
A Standard Interface for Electronic Machine Readable Travel Documents

» Accredited evaluation
» Comprehensive know-how in the fields of electronic passport and biometrics
» Vendor-independence

In the new generation of electronic machine readable travel documents (eMRTDs) an RFID chip is embedded which contains personal identity and biometric information. Data integrity, authenticity and confidentiality have to be ensured.

The realisation of suitable security mechanisms requires different cryptographic algorithms in combination with several types of key and certificate storage. eMRTDs are accessed using RFID-capable reading devices.

To reduce the complexity and diversity of the reading process, the ePassportAPI provides a vendor-independent and easy-to-use standard interface to eMRTDs. The application interface comprises three main parts:

Passport Interface
The passport interface provides functions to perform all security mechanisms and to retrieve the electronically stored data on the chip. The ePassportAPI supports both the security mechanisms defined by the ICAO and those defined by the EU. The latter refer to the Extended Access Control (EAC) mechanisms, which govern access to sensitive biometric data.

To get direct access to all Data Groups stored on the chip, the following security mechanisms have to be performed first. The data are provided in raw binary form, which makes further handling much easier: data can either be forwarded to another related system or processed further using the ePassportAPI Data Group Interface.

The passport interface supports the following mechanisms:

▀ Passive Authentication (PA)
  » Certificate chain validation (CSCA, DS)
  » Certificate Revocation List check
  » RSA with SHA-1, SHA-224 and SHA-256
  » RSA PSS, RSA PKCS#1
  » ECDSA with SHA-1, SHA-224 and SHA-256

▀ Active Authentication (AA)
  » RSA
  » ECDSA

▀ Basic Access Control (BAC)
  » Two-line MRZ
  » Three-line MRZ for ID cards

▀ Extended Access Control (EAC) Version 1.11
  » Chip Authentication (DH and ECDH)
  » Terminal Authentication (RSA and ECDSA)
  » Handling of CVCA link certificates for eMRTD trust point update
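The two MRZ layouts listed under Basic Access Control differ only in where the document number, date of birth and date of expiry sit; the ICAO 9303 BAC keys are derived from exactly those three fields and their check digits, which is why BAC offers no more secrecy than the MRZ itself. The following is an added example, not code from the ePassportAPI: it extracts and verifies the fields from a two-line (TD3) and a three-line (TD1) MRZ and derives K_seed, K_enc and K_mac. The sample MRZ lines are constructed; the document number, dates and check digits follow the ICAO 9303 BAC worked example.

```python
import hashlib

# ICAO 9303 check digit: weights 7, 3, 1 repeat; digits count as themselves,
# letters A-Z as 10-35 and the filler '<' as 0.
def char_value(c: str) -> int:
    if c.isdigit():
        return int(c)
    return 0 if c == "<" else ord(c) - ord("A") + 10

def check_digit(field: str) -> int:
    return sum(char_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def mrz_information(lines):
    """Document number, date of birth and date of expiry (each with check digit)
    from a TD3 or TD1 MRZ; check digits are verified first so a misread MRZ
    fails here instead of surfacing later as an opaque BAC failure."""
    if len(lines) == 2:              # TD3 passport: all three fields are in line 2
        l2 = lines[1]
        fields = (l2[0:10], l2[13:20], l2[21:28])
    elif len(lines) == 3:            # TD1 ID card: number in line 1, dates in line 2
        l1, l2 = lines[0], lines[1]
        fields = (l1[5:15], l2[0:7], l2[8:15])
    else:
        raise ValueError("MRZ must have two or three lines")
    for f in fields:
        if check_digit(f[:-1]) != int(f[-1]):
            raise ValueError(f"check digit mismatch in MRZ field {f!r}")
    return "".join(fields)

def adjust_parity(key: bytes) -> bytes:
    # 3DES key bytes carry odd parity in the least significant bit
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)

def bac_keys(lines):
    """K_seed = SHA-1(MRZ_information)[:16]; K_enc/K_mac via the 9303 KDF."""
    k_seed = hashlib.sha1(mrz_information(lines).encode("ascii")).digest()[:16]
    k_enc = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_seed, k_enc, k_mac

# Constructed sample MRZs (not real documents); number, dates and check
# digits follow the ICAO 9303 BAC worked example, so both derive equal keys.
TD3_MRZ = ["P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<",
           "L898902C<3UTO6908061F9406236<<<<<<<<<<<<<<02"]
TD1_MRZ = ["I<UTOL898902C<3<<<<<<<<<<<<<<<",
           "6908061F9406236UTO<<<<<<<<<<<2",
           "ERIKSSON<<ANNA<MARIA<<<<<<<<<<"]
```

`bac_keys(TD3_MRZ)` and `bac_keys(TD1_MRZ)` return the same triple, showing that the layout handling is purely a field-extraction concern.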

Data Group Interface
The data elements on the chip are coded according to the ICAO LDS specification. The Data Group Interface allows detailed access to the individual elements stored inside each data group. Specific access functions are available for the following data groups:

▀ Data Group 1 (Machine Readable Zone)
▀ Data Group 2 (Facial Image)
▀ Data Group 3 (Fingerprint Image)
▀ Data Group 4 (Iris Image)
▀ Data Group 11 (Additional Personal Details)
▀ Data Group 12 (Additional Document Details)
▀ Data Group 14 (Security Infos for EAC)
▀ Data Group 15 (Active Authentication Info)

For the biometric features the Data Group Interface delivers the following elements according to the CBEFF standard published by ISO:

▀ Biometric Information Template (BIT)
▀ Biometric Header Template (BHT)
▀ Biometric Data Block (BDB)

The Biometric Header Template contains additional information, while the Biometric Data Block holds the encoding of the actual biometric feature. Further processing of the biometric data is possible using the Biometric Data Interface.

Biometric Data Interface
The Biometric Data Interface supports biometric data blocks encoded according to the following standards:

▀ ISO 19794-4 (Fingerprint image)
▀ ISO 19794-5 (Facial image)
▀ ISO 19794-6 (Iris image)

It provides access to the current biometric image as well as further information related to the biometric features, such as hair or eye colour and facial feature points.

The main ePassportAPI functionality is extended by two further components:

Crypto Library
Many functions of the ePassportAPI are based on a secure and stable implementation of the cryptographic algorithms, e.g. Passive Authentication including the certificate. For each specific need several implementations of such cryptographic algorithms are available, which differ in their level of trust and transparency.

Reader Module
The ePassportAPI accesses the chip inside the ePassport using RFID reading devices. Currently there is a wide range of readers available on the market; specific organisational requirements determine the type of reader. They differ in physical shape and functional capabilities. The ePassportAPI therefore defines a standard interface which supports both all PC/SC-compliant readers and many proprietary readers.

Security mechanisms often require the management of cryptographic keys. Those keys can be stored either locally or remotely, which is why the use of HSMs or public key servers is of special interest.

ISPKI Interface
Access to sensitive biometric data is based on Terminal Authentication (EAC), which requires secure storage of the private key. An appropriate solution depends to a large extent on environmental factors such as legal and/or organisational restrictions. The API supports a flexible interface for the EAC-specific PKI functions, which enables easy adaptation to individual scenarios. Within this scope the so-called ISPKI Interface was defined: it works independently of the storage location, i.e. it supports private key storage on a smart card as well as within an HSM. secunet offers a set of existing solutions for implementing the ISPKI interface.

Supported Development Environments
The entire ePassportAPI C++ implementation is modularly designed and therefore suitable for many different platforms including mobile devices. There is just one condition: the necessary reader device drivers have to be available. The standard versions of the ePassportAPI are available for Microsoft Visual Studio 2003/2005/2008. Java and .NET interfaces are available on request.

More information: www.secunet.com/en/eID

secunet Security Networks AG
Kronprinzenstraße 30
45128 Essen, Germany
Phone: +49 - 201- 54 54 - 0
Fax: +49 - 201- 54 54 -1000
E-mail: info@secunet.com

ePA_V 1_02 / 10_GB