ePassportAPI
A Standard Interface for Electronic Machine Readable Travel Documents

Benefits:
» Accredited evaluation laboratory
» Comprehensive know-how in the fields of electronic passport and biometrics
» Vendor-independence
In the new generation of electronic machine readable travel documents (eMRTDs), an RFID chip is embedded which contains personal identity and biometric information. Data integrity, authenticity and confidentiality have to be ensured. The realisation of suitable security mechanisms requires different cryptographic algorithms in combination with several types of key and certificate storage. eMRTDs are accessed using RFID-capable reading devices.

To reduce the complexity and diversity of the reading process, the ePassportAPI provides a vendor-independent and easy-to-use standard interface to eMRTDs. The application interface comprises three main parts: the Passport Interface, the Data Group Interface and the Biometric Data Interface.

Passport Interface
The passport interface provides functions to perform all security mechanisms and to retrieve the electronically stored data on the chip. The ePassportAPI supports both the security mechanisms defined by the ICAO and those defined by the EU. The latter regulations refer to the Extended Access Control (EAC) mechanisms, which specify the access to sensitive biometric data.

To get direct access to all Data Groups stored on the chip, the following security mechanisms have to be performed first. The data are provided in raw binary form, which makes further handling much easier: data can either be forwarded to another related system or further processed using the ePassportAPI Data Group Interface.

The passport interface supports the following mechanisms:
▀ Passive Authentication (PA)
» Certificate chain validation (CSCA, DS)
» Certificate Revocation List check
» RSA with SHA-1, SHA-224 and SHA-256
» RSA PSS, RSA PKCS#1
» ECDSA with SHA-1, SHA-224 and SHA-256
▀ Active Authentication (AA)
» RSA
» ECDSA
▀ Basic Access Control (BAC)
» Two-line MRZ
» Three-line MRZ for ID cards
▀ Extended Access Control (EAC) Version 1.11
» Chip Authentication (DH and ECDH)
» Terminal Authentication (RSA and ECDSA)
» Handling of CVCA Link Certificates for eMRTD trust point update
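As an added illustration (not code from the ePassportAPI or from secunet), the following Python shows what the BAC support for two-line and three-line MRZs listed above involves: the inspection system derives the BAC key seed and the Kenc/Kmac keys from the MRZ fields as specified in ICAO Doc 9303 Part 11. The function names are hypothetical and the two sample MRZs are constructed; they carry the ICAO worked-example field values in both layouts so that both derive the same keys.

```python
import hashlib
# Hypothetical helper code, not part of the ePassportAPI: BAC key derivation from the
# MRZ per ICAO Doc 9303 Part 11, for the two-line (TD3, passport) and three-line
# (TD1, ID card) MRZ layouts.

def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1; digits as-is, A..Z = 10..35, '<' = 0."""
    total = 0
    for i, ch in enumerate(field):
        value = int(ch) if ch.isdigit() else 0 if ch == "<" else ord(ch) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(lines: list[str]) -> str:
    """Document number, date of birth and date of expiry, each with its check digit."""
    if len(lines) == 2:    # TD3: all three fields sit on line 2
        doc, dob, exp = lines[1][0:10], lines[1][13:20], lines[1][21:28]
    elif len(lines) == 3:  # TD1: document number on line 1, both dates on line 2
        doc, dob, exp = lines[0][5:15], lines[1][0:7], lines[1][8:15]
    else:
        raise ValueError("MRZ must have two or three lines")
    for field in (doc, dob, exp):  # reject a misread MRZ before deriving keys from it
        if mrz_check_digit(field[:-1]) != int(field[-1]):
            raise ValueError(f"check digit mismatch in MRZ field {field!r}")
    return doc + dob + exp

def adjust_parity(key: bytes) -> bytes:
    """Set each byte's low bit so the byte has odd parity, as DES key bytes require."""
    return bytes((b & 0xFE) | int(bin(b >> 1).count("1") % 2 == 0) for b in key)

def bac_kseed(lines: list[str]) -> bytes:
    """Kseed = the first 16 bytes of SHA-1(MRZ_information)."""
    return hashlib.sha1(mrz_information(lines).encode("ascii")).digest()[:16]

def derive_bac_keys(lines: list[str]) -> tuple[bytes, bytes]:
    """Kenc, Kmac = parity-adjusted SHA-1(Kseed || c)[:16] with c = 00000001 / 00000002."""
    kseed = bac_kseed(lines)
    kenc, kmac = (hashlib.sha1(kseed + c.to_bytes(4, "big")).digest()[:16] for c in (1, 2))
    return adjust_parity(kenc), adjust_parity(kmac)

# Constructed sample MRZs carrying the ICAO 9303 worked-example fields
# (document number L898902C<, date of birth 690806, expiry 940623) in both layouts.
TD3_MRZ = ["P<UTOERIKSSON<<ANNA<MARIA" + "<" * 19,
           "L898902C<3UTO6908061F9406236" + "<" * 14 + "02"]
TD1_MRZ = ["I<UTOL898902C<3" + "<" * 15, "6908061F9406236UTO" + "<" * 11 + "2",
           "ERIKSSON<<ANNA<MARIA" + "<" * 10]

if __name__ == "__main__":
    kenc, kmac = derive_bac_keys(TD3_MRZ)
    print("Kenc", kenc.hex().upper(), "Kmac", kmac.hex().upper())
```

The check-digit verification matters operationally: an optically misread MRZ yields wrong keys and a failed BAC, so catching it before the chip is contacted saves a round of retries.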
Data Group Interface
The data elements on the chip are coded according to the ICAO LDS specification. The Data Group Interface allows detailed access to the individual elements stored inside each data group. Specific access functions are available for the following data groups:
▀ Data Group 1 (Machine Readable Zone)
▀ Data Group 2 (Facial Image)
▀ Data Group 3 (Fingerprint Image)
▀ Data Group 4 (Iris Image)
▀ Data Group 11 (Additional Personal Details)
▀ Data Group 12 (Additional Document Details)
▀ Data Group 14 (Security Infos for EAC)
▀ Data Group 15 (Active Authentication Info)

For the biometric features the Data Group Interface delivers the following elements according to the CBEFF standard published by ISO:
▀ Biometric Information Template (BIT)
▀ Biometric Header Template (BHT)
▀ Biometric Data Block (BDB)

The Biometric Header Template contains additional information, while the Biometric Data Block holds the coding of the actual biometric feature. Further processing of the biometric data is possible using the Biometric Data Interface.

Biometric Data Interface
The Biometric Data Interface supports biometric data blocks encoded according to the following standards:
▀ ISO 19794-4 (Fingerprint image)
▀ ISO 19794-5 (Facial image)
▀ ISO 19794-6 (Iris image)

It provides access to the current biometric image as well as further information related to the biometric features, such as colour of hair or eyes and facial feature points.

The main ePassportAPI functionality is extended by two further components:

Crypto Library
Many functions of the ePassportAPI are based on a secure and stable implementation of the cryptographic algorithms, e.g. Passive Authentication including the certificate validation. For each specific need, several implementations of such cryptographic algorithms are available, which differ in their level of trust and transparency.

Reader Module
The ePassportAPI accesses the chip inside the ePassport using RFID reading devices. Currently there is a wide range of readers available on the market; specific organisational requirements determine the type of reader. They differ in structural shape and functional capabilities. The ePassportAPI therefore defines a standard interface which supports all PC/SC-compliant readers as well as many proprietary readers.

Security mechanisms often require the management of cryptographic keys. These keys can be stored either locally or remotely, which means the use of HSMs or Public Key Servers is of special interest.

ISPKI Interface
Access to sensitive biometric data is based on Terminal Authentication (EAC), which requires secure storage of the private key. An appropriate solution depends to a large extent on environmental factors such as legal and/or organisational restrictions. The API supports a flexible interface for the EAC-specific PKI functions, which enables easy adaptation to individual scenarios. Within this scope the so-called ISPKI Interface was defined: it works independently of the storage location, i.e. it supports private key storage on a smart card as well as storage within an HSM. secunet offers a set of existing solutions for the implementation of the ISPKI interface.

Supported Development Environments
The entire ePassportAPI C++ implementation is modularly designed and therefore suitable for many different platforms, including mobile devices. There is just one condition: the necessary reader device drivers have to be available. The standard versions of the ePassportAPI are available for Microsoft Visual Studio 2003/2005/2008. Java and .NET interfaces are available on request.
More information: www.secunet.com/en/eID

secunet Security Networks AG
Kronprinzenstraße 30
45128 Essen, Germany
Phone: +49 201 5454-0
Fax: +49 201 5454-1000
E-mail: info@secunet.com
www.secunet.com
ePA_V 1_02 / 10_GB