Machine Authentication of MRTDs for Public Sector Applications

Transcription

1 Technical Guideline BSI TR Machine Authentication of MRTDs for Public Sector Applications Part 2: Application profiles for official document inspection systems BSI TR Version 2.1.0

2 Federal Office for Information Security with the Federal Criminal Police Office and the Federal Police Post Box D Bonn Phone: Internet: Federal Office for Information Security 2016

3 TR Part 2 Table of Contents Table of Contents 1 Introduction Terminology Technical terms Operational scenarios Stationary operations Self Service operations Partially mobile operations Fully mobile operations Requirements from TR Requirements on the document checking system Requirements on document checks General requirements for all scenarios Requirements for Stationary operations Requirements for Self Service operations Requirements for Partially Mobile operations Requirements for Fully Mobile operations Requirements on operational monitoring Basic logging profile Standard logging profile Standard logging profile with optical evaluation extensions Standard logging profile with electronic evaluation extensions Full logging profile Requirements on data transmission Conformity Reference Documentation Keywords and Abbreviations Tables Table 1.1: Interpretation of keywords... 5 Table 3.1: Requirements for Stationary operations... 8 Table 3.2: Requirements for Self Service operations... 9 Table 3.3: Requirements for Partially Mobile operations...10 Table 3.4: Requirements for Fully Mobile operations...11 Table 3.5: Set of extended data nodes for different check types...12 Federal Office for Information Security 3

4 Table of Contents 4 Bundesamt für Sicherheit in der Informationstechnik

5 TR Part 2 Introduction 1 1 Introduction This profiling document is part of Technical Guideline TR Machine Authentication of MRTDs for Public Sector Applications. The Technical Guideline specifies and describes necessary requirements for machine assisted document checks on MRTDs in Public Sector Applications. The technical description of the checks referenced in this document are specified in Part 1 of TR-03135, see [TR ]. Regarding official German inspection systems, the profiles specified herein are REQUIRED. 1.1 Terminology The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, NORMATIVE, and OPTIONAL in this document are to be interpreted as described in RFC 2119: Keywords MUST, SHALL, REQUIRED, NORMATIVE MUST NOT, SHALL NOT RECOMMENDED, NOT RECOMMENDED, SHOULD, SHOULD NOT MAY, OPTIONAL Table 1.1: Interpretation of keywords Interpretation of keywords The implementation is an absolute requirement of the specification and must be used/included. A so called requirement is an absolute prohibition of the specification. The requirements are recommendations, this means that there may exist valid reasons in particular circumstances to ignore a particular item or requirement, but the full implications must be understood and carefully weighed before choosing a different course. The requirements are not binding. One operator or vendor may choose to include it, another may omit it. 1.2 Technical terms For clarity, terms were shortened to make this Technical Guideline more readable. Abbreviations can be found in [TR ]. Federal Office for Information Security 5

6 2 Operational scenarios TR Part 2 2 Operational scenarios This profiling refers to operational emrtd inspection scenarios in German Public Sector Applications. In this respect, the operational scenarios are defined in the following chapters. 2.1 Stationary operations Stationary systems are systems which are permanently installed at border crossings, at police stations or at other localities with raised focus concerning security issues (e.a. government buildings, ministries, embassies or official meeting locations) as well as temporary systems in accordingly prepared sites (e.g. for major events such as sports or music events). 2.2 Self Service operations Self Service systems are systems with which automated or semi-automated document and identity checks are performed (e. g. so-called egates/abc systems, automated border control systems/gates). 2.3 Partially mobile operations Partially mobile operations usually takes place at checkpoints, in patrol cars or vessels, but also in rail, air and shipping traffic. This includes, for example portable PC stations, which are the size of a notebook, or a tablet PC. These systems are often equipped with a swipe reader or full-page reader in order to be able to read the MRZ, but also with a RFID reading module in order to read the chip. 2.4 Fully mobile operations Fully mobile operations will be performed in rail, air and shipping traffic as well as during general patrol duty. The systems are carried by the officer, some of them are fixed or strapped on the officers uniform. The devices used have the similar size and design as smartphones or tablet PCs. 6 Federal Office for Information Security

