Ares(2017)5875948 - 30/11/2017
Version: 1.0
Date: 2017-11-28
Keywords:
PROTECT H2020 Project No. 700259 Deliverable D6.4
Executive summary
This report explores possibilities to store new biometric modalities in electronic passports (eMRTD) to
improve the convenience and speed of the border control process as requested in the call.
The PROTECT project undertook to research the storage and access of the new biometric feature templates
in ePassports through the Logical Data Structure 2 (LDS2) specification and to research new transmission
and access modes for authorized systems which do not require a reading of the MRZ or CAN.
The report details possible approaches to meet the objectives of the call with modified electronic
passports. The objective of “…a most fluent non-intrusive control process…” is hardest to achieve without
giving up any of the data protection or privacy properties of the current system. The Proximity Technology
currently used in electronic passports can only be read out from a distance of approximately 5cm.
Protection Against Tracking, Skimming and Eavesdropping requires the MRZ to be read from the datapage
of the passport. For this the booklet has to be opened and placed on an optical scanner. Together with a
reading time of 5-6 seconds this makes a real non-stop border control process impossible. The largest
impact would be the introduction of secure UHF chips. However, this has major legal and ethical
implications.
For the secure storage of additional biometrics Logical Data Structure 2 seems to be the most promising
approach with the least ethical implications as well as same or higher level of security as the status quo.
Other approaches rely on external data storage in databases. The data in these databases could be
encrypted with keys stored in the document but from the data protection point of view this is still inferior
to a direct storage in the security chip of the document.
The next step will be to specify electronic passport applications for the demonstrators being able to
support the described scenarios. Demonstrator electronic passport applications as well as the
corresponding PKI CAs will be programmed. Finally demo passport booklets with the programmed
applications will be created for demonstration purposes.
Document Information
Project Number: H2020 - 700259
Acronym: PROTECT
Full Title: Pervasive and UseR Focused BiomeTrics BordEr ProjeCT
Project URL: http://www.projectprotect.eu/
Document URL:
EU Project Officer: Agnieszka Marciniak
Date of Delivery: Contractual M15, Actual M15
Authors: Frank Schmalz (VD)
Table of Contents
Executive summary
Document Information
Table of Contents
Abbreviations
Definitions
1 Introduction
1.1 Purpose of the document
1.2 Contributions/Outcome
2 Properties of current ICAO compliant electronic passports
2.1 Content
2.2 Inalterability
2.3 Data Authenticity
2.4 Protection Against Tracking
2.5 Protection Against Skimming
2.6 Protection Against Eavesdropping
2.7 Protection Against Copying
2.8 Access Control for Fingerprints and Iris
2.9 Data Transfer Speeds
2.10 Passport Generations
3 Properties of EU electronic passports
4 Limitations of current electronic passports
4.1 Limitations affecting the storage of additional biometrics
4.1.1 Data structure
4.1.2 Inalterability
4.2 Limitations affecting a non-stop border control process
4.2.1 Data Transfer Speeds
4.2.2 Proximity Technology
4.2.3 Protection Against Tracking, Skimming and Eavesdropping
5 Possible improvements for PROTECT
5.1 Legal restrictions
5.2 Storage of additional biometrics in datagroup 13
5.3 Logical Data Structure 2
5.3.1 The Additional Biometrics Application
5.3.2 Applicability for PROTECT
5.3.3 Probability of availability in the future
Abbreviations
CA Certification Authority
CAN Card Access Number
CSCA Country Signing Certification Authority
Datapage The page of a passport booklet containing the machine-readable zone, the holder's photo and
biographical data.
DG Datagroup
DV Document Verifier
EAC Extended Access Control
eMRTD electronic Machine-Readable Travel Document. Also the name of the standard electronic
passport application on the chip.
EPC Electronic Product Code
EU European Union
eu-LISA The European Agency for the operational management of large-scale IT systems in the area of
freedom, security and justice
ICAO International Civil Aviation Organization
ISM Industrial, Scientific and Medical
LDS Logical Data Structure. This is the storage structure for data on electronic passports. It is
specified in ICAO Doc9303 [5]
LDS2 Logical Data Structure 2. Version 2 of LDS. At the time of writing still draft. Specified in [10]
MRTD Machine-Readable Travel Document
MRZ Machine readable zone
NFC Near Field Communication
NTWG New Technology Working Group
PA passive authentication
PACE Password Authenticated Connection Establishment
PICC Proximity Integrated Circuit Card
PKI Public Key Infrastructure
PUPI Pseudo-Unique PICC Identifier
RFID Radio Frequency Identification
SUHF Secure UHF technology. Adding protection against unauthorized tracking of UHF tokens.
UHF Ultra-High Frequency. In the context of RFID a technology working over longer distances than
proximity cards. Up to 12m distance for passive transponders.
UID Unique Identifier
Definitions
Biometric Capture Area is a short corridor with biometric sensors that capture biometric modalities on the
move. The Biometric Capture Area is specified in Deliverable D6.2.
Database Pointer Application is a secure electronic passport application similar to the Logical Data
Structure 2 application that carries indices to database records and encryption keys for these records.
1 Introduction
The PROTECT project researches new biometric modalities and finally aims to present the most promising
ones in two border control scenarios. A crucial point for the demonstration will be how the biometric data
could be stored and processed. Relevant statements for this task in the call [1] are:
1. “For non-critical travellers (EU, bona-fide, etc.) a most fluent non-intrusive control process is
desired.”
2. “Research is needed in order to explore whether it is possible to use other biometric data … than
fingerprint, iris or facial picture to store in the e-Passport chip, …”
3. “…which would guarantee the same or higher level of security…”
4. “…an integral part of the research should also embrace the related ethical, societal and data
protection aspects.”
Electronic passports are state of the art in storing biometric modalities for border control processes. Their
broad acceptance, interoperability and the availability of free and open specifications makes them the first
choice to look at when storing and processing the additional biometrics used in PROTECT.
Document independent storage methods (mobile devices /databases) will be discussed in Deliverable D6.7.
This report concentrates on what could be done with the classic document form factor.
Concerning “Progress beyond the state of the art” relevant to Task 6.4 “E-document solutions” the
PROTECT proposal [2] states:
• Storage and access of the new biometric feature templates researched in PROTECT in ePassports
through the Logical Data Structure 2 (LDS2) specification.
• Research in new access and transmission modes to electronic passports to increase efficiency.
• New access mode of authorized systems not requiring the MRZ or CAN.
As described in the “Description of the Action” [3], the majority of work in Task 6.4 “E-document solutions”
is related to the implementation of a Logical Data Structure 2 chip application to be used for the storage of
the new biometric modalities in the final demonstrators.
1.2 Contributions/Outcome
The International Civil Aviation Organization (ICAO), a specialized United Nations agency, issues
specifications for Machine Readable Travel Documents (MRTDs) including passports with a contactless chip
(so called ePassports). For the development of these specifications ICAO has a liaison with the
standardization group ISO/IEC JTC 1 / SC 17 / WG3 "Machine Readable Travel Documents", which develops
the MRTD standards according to ICAO's requirements. These standards are finally endorsed by ICAO.
Jens Urmann is a member of ISO/IEC JTC 1/SC17 WG3. In the standardization process Veridos and G+D placed
numerous comments and contributions on the drafts of LDS2 [10].
Frank Schmalz is a member of the ICAO New Technology Working Group (NTWG) and supported the
ISO/IEC JTC 1/SC17 WG3 inputs during the NTWG meetings. A presentation on the PROTECT project for
ICAO member state representatives has been held during the ICAO Symposium 2017 in Montreal. Another
presentation is planned for 29th November 2017 at the ICAO New Technology Working Group Meeting.
The outcome of Task 6.4 will be electronic passport chip applications as well as software for accessing
(reading out) the new biometric features, as well as software for Public Key Infrastructure (PKI)
management to control the access to the files.
Figure 1 An electronic passport with RFID inlay
The chips operate at a radio frequency of 13.56 MHz and belong to the proximity card category of RFID. The
maximum reading distance with standard devices is around 5 cm; eavesdropping on the communication,
however, can be achieved over several metres. To distinguish several chips in the electromagnetic field each
chip needs an identifier (UID or PUPI) with which the reading device selects a specific chip in the field. A
fixed identifier would by itself allow tracking of the document, which is why ePassport chips are expected
to present a random identifier on each activation. The RFID technology used is specified in [13][14][15][16].
Figure 2 (diagram not reproduced): RFID categories by reading range, Close-Coupling, Proximity, Vicinity and
Long Range, with the standards ISO 10536-1, ISO 14443 / NFC and ISO 11784/5
2.1 Content
The content of the electronic passport is stored in a Logical Data Structure (LDS). The Logical Data Structure
is similar to a file system on a computer with files and directories. The files are called datagroups (DG).
Access to the datagroups is usually controlled by cryptographic access control protocols. The Logical Data
Structure is defined in Doc9303 part 10 [5]. The current version of the Logical Data Structure at the time of
writing is version 1.8.
The current version foresees 3 datagroups for the storage of biometric information usable for automated
border control:
• Datagroup 2 for a face image
• Datagroup 3 for fingerprints
• Datagroup 4 for iris
Currently all biometric features are stored as images, not as templates. This has been done to benefit from
advancements in recognition algorithms after the documents are issued: passports are usually issued for 10
years, and progress in recognition technology would be blocked for a very long time if the stored template did
not contain the information a newer algorithm needs. See [4].
Figure 3 below shows a schematic of files and directories on an electronic passport. Some administrative
files like EF.COM or EF.SOD are not shown for the sake of clarity. For a full overview consult [5].
Master File
  eMRTD
    Datagroup 1    Detail(s) Recorded in MRZ
    Datagroup 2    Encoded Face
    Datagroup 3    Encoded Finger(s)
    Datagroup 4    Encoded Eye(s)
    Datagroup 5 … Datagroup 12
    Datagroup 13   Optional Detail(s)
    Datagroup 14 … Datagroup 16
Figure 3 Illustration of a schematic of files and directories in an ePassport
2.2 Inalterability
Current electronic passports are personalized before issuance. It is currently not possible to change or add
data after issuance.
Support of Passive Authentication is the only mandatory requirement from ICAO for the protection of the
chip and its data (see [6] Section 3). An electronic passport with the minimal required standard conformance
could therefore be implemented without any cryptographic capability in the chip or its software; in that case
there are no security requirements on the chip at all.
Passive Authentication is specified in [6] Section 5.
Any system that adds additional biometrics has to guarantee the data authenticity of the additional
biometrics with the same or equally secure mechanisms.
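Passive Authentication works by comparing a hash of each datagroup read from the chip against the hash list in EF.SOD, which the issuer signed at personalisation. The following added example (not part of the deliverable or the PROTECT demonstrators) models that comparison with Python's standard library: the datagroup contents are constructed samples, the hash list stands in for the LDSSecurityObject, and verification of the Document Signer signature against the CSCA is assumed to have been done before this step. It shows the two limits that matter for this report: a datagroup the issuer never signed (for example biometrics written after issuance) is simply not covered, and a complete copy of all datagroups together with the SOD still verifies.

```python
"""Passive Authentication: datagroup hashes against the signed hash list in EF.SOD."""
import hashlib
import hmac

# Constructed sample datagroups (not real passport content; real DGs are BER-TLV encoded).
SAMPLE_DATAGROUPS = {
    1: b"DG1 constructed sample: MRZ data",
    2: b"DG2 constructed sample: encoded face image",
}


def hash_datagroups(datagroups, algorithm="sha256"):
    """Digest every datagroup the way the LDSSecurityObject lists them: DG number -> hash."""
    return {dg: hashlib.new(algorithm, content).digest() for dg, content in datagroups.items()}


def build_security_object(datagroups, algorithm="sha256"):
    """Model of EF.SOD as created at personalisation: the hash list plus the algorithm used.

    In a real passport this list is signed by the Document Signer; checking that signature
    against the CSCA certificate is assumed to have happened before the hash comparison.
    """
    return {"algorithm": algorithm, "hashes": hash_datagroups(datagroups, algorithm)}


def verify_datagroups(security_object, datagroups):
    """Return {dg: "ok" | "modified" | "not in SOD"} for every datagroup read from the chip.

    Only datagroups actually read are checked; EAC-protected DGs a terminal never reads are
    not a failure. The comparison is constant time so it does not leak which byte differed.
    """
    algorithm = security_object["algorithm"]
    listed = security_object["hashes"]
    result = {}
    for dg, content in datagroups.items():
        if dg not in listed:
            result[dg] = "not in SOD"  # data the issuer never signed is unauthenticated
            continue
        actual = hashlib.new(algorithm, content).digest()
        result[dg] = "ok" if hmac.compare_digest(actual, listed[dg]) else "modified"
    return result


def all_authentic(security_object, datagroups):
    """True only if at least one datagroup was read and every one of them matches the SOD."""
    statuses = verify_datagroups(security_object, datagroups)
    return bool(statuses) and all(status == "ok" for status in statuses.values())


if __name__ == "__main__":
    sod = build_security_object(SAMPLE_DATAGROUPS)
    tampered = {**SAMPLE_DATAGROUPS, 2: b"DG2 replaced after issuance"}
    extended = {**SAMPLE_DATAGROUPS, 13: b"DG13 constructed: template added after issuance"}
    print(verify_datagroups(sod, tampered))    # DG2 reported as modified
    print(verify_datagroups(sod, extended))    # DG13 reported as not in SOD
    print(all_authentic(sod, dict(SAMPLE_DATAGROUPS)))  # a byte-for-byte copy still verifies
```

The last line is the point of Section 2.7: Passive Authentication proves the data came from the issuer, not that the chip is the original one; copy protection needs an additional chip-side mechanism.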
itself is not specified by ICAO. The most popular implementation is according to BSI Technical Guideline TR-
03110 [8]. Storing of these additional biometrics is not mandatory according to ICAO Doc9303.
The current Logical Data Structure defines only face, fingerprint and iris as possible biometric identifiers.
There is no standardized way to add further biometric features.
4.1.2 Inalterability
Current electronic passports are personalized prior to issuance and cannot be changed after issuance. New
biometric features can only be added with a reissuance of the document. With a usual lifetime of 10 years
for electronic passports the introduction of new features would take a significant amount of time. This
policy is very inflexible for reacting to new needs in automated border control processes.
Current electronic passport readout times for biographic data and biometric face are around 5 to 6
seconds.
The introduction of very high bit rates (VHBR) of up to 6.78 Mbit/s would, in theory, allow an eight times
faster data transfer. In reality, however, transfer speed is limited not only by the bit rate on the air
interface but also by the chip's ability to fetch the data from its memory and encrypt it for secure
messaging.
Known attack scenarios on security chips do not allow the cryptographic coprocessors to be used directly;
additional countermeasures in software have to be implemented to avoid leakage of cryptographic keys
through side-channel attacks. Profiling tests done by Giesecke & Devrient in 2006 showed that, at that time,
60% of the time for a single transmitted packet was spent on securely fetching and encrypting the packet
rather than on the radio transmission itself (at 848 kbit/s). Since then a significant amount of effort has
gone into improving this part. However, even recent security chips cannot offer a Common Criteria
certifiable direct use of the coprocessors without additional software countermeasures. It is therefore
questionable whether this increase in pure bit rate can be leveraged.
In addition, with higher bit rates the communication between chip and reader becomes more susceptible to
noise.
4.2.2 Proximity Technology
Due to the use of proximity technology electronic passports can only be read up to a distance of
approximately 5cm. In combination with a reading time of 5-6 seconds this makes a real non-stop border
control process impossible.
4.2.3 Protection Against Tracking, Skimming and Eavesdropping
The current mechanisms for protection against tracking, skimming and eavesdropping require the MRZ to be
read from the datapage of the passport. For this the booklet has to be opened and placed on an optical
scanner. Opening the document, selecting the correct page to place on the scanner and keeping the document
on the reader for several seconds is an error-prone process. Even though holders do not see passport
handling as an issue, border control staff have to cope with problems in document handling on a constant
basis. The current mechanisms prevent a real non-stop border control process.
Figure 4 Placing the electronic passport on a full page document scanner to access the MRZ
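To see why the MRZ has to be read optically first, here is the key derivation that Basic Access Control performs, written out as an added example (not from the deliverable) using only Python's standard library and following Doc 9303 Part 11: the document number, date of birth and date of expiry, each followed by its check digit, form MRZ_information; its SHA-1 hash yields K_seed (and, for PACE with the MRZ as password, the password input); two further SHA-1 calls with counters 1 and 2 produce the 3DES keys K_Enc and K_MAC. The sample MRZ fields are those of the worked example in Doc 9303 Part 11, not a real document. A reader that cannot see the datapage cannot compute these keys, which is the skimming protection, but it is also exactly what forces the booklet to be opened.

```python
"""Basic Access Control key derivation from the MRZ (Doc 9303 Part 11), standard library only."""
import hashlib

MRZ_WEIGHTS = (7, 3, 1)


def mrz_char_value(char):
    """Doc 9303 check digit alphabet: digits keep their value, A-Z map to 10-35, '<' is 0."""
    if "0" <= char <= "9":
        return ord(char) - ord("0")
    if "A" <= char <= "Z":
        return ord(char) - ord("A") + 10
    if char == "<":
        return 0
    raise ValueError(f"invalid MRZ character {char!r}")


def check_digit(field):
    """Weighted sum modulo 10 with the repeating weights 7, 3, 1."""
    total = sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def mrz_information(document_number, date_of_birth, date_of_expiry):
    """Concatenate the three MRZ fields, each followed by its check digit (24 characters)."""
    doc = document_number.ljust(9, "<")
    if len(doc) != 9 or len(date_of_birth) != 6 or len(date_of_expiry) != 6:
        raise ValueError("document number at most 9, dates exactly 6 characters (YYMMDD)")
    return (f"{doc}{check_digit(doc)}"
            f"{date_of_birth}{check_digit(date_of_birth)}"
            f"{date_of_expiry}{check_digit(date_of_expiry)}")


def pace_password(mrz_info):
    """With the MRZ as PACE password, the input to the password KDF is SHA-1(MRZ_information)."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()


def k_seed(mrz_info):
    """BAC: the 16 most significant bytes of SHA-1(MRZ_information)."""
    return pace_password(mrz_info)[:16]


def adjust_parity(key):
    """Set the least significant bit of every byte so each byte has odd parity (DES convention)."""
    adjusted = bytearray()
    for b in key:
        high = b & 0xFE
        adjusted.append(high | (0 if bin(high).count("1") % 2 else 1))
    return bytes(adjusted)


def derive_key(seed, counter):
    """Doc 9303 KDF: SHA-1(K_seed || counter) truncated to 16 bytes and parity adjusted.
    Counter 1 yields K_Enc, counter 2 yields K_MAC (two-key 3DES keys)."""
    digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
    return adjust_parity(digest[:16])


def bac_keys(document_number, date_of_birth, date_of_expiry):
    """Return (K_Enc, K_MAC); only computable with the printed MRZ fields in hand."""
    seed = k_seed(mrz_information(document_number, date_of_birth, date_of_expiry))
    return derive_key(seed, 1), derive_key(seed, 2)


if __name__ == "__main__":
    # Sample fields from the worked example in Doc 9303 Part 11 (not a real document).
    info = mrz_information("L898902C<", "690806", "940623")
    k_enc, k_mac = bac_keys("L898902C<", "690806", "940623")
    print(info, k_seed(info).hex(), k_enc.hex(), k_mac.hex())
```

With PACE the CAN printed on the document can replace the MRZ as the password, but either value has to be read from the opened booklet, which is the limitation this section describes.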
[Figure: the additional LDS2 applications beside the eMRTD application under the Master File]
The additional applications enable the storage of travel stamps, visas and additional biometrics in the
electronic passport chips. For this additional applications are added to the chip in parallel to the existing
eMRTD application.
The Travel Records Application, Visa Records Application and Additional Biometrics Application are all
optional to electronic passports. No country is required to implement these applications.
5.3.1 The Additional Biometrics Application
For the focus of the PROTECT project, the Travel Records Application and the Visa Records Application are of
low relevance; the Additional Biometrics Application, however, offers a unique opportunity to address the
requirements of the initial call.
5.3.1.1 Storage
Additional Biometrics are stored in binary files located in the Additional Biometrics Application.
[Figure: the EF.Biometrics files of the Additional Biometrics Application under the Master File]
Reading and writing to these files is controlled by a new version of extended access control. The basis of
this access control mechanism is extended access control according to TR-03110 [8]. Document Verifier
(DV) Certificates issued by the issuing state or organization to the verifying state allow read and write
access to the files.
Figure 7 Illustration of access control
For the Additional Biometrics application, special object identifiers and certificate holder authorization
templates have been created:
id-icao-lds2-additionalBiometrics OBJECT IDENTIFIER ::= {id-icao-lds2 3}
id-icao-lds2-additionalBiometrics-access OBJECT IDENTIFIER ::= {id-icao-lds2-additionalBiometrics 3}
The following table shows the bitmap used in the certificate holder authorization templates (additional
bytes may be used for further EF.Biometrics files):
Table 2 Bitmap used in the certificate holder authorization templates (bits listed from 7 down to 0)
Byte 1: RFU, RFU, RFU, RFU, RFU, RFU, Append EF.Certificates, Select/read/search EF.Certificates
Byte 2: Write EF.Biometrics1, Read EF.Biometrics1, Write EF.Biometrics2, Read EF.Biometrics2,
Write EF.Biometrics3, Read EF.Biometrics3, Write EF.Biometrics4, Read EF.Biometrics4
Byte 3: Write EF.Biometrics5, Read EF.Biometrics5, Write EF.Biometrics6, Read EF.Biometrics6,
Write EF.Biometrics7, Read EF.Biometrics7, Write EF.Biometrics8, Read EF.Biometrics8
The bitmaps allow the issuing State or organization to control the actions another State can perform on the
specified EF.Biometrics files. A set bit allows the partner State to read or write the file.
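To make the bitmap concrete, the following added example (not the deliverable's code and not the LDS2 specification's own encoding rules) encodes and decodes the certificate holder authorization bytes of Table 2 in Python. It assumes the rows of Table 2 run from bit 7 down to bit 0 within each byte, as in the authorization tables of TR-03110, and generalises the remark about additional bytes: byte 2 covers EF.Biometrics1 to 4, byte 3 covers 5 to 8, and every further byte the next four files. It also applies the TR-03110 rule that a terminal's effective rights are the bitwise AND of the authorizations along the CVCA, DV and inspection system certificate chain, which is the check the chip performs before granting read or write access to an EF.Biometrics file.

```python
"""Certificate holder authorization bitmap of the LDS2 Additional Biometrics Application."""

APPEND_CERTIFICATES = "Append EF.Certificates"
READ_CERTIFICATES = "Select/read/search EF.Certificates"
_FILE_PREFIX = "EF.Biometrics"
_RFU_MASK_BYTE1 = 0xFC  # bits 7..2 of byte 1 are RFU; assumed to be zero in a valid template


def _file_position(action, file_no):
    """(byte number, bit) of "Read"/"Write" EF.Biometrics<file_no>.

    Byte 2 covers files 1-4, byte 3 files 5-8, and each further byte the next four files;
    within a byte the write bit sits above the read bit, starting at bit 7 (assumed layout).
    """
    if file_no < 1:
        raise ValueError("EF.Biometrics files are numbered from 1")
    byte_no = 2 + (file_no - 1) // 4
    slot = (file_no - 1) % 4
    bit = (7 if action == "Write" else 6) - 2 * slot
    return byte_no, bit


def parse_permission(permission):
    """Map a permission name to its (byte number, bit) in the bitmap."""
    if permission == APPEND_CERTIFICATES:
        return 1, 1
    if permission == READ_CERTIFICATES:
        return 1, 0
    action, _, name = permission.partition(" ")
    suffix = name[len(_FILE_PREFIX):]
    if action in ("Read", "Write") and name.startswith(_FILE_PREFIX) and suffix.isdigit():
        return _file_position(action, int(suffix))
    raise ValueError(f"unknown permission {permission!r}")


def encode_chat(permissions, n_bytes=3):
    """Build the authorization bytes for a collection of permission names."""
    bitmap = bytearray(n_bytes)
    for permission in permissions:
        byte_no, bit = parse_permission(permission)
        if byte_no > n_bytes:
            raise ValueError(f"{permission!r} needs a {byte_no}-byte bitmap")
        bitmap[byte_no - 1] |= 1 << bit
    return bytes(bitmap)


def decode_chat(bitmap):
    """Return the set of permission names granted by the authorization bytes."""
    if not bitmap:
        raise ValueError("empty bitmap")
    if bitmap[0] & _RFU_MASK_BYTE1:
        raise ValueError("RFU bits set in byte 1")
    granted = set()
    if bitmap[0] & 0x02:
        granted.add(APPEND_CERTIFICATES)
    if bitmap[0] & 0x01:
        granted.add(READ_CERTIFICATES)
    for byte_no in range(2, len(bitmap) + 1):
        value = bitmap[byte_no - 1]
        for slot in range(4):
            file_no = 4 * (byte_no - 2) + slot + 1
            if value & (1 << (7 - 2 * slot)):
                granted.add(f"Write {_FILE_PREFIX}{file_no}")
            if value & (1 << (6 - 2 * slot)):
                granted.add(f"Read {_FILE_PREFIX}{file_no}")
    return frozenset(granted)


def effective_authorization(chain):
    """TR-03110 rule: the rights a terminal gets are the bitwise AND of every CHAT in the
    chain CVCA -> DV -> inspection system, so a DV cannot hand out more than it holds."""
    if not chain:
        raise ValueError("empty certificate chain")
    length = min(len(chat) for chat in chain)
    effective = bytes([0xFF] * length)
    for chat in chain:
        effective = bytes(a & b for a, b in zip(effective, chat))
    return effective


def is_authorized(chain, permission):
    """Would the chip grant this action to a terminal presenting this certificate chain?"""
    return permission in decode_chat(effective_authorization(chain))


if __name__ == "__main__":
    # CVCA grants everything, the DV only file 1, the IS certificate asks for all eight files.
    chain = [encode_chat(decode_chat(b"\x03\xff\xff")), b"\x01\xc0\x00", b"\x01\xff\x00"]
    print(effective_authorization(chain).hex())        # 01c000: the DV's limit wins
    print(is_authorized(chain, "Write EF.Biometrics2"))  # False
```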
Some details of the Additional Biometrics Application are still open e.g. the memory allocation of the
EF.Biometrics files: The file sizes could be either set by the issuing State or organization before the
ePassport is issued or the file sizes could be set after issuance according to the memory requirements of
the additional biometrics. In the first case memory may be unused if the additional biometrics requires less
memory than the file size or the additional biometrics may be too large for the files; in the latter case the
issuer has to trust the party setting the file size. Task 6.4 will make best practice proposals for these open
issues, contribute them to the standardization groups and implement the demonstrators accordingly.
5.3.2 Applicability for PROTECT
Logical Data Structure 2 and the Additional Biometrics Application offer the possibility of storing the new
biometric modalities in the electronic passport chip as requested by the call [1]. They will not offer a
solution for a more fluent border control process: the retrieval of data from the passport is expected to
take significant time depending on the size and amount of data to be retrieved.
5.3.3 Probability of availability in the future
The additional applications in Logical Data Structure 2 are optional. However, interviews with Veridos
customers have shown strong interest in Logical Data Structure 2. Several customers have expressed the
assumption that Logical Data Structure 2 is supposed to become a standard feature of future electronic
passports.
eu-LISA, the European Agency for the operational management of large-scale IT systems in the area of
freedom, security and justice, recommends the use of multimodal biometrics [21], which leads to enhanced
performance and security of systems. However, questions on the cost effectiveness of the 4th generation
of eMRTD (LDS2) have been raised compared to the development of large scale IT systems. Many experts in
the EU Commission and member states would prefer a large biometric database but all attempts to create
such a solution failed due to strong data protection concerns in the EU Parliament.
Logical Data Structure 2 could be a way out of this current deadlock.
5.3.4 Traveller experience with LDS2 in PROTECT
To enable the PROTECT solution with LDS2, the European Union would have to offer third countries a fast-track
programme called “PROTECT” for their citizens if they issue an LDS2 enabled passport with sufficient storage
capacity. In this scenario the issuing State or organization has provided the European Union border guards
with authorization certificates to read and write one of the EF.Biometrics files in this new 4th generation
passport.
The traveller experience with LDS2 in PROTECT can then be described in the following steps:
5.3.4.1 Enrolment Process
This process has only to be done once during the lifetime of the electronic passport.
1. The third country national holding a 4th generation electronic passport eligible for the PROTECT
programme wishes to travel to the European Union and would like to use the “PROTECT” solution
for the first time. The traveller approaches a PROTECT enrolment kiosk. The kiosk could be located
at the source or destination airport / border post. (S)he starts the enrolment process.
[Figure: traveller presents the passport at the PROTECT enrolment kiosk]
2. Thorough checks on background, electronic passport and biometric verification with available
biometric templates will be performed by the enrolment kiosk. The kiosk could be supervised by a
border guard.
[Figure: border guard supervises verification of the standard biometrics at the PROTECT enrolment kiosk]
3. If successful, the new biometric modalities of the traveller will be enrolled.
[Figure: additional biometrics enrolled at the PROTECT enrolment kiosk]
4. The acquired templates of the new biometric modalities will be written to the traveller’s electronic
passport.
[Figure: additional biometrics written to the traveller's passport at the PROTECT enrolment kiosk]
5.3.4.2 Verification Process at the Air/Sea Border
[Figures: traveller presents the passport at the PROTECT entry kiosk]
[Figure: border guard and travellers]
2. The travellers use their NFC enabled smartphones or terminals in front of the car window to retrieve
the new biometric modalities from the 4th generation passport. The data is transmitted to the border
control system via a secure communication channel. If necessary, additional information can be
provided by the smartphone or terminal.
3. Verification of all applicable biometrics is done by presenting the biometrics to the biometric
capture terminals in front of the car windows, or biometric data acquisition might be done by the
traveller's smartphone.[1]
4. The border guard checks the verification process for errors on the border control screen.
[1] The feasibility of biometric data acquisition with mobile phones in this use case is questionable. For a
detailed discussion the reader is referred to Deliverable D6.7.
[Figure: border guard at the vehicle]
5. The border guard approaches the car to locate additional travellers who did not submit any data.
6. After successful verification the travellers’ biometric data is deleted from the local border control
system. The car proceeds out of the border control area.
7. In case of an error the border guard is directing the car to a second line of control. Manual
verification is done in this case.
5.3.5 Advantages and Disadvantages
5.3.5.1 Advantages
Logical Data Structure 2 and the included Additional Biometrics Application will become an official ICAO
standard in the near future. Additional biometrics can be stored in a most secure way. The solution does
not require a connection to a central database and would work in offline border control scenarios.
Travellers are in control of their data as long as they have control over their travel document.
From the legal and ethical point of view these properties are very valuable, making it easier for data
protection advocates to accept the solution.
5.3.5.2 Disadvantages
Increasing the storage capabilities of electronic passport chips is expensive and inflexible. With a usual
document lifetime of 10 years estimations on the required free memory will most likely be wrong in the
long run. This will either lead to unnecessary investments if too much memory has been reserved or system
failure if the document runs out of memory.
In any case Logical Data Structure 2 would require a significant investment of the passport issuing State or
organization since increased storage capabilities and the required CVCA PKI for EAC are more expensive
than standard 2nd or 3rd generation passports without EAC and a simple CSCA PKI for passive authentication.
In the case of third country nationals the issuing State or organization would have to be convinced that the
increase in convenience and speed during the border control process is worth the investment.
Taking this into account, there is also the issue of increased reading time for the additional biometrics. The
gain in speed due to, for example, the biometric capture area might not compensate for this increased
reading time of the document.
be stored in a central database. With the eGK the patient could give a doctor access to this information
without the need to carry all the information with them.
Applied to the PROTECT system a document individual symmetric encryption key KBIO and an index IBIO
would be stored in the electronic passport during the enrolment process of the new biometric modalities.
The key and the index are protected by cryptographic access control protocols and can only be retrieved by
the relevant border control system. The key KBIO is used to encrypt and decrypt the additional biometric
modalities, and the encrypted modalities are stored in an EU wide database with the index IBIO pointing to
the record.
Access to key and index has to be protected, and the protocol should provide countermeasures for the case
that the cryptographic keys used to access KBIO and IBIO are compromised. PKI systems with short-lived
certificates, such as extended access control according to [9], fulfil this requirement.
[Figure: the Database Pointer Application under the Master File]
This approach would solve both the increased reading times for additional biometrics with Logical Data
Structure 2 and the investment risk of bigger chip memory. Database access with a unique index IBIO and
decryption of the rather small record with KBIO would take almost no time. The storage necessary for IBIO
and KBIO is well below 100 bytes. Protection Against Tracking, Skimming, Eavesdropping and Copying would
still be in place. If all biometric identifiers are stored encrypted in the database, the reading time for
IBIO, KBIO and MRZ data would drop to approximately 1-2 seconds. However, correct placement of the
electronic passport datapage on a full page reader would still be required.
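The following added example (not part of the deliverable or its demonstrators) implements the record envelope described above in Python's standard library: enrolment generates a random index IBIO and a per-document key KBIO, stores only the encrypted and authenticated template under IBIO, and hands back a 48-byte pointer to be written into the passport; retrieval needs both values and fails closed if the key is wrong or the record was altered, and the database operator never holds the template in clear. Because the standard library has no AES, the encryption is a stand-in built from HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC); a deployment would use AES-GCM or another standard AEAD behind the same interface. Names such as BiometricDatabase are assumptions of the example.

```python
"""Database Pointer Application: the passport holds only (I_BIO, K_BIO); the record lives encrypted elsewhere."""
import hashlib
import hmac
import os

INDEX_LEN = 16   # I_BIO: random record index stored in the passport
KEY_LEN = 32     # K_BIO: per-document symmetric key stored in the passport
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(k_bio, label):
    """Separate encryption and MAC keys derived from K_BIO."""
    return hmac.new(k_bio, label, hashlib.sha256).digest()


def _keystream(k_enc, nonce, length):
    """HMAC-SHA256 in counter mode: a standard-library stand-in for the AES-GCM a deployment would use."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def seal(k_bio, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag, with the tag covering nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(k_bio, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(k_bio, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def record_authentic(k_bio, blob):
    """Constant-time tag check; False for a wrong K_BIO or an altered record."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    expected = hmac.new(_subkey(k_bio, b"mac"), blob[:-TAG_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(blob[-TAG_LEN:], expected)


def open_record(k_bio, blob):
    """Decrypt only after the tag verifies, so a tampered or mismatched record is never used."""
    if not record_authentic(k_bio, blob):
        raise ValueError("record authentication failed")
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    stream = _keystream(_subkey(k_bio, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class BiometricDatabase:
    """The EU wide store: indexed by I_BIO and holding ciphertext only (assumed name)."""

    def __init__(self):
        self.records = {}

    def enrol(self, template):
        """Store the encrypted template; return the pointer (I_BIO || K_BIO) to write into the passport."""
        i_bio = os.urandom(INDEX_LEN)
        while i_bio in self.records:  # the index must be unique
            i_bio = os.urandom(INDEX_LEN)
        k_bio = os.urandom(KEY_LEN)
        self.records[i_bio] = seal(k_bio, template)
        return i_bio + k_bio

    def retrieve(self, pointer):
        """Border control side: needs both halves of the pointer read from the chip."""
        if len(pointer) != INDEX_LEN + KEY_LEN:
            raise ValueError("pointer must be I_BIO || K_BIO")
        i_bio, k_bio = pointer[:INDEX_LEN], pointer[INDEX_LEN:]
        return open_record(k_bio, self.records[i_bio])

    def holds_plaintext(self, template):
        """Sanity check that the database operator never sees the template itself."""
        return any(template in blob for blob in self.records.values())


if __name__ == "__main__":
    db = BiometricDatabase()
    pointer = db.enrol(b"constructed additional biometric template (not real data)")
    print(len(pointer), db.retrieve(pointer), db.holds_plaintext(b"constructed"))
```

The pointer is 48 bytes, consistent with the "well below 100 bytes" estimate above; what the access control protocol on the chip has to protect is exactly this pointer, since whoever reads it can fetch and decrypt the record.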
5.4.1 Limiting protection against tracking to increase speed and convenience
A further increase in convenience and speed can only be achieved by removing the necessity to read the
MRZ for accessing IBIO and KBIO. In this case IBIO and KBIO could be read from the electronic passport by an
authorized system without opening the booklet. Holding the closed booklet to a reader for a short time
would be sufficient. This would support the objective of a most fluent non-intrusive control process.
However, the electronic passport would lose the protection against tracking with respect to this authorized
system. Unauthorized reading devices would still not be able to track the electronic passport holder.
Extended Access Control with Terminal Authentication Version 1 according to BSI TR-03110 [8][9] requires
the MRZ to establish a secure channel. This channel protects the subsequent Chip Authentication, which delivers
a unique identifier (the chip's public key) that otherwise could be used for tracking. Therefore, Extended
Access Control with Terminal Authentication Version 1 is not a suitable protocol to protect IBIO and KBIO in
this scenario. Terminal Authentication Version 2 changes the sequence so that Terminal Authentication is performed
before Chip Authentication; however, PACE is still necessary. A suitable protocol will be specified in
Deliverable D6.5.
5.4.2 Traveller experience with Database Pointer Application in PROTECT
This process only has to be done once during the lifetime of the electronic passport.
1. The third country national holding an electronic passport with database pointer application eligible
for the PROTECT programme wishes to travel to the European Union and would like to use the
“PROTECT” solution for the first time. The traveller approaches a PROTECT enrolment kiosk. The
kiosk could be located at the source or destination airport / border post. S(h)e starts the enrolment
process.
2. Thorough checks on background, electronic passport and biometric verification with available
biometric templates will be done by the enrolment kiosk. The kiosk could be supervised by a border
guard.
3. If successful, the new biometric modalities of the traveller will be enrolled.
4. A symmetric cryptographic key KBIO will be generated at random. A new record with index IBIO will be created in the
database.
5. KBIO and IBIO will be written in the electronic passport using the DV certificates provided by the
issuing State or organization.
6. The acquired templates of the new biometric modalities will be encrypted with KBIO and written in
the database under index IBIO.
5.4.2.2 Verification Process at the Air/Sea Border
2. The border control system accesses the data stored in the biometric database under index IBIO and
decrypts the data with KBIO.
The approach overcomes the limitations of LDS2 by reducing the reading time for the additional biometrics.
It also removes the investment risk in chips with higher storage capabilities. The traveller is still in control of
his data as long as he has control over his travel document.
Removing the necessity of reading the MRZ to access KBIO and IBIO would give a significant advantage for a
most fluent non-intrusive control process.
From the legal and ethical point of view the traveller is still in control of their data. A database is used but it
is encrypted.
5.4.2.5 Disadvantages
The solution requires a connection to a central database and is not offline capable. There is currently no
standardization ongoing for such an application.
Removing the necessity of reading the MRZ to access KBIO and IBIO introduces the possibility of tracking by
the authorized border control process.
From the legal and ethical point of view there is the drawback of a centralized biometric database, and the
possibility of tracking, even if restricted to authorized systems, might not be acceptable.
Figure 9 Communication distance limit against radio frequency (figure not reproduced; labels shown: Close-Coupling, ISO10536-1, Proximity, ISO14443 / NFC, Vicinity, Long Range, ISO11784/5, Antenna)
Standard tags of this class can only store an electronic product code (EPC) and offer no protection against
tracking or any kind of cryptography. They are for example used for tracking products in supply chain
management. These limitations make them unsuitable for use in the border control process.
G+D is currently developing a new secure UHF tag with standardized encryption capabilities according to
[23]. These chips produce pseudo-random EPC codes generated with the RAMON cipher. Every secure UHF
chip contains a RAMON public key and encrypts its stored unique identifier together with random data to
produce this pseudo-random EPC code. Only reading devices with access to the corresponding RAMON
private keys can decrypt the message and extract the unique identifier. This makes the tag untraceable for
unauthorized readers.
Figure 10 G+D secure UHF prototype
Adding a secure UHF chip to an electronic passport could supply a border control system with IBIO and KBIO
as described in section 5.4 by deriving them from the unique identifier. KBIO is generated by combining a seed
known only to the border control system with the unique identifier retrieved from the decrypted EPC code
and processing the result with the SHA-256 hash algorithm. IBIO can be generated with the same
method but a different seed. The secure UHF tag can coexist with the 13.56 MHz proximity chip in the
electronic passport.
Tags in inlay form factor will be available in 1/2018.
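The KBIO/IBIO derivation just described, together with the enrolment and verification round trip of the database pointer application (sections 5.4.2 and 5.5.1), as an added Python example; it is not PROTECT project code. It assumes the seed is concatenated to the unique identifier before hashing, uses constructed seeds, UID and template, and substitutes a labelled SHA-256/HMAC stand-in for the record encryption because the deliverable does not name a cipher.

```python
# Added example (not PROTECT project code): KBIO/IBIO derivation from a secure
# UHF chip's unique identifier and the enrol/verify round trip of the database
# pointer application. Seeds, UID and cipher are constructed stand-ins.
from __future__ import annotations
import hashlib
import hmac
import os

# Seeds known only to the border control system (constructed sample values).
SEED_K = b"constructed-kbio-seed"
SEED_I = b"constructed-ibio-seed"

def derive(uid: bytes, seed: bytes) -> bytes:
    """Deliverable's construction: UID combined with the seed, hashed with SHA-256.
    Concatenation order (uid || seed) is an assumption of this example."""
    return hashlib.sha256(uid + seed).digest()

def derive_kbio_ibio(uid: bytes) -> tuple[bytes, str]:
    """KBIO serves as a 256-bit key, IBIO (hex) as the database index."""
    return derive(uid, SEED_K), derive(uid, SEED_I).hex()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; stand-in for a real AEAD such as AES-GCM."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(kbio: bytes, template: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(template, _keystream(kbio, nonce, len(template))))
    return nonce + ct + hmac.new(kbio, nonce + ct, hashlib.sha256).digest()

def open_record(kbio: bytes, blob: bytes) -> bytes | None:
    """Return the template, or None if the tag fails (wrong KBIO or tampered record)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kbio, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kbio, nonce, len(ct))))

DATABASE: dict[str, bytes] = {}  # EU-wide biometric database, keyed by IBIO

def enrol(uid: bytes, template: bytes) -> str:
    """Enrolment kiosk, steps 4-5: derive KBIO/IBIO, store the encrypted template."""
    kbio, ibio = derive_kbio_ibio(uid)
    DATABASE[ibio] = seal(kbio, template)
    return ibio

def verify_lookup(uid: bytes) -> bytes | None:
    """Border control system, step 2: look up IBIO and decrypt with KBIO."""
    kbio, ibio = derive_kbio_ibio(uid)
    blob = DATABASE.get(ibio)
    return None if blob is None else open_record(kbio, blob)
```

Note that without the seeds a reader that decrypts the EPC code learns only the unique identifier; neither the index nor the key can be computed from it, and a record fetched with the wrong key or modified in the database fails the tag check.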
5.5.1 Traveller experience with secure UHF in Protect
This process only has to be done once during the lifetime of the electronic passport.
1. The third country national holding an electronic passport with SUHF chip eligible for the PROTECT
programme wishes to travel to the European Union and would like to use the “PROTECT” solution
for the first time. The traveller approaches a PROTECT enrolment kiosk. The kiosk could be located
at the source or destination airport / border post. The traveller starts the enrolment process.
2. Thorough checks on background, electronic passport and biometric verification with available
biometric templates will be done by the enrolment kiosk. The kiosk could be supervised by a border
guard.
3. If successful, the new biometric modalities of the traveller will be enrolled.
4. A symmetric cryptographic key KBIO will be generated from the unique identifier of the secure UHF
chip. A new record with index IBIO will be created in the database.
5. The acquired templates of the new biometric modalities will be encrypted with KBIO and written in
the database under index IBIO.
5.5.1.2 Verification Process at the Air/Sea Border
2. The border control system accesses the data stored in the biometric database under index IBIO and
decrypts the data with KBIO.
3. Verification of all applicable biometrics is done by walking through the biometric capture area at
the air/sea border.
3. The border control system accesses the data stored in the biometric database under index IBIO and
decrypts the data with KBIO.
4. Verification of all applicable biometrics is done by presenting the biometrics to the biometric
capture terminals in front of the car.
5. The border guard checks the verification process for errors at their border control screen.
6. The border guard approaches the car to locate any additional travellers who did not submit any
data.
7. After successful verification the travellers’ biometric data is deleted from the local border control
system. The car proceeds out of the border control area.
8. In case of an error the border guard is directing the car to a second line of control. Manual
verification is done in this case.
5.5.1.4 Advantages
The approach overcomes the limitations of LDS2 by reducing the reading time for the additional biometrics.
It also removes the investment risk in chips with higher storage capabilities. The traveller is still in control of
their data as long as they have control over their travel document.
Removing the necessity of reading the MRZ to access KBIO and IBIO would give a significant advantage for a
most fluent non-intrusive control process.
From the legal and ethical point of view the traveller is still in control of his data. A database is used but it is
encrypted.
5.5.1.5 Disadvantages
The solution requires a connection to a central database and is not offline capable. There is currently no
standardization ongoing for such an application.
Removing the necessity of reading the MRZ to access KBIO and IBIO introduces the possibility of tracking by
the authorized border control process.
From the legal and ethical point of view there is the drawback of a centralized biometric database, and the
possibility of tracking, even if restricted to authorized systems, might not be acceptable.
6 Summary/Conclusion
This document has described possible approaches to meet the objectives from the call with modified
electronic passports. The objective of “…a most fluent non-intrusive control process…” is the hardest to
achieve without giving up any data protection or privacy properties of the current system.
For the secure storage of additional biometrics, two promising approaches have been shown, with Logical
Data Structure 2 being the one with the least ethical implications as well as the same or a higher level of security
than the current solution.
The next step will be to specify electronic passport applications for the demonstrators being able to
support the described scenarios. Demonstrator electronic passport applications as well as the
corresponding PKI CAs will be programmed. Finally demo passport booklets with the implemented and
personalized applications will be created for demonstration purposes.
References
[1] H2020 BES-06-2015 Call: Border crossing points topic 2: Exploring new modalities in biometric-based border checks (http://ec.europa.eu/research/participants/portal/desktop/en/opportunities/h2020/topics/bes-06-2015.html)
[2] H2020 BES-06-2015 Proposal: Pervasive and UseR Focused BiomeTrics BordEr ProjeCT (H2020-BES-2015_700259_SEALED_PROPOSAL.PDF)
[3] Grant Agreement 700259_Annex 1 - Description of the action (part A)
[4] Doc 9303 Machine Readable Travel Documents Part 9: Deployment of Biometric Identification and Electronic Storage of Data in eMRTDs (https://www.icao.int/publications/pages/publication.aspx?docnum=9303)
[5] Doc 9303 Machine Readable Travel Documents Part 10: Logical Data Structure (LDS) for Storage of Biometrics and Other Data in the Contactless Integrated Circuit (IC) (https://www.icao.int/publications/pages/publication.aspx?docnum=9303)
[6] Doc 9303 Machine Readable Travel Documents Part 11: Security Mechanisms for MRTDs (https://www.icao.int/publications/pages/publication.aspx?docnum=9303)
[7] Doc 9303 Machine Readable Travel Documents Part 12: Public Key Infrastructure for MRTDs (https://www.icao.int/publications/pages/publication.aspx?docnum=9303)
[8] BSI TR-03110-1 Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token – Part 1 – Version 2.20 (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03110/BSI_TR-03110_Part-1_V2-2.pdf?__blob=publicationFile&v=1)
[9] BSI TR-03110-3 Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token – Part 3 – Version 2.21 (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03110/BSI_TR-03110_Part-3-V2_2.pdf?__blob=publicationFile&v=2)
[10] Logical Data Structure (LDS) for Storage of Data in the Contactless IC, Doc 9303-10 LDS 2 – New Applications, Version 18.0, August 12, 2017
[11] International Civil Aviation Organization, LDS2 – PKI, Draft 0.82, September 2017 (reflects removal of Sub CA for LDS2 as agreed in NTWG meeting – April 2017)
[12] Machine Readable Travel Documents – Technical Report – LDS2 – Protocols, Version 0.8, 27 April 2017
[13] ISO/IEC 14443-1:2016 Identification cards -- Contactless integrated circuit cards -- Proximity cards -- Part 1: Physical characteristics
[14] ISO/IEC 14443-2:2016 Identification cards -- Contactless integrated circuit cards -- Proximity cards -- Part 2: Radio frequency power and signal interface
[15] ISO/IEC 14443-3:2016 Identification cards -- Contactless integrated circuit cards -- Proximity cards -- Part 3: Initialization and anticollision
[16] ISO/IEC 14443-4:2016 Identification cards -- Contactless integrated circuit cards -- Proximity cards -- Part 4: Transmission protocol
[17] COUNCIL REGULATION (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004R2252:EN:HTML)
[18] Commission Decision C(2006) 2909 of 28.06.2006, adopting technical specification on standards for security features and biometrics in passports and travel documents issued by Member States
[19] Protection Profile Machine Readable Travel Document with "ICAO Application", Extended Access Control with PACE, Version 1.3.2, BSI-CC-PP-0056-V2-2012
[20] E.g. WG3TF5_N0220, WG3TF5_N0230, WG3TF5_N0237, WG3TF5_N0238
[21] eu-LISA – Biometrics in Large-Scale IT – Recent trends, current performance capabilities, recommendations for the near future – ISBN: 978-92-95203-88-4
[22] ISO/IEC 18000-6:2013 Information technology -- Radio frequency identification for item management -- Part 6: Parameters for air interface communications at 860 MHz to 960 MHz General
[23] ISO/IEC 29167-19:2016 Information technology -- Automatic identification and data capture techniques -- Part 19: Crypto suite RAMON security services for air interface communications
PROTECT
Objective
This form is related to the Security Sensitivity Assessment procedure which will assure that no sensitive
information will be included in the publications and deliverables of the PROTECT project.
Security sensitive information means here all information in whatever form or mode of transmission that is
classified by Council Decision on the security rules for protecting EU classified information (2011/292/EU)
and all relevant national laws and regulations. The information can be already classified, or such that it
should be classified.
In practice the following criteria are used:
- Information is already classified
- Information may describe shortcomings of existing safety, security or operating systems
- Information is such, that it might be misused.
- Information that can cause harm to
o European Union
o a Member State
o society
o industry and companies
o third country
o citizen or an individual person of a country.
Document Information
Project Number: H2020 - 700259
Acronym: PROTECT
Full Title: Pervasive and UseR Focused BiomeTrics BordEr ProjeCT
Project URL: http://www.projectprotect.eu/
Document URL: Report on improvements to electronic passports
EU Project Officer: Agnieszka Marciniak
This publication does not include any data or information that could be interpreted as
security sensitive.
X True
□ Not sure
If not sure, please specify which material / results you are not sure are security sensitive.
Why?
Date: 29.11.2017
Signature of the Responsible Author:
Date 30.11.2017
Name: Jürgen Bonfert
On behalf of the Security Advisory
Board (SAB)