Technology Advances in Authentication
Mohamed Lazzouni, SVP & CTO
Outline
Optical Authentication
- Complexity of security features and their evolution
- Computing and optics
- Document analysis techniques
- Automation and front office (real-time) forensic capabilities
- Complementary technologies
Electronic Authentication
- Standards and regulatory requirements
- Threats and countermeasures
- e-passport authentication process
- Reader hardware from retrofit to redesign
- Emerging trends
Machine-Based Document Authentication
Definition: the equipment needs to provide good evidence of the authenticity of the document by making it impracticable to falsify or alter without detection.
[Chart: authentication value over time, with curves for optical authentication and electronic authentication]
Document Authentication Value
- Adjudication
- Authenticity of breeder documents
- Lower transaction cost and faster transaction speed
- High degree of automation
- Front office / real-time forensic capability
Optical Authentication
Optical Authentication: Evolution in Multiple Dimensions
- Document Security Features/Technologies
- Computing and Optics (Enabling Technologies)
- Document Analysis Techniques
- Automation / Simplicity of Operation
- Complementary Technologies (Biometrics, Smartchips, PKI)
Optical Authentication: Document Security Features/Technologies
Electronic:
- Contact/Contactless Chips
- ICAO Security Protocols
- PKI
Traditional Optical:
- Microprint, Watermarks
- Security Inks and Papers
- Security Laminates
- Seals / Patterns
- Embossing
- Serialized Perforations
Advanced Optical:
- Holograms / Kinegrams
- Digital Watermarks
- Taggants
Optical Authentication: Computing and Optics / Enabling Technologies
Image Acquisition:
- Lighting: Visible, Infrared, Ultraviolet, Coaxial
- Firmware / Control
- Camera Module
- Lens System
- USB / FireWire
Image Processing:
- Data Acquisition
- OCR
- Pattern Recognition
- Barcode Reads
- Compression / Decompression
Applications:
- Authentication Transaction Processor
- Workflow Management
- Transaction Audits/Reports
- Security
- Adjudication Support
Processing Platform:
- Multi-Threaded, Multi-Processing Operating System
- Multi-Processor PC Platform
- Device Drivers
- High-Speed Driver Interfaces
- Smartchip Reader
- Magstripe / Barcode
Data Repositories:
- Document Test Profiles
- Reference Databases
- Transaction Status/Audits
Optical Authentication: Computing and Optics / Document Reader Technology
- 1980s: MRZ slot reader (MRZ OCR), embedded processor
- 1998: Full-page monochrome reader (visible, IR, UV, coaxial lights)
- 2002: Full-page color reader, high-resolution USB CMOS sensor
- 2005: Full-page color reader with integrated contactless chip reader for e-passports
- 2008: 400 DPI resolution, 2D barcodes read from the image
Optical Authentication: Document Analysis Techniques
- ICAO MRZ Tests (analysis of OCR results): checksum verification, expiration checks, B900 test
- Multi-Spectrum Pattern Recognition/Analysis: verify that expected patterns are present under a given light source; verify that prohibited patterns do not appear under a given light source; tests performed on security features and other expected document behaviors
- Tamper Tests: analyze the document for signs of laminate violation and other tamper evidence
- Paper Stock Tests: verify use of proper papers (primary applications include photocopy detection)
- Color Fidelity Tests: verify that document patterns/regions are within the expected color range
- Data Crosschecks: perform consistency checks of redundant data sources (optical and electronic)
- Watchlist checks
Optical Authentication: Document Analysis Techniques
- Image and text tests are performed automatically in seconds
- Optical recognition systems present challenges similar to those of biometric systems
- Recognition accuracy and performance continue to improve with hardware/software platform advances
- The combination of optical and electronic authentication provides a powerful composite solution
Optical Authentication: Process Automation / Problems with Manual Processes
Legacy document forensics:
- Manual process performed by trained specialists
- Elementary tools of the trade: magnifiers, UV lamps, printed reference books and watchlists, libraries of good/bad documents
- Effective, but time-consuming process reserved for selectees from the front line
- This model only works for large government agencies and commercial institutions
- The selectee process can be very subjective and inconsistent; many will slip through the cracks as non-selectees
- Difficult to keep printed reference materials and document libraries up to date
- Difficult to scale the process to meet growing transaction volumes and pressures to improve customer service
Imaging technology and automation were introduced to move document forensics analysis from the back room to the front lines.
Optical Authentication: Process Automation / Increasing Degrees of Automation
None:
- Simple data capture, no authentication
Minimal:
- Basic authentication of the captured data (bearer age check and document expiration date)
Low:
- Capture full-page document image
- Data authentication, including validating data checksums and checking for data consistency across redundant data sets
Medium:
- Verification of both visible and encoded biometric information
- Data consistency checks to detect discrepancies between visible and encoded information
- Special light sources; image analysis left to the operator
High:
- Extraction and analysis of security-pattern features using multi-spectrum light sources
- Detection of forgery / tampering based on feature recognition
- Extended data capture, including areas outside the machine-readable zone (MRZ)
- Automated tests, including pattern recognition, color fidelity checks and data crosschecks
- Adjudication tools for expanded forensic examination at a secondary workstation
Highest:
- Wide-area enterprise deployment (system configuration, monitoring, and maintenance)
- Secure access to databases containing document security profiles, intelligence data such as watch lists and related security alerts, and issuance databases
- Issuer verification using real-time and batch access to the authorities responsible for issuing secure documents
Optical Authentication: Process Automation / User Profiles
- Increased levels of automation are critical as the user profile changes
- Security requirements must be met while meeting customer service demands
User profile / qualifications and limitations:
1) Forensics Analyst: the original user for optical authentication; forensics specialist; access to document libraries and intelligence data
2) Frontline Operator: automated authentication brought optical authentication from the back room to the front line; minimal forensics training; under pressure to keep customers moving; susceptible to fatigue, coercion, fraud
3) Customer (Self-Service): self-service applications are the future and will achieve new levels of customer service; no training; the process must be extremely simple and well defined
Optical Authentication: Process Automation / Critical Success Factors
- Simple operation that can be performed by trained and untrained operators
- Extensive documetrics databases with the breadth and depth to cover the large variety of documents in circulation
- Robust recovery and adjudication procedures to maintain efficient operations
- Transaction times within acceptable limits (5 seconds or less for most applications)
- Sufficient accuracy to keep secondary inspections at or below acceptable levels
- Security to ensure privacy and system integrity
- Flexibility to accommodate customer-specific business rules
Optical Authentication: Introduction of Complementary Technologies
- Biometrics establish the link between the bearer and the document.
- Smartchips provide a secure storage and communications medium for electronic information.
Together they form the Electronic ID.
Electronic Authentication
Electronic Authentication: Standards and Regulatory Requirements
Driving towards standards on security, privacy and interoperability
ICAO (International Civil Aviation Organization):
- International body that guides and regulates international civil aviation
- Driving force behind international document specifications and e-passports
- Established in 1944; 189 member countries
- Provides specifications for machine readable passports and visas
- Works in cooperation with the International Organization for Standardization (ISO)
- Works in cooperation with the International Air Transport Association (IATA)
Electronic Authentication: Benefits
- Primary goal is to enhance the capabilities and security of traditional identification documents
- Facilitate the global economy via safe travel across international borders
- Extend support for machine-assisted identity verification
- Specify secure storage mediums for biometrics and other sensitive identity information
- Ensure document authenticity/uniqueness and data privacy
- Establish international interoperability standards
- Standards for machine-readable extensions using magnetic stripe, 2D barcode, optical memory, and contact/contactless smartchips
- ICAO New Orleans Resolution (March 2003) endorses face as the international interoperable biometric, with fingerprint and iris recognized as additional supporting biometrics; contactless smartchips recommended as the onboard storage medium
- Logical Data Structure (LDS) is specified as the standard interoperable format to store MRTD electronic data (2002)
- Privacy
Electronic Authentication: e-passport Technologies
Construction:
- e-passports contain a contactless RFID chip: chip module + antenna
- The contactless inlay (chip + antenna) can be located in the book cover, the center pages, or the data page (where the photo and MRZ are located)
- Physical layout specifications: ICAO 9303, ISO/IEC 7810/7811
- Contactless specifications: ISO 14443 (Type A & B), ISO 7816
- Chip contains: ROM, RAM, EEPROM, Crypto Engine, IO
Data in the chip:
- Data is stored in the chip as files, called Data Groups (DG):
- DG1: MRZ data (name, DOB, sex, ...)
- DG2: Face image, in JPEG or JPEG2000 format, typically 16 Kbytes
- DG3: Fingerprint image, in WSQ format, typically 8 Kbytes per fingerprint
- DG4: Iris image
- Secure Object Data (SOD): contains hashes and a digital signature of the data groups above
- These files are also referred to as the LDS (Logical Data Structure)
- DG1 (MRZ) and DG2 (Face Image) are mandatory; the others are optional
- For the EU, after June 2009 the use of DG3 (Fingerprints) is mandatory; EAC (Extended Access Control) is used to secure these
Electronic Authentication: e-passport Threats and Countermeasures (Security/Privacy)
Threat: Countermeasure
- Forgery / Tampering: Passive Authentication verifies authenticity via the digital signature and data group hash values. Mandatory feature for ICAO e-passports.
- Skimming: Basic Access Control (BAC) requires the optically read MRZ to unlock the document's chip. Optional feature for ICAO e-passports. An RF shield built into the document, or the sleeve that houses it while not in use, is used for the US e-passport.
- Eavesdropping: BAC establishes a secure communication channel between the reader and the chip.
- Tracking: A random chip unique identifier (UID) is generated for each read access.
- Cloning: Active Authentication uses an asymmetric key pair with a challenge-response protocol. Optional feature for ICAO.
- Unauthorized Access: Extended Access Control (EAC) uses symmetric/asymmetric cryptography to secure sensitive data. The chip must authenticate the Inspection System before delivering the biometric data. Optional feature for ICAO e-passports.
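The ICAO MRZ tests listed under Document Analysis Techniques (check-digit verification, expiration checks) and the BAC countermeasure above both start from the same optically read MRZ fields. The Python example below is added here and is not part of the original presentation: it implements the ICAO 9303 check-digit rule, runs the line-2 tests of a TD3 (passport-size) MRZ, and derives the BAC key seed and the two parity-adjusted 3DES key halves from the document number, date of birth and date of expiry. The sample MRZ line is constructed; its document number and dates are the values of the Doc 9303 Part 11 BAC worked example, so the derived seed can be checked against that reference. The two-digit-year pivot in mrz_date and the function names are this example's own assumptions, not part of the standard.

```python
"""Added example: ICAO 9303 MRZ check-digit tests and BAC key derivation.
Not from the original slides; constructed sample data."""
import hashlib
from datetime import date

WEIGHTS = (7, 3, 1)


def char_value(c: str) -> int:
    """Value of one MRZ character: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weighted sum (weights 7,3,1 repeating) modulo 10."""
    total = sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_date(yymmdd: str, today: date) -> date:
    """Expand a YYMMDD MRZ date. The century pivot (more than 10 years ahead of
    today is read as 19xx) is an assumption of this example."""
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6])
    century = 2000 if yy <= (today.year % 100) + 10 else 1900
    return date(century + yy, mm, dd)


def verify_td3_line2(line2: str, today: date) -> dict:
    """MRZ tests on line 2 of a TD3 MRZ: per-field and composite check digits,
    expiration check and bearer age (the 'Minimal' automation level)."""
    if len(line2) != 44:
        raise ValueError("TD3 line 2 must be 44 characters")
    doc_num, doc_cd = line2[0:9], line2[9]
    dob, dob_cd = line2[13:19], line2[19]
    doe, doe_cd = line2[21:27], line2[27]
    optional, opt_cd = line2[28:42], line2[42]
    # The composite digit covers document number, DOB and expiry (each with its
    # own check digit) plus the optional data field and its check digit.
    composite_input = line2[0:10] + line2[13:20] + line2[21:43]
    birth, expiry = mrz_date(dob, today), mrz_date(doe, today)
    age = today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))
    return {
        "doc_cd_ok": check_digit(doc_num) == doc_cd,
        "dob_cd_ok": check_digit(dob) == dob_cd,
        "doe_cd_ok": check_digit(doe) == doe_cd,
        "opt_cd_ok": check_digit(optional) == opt_cd,
        "composite_ok": check_digit(composite_input) == line2[43],
        "expired": expiry < today,
        "age": age,
    }


def mrz_report(line2: str, today_iso: str) -> dict:
    """Convenience wrapper taking the inspection date as an ISO string."""
    return verify_td3_line2(line2, date.fromisoformat(today_iso))


def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so every byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def derive_key(k_seed: bytes, counter: int) -> bytes:
    """Doc 9303 key derivation: SHA-1(Kseed || counter), first 16 bytes, parity-adjusted
    as two 8-byte halves of a two-key 3DES key (counter 1 = Kenc, 2 = Kmac)."""
    h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(h[:8]) + adjust_parity(h[8:16])


def bac_keys(doc_num: str, dob: str, doe: str) -> dict:
    """Derive the BAC keys from the three MRZ fields, each followed by its check digit."""
    mrz_info = doc_num + check_digit(doc_num) + dob + check_digit(dob) + doe + check_digit(doe)
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return {"mrz_info": mrz_info, "k_seed": k_seed,
            "k_enc": derive_key(k_seed, 1), "k_mac": derive_key(k_seed, 2)}


# Constructed TD3 line 2: document number, birth and expiry dates from the Doc 9303
# BAC worked example, nationality UTO, sex F, no optional data.
SAMPLE_LINE2 = "L898902C<3UTO6908061F9406236" + "<" * 14 + "0" + "2"

if __name__ == "__main__":
    print(mrz_report(SAMPLE_LINE2, "2008-01-01"))
    keys = bac_keys("L898902C<", "690806", "940623")
    print("Kseed", keys["k_seed"].hex(), "Kenc", keys["k_enc"].hex(), "Kmac", keys["k_mac"].hex())
```

Because the MRZ is the only secret BAC relies on, the entropy of the three fields (document number, birth date, expiry) bounds the strength of the keys; this is why BAC is listed as a countermeasure against skimming and eavesdropping, but EAC is needed for the fingerprint data in DG3.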
Electronic Authentication: e-passport Authentication Process
Actors: e-passport, Inspection System (IS), local PKD (updated periodically from the ICAO PKD, to which countries upload their CSCAs), DV server and CVCA server (other countries' CVCAs; EAC only)
1. Document is inserted
2. IS reads MRZ (OCR)
3. IS opens the chip with BAC
4. IS reads SOD
5. IS reads DG14
6. Chip Authentication
7. IS reads DG1 & DG2
8. Terminal Authentication
9. IS reads DG3
10. IS asks the local PKD for the CSCA
11. IS performs Passive Authentication
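Steps 4, 7 and 11 of the process (read the SOD, read DG1 and DG2, perform Passive Authentication) end with the inspection system recomputing each data group's hash and comparing it with the signed hash table in the SOD; the Data Crosschecks test from the optical side then compares the OCR-read MRZ with the MRZ stored in DG1. The Python example below is written for this page and is not part of the original presentation. It implements those two checks with a constructed MRZ, a placeholder face image and a dictionary standing in for the SOD's LDSSecurityObject; the DG1 encoding is a simplified two-level TLV (tags 61 and 5F1F, short-form lengths only), and verification of the SOD signature against the Document Signer certificate and the CSCA from the PKD is assumed to have been done beforehand with a PKI library.

```python
"""Added example: Passive Authentication hash-table check and optical/electronic
data crosscheck. Not from the original slides; constructed sample data."""
import hashlib

# Digest-algorithm OIDs as carried in the SOD's LDSSecurityObject
HASH_OIDS = {"2.16.840.1.101.3.4.2.1": "sha256", "1.3.14.3.2.26": "sha1"}
MANDATORY_DGS = (1, 2)  # DG1 (MRZ) and DG2 (face image) are mandatory


def encode_dg1(mrz: str) -> bytes:
    """Build a DG1 as a simplified TLV: tag 61 wrapping tag 5F1F with the MRZ.
    Only short-form lengths (< 128 bytes) are handled, which covers a TD3 MRZ."""
    mrz_bytes = mrz.encode("ascii")
    inner = b"\x5f\x1f" + bytes([len(mrz_bytes)]) + mrz_bytes
    return b"\x61" + bytes([len(inner)]) + inner


def decode_dg1(dg1: bytes) -> str:
    """Parse the simplified DG1 TLV back into the MRZ string, checking tags and lengths."""
    if not dg1 or dg1[0] != 0x61:
        raise ValueError("DG1 must start with tag 61")
    outer_len = dg1[1]
    body = dg1[2:2 + outer_len]
    if len(body) != outer_len or body[:2] != b"\x5f\x1f":
        raise ValueError("malformed DG1")
    inner_len = body[2]
    value = body[3:3 + inner_len]
    if len(value) != inner_len:
        raise ValueError("truncated MRZ in DG1")
    return value.decode("ascii")


def build_sod(hash_oid: str, data_groups: dict) -> dict:
    """Constructed stand-in for the LDSSecurityObject: digest OID plus one hash per
    data group. A real SOD carries this DER-encoded inside CMS SignedData, signed
    by the issuing state's Document Signer certificate."""
    algo = HASH_OIDS[hash_oid]
    return {"hash_oid": hash_oid,
            "dg_hashes": {n: hashlib.new(algo, data).digest() for n, data in data_groups.items()}}


def passive_auth_hash_check(sod: dict, read_dgs: dict) -> dict:
    """Recompute the hash of every data group read from the chip and compare it with
    the SOD entry. Assumes the SOD signature was already verified (DS cert, CSCA)."""
    algo = HASH_OIDS.get(sod["hash_oid"])
    if algo is None:
        return {"ok": False, "reason": "unsupported digest algorithm",
                "mismatched": [], "unsigned": [], "missing_mandatory": []}
    mismatched = [n for n, data in read_dgs.items()
                  if n in sod["dg_hashes"] and hashlib.new(algo, data).digest() != sod["dg_hashes"][n]]
    unsigned = [n for n in read_dgs if n not in sod["dg_hashes"]]  # present but not covered by the SOD
    missing_mandatory = [n for n in MANDATORY_DGS if n not in read_dgs]
    ok = not mismatched and not unsigned and not missing_mandatory
    return {"ok": ok, "mismatched": mismatched, "unsigned": unsigned,
            "missing_mandatory": missing_mandatory}


def crosscheck_mrz(optical_mrz: str, dg1: bytes) -> bool:
    """Data crosscheck: the MRZ read optically by OCR must equal the MRZ stored in DG1."""
    def normalize(s: str) -> str:
        return "".join(s.split()).upper()
    return normalize(optical_mrz) == normalize(decode_dg1(dg1))


# Constructed sample data: a TD3 MRZ and a placeholder face image (not a real JPEG)
MRZ_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
MRZ_LINE2 = "L898902C<3UTO6908061F9406236" + "<" * 14 + "02"
SAMPLE_MRZ = MRZ_LINE1 + MRZ_LINE2
SAMPLE_DG1 = encode_dg1(SAMPLE_MRZ)
SAMPLE_DG2 = b"\xff\xd8" + b"face-image-bytes" * 4 + b"\xff\xd9"
SAMPLE_SOD = build_sod("2.16.840.1.101.3.4.2.1", {1: SAMPLE_DG1, 2: SAMPLE_DG2})


def demo() -> dict:
    """A genuine chip, a chip whose face image was altered, and the MRZ crosscheck."""
    genuine = passive_auth_hash_check(SAMPLE_SOD, {1: SAMPLE_DG1, 2: SAMPLE_DG2})
    altered_dg2 = SAMPLE_DG2[:-1] + b"\x00"  # one byte of the photo changed
    swapped_photo = passive_auth_hash_check(SAMPLE_SOD, {1: SAMPLE_DG1, 2: altered_dg2})
    return {"genuine": genuine, "swapped_photo": swapped_photo,
            "mrz_match": crosscheck_mrz(SAMPLE_MRZ, SAMPLE_DG1)}


if __name__ == "__main__":
    print(demo())
```

The hash comparison is what catches a substituted face image or MRZ when the SOD itself is authentic; it says nothing about a cloned chip that copies the SOD and data groups verbatim, which is why the slide lists Active Authentication as the separate countermeasure for cloning.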
Electronic Authentication: Reader Hardware Enhancements
First generation of ID authentication: no RFID capabilities
- In 2003, the need for electronic authentication started. A new hardware platform was necessary to support the RFID chips.
Migration to RFID
Second generation: RFID capabilities
Third generation: enhanced design for RFID
- New antenna design: single PCB, dual antenna
- Improved RFID tuning
- Fixed components
- Improved RFID interoperability
- Faster detection time
Electronic Authentication: e-passport Interoperability Testing
Interoperability tests (2004 to 2009): Tsukuba, Singapore, Berlin, Paris, Paris, Ispra, Prague
Tested: BAC (Basic Access Control), Active Authentication, Passive Authentication, EAC
Inspection System: EAC API, EAC Ready
EAC Back End System: EAC API, IS Workstation, DV Centralizer, CVCA
- IS and DV certs reside in a secure area (backend system / HSM)
- Flexible support for multiple integrators / back end systems
Electronic Authentication: Emerging Trends
1) Migration from point solutions to total solutions
2) Possibly increasing levels of front-end device security
3) Decreasing levels of front-end device application footprint (e.g. thin client)
4) Multi-functional devices
5) Miniaturization, mobility and portability
6) Self-service
Thank you
Mohamed Lazzouni, Ph.D.
SVP and CTO, L1 Identity Solutions
296 Concord Road, Billerica, MA 01832