Technology Advances in Authentication. Mohamed Lazzouni, SVP & CTO


Outline
- Optical Authentication
  - Complexity of security features and their evolution
  - Computing and optics
  - Document analysis techniques
  - Automation and front office (real-time) forensic capabilities
  - Complementary technologies
- Electronic Authentication
  - Standards and regulatory requirements
  - Threats and countermeasures
  - e-Passport authentication process
  - Reader hardware, from retrofit to redesign
  - Emerging trends

Machine-Based Document Authentication
Definition: the equipment needs to provide good evidence of the authenticity of the document by making it impracticable to falsify or alter it without detection.
[Chart: authentication value over time, comparing optical authentication with electronic authentication]

Document Authentication Value
- Adjudication
- Authenticity of breeder documents
- Lower transaction cost and higher transaction speed
- High degree of automation
- Front office / real-time forensic capability

Optical Authentication

Optical Authentication / Evolution in Multiple Dimensions
- Document security features/technologies
- Computing and optics (enabling technologies)
- Document analysis techniques
- Automation / simplicity of operation
- Complementary technologies (biometrics, smartchips, PKI)

Optical Authentication / Document Security Features and Technologies
Electronic:
- Contact/contactless chips
- ICAO security protocols
- PKI
Traditional optical:
- Microprint
- Watermarks
- Security inks and papers
- Security laminates
- Seals / patterns
- Embossing
- Serialized perforations
Advanced optical:
- Holograms / kinegrams
- Digital watermarks
- Taggants

Optical Authentication / Computing and Optics: Enabling Technologies
Image acquisition:
- Lighting: visible, infrared, ultraviolet, coaxial
- Firmware / control
- Camera module
- Lens system
- USB / FireWire data acquisition
Image processing:
- OCR
- Pattern recognition
- Barcode reads
- Compression / decompression
Applications:
- Authentication
- Transaction processor
- Workflow management
- Transaction audits/reports
- Security
- Adjudication support
Processing platform:
- Multi-threaded, multi-processing operating system
- Multi-processor PC platform
- Device drivers
- High-speed driver interfaces
- Smartchip reader
- Magstripe / barcode
Data repositories:
- Document test profiles
- Reference databases
- Transaction status/audits

Optical Authentication / Computing and Optics: Document Reader Technology
- 1980s: MRZ slot reader (MRZ OCR), embedded processor
- 1998: full-page monochrome reader (visible, IR and UV coaxial lights)
- 2002: full-page color reader, high-resolution USB CMOS sensor
- 2005: full-page color reader with integrated contactless chip reader for e-passports
- 2008: 400 DPI resolution, 2D barcodes read from the image

Optical Authentication / Document Analysis Techniques
- ICAO MRZ tests (analysis of the OCR results): check digit (checksum) verification, expiration checks, B900 test (the MRZ must be printed in IR-absorbing B900 ink, so it has to remain legible under infrared light)
- Multi-spectrum pattern recognition/analysis: verify that expected patterns are present under a given light source; verify that prohibited patterns do not appear under a given light source; tests are performed on security features and other expected document behaviours
- Tamper tests: analyze the document for signs of laminate violation and other tamper evidence
- Paper stock tests: verify use of the proper papers (primary application: photocopy detection)
- Color fidelity tests: verify that document patterns/regions are within the expected color range
- Data crosschecks: consistency check of redundant data sources (optical and electronic)
- Watchlist checks
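The MRZ check-digit test above is the cheapest of these checks and the first one an inspection system runs, because a failed check digit means either a bad OCR read or an altered data page. The following is an added example (not code from the slides or from L1 Identity Solutions) that implements the ICAO Doc 9303 check-digit rule (weights 7, 3, 1 repeating, modulo 10; digits count as their value, A to Z as 10 to 35, the filler "<" as 0) for the second line of a TD3 passport MRZ, including the composite check digit. The sample line is constructed for the example; its document number, date of birth and expiry are the values used in the worked BAC example of ICAO Doc 9303 Part 11, while the nationality, sex and optional data are filler.

```python
# Added example, not from the slides: ICAO 9303 check-digit verification for
# the second MRZ line of a TD3 (passport) document.
#
# Constructed sample line (44 characters):
#   positions  0-8  document number        9  its check digit
#   positions 10-12 nationality
#   positions 13-18 date of birth (YYMMDD) 19  its check digit
#   position  20    sex
#   positions 21-26 date of expiry         27  its check digit
#   positions 28-41 optional data          42  its check digit
#   position  43    composite check digit
SAMPLE_TD3_LINE2 = "L898902C<3UTO6908061F9406236" + "<" * 14 + "02"

WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    """Map one MRZ character to its 9303 value: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if ch == "<":
        return 0
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"character {ch!r} is not valid in an MRZ")


def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weighted sum with weights 7,3,1 repeating, modulo 10."""
    total = sum(mrz_char_value(ch) * WEIGHTS[i % 3] for i, ch in enumerate(field))
    return str(total % 10)


def verify_td3_line2(line2: str) -> dict:
    """Recompute the five check digits of a TD3 line 2 and report which ones match.

    Returns {field_name: bool}.  Any False is a hard failure for an inspection
    system: either the OCR read is wrong or the printed MRZ was altered.
    """
    if len(line2) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    fields = {
        "document_number": (line2[0:9], line2[9]),
        "date_of_birth": (line2[13:19], line2[19]),
        "date_of_expiry": (line2[21:27], line2[27]),
        "optional_data": (line2[28:42], line2[42]),
        # The composite check digit is computed over document number, date of
        # birth and date of expiry together with their own check digits, plus
        # the optional data field and its check digit.
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    return {name: check_digit(value) == cd for name, (value, cd) in fields.items()}


def mrz_line_is_consistent(line2: str) -> bool:
    """True only if every check digit on the line verifies."""
    return all(verify_td3_line2(line2).values())


if __name__ == "__main__":
    print(verify_td3_line2(SAMPLE_TD3_LINE2))
    # A single altered digit in the date of birth breaks two check digits:
    # the field's own and the composite.
    tampered = SAMPLE_TD3_LINE2[:13] + "7" + SAMPLE_TD3_LINE2[14:]
    print(verify_td3_line2(tampered))
```

Because the composite digit covers the three key fields and their individual check digits, a forger who changes the date of birth has to recompute two digits, and an OCR misread of a single character is caught the same way; the per-field result tells the operator which field to re-read.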

Optical Authentication / Document Analysis Techniques (continued)
- Image and text tests are performed automatically in seconds
- Optical recognition systems present challenges similar to those of biometric systems
- Recognition accuracy and performance continue to improve with hardware/software platform advances
- Combining optical and electronic authentication provides a powerful composite solution

Optical Authentication / Process Automation: Problems with Manual Processes
Legacy document forensics:
- Manual process performed by trained specialists
- Elementary tools of the trade: magnifiers, UV lamps, printed reference books and watchlists, libraries of good/bad documents
- Effective, but a time-consuming process reserved for selectees from the front line
- This model only works for large government agencies and commercial institutions
- The selectee process can be very subjective and inconsistent; many will slip through the cracks as non-selectees
- Difficult to keep printed reference materials and document libraries up to date
- Difficult to scale the process to meet growing transaction volumes and the pressure to improve customer service
Imaging technology and automation were introduced to move document forensics analysis from the back room to the front lines.

Optical Authentication / Process Automation: Increasing Degrees of Automation
- None: simple data capture, no authentication
- Minimal: basic authentication of the captured data (bearer age check and document expiration date)
- Low: capture of the full-page document image; data authentication including validating data check digits and checking for data consistency across redundant data sets
- Medium: verification of both visible and encoded biometric information; data consistency checks to detect discrepancies between visible and encoded information; special light sources, with the image analysis left to the operator
- High: extraction and analysis of security-pattern features using multi-spectrum light sources; detection of forgery/tampering based on feature recognition; extended data capture, including areas outside the machine-readable zone (MRZ); automated tests, including pattern recognition, color fidelity checks and data crosschecks; adjudication tools for expanded forensic examination at a secondary workstation
- Highest: wide-area enterprise deployment (system configuration, monitoring and maintenance); secure access to databases containing document security profiles, intelligence data such as watch lists and related security alerts, and issuance databases; issuer verification using real-time and batch access to the authorities responsible for issuing secure documents

Optical Authentication / Process Automation: User Profiles
Increased levels of automation are critical as the user profile changes; security requirements must be met while meeting customer service demands.
1) Forensics analyst: the original user of optical authentication; a forensics specialist with access to document libraries and intelligence data
2) Frontline operator: automated authentication brought optical authentication from the back room to the front line; minimal forensics training; under pressure to keep customers moving; susceptible to fatigue, coercion and fraud
3) Customer (self-service): self-service applications are the future and will achieve new levels of customer service; no training, so the process must be extremely simple and well defined

Optical Authentication / Process Automation: Critical Success Factors
- Simple operation that can be performed by trained and untrained operators
- Extensive "documetrics" databases with the breadth and depth to cover the large variety of documents in circulation
- Robust recovery and adjudication procedures to maintain efficient operations
- Transaction times within acceptable limits (5 seconds or less for most applications)
- Sufficient accuracy to keep secondary inspections at or below acceptable levels
- Security to ensure privacy and system integrity
- Flexibility to accommodate customer-specific business rules

Optical Authentication / Introduction of Complementary Technologies
- Biometrics establish the link between the bearer and the document.
- Smartchips provide a secure storage and communications medium for electronic information.
Biometrics plus smartchips yield the electronic ID.

Electronic Authentication

Electronic Authentication / Standards and Regulatory Requirements
ICAO (International Civil Aviation Organization), driving towards standards on security, privacy and interoperability:
- International body that guides and regulates international civil aviation
- Driving force behind international document specifications and e-passports
- Established in 1944; 189 member countries
- Provides the specifications for machine readable passports and visas (Doc 9303)
- Works in cooperation with the International Organization for Standardization (ISO)
- Works in cooperation with the International Air Transport Association (IATA)

Electronic Authentication / Benefits
- The primary goal is to enhance the capabilities and security of traditional identification documents
- Facilitate the global economy via safe travel across international borders
- Extend support for machine-assisted identity verification
- Specify secure storage media for biometrics and other sensitive identity information
- Ensure document authenticity/uniqueness and data privacy
- Establish international interoperability standards
- Standards for machine-readable extensions using magnetic stripe, 2D barcode, optical memory, and contact/contactless smartchips
- The ICAO New Orleans Resolution (March 2003) endorses the face as the internationally interoperable biometric, with fingerprint and iris recognized as additional supporting biometrics; contactless smartchips are recommended as the onboard storage medium
- The Logical Data Structure (LDS) is specified as the standard interoperable format for storing MRTD electronic data (2002)

Electronic Authentication / e-Passport Technologies
Construction:
- e-Passports contain a contactless RFID chip: a chip module plus an antenna
- The contactless inlay (chip + antenna) can be located in the book cover, in the center pages, or in the data page (where the photo and MRZ are located)
- Physical layout specifications: ICAO Doc 9303, ISO/IEC 7810/7811
- Contactless interface: ISO/IEC 14443 (Type A and Type B); command set: ISO/IEC 7816
- The chip contains ROM, RAM, EEPROM, a crypto engine and I/O
Data in the chip:
- Data is stored in the chip as files called Data Groups (DGs); these files are collectively referred to as the LDS (Logical Data Structure)
- DG1: MRZ data (name, date of birth, sex, ...)
- DG2: face image, in JPEG or JPEG 2000 format, typically 16 KB
- DG3: fingerprint images, in WSQ format, typically 8 KB per fingerprint
- DG4: iris image
- Document Security Object (SOD): contains the hashes of the data groups above and a digital signature over that hash list
- DG1 (MRZ) and DG2 (face image) are mandatory; the others are optional
- For the EU, DG3 (fingerprints) is mandatory after June 2009; EAC (Extended Access Control) is used to protect it

Electronic Authentication / e-Passport Threats and Countermeasures (Security/Privacy)
Threat and countermeasure:
- Forgery / tampering: Passive Authentication verifies authenticity via the digital signature and the data group hash values. Mandatory feature for ICAO e-passports.
- Skimming: Basic Access Control (BAC) requires the optically read MRZ to unlock the document's chip. Optional feature for ICAO e-passports. An RF shield built into the document, or into the sleeve that houses it while not in use, is the physical countermeasure; it is used for the US e-passport.
- Eavesdropping: BAC establishes a secure communication channel (secure messaging) between the reader and the chip.
- Tracking: a random chip unique identifier (UID) is generated for each read access.
- Cloning: Active Authentication uses an asymmetric key pair with a challenge-response protocol. Optional feature for ICAO e-passports.
- Unauthorized access: Extended Access Control (EAC) uses symmetric/asymmetric cryptography to secure the sensitive data; the chip must authenticate the inspection system before delivering the biometric data. Optional feature for ICAO e-passports.

Electronic Authentication / e-Passport Authentication Process
Inspection system (IS) steps; steps 5, 6, 8 and 9 apply to EAC documents only:
1. Document is inserted
2. IS reads the MRZ (OCR)
3. IS opens the chip with BAC
4. IS reads the SOD
5. IS reads DG14 (EAC only)
6. Chip Authentication (EAC only)
7. IS reads DG1 and DG2
8. Terminal Authentication (EAC only)
9. IS reads DG3 (EAC only)
10. IS asks the local PKD for the CSCA certificate
11. IS performs Passive Authentication
Supporting infrastructure:
- Local PKD, updated periodically from the ICAO PKD; countries upload their CSCA certificates
- For EAC: a DV server and a CVCA server, holding other countries' CVCA certificates
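Steps 2, 3, 4 and 11 of the process above, and the BAC and Passive Authentication entries in the threats-and-countermeasures slide, hinge on two computations that are easy to get wrong: deriving the BAC keys from the MRZ, and checking the data groups against the SOD. The following is an added example (not code from the slides or from L1 Identity Solutions) that implements both as specified in ICAO Doc 9303 Part 11: the BAC key seed is the first 16 bytes of SHA-1 over the document number, date of birth and date of expiry with their check digits; K_ENC and K_MAC come from SHA-1(seed || 00000001) and SHA-1(seed || 00000002) truncated to 16 bytes with DES parity adjustment; after mutual authentication the session keys derive the same way from K_IFD XOR K_IC, and the send sequence counter is the low halves of the two nonces. The MRZ fields are those of the worked example in Part 11 Appendix D, so the derived keys can be compared with the values printed there; the nonces, data groups and SOD hash table are constructed for this example. The SOD hash check is only the integrity half of Passive Authentication: the SOD itself is a CMS SignedData structure whose signature must be verified against the Document Signer certificate and up to the CSCA, which this example does not do. One caveat a practitioner should keep in mind: every bit of the BAC keys comes from three printed fields, so their effective entropy is bounded by those fields, which is why later ICAO specifications introduced PACE as the replacement access control.

```python
import hashlib
from typing import Dict, Tuple

# Added example, not code from the slides.  Key derivation follows ICAO Doc
# 9303 Part 11 (BAC and secure messaging).  The MRZ line is constructed; its
# document number, date of birth and expiry match the worked example in that
# document.  Nonces, data groups and the SOD hash table are also constructed.
TD3_LINE2 = "L898902C<3UTO6908061F9406236" + "<" * 14 + "02"


def mrz_information(line2: str) -> str:
    """Document number, date of birth and date of expiry, each with its check digit."""
    return line2[0:10] + line2[13:20] + line2[21:28]


def adjust_des_parity(key: bytes) -> bytes:
    """Set the least-significant bit of each byte so every byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        upper_ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if upper_ones % 2 == 1 else 1))
    return bytes(out)


def derive_key(seed: bytes, counter: int) -> bytes:
    """9303 KDF for two-key 3DES: SHA-1(seed || counter) truncated to 16 bytes, parity adjusted.
    counter 1 yields the encryption key, counter 2 the MAC key."""
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return adjust_des_parity(digest[:16])


def bac_document_keys(line2: str) -> Tuple[bytes, bytes]:
    """K_ENC and K_MAC that open the BAC channel; both derive solely from printed MRZ fields."""
    k_seed = hashlib.sha1(mrz_information(line2).encode("ascii")).digest()[:16]
    return derive_key(k_seed, 1), derive_key(k_seed, 2)


def bac_session_keys(k_ifd: bytes, k_ic: bytes, rnd_ifd: bytes, rnd_ic: bytes) -> Tuple[bytes, bytes, bytes]:
    """After mutual authentication both sides hold K_IFD and K_IC (16 bytes each)
    and the nonces RND.IFD and RND.IC (8 bytes each).  The session seed is
    K_IFD XOR K_IC; the send sequence counter is RND.IC[4:8] || RND.IFD[4:8]."""
    seed = bytes(a ^ b for a, b in zip(k_ifd, k_ic))
    ssc = rnd_ic[4:8] + rnd_ifd[4:8]
    return derive_key(seed, 1), derive_key(seed, 2), ssc


def verify_data_group_hashes(sod_hashes: Dict[int, bytes], data_groups: Dict[int, bytes]) -> Dict[int, bool]:
    """Integrity step of Passive Authentication: each data group read from the
    chip must hash (here SHA-256) to the value the SOD lists for that group.
    A group missing from the SOD fails.  Verifying the SOD signature against
    the Document Signer certificate and the CSCA is not shown."""
    return {
        dg: hashlib.sha256(content).digest() == sod_hashes.get(dg)
        for dg, content in data_groups.items()
    }


# Constructed sample chip contents and the hash table an SOD would carry for them.
SAMPLE_DATA_GROUPS = {
    1: b"DG1:" + TD3_LINE2.encode("ascii"),
    2: b"DG2: <JPEG face image bytes>",
}
SAMPLE_SOD_HASHES = {dg: hashlib.sha256(c).digest() for dg, c in SAMPLE_DATA_GROUPS.items()}


if __name__ == "__main__":
    k_enc, k_mac = bac_document_keys(TD3_LINE2)
    print("MRZ_information:", mrz_information(TD3_LINE2))
    print("K_ENC:", k_enc.hex(), "K_MAC:", k_mac.hex())
    # Passive authentication over genuine data, then over a substituted DG2.
    print(verify_data_group_hashes(SAMPLE_SOD_HASHES, SAMPLE_DATA_GROUPS))
    print(verify_data_group_hashes(SAMPLE_SOD_HASHES, {**SAMPLE_DATA_GROUPS, 2: b"DG2: substituted photo"}))
```

A substituted face image in DG2 fails the hash comparison even though the SOD signature is still valid, which is the whole point of signing a hash list rather than the images; the reverse case, a fresh SOD signed by an untrusted key over a forged passport, is only caught by the certificate-chain check to the CSCA that the local PKD in step 10 exists to support.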

Electronic Authentication / Reader Hardware Enhancements
- First generation of ID authentication: no RFID capabilities
- In 2003 the need for electronic authentication started; a new hardware platform was necessary to support the RFID chips (migration to RFID)
- Second generation: RFID capabilities
- Third generation: enhanced design for RFID, with a new antenna design (single PCB, dual antenna), improved RFID tuning, fixed components, improved RFID interoperability and faster detection time

Electronic Authentication / e-Passport Interoperability Testing
- Interoperability test events, 2004 to 2009: Tsukuba, Singapore, Berlin, Paris (twice), Ispra, Prague
- Mechanisms tested: BAC (Basic Access Control), Active Authentication, Passive Authentication
- Inspection System EAC API / EAC Ready: EAC back-end system, EAC API, IS workstation, DV centralizer, CVCA
- IS and DV certificates reside in a secure area (back-end system / HSM)
- Flexible support for multiple integrators / back-end systems

Electronic Authentication / Emerging Trends
1) Migration from point solutions to total solutions
2) Possibly increasing levels of front-end device security
3) Decreasing front-end device application footprint (e.g., thin client)
4) Multi-functional devices
5) Miniaturization, mobility and portability
6) Self-service

Thank you
Mohamed Lazzouni, Ph.D.
SVP and CTO, L1 Identity Solutions
296 Concord Road, Billerica, MA 01832