7 3 Requirements from TR TR Part 2 Requirements from TR This chapter details the requirements from [TR ] which are relevant for these application profiles. 3.1 Requirements on the document checking system The generic requirements of a document checking system SHALL fit the requirements regarding chapters 2 and 3 of [TR ]. 3.2 Requirements on document checks General requirements for all scenarios If a specific check is implemented it SHALL be performed regarding optical checks as specified in [TR ] chapter 4.4 electronic checks as specified in [TR ] chapter 4.5 combined checks as specified in [TR ] chapter 4.6 handling of defects as specified in [TR ] chapter Requirements for Stationary operations Optical Checks Ref. [TR ] Obligation (m/o/e) Notes m For all further checking steps the model shall be identified. Depending on the model identification, document model specific spectrally selective checks SHALL be performed, if defined m MRZ consistency check shall always be possible, regardless of the used technology m/e Spectrally selective checks SHOULD be performed if applicable for the given document model. At least the checks (IR, AB, MR) and (UV, BR, FU) SHALL be performed. Electronic Checks If chip authenticity is guaranteed by the electronic check, the mode of spectrally selective checks CAN be changed to evaluatory m Background Public Key Infrastructures m Defect- and Masterlists m Supported Protocols. Federal Office for Information Security 7

8 3 Requirements from TR TR Part 2 Ref. [TR ] Obligation (m/o/e) Notes m Chip Access Protocols m Checking the chip contents. Combined Checks m Checking the validity of the documents m Comparison of the optical with the electronic biographic data o Checks across document pages o Cross checks across several documents and linking of multiple document checks in a transaction o Comparison of personalization contents is recommended for all documents that are present in a check database. Table 3.1: Requirements for Stationary operations Requirements for Self Service operations Optical Checks Ref. [TR ] Obligation (m/o/e) Notes m For all further checking steps the model shall be identified. Depending on the model identification, document model specific spectrally selective checks SHALL be performed, if defined m MRZ consistency check shall always be possible, regardless of the used technology m/e If applicable, selective checks SHOULD be performed on a given document model. At least the checks (IR, AB, MR) and (UV, BR, FU) SHALL be performed. Electronic Checks If chip authenticity is guaranteed by the electronic check, the mode of certain spectrally selective checks (which are neither REQUIRED nor RECOMMENDED) CAN be changed to evaluatory. At least one check each (IR, TR, ZZ) and (UV, LU, ZZ) SHOULD be performed m Background Public Key Infrastructures m Defect- and Masterlists m Supported Protocols. 8 Federal Office for Information Security

9 TR Part 2 Requirements from TR Ref. [TR ] Obligation (m/o/e) Notes m Chip Access Protocols m Checking the chip contents. Combined Checks m Checking the validity of the documents m Comparison of the optical with the electronic biographic data o Checks across document pages o Cross checks across several documents and linking of multiple document checks in a transaction o Comparison of personalization contents is recommended for all documents that are present in a check database. Table 3.2: Requirements for Self Service operations Federal Office for Information Security 9

10 3 Requirements from TR TR Part Requirements for Partially Mobile operations Optical Checks Ref. [TR ] Obligation (m/o/e) Notes o Depending on the optical reader it may be impossible to determine the model, for example if it is a Swipe-Reader m MRZ consistency check shall always be possible, regardless of the used technology o If the model could not be identified (e.g. because of a Swipe-Reader) the application of spectrally selective check routines is not possible. Electronic Checks m Background Public Key Infrastructures m Defect- and Masterlists m Supported Protocols m Chip Access Protocols m Checking the chip contents. Combined Checks m Checking the validity of the documents m Comparison of the optical with the electronic biographic data o Cross check and linking of multiple document checks in a transaction o Checks across several pages o Comparison of personalization contents is recommended for all documents that are present in a check database. Table 3.3: Requirements for Partially Mobile operations 10 Federal Office for Information Security

