2013 European Intelligence and Security Informatics Conference

Towards e-Passport Duplicate Enrolment Check in the European Union

Moazzam Butt*, Sandra Marti†, Alexander Nouak*, Jörg Köplin‡, R. Raghavendra§ and Guoqiang Li§
* Fraunhofer Institute for Computer Graphics Research IGD, Germany. Email: [email protected]
† Thales Communications and Security, France
‡ Bundespolizei, Germany
§ Gjøvik University College, Norway

978-0-7695-5062-6/13 $26.00 © 2013 IEEE. DOI 10.1109/EISIC.2013.64

Abstract—Automated border control gates are increasingly deployed at airports to smooth border crossings with reduced manpower and more convenience for the passenger. To use these gates the traveler must present an electronic passport (e-Passport or biometric passport). Much effort has gone into improving the security of the border infrastructure and into adding security features to the passport itself. The weakest point of the passport issuance process, however, is the enrolment step for the passport applicant, which includes verifying the authenticity of breeder documents and the duplicate enrolment check. The goal of the duplicate enrolment check is to prevent the issuance of duplicate illegal passports that may contain fake identities. A solution to this problem has to be flexible and precise if it is meant for large-scale deployment and eventual standardization. This paper describes how a duplicate enrolment check can be realized securely between European Union member states using distributed databases of alphanumeric data and multiple biometric modalities.

Keywords: automated border control, e-Passport, cryptography, identity, biometrics, duplicate enrolment check.

I. INTRODUCTION

Passports are designed to be secure enough to resist falsification and counterfeiting. The issuance process itself, however, is not reliable because of open challenges in breeder document authenticity and in the duplicate enrolment check (DEC). The duplicate enrolment check is the process of checking an applicant's identity in an attempt to find another illegal passport application, or an already issued passport obtained by misuse of that identity (ID theft), at a different time or in a different country. DEC relies on identification (1-to-many comparison), that is, the comparison of the applicant's alphanumeric and biometric data against the reference alphanumeric and biometric data stored in the member states' citizen passport databases. DEC has to be seen as a future functionality because, as of this writing, not all member states (MS's) have centralized or distributed citizen databases. This paper is based on the following hypotheses for the future:
• Each member state has a citizen passport database containing alphanumeric and biometric data.
• Member states agree to communicate the data of their applicants to process a DEC.
• DEC is done on civil databases, that is, not on databases of wanted people (black lists, watch lists) or criminal databases.

In the following, Section II outlines the proposed cross MS-DEC system architecture. In Section III, the proposed DEC web services along with their data types and formats are explained. Section IV contains the security aspects of the DEC communication. Finally, the paper highlights the open challenges, followed by conclusions.

II. CROSS MS-DEC SYSTEM

The proposed architecture model of the cross MS-DEC system is shown in Fig. 1.

Fig. 1. Architecture model of cross-MS DEC system

The DEC system is composed of multiple entities located in different member states. For clarity, we divide the member states involved in our system into two kinds: native MS and foreign MS. The citizen files his e-Passport application in the native MS; a foreign MS is any MS other than the native MS. Note that a citizen who applies for an e-Passport should be checked for duplicate enrolment in all foreign MS's as well as in the native MS. The entities of the system can be described as follows:
• Enrolment Station (ES): Interface to the end users (passport issuance authority and passport applicant) to collect the application request, to perform breeder document authentication and to forward the applicant's case to the native member state back office. The enrolment station is not involved in the DEC process.
• Native MS Back Office (Native MSBO): Passport issuance authority office at the native MS that runs a search system via a web server to perform a DEC on the alphanumeric and biometric databases located inside the MS. If no duplicate is found, the native MSBO sends a DEC request to the foreign MSBO's.
• Foreign MS Back Office (Foreign MSBO): Passport issuance authority office located at any foreign MS that performs a DEC via a web server on the foreign alphanumeric and biometric databases. Once the DEC is finished, it sends a found or not-found message to the native MSBO. The native MSBO then takes the final decision, after defined checks, whether a passport is to be issued or not. Note that the DEC is asynchronous: alphanumeric and biometric comparisons are not done in real time, mainly because of the huge size of the MS citizen databases (several tens of millions of records). Once the enrolment process is complete, the applicant collects his personalized e-Passport from the Enrolment Station.

III. DEC WEB SERVICES

For DEC deployment, we propose two kinds of web services [1], as shown in Fig. 2.
• DEC request web service: sends the alphanumeric and biometric data of the applicant as a DEC request to the foreign MSBO.
  ◦ The foreign MS provides an interface for the native MS to request a DEC.
  ◦ One DEC request is made for each applicant and for each chosen foreign MS.
  ◦ A DEC request contains the applicant's biometric data (face, fingerprints, iris (optional)) in a format compliant with ISO/IEC 19794 [2] and alphanumeric data (name, surname, date of birth, gender, nationality) in an interoperable format.
• DEC response web service: provides the result back to the native MSBO.
  ◦ The native MS provides an interface for the foreign MS to send a DEC response.
  ◦ Each foreign MS sends one DEC response for each applicant.
  ◦ A DEC response contains the duplicate search result: only hit or no-hit information. No profile of duplicate candidates is sent, in order to preserve privacy in case of a hit.

Fig. 2. DEC web services

Biometric recognition is never perfectly accurate because of intra-class variance and inter-class similarities in biometric data. Errors in biometric recognition are quantified in terms of false accept rate and false reject rate (called false match rate and false non-match rate, respectively, in [5]). To overcome these limitations of biometric performance, alphanumeric data can be used to check whether a person detected as a biometric duplicate by the system is also an alphanumeric duplicate; this would confirm the duplicate enrolment check result. Similarly, the fusion of multiple biometric modalities will overcome errors that may otherwise arise from the use of a single modality such as face or fingerprint. We propose that the multi-biometric search is done first, followed by the alphanumeric search. This order reduces processing time: multi-biometric fusion [6] decreases the number of false matches, and the number of false matches can then be reduced further by the alphanumeric check based on indexing. The remaining false matches may be reduced manually by visual inspection. After this manual check (visual inspection) the foreign MS should provide a reliable decision for each candidate: hit (true positive) or no-hit (false positive). Once every candidate has been analyzed by manual check, the foreign MS can give a reliable binary answer to the native MS for each DEC request.

Each member state is assumed to have multiple databases owned by different entities, for example databases of face templates, fingerprint templates and alphanumeric data of citizens against which the duplicate check has to be performed. These databases may also have different access rules, as they may be operated by different entities following different security and privacy restrictions. Because the biometric databases are distributed, the results of the duplicate checks performed on them are fused to obtain the final DEC response.

A. Data types and formats

Two types of data are proposed to be used in the DEC process: alphanumeric data and biometric data.

Alphanumeric data is composed of attributes such as name, surname, date of birth, gender and nationality. The language of these alphanumeric attributes is considered to be English. As citizens of different member states may have names written in different characters, it becomes challenging to find a duplicate enrolment when a person whose name is originally written in the English alphabet applies for a second passport with another name in a different language. On the other hand, two persons in different countries may have the same name with slightly different spellings. In such cases alphanumeric data is not enough to perform a duplicate enrolment check, hence the biometric data of the persons is also used to detect duplicates.

Biometric data is considered to come from multiple biometric modalities: face and fingerprints are currently mandatory samples for an applicant to enrol when applying for an e-Passport, and iris may be included in future e-Passports too. Standards regarding the biometric data interchange format [2], biometric liveness (spoof) detection [3] and the quality of acquired biometric samples [4] are nevertheless important and must be considered for good performance of a large-scale interoperable DEC system.

TABLE I. BIOMETRIC DATA INTERCHANGE FORMATS

Biometric modality | Number   | Interchange format | Compression
Fingerprints       | Up to 10 | ISO/IEC 19794-4    | WSQ recommended
Face               | 1        | ISO/IEC 19794-5    | JPEG2000 recommended
Iris (optional)    | Up to 2  | ISO/IEC 19794-6    | JPEG2000 recommended
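The following Go program, added here and not part of the paper, applies the constraints of Table I to an incoming DEC request: every sample must declare a known modality and the matching ISO/IEC 19794 part, the sample counts must stay within the table's limits, face and fingerprints must be present, and a compression other than the recommended one is only reported as a warning. The DECRequest and Sample types, the CaseID field and the advisory treatment of compression are assumptions of the example, not formats defined by the paper.

```go
package main

import "fmt"

// rule mirrors one row of Table I: ISO/IEC 19794 part, recommended compression and
// maximum sample count; face and fingerprints are mandatory, iris is optional.
type rule struct {
	part, compression string
	max               int
	mandatory         bool
}

var tableI = map[string]rule{
	"fingerprints": {"ISO/IEC 19794-4", "WSQ", 10, true},
	"face":         {"ISO/IEC 19794-5", "JPEG2000", 1, true},
	"iris":         {"ISO/IEC 19794-6", "JPEG2000", 2, false},
}

// Sample is one encoded biometric sample of a DEC request (payload omitted here).
type Sample struct{ Modality, Format, Compression string }

// DECRequest holds the interoperable alphanumeric attributes and the samples;
// CaseID is an assumed native-MS case reference, not a field named in the paper.
type DECRequest struct {
	CaseID, Name, Surname, DateOfBirth, Gender, Nationality string
	Samples                                                 []Sample
}

// ValidateRequest enforces the hard constraints of Table I (known modality, matching
// interchange format, sample count, mandatory modalities present); a sample that
// deviates from the recommended compression is only reported as a warning.
func ValidateRequest(req DECRequest) (warnings []string, err error) {
	count := map[string]int{}
	for _, s := range req.Samples {
		r, ok := tableI[s.Modality]
		switch {
		case !ok:
			return nil, fmt.Errorf("unknown modality %q", s.Modality)
		case s.Format != r.part:
			return nil, fmt.Errorf("%s sample uses %s, expected %s", s.Modality, s.Format, r.part)
		case count[s.Modality] >= r.max:
			return nil, fmt.Errorf("more than %d %s samples", r.max, s.Modality)
		case s.Compression != r.compression:
			warnings = append(warnings, s.Modality+": "+r.compression+" recommended, got "+s.Compression)
		}
		count[s.Modality]++
	}
	for m, r := range tableI {
		if r.mandatory && count[m] == 0 {
			return nil, fmt.Errorf("mandatory modality %s missing", m)
		}
	}
	return warnings, nil
}

func main() {
	req := DECRequest{CaseID: "case-0001", Name: "Jane", Surname: "Doe", Samples: []Sample{
		{"face", "ISO/IEC 19794-5", "JPEG"}, {"fingerprints", "ISO/IEC 19794-4", "WSQ"}}} // constructed
	fmt.Println(ValidateRequest(req)) // one compression warning for the face sample, no error
}
```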
In the following, we give the details of the data types and formats of the two proposed web services.
• For a DEC request from native MS to foreign MS: The duplicate enrolment check process implies data transmission from the native MS to the foreign MS. Data here means the applicant's data: alphanumeric data to run the alphanumeric search and biometric data to run the biometric search. The biometric data sent from the native MS to the foreign MS can be of different types: images or templates (features). Templates can be of two types: features extracted by the native MS with its own extractor module, or features extracted by the native MS with the foreign MS's extractor module. Whether images or templates, the biometric data should comply with the ISO/IEC 19794 [2] standards to ensure interoperability. Both have advantages and drawbacks:
  ◦ Images: Advantage: each modality has an ISO/IEC 19794 format for images, contrary to templates. Drawback: images here means compressed images (for instance WSQ for fingerprints), and compression slightly decreases recognition performance.
  ◦ Templates generated by the native MS feature extractor: Advantage: features are extracted from raw images. Drawback: this solution decreases recognition performance because the produced template will not contain the proprietary fields that the foreign MS could use to enhance recognition performance.
  ◦ Templates generated by the foreign MS feature extractor: Advantage: this solution provides interoperable biometric data with optimal recognition performance, because the produced templates contain the proprietary fields that the foreign MS can use to enhance recognition performance. Drawback: each foreign MS has to provide its own feature extractor module to the native MS. The native MS then has to extract features with each foreign MS's extractor and send each produced template to the appropriate foreign MS.
  For the first version of the duplicate enrolment check we propose to use biometric images, because it is the simplest solution.
• For a DEC response from foreign MS to native MS: The outputs of the alphanumeric and biometric searches are lists of candidates, mainly due to false positives, because recognition algorithms are never perfectly accurate. In order to ensure privacy, the list of candidates with its associated data should not be sent back. To handle this problem, the foreign MS should analyze the list of candidates using a manual check module at its back office. After this manual check (visual inspection) the foreign MS should then provide a decision for each candidate: hit or no-hit. The DEC response is composed of only this binary hit or no-hit decision.

IV. SECURITY FOR CROSS-MS DEC COMMUNICATION

For the architecture described above to function, the applicant's data has to be transmitted from the native MS to the foreign MS for the purpose of DEC. Applicant data is considered personal data as defined in Directive 95/46/EC [7]. Personal data is also covered by the right to privacy under Article 8 ECHR [8]. To exchange data securely, we propose that member states communicate with each other over a virtual private network (VPN) [9]. Cross-MS communications are run through web services, so web service transactions must be secured. The security of the applicant's data is implemented by the following mechanisms:
• Secured data separation principle: The data is separated into different parts (alphanumeric, fingerprints, face and iris (optional)), stored separately in different databases, and only the appropriate MS can reconstruct the full record. This also prevents an attacker from establishing the identity of a person from his biometric data alone. The secured data separation mechanism is implemented in two steps.
  ◦ Step 1 - Data serialization to create identifiers: The alphanumeric data contains an identifier that links to the biometric data of the applicant, as shown in Fig. 3. These identifiers are hashed to ensure integrity and are encrypted before storage. The encryption technique is based on asymmetric cryptography [10]: a pair of keys is used to encrypt and decrypt the links between data, and only the owner of the private key is able to decrypt the encrypted data and reconstruct the full record. The key pair is stored in a hardware security module (HSM) [11] hosted by the native and the foreign MSBO. A hardware security module provides physical and logical protection for digital key management. The key pairs used for encryption are sensitive data and therefore have to be protected (especially the private keys); the HSM protects these cryptographic keys. The private keys are stored on the device and cannot be exported, so an operation requiring a private key cannot be done without the HSM. Each member state should host at least one HSM to store its cryptographic keys.
  ◦ Step 2 - Data encryption (secure links are created by encrypting the identifier): Encryption is done with different public keys for the link between alphanumeric data and face data, the link between alphanumeric data and fingerprint data, and the link between alphanumeric data and iris data. Then the data itself is encrypted to ensure confidentiality. These keys, which are contained in a certificate, are issued and should be managed by a trusted public-key infrastructure. An additional fixed initialization vector is used to encrypt the keys used for the secured data separation mechanism.

Fig. 3. Identifier between alphanumeric and biometric data

Fig. 4. Network infrastructure for cross-MS DEC communication

Fig. 5. Data security mechanism
• Data separation for data transmission: Each type of data is transmitted separately, so four authentication phases are performed and four different secure-channel encryption keys are generated. At least four TLS/SSL [10] channels, as shown in Fig. 4, are created to transfer one complete DEC request:
  ◦ One channel is dedicated to alphanumeric data transfer.
  ◦ One channel is dedicated to face data transfer.
  ◦ One channel is dedicated to fingerprint data transfer.
  ◦ One channel is dedicated to iris data transfer (optional).
  Once the data has been sent and an acknowledgement has been received, the communication is closed.
• Digital signature: the data is digitally signed to ensure integrity and source identity, as shown in Fig. IV.

V. CONCLUSION AND FUTURE WORK

This paper presents how a DEC can be realized securely among member states that have distributed databases. In future work, the specifications of the proposed web services and the design of privacy-preserving biometric and alphanumeric search algorithms will be explained. Common guidelines for all MS's regarding biometric sample quality, biometric comparison and the key management infrastructure that ensures wide deployment of the proposed system will be outlined. Biometric recognition is never perfectly accurate, so a use case minimizing the required number of manual checks and minimizing network flows will be part of future work.

ACKNOWLEDGMENT

This work is carried out under the funding of the EU-FP7 FIDELITY large-scale integrating project (Grant No. SEC2011-284862). The authors would like to thank their colleagues who gave their valuable time in reviewing the paper.

REFERENCES

[1] ISO/IEC TC, ISO/IEC 30108-1 Biometric Identity Assurance Services (BIAS), International Organization for Standardization and International Electrotechnical Committee. [Online]. Available: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=bias
[2] ISO/IEC TC JTC1 SC37 Biometrics, ISO/IEC 19794: Information technology – Biometric data interchange formats, International Organization for Standardization and International Electrotechnical Committee.
[3] ISO/IEC TC JTC1 SC37 Biometrics, ISO/IEC WD4 30107: Information technology – Biometrics – Presentation attack detection, International Organization for Standardization and International Electrotechnical Committee.
[4] ISO/IEC TC JTC1 SC37 Biometrics, ISO/IEC 29794-1:2009, Information technology – Biometric sample quality – Part 1: Framework, International Organization for Standardization and International Electrotechnical Committee, 2009.
[5] ISO/IEC TC JTC1 SC37 Biometrics, ISO/IEC 2382-37:2012, Information technology – Vocabulary – Part 37: Biometrics, International Organization for Standardization and International Electrotechnical Committee, Dec. 2012.
[6] L. Allano, S. Garcia-Salicetti and B. Dorizzi, "Tuning cost and performance in multi-biometric systems: A novel and consistent view of fusion strategies based on the Sequential Probability Ratio Test (SPRT)," Pattern Recognition Letters, vol. 31, no. 9, July 2010.
[7] European Parliament, "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data," Oct. 1995. [Online]. Available: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
[8] European Convention on Human Rights, Dec. 1950. [Online]. Available: http://www.echr.coe.int/ECHR/EN/Header/Basic+Texts/The+Convention+and+additional+protocols/The+European+Convention+on+Human+Rights/
[9] Virtual Private Networking: An Overview. [Online]. Available: http://technet.microsoft.com/en-us/library/bb742566.aspx
[10] V. Gupta, D. Stebila, S. Fung, S. Chang, N. Gura and H. Eberle, "Speeding up secure web transactions using elliptic curve cryptography," 2004.
[11] Thales e-Security Inc., Hardware security module, 2013. [Online]. Available: http://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules