Whitepaper: GlobalTester Prove IS
Testing of EAC inspection systems
By HJP Consulting GmbH

Introduction

There have been a lot of activities in standardization to define conformity tests for e-passports. Already in April 2007, the ICAO published their testing standards. As these technical reports only covered the mandatory functionality of e-passports, the European Union had set up its own test specification for EAC based passports, which digitally store sensitive fingerprint data. This conformance test specification is stable now. All these activities focus on improving the passports' interoperability.

But what does "interoperability" mean? According to IEEE's glossary, "interoperability" is regarded as the ability of two components to exchange information and to use the information that has been exchanged. Thus, full interoperability cannot be achieved without testing the terminals. Although this statement is quite obvious, it has been deemed sufficient to test the terminals' interoperability at different test events.

When we study other smart card systems, like EMV schemes or the digital tachograph system to name only a few, we can easily observe that cards and terminals are subject to conformance testing and security evaluation before any interoperability test is run. Moreover, the number of possible EAC passport options (selected cryptography and data group configurations) has simply become too high to handle the problem with passport samples only, and the internal status of these samples changes permanently during the tests.

Status of conformance testing

To achieve interoperability in border control systems, it is necessary to test not only passports but also inspection systems. The first test specifications concerning inspection systems were limited to lower levels.
The main specifications are BSI-TR03105 (Federal Office for Information Security, BSI) and RF protocol and application test standard for e-passports, Part 4 (International Civil Aviation Organization, ICAO). Both test specifications include tests of the electrical interface and the contactless ISO 14443 transmission protocol (layers 2-4).

In any inspection system, a number of different components have to undergo testing.

HJP Consulting 2010 Page 1 of 6
Currently, there is a test standard published by ICAO which defines tests for the electrical interface of the terminal and the contactless ISO 14443 transmission protocol. This technical report is referred to as part 3 of the e-passport test standard and is mainly based on the ISO 10373-6 standard for proximity cards. Working group 8 of ISO/SC17 revises ISO 10373-6 with the contents of this part 3.

Besides the electrical communication, it is necessary to ensure that the data page contents, especially the machine-readable zone, are correctly read by the terminal. Currently, there are no test specifications available to verify that the passport's data page conforms to the ICAO standard DOC 9303 or to verify that the optical reader correctly retrieves this information from a data page.

All these test specifications are insufficient since they can only guarantee that information is correctly exchanged between passport and reader. It is also necessary to verify that the terminal correctly uses the information exchanged. Thus, a test specification for the application of an inspection system is still missing in order to ensure interoperability.

The German BSI and Brussels Interoperability Group (BIG) have recognized this unresolved issue and put it on their agenda. A first version (1.0) of this test specification with more than 200 test cases was discussed at two BIG meetings in 2008. Currently, version 1.2 of TR 03105-5 is available as a complete redesign of the technical guidelines in version 2.0 at the BSI website.

General test concepts for inspection systems

The wide variety of inspection systems available for use in different scenarios constitutes the main obstacle to a common test specification. There are different types of systems with varying workflows on the market. Test specifications have to cover stand-alone inspection terminals, client-server architectures with centrally managed security as well as mobile inspection solutions.
Optical readers could be scanners, cameras or external swipe readers. And there could be an undefined number of external devices, backend and biometric verification systems connected to the system. The question therefore arises: is it practical to have one set of conformity tests for a diverse pool of inspection systems? We can overcome this problem by making the test model as generalized as possible and reusing concepts from existing test strategies where applicable.

First of all, we define the device under test. Due to several different inspection system designs, we have to create a functional model (as shown in figure 1) and define which of the functions should be subject to testing and which should not be considered because they do not contribute to interoperability.

The inspection application is regarded as the core of the inspection system which defines the functionality of the system, its internal workflow and user interaction. It also handles the inspection procedure itself. This procedure is a well-defined function according to the technical report TR 03110, which is fundamental to all new EU passports. We have to distinguish between:

- the standard inspection procedure (SIP), for BAC encoded passports, and
- the advanced inspection procedure (AIP), for EAC encoded passports.

In order to communicate with the e-passport, the inspection procedure makes use of the optical and electrical reading devices as well as a private key storage. It might have an optional test interface, which is used to automate the test procedures.

Figure 1: General functional model of an inspection system

The inspection application controls a man-machine interface which replicates the interaction with the border control officer. We assume the existence of such an interface because the system must somehow display to the officer the decision as to whether or not the passport is valid.
It might be connected to other systems such as biometric verification systems or backend databases, but these functions do not form part of the testing scope. With this model, we do not presume any specific architectural design or implementation.

The scope of conformance testing can now be narrowed to the functionality that is directly involved in the communication between the passport and the inspection system:

- The contactless reader (proximity coupling device) implementing communication layers 1 to 4. This device should conform to ISO 10373-6 and is functionally tested by the ICAO e-passport test standard, part 3.
- The inspection procedure implementing communication layers 6 and 7 specified by TR 03110. Tests are supposed to be specified by the Brussels Interoperability Group.
- Optical reading of the MRZ specified by DOC 9303. Tests for this interface will be specified by ISO/SC17/WG3.

All other features of the inspection system have to be tested, but not with respect to conformance to the standards and interoperability.

With this test approach, the test cases must be in line with the normal inspection procedure. Thus, tests cannot be performed command by command; the test cases always have to run through the whole inspection procedure. Consequently, tests have to be pure black-box tests.

For testing the inspection system, HJP follows the concept of an upper and lower tester as defined in ISO 10373-6 and enhances this concept to test the application layers. The test environment is illustrated in figure 2.

Figure 2: Enhanced ISO 10373-6 test environment
In this test environment, the test engineer starts a test case by placing a simulated passport, i.e. a data page with antenna, in the inspection system. The device under test performs a "normal" inspection procedure and sends commands to the simulated passport, which has been configured to fulfil the requirements of the selected test case. The simulator returns a well-defined response to the system. The observed result (passport valid or not) is entered by the tester into a test management system, which finally generates a test report. With this concept, it is also possible to formally verify the commands sent by the device for a further analysis. The BSI has introduced this test approach in their technical guideline TR-03105, part 5.

The essential part of the whole test approach is the passport simulator that can emulate different configurations and behaviour of passports. The concept described above is implemented by HJP Consulting in their product GT Prove IS. This test tool includes a hardware simulator based on Comprion's CLT one product and a complete implementation of all test cases from TR-03105, part 5. This simulator has become the central building block of the GlobalTester Prove IS test tool that provides conformance testing for passport inspection systems according to TR-03105, part 5.

The feasibility of the test approach had first been demonstrated at the Prague interoperability test event in 2008 using exactly GT Prove IS. The GT Prove IS has thus become the world's first conformance test tool for inspection systems.

Supporting system tests for border control and air travel procedures

The verification of e-passports will primarily take place at border control checkpoints of international sea, land and air borders. E-passports can only be beneficial if the encrypted information stored on the chip is also being read and verified.
This requires an interface to a local certification authority (CA), since the inspection system must know the country signing and document signing certificates for each particular e-passport to be able to verify validity and authenticity [1]. The amount of data needed and to be verified may depend on the actual application, e.g. may differ for check-in [2] compared to primary border control and secondary border control.

To ensure interoperability at border control points worldwide, ICAO has set a number of standards for e-passports and e-passport inspection systems. To ensure that inspection systems perform as required, whereby the handling of encrypted data is of specific concern, test standards for the testing of e-passport inspection systems are in place. HJP's test tools conduct all required conformance tests for inspection systems based on the latest ICAO/BSI test standards for the chip application, layer 6-7, which is the core component to verify next generation e-passports.

The test tool, GT Prove IS, can be very beneficial for system integrators in the field of border control and air travel security throughout the integration testing of inspection systems. It is specifically designed to test the e-passport application component of the inspection system, and thus to ensure interoperability towards the implementation into the overall border management or air travel security system.

The test tool from HJP is based on an open source approach. Besides the standard test cases provided for the inspection system, the system integrator can configure additional test procedures for layer 6-7 on the GT platform, using the Eclipse development environment, for other test routines that a particular border control or airport specific test standard requires.

[1] HJP published a comprehensive white paper which covers the processes for key management and certification exchange in detail. The document has been developed on behalf of ICAO ICBWG to promote the ICAO Public Key Directory and is called "A Primer on the ICAO Public Key Directory". The white paper can be downloaded from HJP's website at https://www.hjpconsulting.com/news.

[2] The use of e-passport data for other applications than border control may differ by country based on data protection laws.
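
The simulator-based test flow described under "General test concepts for inspection systems" (configured passport simulator, whole-procedure black-box run, observed verdict plus command trace) can be sketched as follows. This is an added example, not code from GT Prove IS or a test case from TR-03105; the class and function names and both stand-in terminals are hypothetical, and BAC/EAC and secure messaging are deliberately not modelled.

```python
from dataclasses import dataclass, field

SW_OK = bytes.fromhex("9000")             # ISO 7816-4: normal processing
SW_NOT_FOUND = bytes.fromhex("6A82")      # ISO 7816-4: file or application not found
SELECT_EMRTD = bytes.fromhex("00A4040C07A0000002471001")  # SELECT eMRTD application by AID
SELECT_EF_COM = bytes.fromhex("00A4020C02011E")           # SELECT EF.COM (file ID 011E)

@dataclass
class SimCase:                            # hypothetical structure, not taken from TR-03105
    name: str
    responses: dict                       # command APDU -> configured response
    expected_verdict: str                 # what the DUT must show the officer
    required_commands: list               # commands the DUT must send, in this order

@dataclass
class SimulatedPassport:
    case: SimCase
    trace: list = field(default_factory=list)

    def transmit(self, apdu: bytes) -> bytes:
        self.trace.append(apdu)           # keep every command for later analysis
        return self.case.responses.get(apdu, bytes.fromhex("6D00"))  # INS not supported

def evaluate(case: SimCase, sim: SimulatedPassport, observed: str) -> dict:
    """Compare the observed verdict and check the required commands appear in order."""
    remaining = iter(sim.trace)
    commands_ok = all(cmd in remaining for cmd in case.required_commands)
    verdict_ok = observed == case.expected_verdict
    return {"verdict_ok": verdict_ok, "commands_ok": commands_ok,
            "passed": verdict_ok and commands_ok}

def careful_dut(card) -> str:             # constructed stand-in for a real terminal
    if card.transmit(SELECT_EMRTD)[-2:] != SW_OK:
        return "invalid"
    return "valid" if card.transmit(SELECT_EF_COM)[-2:] == SW_OK else "invalid"

def careless_dut(card) -> str:            # constructed stand-in that ignores status words
    card.transmit(SELECT_EMRTD)
    card.transmit(SELECT_EF_COM)
    return "valid"

def run(case: SimCase, dut) -> dict:
    sim = SimulatedPassport(case)         # fresh simulator state for every test case
    return evaluate(case, sim, dut(sim))  # the whole procedure runs, never single commands

# Constructed test cases: one well-formed passport, one without EF.COM.
POSITIVE = SimCase("positive", {SELECT_EMRTD: SW_OK, SELECT_EF_COM: SW_OK},
                   "valid", [SELECT_EMRTD, SELECT_EF_COM])
NO_EF_COM = SimCase("missing EF.COM", {SELECT_EMRTD: SW_OK, SELECT_EF_COM: SW_NOT_FOUND},
                    "invalid", [SELECT_EMRTD, SELECT_EF_COM])
```

Both stand-in terminals pass the positive case; only the negative case separates them, which is why the simulator has to emulate faulty passport configurations and not just well-formed samples.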