11 TR Part 2 Requirements from TR Requirements for Fully Mobile operations Optical Checks Ref. [TR ] Obligation (m/o/e) Notes o Depending on the optical reader it may be impossible to determine the model, for example if it is a Swipe-Reader m MRZ consistency check shall always be possible, regardless of the used technology o If the model could not be identified (e.g. because of a Swipe-Reader) the application of spectrally selective check routines is not possible. Electronic Checks m Background Public Key Infrastructures m Defect- and Masterlists m Supported Protocols m Chip Access Protocols m Checking the chip contents. Combined Checks m Checking the validity of the documents m Comparison of the optical with the electronic biographic data o Checks across document pages o Cross checks across several documents and linking of multiple document checks in a transaction o Comparison of personalization contents is recommended for all documents that are present in a check database Table 3.4: Requirements for Fully Mobile operations 3.3 Requirements on operational monitoring The document check system SHALL implement the logging schema according to [TR ], chapter 5. This document defines the following levels of logging configurations: 1. Basic logging profile 2. Standard logging profile 3. Standard logging profile with optical evaluation extensions Federal Office for Information Security 11

12 3 Requirements from TR TR Part 2 4. Standard logging profile with electronic evaluation extensions 5. Full logging profile The set of extended data nodes is defined for the corresponding checks in table 3.5. Type of failed check Optical Check Electronic Check Combined Check Biometric Check Extended data nodes (XPath expression) //dco:basiccheckresult/dco:scannedarea //dco:scannedimages //dc:documentdetails //dce:chipfiles //dce:trace //dcc:mismatch/* //dc:image Table 3.5: Set of extended data nodes for different check types The document check system SHALL implement all defined logging configurations. Setting the actual logging configuration SHALL be configurable by the application Basic logging profile Basic logging SHALL contain all non-person related data from a check, including all check results. All data items from the XML schema SHALL be filled, with the exception of the set of extended data nodes Standard logging profile Standard logging SHALL contain all available information from Basic logging profile and SHALL provide additional information on the specific failed and undetermined check(s). Depending on the type of error, the relevant sets of extended data nodes detailling the error SHALL be present in the log. Note that extended data nodes are not present if the corresponding check was aborted Standard logging profile with optical evaluation extensions Standard logging with optical evaluation extensions SHALL contain all information from Standard logging and SHALL contain all extended data nodes for the optical check regardless of the optical check result Standard logging profile with electronic evaluation extensions Standard logging with optical evaluation extensions SHALL contain all information from Standard logging and SHALL contain all extended data nodes for the electronic check check regardless of the electronic check result Full logging profile Full logging SHALL contain all available information including all extended nodes, regardless of the check results. 12 Federal Office for Information Security

13 TR Part 2 Requirements from TR Requirements on data transmission The document check system SHALL implement the transmission and log specification according to [TR ], chapter 6. This requirement is REQUIRED for Stationary and Self Service operations and RECOMMENDED for Partially Mobile and Fully Mobile operations. Federal Office for Information Security 13

14 4 Conformity TR Part 2 4 Conformity In order to conform to this Technical Guideline, an Inspection System and Inspection Application SHALL completely implement and meet all requirements from chapters 3 for the used scenario. 14 Federal Office for Information Security

15 TR Part 2 Reference Documentation Reference Documentation [TR ] Bundesamt für Sicherheit in der Informationstechnik (BSI): Technische Richtlinie TR-03135, Machine Authentication of MRTDs for Public Sector Applications Part 1: Overview and Functional Requirements, 2016, Version Federal Office for Information Security 15

16 Keywords and Abbreviations TR Part 2 Keywords and Abbreviations For Keywords and Abbreviations see [TR ]. 16 Federal Office for Information Security