Highly secure storage in Identity Documents

Low-complexity, easy-to-integrate and cost-effective Match-on-Card

Eliminate privacy and security concerns in biometric deployment

Machine Readable Travel Document (MRTD)

Machine Readable Travel Documents (MRTDs), such as ePassports or national ID cards, are documents that contain a smartcard holding essential information about the document holder, including biographic data and biometric information such as facial and fingerprint images. The International Civil Aviation Organization (ICAO) specifies the general layout of MRTDs in Document 9303, including the Logical Data Structure (LDS) in the smartcard.

Security measures in MRTDs do not meet today’s requirements for availability, security and privacy

The information in the LDS is protected using a variety of security measures.

  • Passive Authentication (PA) allows the document reader to verify if the LDS content is authentic and unmodified.
  • Basic Access Control (BAC) protects the communication between the MRTD and the document reader.
  • Extended Access Control (EAC) is a Public Key Infrastructure that makes use of a Public Key Directory and is intended to protect the biometric information stored in data groups 3 and 4.

Implementing and maintaining EAC with a public key directory is very complex: individual countries must keep the directory updated, and document readers must regularly download certificates. Especially in countries with limited connectivity and in remote locations, the proper use of this approach is likely to fail.

In addition to the EAC complexity, MRTDs release the biometric information in the form of a fingerprint image. The fingerprint image is required for biometric matching, which leaves this privacy-sensitive information vulnerable to misuse such as identity fraud.

Fit in Existing Process

GenKey’s BioHASH® solution protects the biometric information using a cryptographic hash function. This avoids the maintenance-intensive EAC while still benefiting from security mechanisms like Passive Authentication and Basic Access Control. Within the LDS, data group 13 is reserved as a field to store optional information like a BioHASH® template. During the registration process, in which a citizen applies for an MRTD, the fingerprints are captured and stored in data group 3. Depending on the country, this data group is protected with EAC. In the same enrollment process, the BioHASH® template can be derived from the same finger and stored in data group 13. From that moment on, without changing the enrollment infrastructure and workflow, it is possible to perform a biometric verification using the BioHASH® template stored in the MRTD.

Benefits

  • Backward compatibility with existing MRTD processes: The BioHASH® template can be integrated with any MRTD in an ICAO-compliant and backward-compatible manner, without changing the enrollment infrastructure and procedure.
  • Low-complexity and off-line solution: The BioHASH® template in data group 13 can be used as a full replacement of Extended Access Control, especially for developing countries with limited connectivity. Without a complex public key infrastructure, terminals are able to verify the biometric identity of the cardholder without any connectivity requirements.
  • Biometric verification beyond border control: In countries that want to comply with international agreements to deploy EAC (like the European Union), the storage of BioHASH® templates in data group 13 can complement the storage of fingerprint images in the EAC-protected data group 3. This provides an option to perform a convenient and fully off-line biometric verification outside the EAC protocol.

Products

GenKey® SecureID contains all the necessary components to use BioHASH® protected fingerprint templates in combination with MRTDs like ePassports and National ID Cards. The enrollment SDK translates the fingerprint images into BioHASH® templates. This component needs to be installed at the personalization or enrollment facility. The feature extraction and verification SDK can be integrated into any computer terminal that needs to perform a biometric check on an MRTD.