right contact person in a ministry or organization. The NTWG was looking for a new solution for distribution of the CSCA Certificates and what follows is a suggested approach. In the new solution the International Forum for Travel Documents (IF4TD, see ICAO MRTD Report, Volume 1, Number 2) will play a key role in indicating where and how the CSCA Certificates can be obtained. Since approximately 90 per cent of the countries issuing an e-MRTD are members of the IF4TD, this would be a logical step.

How does it work? In the members profile of a country or organization an extra field is integrated entitled: “CSCA Certificate.” In this field the issuing body can add the following information: “How to obtain the CSCA Certificate,” “Website,” “Contact Person,” “General e-mail address,” “CSCA Version,” “CSCA Verification Value Created by means of” and, if necessary, “Additional information.”

The completed field in the members profile has to be sent to the Regional Representative of the IF4TD. This contact person will insert the information into a draft version on the IF4TD web site. When the information is entered the providing body is asked to check the details and, if they confirm the accuracy of the content, the information is published on the public site and made accessible to all members of the IF4TD.

As an additional measure, a hard-copy CSCA Overview List (COL) is created. The COL consists of the same fields as published on the IF4TD web site, as well as an extra check possibility, namely the fax number. The COL will be sent to ICAO Headquarters for publication on their web site: www.icao.int/mrtd.

The COL provides control authorities an overview with locations and contact points for requesting CSCA Certificates. The trust in the obtained CSCA Certificates can be improved if there are several different ways of checking their authenticity, therefore it is important to check first the authenticity of the downloaded COL from the ICAO web site. This can be done by checking the COL against the published one at the IF4TD web site or to request a copy of the COL by sending an e-mail to [email protected].

Secondly it is advised to use more than one contact point on the COL to request and verify the specific CSCA Certificate before using the Certificate in an Inspection System.

Countries or international organizations who are already issuing e-MRTDs and want to publish their CSCA Certificates can contact one of the authors: Sjef Broekhaar or Jan Verschuren, Ministry of the Interior and Kingdom Relations, The Netherlands (Sjef Broekhaar e-mail is noted just above).
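The cross-check described above can be scripted before a CSCA Certificate is loaded into an Inspection System. The Python below is an added example, not a tool from ICAO, the IF4TD or the authors: the function names and channel labels are assumptions, the certificate bytes are constructed, and the only real value is the Norway entry copied from the Overview List in this issue.

```python
import hashlib
import hmac

# Digest functions named in the COL "Created By" column, with output length in bytes.
DIGESTS = {"SHA-1": (hashlib.sha1, 20), "SHA-256": (hashlib.sha256, 32)}


def parse_value(text):
    """Turn a COL verification value such as '2f b8 03 ...' into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def fingerprint(data, algorithm):
    """Format a digest the way the COL prints it: hex bytes separated by spaces."""
    return DIGESTS[algorithm][0](data).digest().hex(" ")


def check_csca(hashed_bytes, col_copies):
    """Compare received certificate material with COL copies from independent channels.

    hashed_bytes: the certificate bytes, or the public key bytes when the COL entry
                  reads 'SHA-1 (of Public Key)' (key extraction is outside this sketch).
    col_copies:   {channel name: (algorithm, verification value text)}
    Returns (ok, reason).
    """
    if len(col_copies) < 2:
        return (False, "need the COL entry from at least two independent channels")
    entries = set()
    for algorithm, value in col_copies.values():
        algorithm = algorithm.split("(")[0].strip().upper()
        entries.add((algorithm, "".join(value.split()).lower()))
    if len(entries) != 1:
        return (False, "COL copies disagree")
    algorithm, value = entries.pop()
    if algorithm not in DIGESTS:
        return (False, "unsupported digest " + algorithm)
    digest_fn, size = DIGESTS[algorithm]
    try:
        published = parse_value(value)
    except ValueError:
        return (False, "verification value is not hex")
    if len(published) != size:
        return (False, "verification value has the wrong length for " + algorithm)
    if not hmac.compare_digest(digest_fn(hashed_bytes).digest(), published):
        return (False, "fingerprint mismatch")
    return (True, "match")


# Constructed stand-in for the bytes of a certificate received from a contact point.
SAMPLE_CERT = b"constructed stand-in for the DER bytes of a received CSCA certificate"
# Verification value printed for Norway in the Overview List of this issue.
NORWAY_COL_VALUE = "2f b8 03 37 e2 59 54 85 70 49 42 05 e7 64 7f 2b dc bc c6 09"

if __name__ == "__main__":
    value = fingerprint(SAMPLE_CERT, "SHA-1")
    copies = {"ICAO web site": ("SHA-1", value), "IF4TD web site": ("SHA-1", value)}
    print(check_csca(SAMPLE_CERT, copies))
    copies["fax"] = ("SHA-1", NORWAY_COL_VALUE)
    print(check_csca(SAMPLE_CERT, copies))
```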

CSCA CERTIFICATES OVERVIEW LIST

Contact Points and Locations–Version 3, September 2007

| Country | How to Obtain the CSCA | Contact Person | General E-mail Address | Fax Number | Website or LDAP Address | CSCA Version & Validity | CSCA Verification Value | Created By |
|---|---|---|---|---|---|---|---|---|
| | Request via e-mail to: luc.corbeels@diplobel.fed.be | Mr. Luc Corbeels | Josephus.hendrikx@diplobel.fed.be | +32.2.501.8701 | N/A | Year: 2004 Version: 01 | 27 b5 ce 14 7b 1e 3b 9d 11 ff e1 7e 99 d9 99 82 c8 69 b8 58 | SHA-1 |
| Thailand | | | | | | | | |
| Sweden | | | | | | | | |
| Norway | Request via e-mail | Mrs. Ellen Thorvaldsen | [email protected] | +47.61.318.001 | N/A | Year: 2005 Version: XX | 2f b8 03 37 e2 59 54 85 70 49 42 05 e7 64 7f 2b dc bc c6 09 | SHA-1 |
| Australia | | | | | | | | |
| Germany | Via website or e-mail | Mr. Dennis Kügler | csca-germany@bsi.bund.de | +49.22.8958.2722 | www.bsi.de/csca | 2005, serial: 00df; relative distinguished name = ”SN=001” | 6e 7e be 85 98 e7 8f a1 b0 61 a6 12 74 a8 4f 9e d2 2e df c7 | SHA-1 (of Public Key) |
| | | | | | www.bsi.de/csca | 2005, serial: 00df; relative distinguished name = ”SN=002” | 61 f0 c0 95 23 27 5f 9d 92 f9 83 bf 4d ef f5 34 35 6b 32 06 | SHA-1 (of Public Key) |
| New Zealand | | | | | | | | |
| United Kingdom | | | | | | | | |
| Japan | Via Diplomatic Channel in each country (primary method) or via general e-mail. | Ms. Noriko Nishimura | pki.passport@mofa. jp | +81.3.5501.8166 | N/A | N/A | N/A | N/A |
| France | | | | | | | | |
| Singapore | | | | | | | | |
| Iceland | | | | | | | | |
| Austria | Via website | Mr. Robert Gottwald | [email protected] | +43.1.90600.39709 | www.bmi.gv.at/csca | 2006 V3 Serial Number: 01 Valid from: 09-06-2006 till 12-09-2021 | 46 7b 29 82 26 4c 05 b1 16 37 2b b2 2e aa 7a 5b 32 db 8f fa 9c 70 5a db 85 71 c3 ac 06 b8 12 6c | SHA-256 |

33 RDRpr ubr2–2007 – 2 Number – Report MRTD 11 37 64 9b 67 67 9b 64 11 37 3b d4 d4 c4 a0 2a c4 19 4f ec de f5 c4 e1 85 de f5 e1 c4 01 29 fe dd b9 Encryption c8 5f 47 3b 10 74 (1.2.840. b7 78 3e 27 113549.1.1.11) 2f ba c2 40 15 47 37 ba 7f 53 c0 92 7b 02 82 f5 87 68 ce 26 df 9c cb 56 69 ff 52 (41 9e 65 23) 7d 64 6c 88 f8 11-09-2016f4 ac 02 0e 71 24-11-2016e1 89 78 04 66 20-10-2021 0b 0853 61 eb nl/echtheidsken-merken/csca 21-08-2006 30-08-2014 fd bf 6d 65 ef e5 5a 8b 11 fd gov.si/eindex.htm41 de 7e dc b5 RSA With dnielectronico.es dnie.es:389 20-07-2006 36 el 30 ca b5 intermin.fi fi/cp-csca/ 12-06-2006 43 2f 88 1b 73 Dedemadis gov.gr from 24-08-2006 16 33 89 12 2e country Via websiteVia Rakshit Tommi Mr. ePassport.Finland@ websiteVia +358.9.1604 2223 Jan Verschuren Mr. http://www.fineid. [email protected] +31.70.356.0066 2006 valid websiteVia https://www.bprbzk Georgios Mr. e5 2006 valid 2f 6f 2d 9d gr [email protected]. +30.210.7296229 SHA-1 f2 8a 97 71 http://www.passport. f4 2006 version 1 SHA-1 ec bc ad e3 9b SHA-1 Diplomatic Via Channel in each Czarnecki Rafal Mr. sekretariat.drr@ +48.22.602.8215 N/A mswia.gov.pl 2005, V3 19 35 7f 69 17 SHA-1 website Obtain CSCAObtain Contact Via Person Michael Holly Mr. Ca-cst-pki-ops@ LDAP site Via +1.202.663.2654 Address Juan Crespo Mr. N/A oficinatecnica@ state.gov +34.91.890.2018 Ldap://ldap. 2004 Year 2006 valid f0 2a 8c 1b 77 LDAP Address ac SHA-1 37 f5 8a 69 & Validity SHA-1 Value e-mail, Via In the near Ales Pelan Mr. Serial Number [email protected] d3 +386.01.4788.649 42 a4 34 8b http://www.csca-si. 
June 08, 2006 3a 88 a2 88 91 SHA-256 future via the MRTD Report – Number 2 – 2007 Finland Netherlands Greece CSCA CERTIFICATES OVERVIEW LIST–CONTINUED FROM PAGE 33 CSCA PAGE FROM CERTIFICATES OVERVIEW LIST–CONTINUED 3, September 2007 and Locations–Version Contact Points Country the to How Portugal United Person Contact States E-mail General Portugal Spain Number Fax or Website CSCA Version CSCA Verification By Created Lithuania Lithuania Luxembourg Slovenia

34 1f f3 b6 16 5a 89 8c 4c a2 b1 71 c7 b7 5a 01 SN=1 da c8 b8 ca db Serial Number 5e d5 31 1e 56 index.html?lang=de b0 20 0b 88 68 88 0b 20 index.html?lang=de b0 or admindir.admin.ch (port389) 16 76 1b dc 11 kontakty/csca.html V3. Version: f6 92 c0 10 9a RDRpr ubr2–2007 2 – Number – MRTD Report Obtain CSCAObtain Address LDAP Address & Validity Value Via website or Via e-mail or LDAP Roman Vanek Mr. schweizerpass@ +41.31.324.14.10 http://www.bit.admin. 01 2006, Version: fedpol.admin.ch a2 b6 d6 63 b2 SHA-1 ch/adminpki/00247/ 33 61 91 4d 30 country for now. country for Via website Via Libor Pokorny Mr. [email protected] +420.974.816.823 http://www.mvcr.cz/ 24/07/2006 a8 96 7d c0 4a SHA-1 Diplomatic Via Channel in each Helar Laasik Mr. [email protected] +372.666.2721 N/A 2007 Year: 2f 86 7b e3 4a SHA-1 = EU Member State Country Country the to How Czech Person Contact Republic E-mail General Switzerland Number Fax Andorra or Website San Marino Ireland Liechtenstein CSCA Version Italy CSCA VerificationHong Kong SAR By Created Estonia

IMPLEMENTATION UPDATE

Maldives Make Move to ePassport

FIRST SOUTH ASIAN COUNTRY TO IMPLEMENT ICAO-COMPLIANT BIOMETRIC TRAVEL DOCUMENTS

Seeking to reinforce its existing visa-exemption agreement with the UK and to enhance the security of its travel documents, the Maldives have become the first South Asian nation to make the move to the ePassport.

The move comes on the heels of recent US visa-waiver requirements concerning ePassports and the expectation that the UK with whom the Maldives currently enjoys visa-exemption. Making their document state-of-the-art with respect to general security and fraud-protection measures were also important considerations.

The Maldives made the decision last October to move to ePassport technology, setting themselves a very tight deadline to have the program up and running by their Independence Day on 26 July 2007. Despite the mere 10 months of lead time, Maldivian officials, together with their contractors, easily met their target.

“Fortunately we were able to implement the program on time and on budget,” commented Aiman Ibrahim, Head of the Maldivian Travel Document Section. “To help offset some of the production costs—due to the low volumes we require—we bought chips and passports from our partner Oesterreichische Staatsdruckerei (OeSD) and thus enjoyed the benefit of their economies of scale.”

OeSD re-designed the passport layout, leading to a harmonic visual combination of Maldivian art and tradition combined with a variety of overt and covert security features. The new ePassport did not only impress the president at the inauguration ceremony, but also all the citizens that have applied for the new travel document so far.

Apart from the OeSD for the document itself, other suppliers for the Maldivian solution included Iris Corporation for the chip inlays and chip personalization, as well as NXP (former Philips) for the chip. The chip itself features a 72kB storage capacity, which fulfills the requirements for storing both a facial image and two index fingerprints as biometric identifiers, as well as full security mechanisms.

The passport data is protected by Passive Authentication, Basic Access Control and Active Authentication—thus surpassing current ICAO requirements. The ePassports are securely personalized in one central location in the capital city of Male.

Maldivian officials expect to issue 20,000 of their new ePassports per year for the next three-to-five years.

OVERVIEW

Facing the Future

THE ADVENT OF THE ePASSPORT HERALDS A GLOBAL REVOLUTION IN TRAVEL IDENTIFICATION, PERMITTING AIRLINES AND BORDER OFFICIALS AT AIRPORTS TO MORE PRECISELY MATCH DOCUMENTS TO PEOPLE, AUTHENTICATE DATA AND GENERALLY TO PROCESS TRAVELLERS AT AIRPORT CHECKPOINTS AND GATES MORE ACCURATELY AND EFFICIENTLY. THE ePASSPORT ALSO OFFERS SUBSTANTIAL BENEFITS TO THE RIGHTFUL HOLDER BY PROVIDING A MORE SOPHISTICATED MEANS TO CONFIRM THAT THE DOCUMENT IS AUTHENTIC WITHOUT JEOPARDIZING PRIVACY. THE ICAO MRTD REPORT REVIEWS ICAO’S ROLE IN DEVELOPING AND IMPLEMENTING THIS IMPORTANT NEW INITIATIVE.

The need to verify identities to protect the travelling public, as well as to provide countries with higher degrees of certainty regarding individuals entering their borders, has accelerated the adoption of biometric technology in recent years.

In September 2006, ICAO published the two-volume sixth edition of Doc 9303, Part 1, Machine Readable Passports (MRPs). Developed by ICAO’s Technical Advisory Group on Machine Readable Travel Documents (TAG/MRTD), the first volume is comprised of the specifications for the non-biometric MRP, while the second volume contains the specifications for the biometrically-enhanced MRP, or ‘ePassport.’

The ICAO ePassport standard specifies that facial recognition technology will be the primary biometric standard worldwide for travel documents, and that the compressed image of the face will be stored, along with the data from the machine readable zone of the passport, in a contactless integrated circuit (IC) chip embedded into the passport itself.

According to a private study conducted in spring 2006, nearly 70 per cent of consumers worldwide support using biometric technologies administered by a trusted organization (e.g., a bank, government, airline or border control authority) as a way to verify an individual’s identity. The study also found that 66 per cent of consumers worldwide favoured biometrics as the ideal method to combat fraud and identity theft as compared to other methods such as smart cards and tokens.

This use of facial recognition technology to enhance ePassport security and privacy is therefore reassuring to the travelling public in general while providing airline, airport and border control officials with the enhanced identification confirmation tools they were looking for in the aftermath of 9/11. As of March 2007, 34 ICAO Contracting States had begun issuing ePassports to their citizens.

ePassport data will have to be programmed according to a Logical Data Structure as specified by ICAO. To assure the reader of the chip that the data therein, including the facial image, is valid, the ePassport data will be digitally signed and a specially-tailored public key infrastructure (PKI) project has been specified in order to protect the signed data from counterfeiting or unauthorized alteration. This system ensures that any overwriting chip data cannot go undetected.

The public keys (i.e., strings of characters used to encrypt or decrypt information) will be distributed through a central public key directory (PKD) that has been set up by ICAO. The Member States of the TAG-MRTD had recommended that ICAO be the designated organization to oversee the PKD because of its long track record as the developer of MRTD standards, its international stature as a United Nations agency and its substantial interest in document security. The oversight of a central, politically-neutral site overseen by ICAO was seen as essential to a cooperative, interoperable regime for passport security that would be accessible by all Member States.

Equally important is that a central PKD would be publicly accessible to any entity required to verify ePassports, such as airlines, who are on the front lines where the examination of travel documents is concerned. As a deterrent to the fraudulent alteration or counterfeiting of passports, or the use of stolen passports by impostors to gain access to aircraft, PKI represents a potentially very effective anti-terrorism and aviation security measure.

The ICAO Council confirmed the development of a PKD, on a cost-recovery basis, under the aegis of ICAO. The development, implementation and operation of this project involve three major stakeholders: the PKD operator, ICAO and the participants (i.e., an ePassport-issuing State or entity that follows the arrangements for participation in the PKD).

In 2006, the overall design and development of the PKD was approved, various levels of testing were completed and approved, and review and acceptance of the planned PKD facility was finalized. In February 2007, a Memorandum of Understanding (MoU) which set out the arrangements for participation in the PKD, and for its establishment and operation, was approved by the Council. In March 2007, with the receipt of the fifth Notice of Participation in the PKD, the MoU became effective. The PKD Board, the governing body responsible for the oversight and supervision of the PKD, was formally convened in March 2007, and the secure PKD Office was opened at ICAO Headquarters.

Implementation

ICAO has set up a special project to assist those States which have not yet begun issuing machine readable passports with the objective of universal implementation ahead of the mandatory April 2010 deadline as prescribed in Annex 9. ICAO provides assistance in the form of project planning, education and training, arrangements for financing, procurement assistance, as well as start-up project management and/or system evaluation services upon requests from Member States.

As part of this project, two self-financed, worldwide MRTD/Biometrics Symposia were held at ICAO Headquarters in 2005 and 2006. A third Symposium, with an aviation security emphasis, is planned for October 2007, also at ICAO Headquarters.

In June 2006, a biometrics and machine readable passport implementation workshop for the Asia-Pacific Region was held in the Hong Kong Special Administrative Region (SAR) of China, and a Latin American regional symposium on AVSEC-FAL (including MRTDs) was held in the Dominican Republic. Also, in July 2007, a regional conference for European and African Mediterranean States was held in Vienna on document security and ICAO MRTD standards. This conference was held in conjunction with the Organization for Security and Co-operation in Europe (OSCE).

Regional symposia for the Latin American and the African/Middle East regions are planned for 2008–2009.

In 2005, individual UIMRTD assistance projects were implemented in Bhutan, Brazil and Colombia, and in 2006 assistance was provided to 12 States. For the 2008-2010 triennium, ten individual UIMRTD missions to States are planned for each year.

Finally, the 36th Assembly, shortly after the time of this writing, will have voted on several amendments to Appendix D of Assembly Resolution 43/1, Facilitation, regarding international cooperation in protecting the security and integrity of passports. These amendments include the recognition that Member States of the United Nations have resolved, under the Global Counter-Terrorism Strategy, adopted on 8 September 2006, to step up efforts and cooperation at every level, as appropriate, to improve the security on manufacturing and issuing identity and travel documents and to prevent and detect their alteration or fraudulent use; an urging by the Assembly to Member States to issue machine readable passports in accordance with the specifications of Doc 9303, Part 1, and; a request that the Council continue the work on enhancing passport fraud, implementing the related SARPs of Annex 9 and developing guidance material to assist Contracting States in maintaining the integrity and security of their passports and other travel documents.
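The tamper-detection chain this article describes (chip data digitally signed, with the signing keys rooted in the issuing State's PKI) can be made concrete with a short sketch. This is an added example, not ICAO or vendor code: textbook RSA over fixed Mersenne primes stands in for the real signature scheme, the security object is a simplified JSON list of data-group hashes, and every name and data value is constructed.

```python
import hashlib
import json

E = 65537  # public exponent shared by all toy keys in this example


def toy_key(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (assumption: NOT secure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(_digest(data, key["n"]), key["d"], key["n"])


def verify(n, data, sig):
    return pow(sig, E, n) == _digest(data, n)


def encode(obj):
    """Stable byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True).encode()


def personalize(data_groups, ds_key, csca_key):
    """Issuer side: hash each data group into a security object, sign it with the
    Document Signer (DS) key, and certify the DS public key with the CSCA key."""
    sod = encode({"alg": "sha256",
                  "dg_hashes": {str(k): hashlib.sha256(v).hexdigest()
                                for k, v in data_groups.items()}})
    ds_cert = encode({"subject": "Document Signer (constructed)", "n": ds_key["n"]})
    return {"dgs": dict(data_groups),
            "sod": sod, "sod_sig": sign(ds_key, sod),
            "ds_cert": ds_cert, "ds_cert_sig": sign(csca_key, ds_cert)}


def passive_authentication(chip, trusted_csca_n):
    """Inspection side: return a list of failures; an empty list means the chip
    data is exactly what the issuing State signed."""
    # 1. The DS certificate must chain to a CSCA key the inspector already trusts
    #    (obtained via the PKD or bilateral exchange, never from the chip itself).
    if not verify(trusted_csca_n, chip["ds_cert"], chip["ds_cert_sig"]):
        return ["DS certificate not issued by trusted CSCA"]
    # 2. The security object must be signed by that Document Signer.
    ds_n = json.loads(chip["ds_cert"])["n"]
    if not verify(ds_n, chip["sod"], chip["sod_sig"]):
        return ["security object signature invalid"]
    # 3. Every data group read from the chip must match its signed hash.
    signed = json.loads(chip["sod"])["dg_hashes"]
    failures = []
    for num, content in sorted(chip["dgs"].items()):
        expected = signed.get(str(num))
        if expected is None:
            failures.append(f"DG{num} not covered by security object")
        elif hashlib.sha256(content).hexdigest() != expected:
            failures.append(f"DG{num} hash mismatch")
    return failures


# Constructed sample data: DG1 carries the machine readable zone, DG2 the face image.
MRZ = b"P<UTOEXAMPLE<<TRAVELLER (constructed MRZ)"
FACE = b"constructed stand-in for the compressed facial image"


def demo():
    csca, ds = toy_key(1279, 2203), toy_key(521, 607)
    other_csca = toy_key(607, 1279)  # a key the inspecting State does not trust
    chip = personalize({1: MRZ, 2: FACE}, ds, csca)
    overwritten = dict(chip, dgs={1: MRZ, 2: b"different face image"})
    foreign = personalize({1: MRZ, 2: FACE}, ds, other_csca)
    return {"genuine": passive_authentication(chip, csca["n"]),
            "overwritten": passive_authentication(overwritten, csca["n"]),
            "untrusted": passive_authentication(foreign, csca["n"])}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result or "OK")
```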

TAG MRTD REQUEST FOR INFORMATION

ICAO NEW TECHNOLOGIES WORKING GROUP REQUEST FOR INFORMATION 2007/8

BACKGROUND

The International Civil Aviation Organization (ICAO) Technical Advisory Group on Machine-Readable Travel Documents (TAG MRTD) is responsible for the development of specifications for travel documents with the goal of global interoperability. In addition, the TAG MRTD seeks to advise ICAO on technology issues related to the issuance and use of machine-readable travel documents.

The TAG MRTD, through its New Technologies Working Group (NTWG), issues an RFI every three years in order to keep abreast of new and improving technologies. Relevant information gathered during the RFI process is summarised and shared among the 190 ICAO Contracting States. ICAO also considers this information when international standards are developed.

AREAS OF INTEREST

Information regarding technologies that may be used in machine-readable passports, visas and card-based travel documents is sought for consideration. The technologies sought are to assist in the following areas: assessment of applicant eligibility; document security and production; linking documents to holders/bearers; providing reliable authentication of genuine documents; facilitating secure and reliable transit of travellers through airports, seaports and other international border control points.

Interested parties are invited to provide technical, application environment and pricing information for technologies in the following categories:

| Category | Requirement |
|---|---|
| Multi-application data chip environment | Effective methodology for creating a secure multi-application environment within the data chip, where the e-passport application co-exists securely with other applications (e.g., e-government applications). Secure writing and retrieving without compromising the security of the original data is paramount. |
| Self-service facilitation | Technologies and processes suitable for automated self-identification at international borders and/or entitlement facilities that will enable either unattended border crossing or program enrolment. |
| Data mining technologies | Pattern recognition for applicant and staff behaviours to assist in the identification of external and internal fraud. |
| Travel document security concepts | Document security features, innovative data page materials, substrates, binding materials and adhesives, advanced anti-copying devices (e.g., holographic/crystagraphic features or security inks), and security technologies that allow for globally interoperable, machine assisted document authentication and verification. |
| E-government and e-commerce | Electronic online systems that may be applied to secure Internet based passport and visa application processes. Secure communications for multilateral data-sharing. |
| Biometric database management | Integrated ID management tool that enables concurrent, multi-factor biometric searching and matching for profiling and alert management. |
| Biometric verification on the move | Biometric matching in a non-intrusive way with a high tolerance for distance and angles. |
| Portable enrolment and verification stations | Portable multi-modal enrolment enabling the capture and verification of multiple biometrics (particularly fingerprints). |
| Transliteration software | Language software technologies to assist in transliterating non-Latin characters (e.g., Cyrillic or Arabic) into Latin characters. |

CONSIDERATIONS

Interested parties must present their technologies in the context of ICAO Document 9303, which prescribes international format and on-board data storage standards for machine-readable passports, visas, and other official machine-readable travel documents. Interested parties must also be able to substantiate any claims related to performance of the technology proposed.

Proposals will be reviewed against a variety of qualitative and quantitative factors, depending on the category. Generally, this will include such aspects as cost, innovation, and compatibility with current and future document issuance and border control processes. Dependent technologies, reliability, accuracy and speed are also factors that may be considered by the selection panel.

Interested parties should also recognise that in the application of these technologies, the NTWG panel will give particular consideration to the ICAO goals of facilitation, security, and global interoperability.

SUBMISSIONS

Written responses to this RFI must be provided by 26th October 2007 to:

David Philp
RFI Coordinator
ICAO New Technologies Working Group
c/o New Zealand Passport Office
Department of Internal Affairs
PO Box 10-526
Wellington
New Zealand

Interested parties are advised that ICAO is under no obligation to designate any standard or take any further action with any party as a result of this Request for Information. Summary sheets supplied in response to this RFI will be made available to Contracting States. Accompanying information and descriptive literature may also be made available to Contracting States. With the exception of the summary sheets, any other information that is considered non-disclosable to all ICAO Contracting States should be identified as such. Non-disclosable information will be retained exclusively for the use of the government members of the ICAO New Technology Working Group.

Requests for copies of ICAO standards documents (ICAO Document 9303, Parts 1 to 3) should be directed to:

ICAO DOCUMENT SALES UNIT
999 University Street, Montréal, Quebec, Canada, H3C 5H7
Tel: +1 (514) 954-8022
Fax: +1 (514) 954-6769
E-mail: [email protected]
Online access to publications: www.icao.int/eshop/
Online ordering: http://icaodsu.openface.ca/mainpage.ch2

This Request for Information is placed by the New Zealand Passport Office, Department of Internal Affairs in furtherance of its participation in the TAG/MRTD also being a contracting State of ICAO, a United Nations specialised agency. The New Zealand Government and its employees accept no responsibility for the actions or undertakings of ICAO, ICAO participants, or ICAO staff.


GLOSSARY

THIS GLOSSARY IS INCLUDED TO ASSIST THE READER WITH TERMS THAT MAY APPEAR WITHIN ARTICLES IN THE ICAO MRTD REPORT. THIS GLOSSARY IS NOT INTENDED TO BE AUTHORITATIVE OR DEFINITIVE.

Anti-scan pattern An image usually constructed of fine lines at varying angular displacement and embedded in the security background design. When viewed normally, the image cannot be distinguished from the remainder of the background security print, but when the original is scanned or photocopied the embedded image becomes visible.

Biographical data (biodata) The personalized details of the bearer of the document appearing as text in the visual and machine readable zones on the biographical data page of a passport book, or on a travel card or visa.

Biometric A measurable, physical characteristic or personal behavioural trait used to recognize the identity, or verify the claimed identity, of an enrollee.

Biometric data The information extracted from the biometric sample and used either to build a reference template (template data) or to compare against a previously created reference template (comparison data).

Biometric sample Raw data captured as a discrete, unambiguous, unique and linguistically neutral value representing a biometric characteristic of an enrollee as captured by a biometric system (for example, biometric samples can include the image of a fingerprint as well as its derivative for authentication purposes).

Biometric system An automated system capable of:
1. capturing a biometric sample from an end user for an MRP;
2. extracting biometric data from that biometric sample;
3. comparing that specific biometric data value(s) with that contained in one or more reference templates;
4. deciding how well the data match, i.e. executing a rule-based matching process specific to the requirements of the unambiguous identification and person authentication of the enrollee with respect to the transaction involved; and
5. indicating whether or not an identification or verification of identity has been achieved.

Black-line white-line design A design made up of fine lines often in the form of a guilloche pattern and sometimes used as a border to a security document. The pattern migrates from a positive to a negative image as it progresses across the page.

Capture The method of taking a biometric sample from the end user.

Certificating authority A body that issues a biometric document and certifies that the data stored on the document are genuine in a way which will enable detection of fraudulent alteration.

Chemical sensitizers Security reagents to guard against attempts at tampering by chemical erasure, such that irreversible colours develop when bleach and solvents come into contact with the document.

Comparison The process of comparing a biometric sample with a previously stored reference template or templates. See also “One-to-many” and “One-to-one”.

Contactless integrated circuit An electronic microchip coupled to an aerial (antenna) which allows data to be communicated between the chip and an encoding/reading device without the need for a direct electrical connection.

Counterfeit An unauthorized copy or reproduction of a genuine security document made by whatever means.

Database Any storage of biometric templates and related end user information.

Data storage (Storage) A means of storing data on a document such as an MRP. Doc 9303, Part 1, Volume 2 specifies that the data storage on an ePassport will be on a contactless integrated circuit.

Digital signature A method of securing and validating information by electronic means.

Document blanks A document blank is a travel document that does not contain the biographical data and personalized details of a document holder. Typically, document blanks are the base stock from which personalized travel documents are created.

Duplex design A design made up of an interlocking pattern of small irregular shapes, printed in two or more colours and requiring very close register printing in order to preserve the integrity of the image.

Embedded image An image or information encoded or concealed within a primary visual image.

End User A person who interacts with a biometric system to enroll or have their identity checked.

Enrollment The process of collecting biometric samples from a person and the subsequent preparation and storage of biometric reference templates representing that person’s identity.

Enrollee A human being, i.e. natural person, assigned an MRTD by an issuing State or organization.

ePassport A Machine Readable Passport (MRP) containing a contactless integrated circuit (IC) chip within which is stored data from the MRP data page, a biometric measure of the passport holder and a security object to protect the data with Public Key Infrastructure (PKI) cryptographic technology, and which conforms to the specifications of Doc 9303, Part 1.

Extraction The process of converting a captured biometric sample into biometric data so that it can be compared to a reference template.

Failure to acquire The failure of a biometric system to obtain the necessary biometric to enroll a person.

Failure to enroll The failure of a biometric system to enroll a person.

False acceptance When a biometric system incorrectly identifies an individual or incorrectly verifies an impostor against a claimed identity.

False acceptance rate/FAR The probability that a biometric system will incorrectly identify an individual or will fail to reject an impostor. The rate given normally assumes passive impostor attempts. The false acceptance rate may be estimated as FAR = NFA / NIIA or FAR = NFA / NIVA where FAR is the false acceptance rate, NFA is the number of false acceptances, NIIA is the number of impostor identification attempts, and NIVA is the number of impostor verification attempts.

False match rate Alternative to “false acceptance rate”; used to avoid confusion in applications that reject the claimant if their biometric data matches that of an enrollee. In such applications, the concepts of acceptance and rejection are reversed, thus reversing the meaning of “false acceptance” and “false rejection”.

False non-match rate Alternative to “false rejection rate”; used to avoid confusion in applications that reject the claimant if their biometric data matches that of an enrollee. In such applications, the concepts of acceptance and rejection are reversed, thus reversing the meaning of “false acceptance” and “false rejection”.

False rejection When a biometric system fails to identify an enrollee or fails to verify the legitimate claimed identity of an enrollee.

False rejection rate/FRR The probability that a biometric system will fail to identify an enrollee or verify the legitimate claimed identity of an enrollee. The false rejection rate may be estimated as follows: FRR = NFR / NEIA or FRR = NFR / NEVA where FRR is the false rejection rate, NFR is the number of false rejections, NEIA is the number of enrollee identification attempts, and NEVA is the number of enrollee verification attempts. This estimate assumes that the enrollee identification/verification attempts are representative of those for the whole population of enrollees. The false rejection rate normally excludes “failure to acquire” errors.

Fibres Small, thread-like particles embedded in a substrate during manufacture.

Fluorescent ink Ink containing material that glows when exposed to light at a specific wavelength (usually UV) and that, unlike phosphorescent material, ceases to glow immediately after the illuminating light source has been extinguished.

Forgery Fraudulent alteration of any part of the genuine document, e.g. changes to the biographical data or the portrait.

Front-to-back (see-through) register A design printed on both sides of the document or an inner page of the document which, when the page is viewed by transmitted light, forms an interlocking image.

Full frontal (facial) image A portrait of the holder of the MRP produced in accordance with the specifications established in Doc 9303, Part 1, Volume 1, Section IV, 7.

Gallery The database of biometric templates of persons previously enrolled, which may be searched to find a probe.

Global interoperability The capability of inspection systems (either manual or automated) in different States throughout the world to obtain and exchange data, to process data received from systems in other States, and to utilize that data in inspection operations in their respective States. Global interoperability is a major objective of the standardized specifications for placement of both eye readable and machine readable data in all ePassports.

Guilloche design A pattern of continuous fine lines, usually computer generated, and forming a unique image that can only be accurately re-originated by access to the equipment, software and parameters used in creating the original design.

Heat-sealed laminate A laminate designed to be bonded to the biographical data page of a passport book, or to a travel card or visa, by the application of heat and pressure.

Holder A person possessing an ePassport, submitting a biometric sample for verification or identification whilst claiming a legitimate or false identity. A person who interacts with a biometric system to enroll or have their identity checked.

Identifier A unique data string used as a key in the biometric system to name a person’s identity and its associated attributes. An example of an identifier would be a passport number.

Identity The collective set of distinct personal and physical features, data and qualities that enable a person to be definitively identified from others. In a biometric system, identity is typically established when the person is registered in the system through the use of so-called “breeder documents” such as birth certificate and citizenship certificate.

Identification/Identify The one-to-many process of comparing a submitted biometric sample against all of the biometric reference templates on file to determine whether it matches any of the templates and, if so, the identity of the ePassport holder whose template was matched. The biometric system using the one-to-many approach is seeking to find an identity amongst a database rather than verify a claimed identity. Contrast with “Verification”.

Image A representation of a biometric as typically captured via a video, camera or scanning device. For biometric purposes this is stored in digital form.

Impostor A person who applies for and obtains a document by assuming a false name and identity, or a person who alters his physical appearance to represent himself as another person for the purpose of using that person's document.

Infrared drop-out ink An ink which forms a visible image when illuminated with light in the visible part of the spectrum and which cannot be detected in the infrared region.

Inspection The act of a State examining an ePassport presented to it by a traveller (the ePassport holder) and verifying its authenticity.

Intaglio A printing process used in the production of security documents in which high printing pressure and special inks are used to create a relief image with tactile feel on the surface of the document.

Issuing State The country writing the biometric to enable a receiving State (which could also be itself) to verify it.

JPEG and JPEG 2000 Standards for the data compression of images, used particularly in the storage of facial images.

Laminate A clear material, which may have security features such as optically variable properties, designed to be securely bonded to the biographical data or other page of the document.

Laser engraving A process whereby images (usually personalized images) are created by “burning” them into the substrate with a laser. The images may consist of both text, portraits and other security features and are of machine readable quality.

Laser-perforation A process whereby images (usually personalized images) are created by perforating the substrate with a laser. The images may consist of both text and portrait images and appear as positive images when viewed in reflected light and as negative images when viewed in transmitted light.

Latent image A hidden image formed within a relief image which is composed of line structures which vary in direction and profile resulting in the hidden image appearing at predetermined viewing angles, most commonly achieved by intaglio printing.

LDS The Logical Data Structure describing how biometric data is to be written to and formatted in ePassports.

Live capture The process of capturing a biometric sample by an interaction between an ePassport holder and a biometric system.

Machine-verifiable biometric feature A unique physical personal identification feature (e.g. an iris pattern, fingerprint or facial characteristics) stored on a travel document in a form that can be read and verified by machine.

Match/Matching The process of comparing a biometric sample against a previously stored template and scoring the level of similarity. A decision to accept or reject is then based upon whether this score exceeds the given threshold.

Metallic ink Ink exhibiting a metallic-like appearance.

Metameric inks A pair of inks formulated to appear to be the same colour when viewed under specified conditions, normally daylight illumination, but which are a mismatch at other wavelengths.

Micro-printed text Very small text printed in positive and/or negative form, which can only be read with the aid of a magnifying glass.

MRTD Machine Readable Travel Document, e.g. passport, visa or official document of identity accepted for travel purposes.

Multiple biometric The use of more than one biometric.

One-to-a-few A hybrid of one-to-many identification and one-to-one verification. Typically the one-to-a-few process involves comparing a submitted biometric sample against a small number of biometric reference templates on file. It is commonly referred to when matching against a “watch list” of persons who warrant detailed identity investigation or are known criminals, terrorists, etc.

One-to-many Synonym for “Identification”.

One-to-one Synonym for “Verification”.

Operating system A programme which manages the various application programmes used by a computer.

Optically variable feature (OVF) An image or feature whose appearance in colour and/or design changes dependent upon the angle of viewing or illumination. Examples are features including diffraction structures with high resolution (diffractive optically variable image device/DOVID), holograms, colour-shifting inks (e.g. ink with optically variable properties) and other diffractive or reflective materials.

Optional data capacity expansion technologies Data storage devices (e.g. integrated circuit chips) that may be added to a travel document to increase the amount of machine readable data stored in the document. See Doc 9303, Part 1, Volume 2, for guidance on the use of these technologies.

Overlay An ultra-thin film or protective coating that may be applied to the surface of a biographical data or other page of a document in place of a laminate.

Penetrating numbering ink Ink containing a component that penetrates deep into a substrate.

Personalization The process by which the portrait, signature and biographical data are applied to the document.

Phosphorescent ink Ink containing a pigment that glows when exposed to light of a specific wavelength, the reactive glow remaining visible and then decaying after the light source is removed.

Photochromic ink An ink that undergoes a reversible colour change when exposed to UV light.

Photo substitution A type of forgery in which the portrait in a document is substituted for a different one after the document has been issued.

Physical security The range of security measures applied within the production environment to prevent theft and unauthorized access to the process.

PKI The Public Key Infrastructure methodology of enabling detection as to whether data in an ePassport has been tampered with.

Planchettes Small visible (fluorescent) or invisible fluorescent platelets incorporated into a document material at the time of its manufacture.

Probe The biometric template of the enrollee whose identity is sought to be established.

Rainbow (split-duct) printing A technique whereby two or more colours of ink are printed simultaneously by the same unit on a press to create a controlled merging of the colours similar to the effect seen in a rainbow.

Random access A means of storing data whereby specific items of data can be retrieved without the need to sequence through all the stored data.

Reactive inks Inks that contain security reagents to guard against attempts at tampering by chemical erasure (deletion), such that a detectable reaction occurs when bleach and solvents come into contact with the document.

Read range The maximum practical distance between the contactless IC with its antenna and the reading device.

Relief (3-D) design (Medallion) A security background design incorporating an image generated in such a way as to create the illusion that it is embossed or debossed on the substrate surface.

Security thread A thin strip of plastic or other material embedded or partially embedded in the substrate during the paper manufacturing process. The strip may be metallized or partially de-metallized.

Tactile feature A surface feature giving a distinctive “feel” to the document.

Tagged ink Inks containing compounds that are not naturally occurring substances and which can be detected using special equipment.

Template/Reference template Data which represent the biometric measurement of an enrollee used by a biometric system for comparison against subsequently submitted biometric samples.

Template size The amount of computer memory taken up by the biometric data.

Thermochromic ink An ink which undergoes a reversible colour change when the printed image is exposed to heat (e.g. body heat).

Threshold A “benchmark” score above which the match between the stored biometric and the person is considered acceptable or below which it is considered unacceptable.

Token image A portrait of the holder of the MRP, typically a full frontal image, which has been adjusted in size to ensure a fixed distance between the eyes. It may also have been slightly rotated to ensure that an imaginary horizontal line drawn between the centres of the eyes is parallel to the top edge of the portrait rectangle if this has not been achieved when the original portrait was taken or captured (see Section II, 13 in this volume of Doc 9303, Part 1).

UV Ultraviolet light.

UV dull substrate A substrate that exhibits no visibly detectable fluorescence when illuminated with UV light.

Validation The process of demonstrating that the system under consideration meets in all respects the specification of that system.

Variable laser image A feature generated by laser engraving or laser perforation displaying changing information or images dependent upon the viewing angle.

Verification/Verify The process of comparing a submitted biometric sample against the biometric reference template of a single enrollee whose identity is being claimed, to determine whether it matches the enrollee’s template. Contrast with “Identification”.

Receiving State The country reading the biometric and wanting to verify it. Watermark A custom design, typically containing tonal gradation, formed in the paper or other substrate during its manufacture, crea ted by Registration The process of making a person’s identity known to a bio- the displacement of materials therein, and traditionally viewable by trans- metric system, associating a unique identifier with that identity, and col- mitted light. lecting and recording the person’s relevant attributes into the system.

Wavelet Scalar Quantization A means of compressing data used par- Score A number on a scale from low to high, measuring the success that ticularly in relation to the storage of fingerprint images. a biometric probe record (the person being searched for) matches a par- ticular gallery record (a person previously enrolled).

Secondary image A repeat image of the holder's portrait reproduced MRTD Report – Number 2 – 2007 elsewhere in the document by whatever means.

48