IBPC - ABC based on eMRTDs - NIST Visual Image Processing Group

OutlineUpdate on EasyPASSOperational experiences/figuresEasyPASS PLUS pilot projectSupport for the new German ID cardBackground infrastructure (EAC PKI)<strong>ABC</strong> in Europe<strong>ABC</strong> installationsFrontex <strong>ABC</strong> guidelinesMarkus NuppeneyGaithersburg, March 6. 2012 2

EasyPASS –overview<strong>ABC</strong> system operated by the German FederalPoliceLocated at Frankfurt Airport4 self-service eGates, 1 monitoring stationOpen for citizens from 31 European countries(18+ years old)TimetableStart of operation was in August 2009Pilot phase until March 2010Since April 2010 regular operationMarkus NuppeneyGaithersburg, March 6. 2012 3

EasyPASS –system architectureSoftware integration platform BioMiddleModular and platform independent architecture forbiometric applicationsStandard interfaces and protocols(SOAP, BioAPI 2.0, ISO/IEC 19794-x, etc.)Allows for an easy integration of document readers,biometric components and background systemsImage acquisitionIntegration of camera via BioAPI Capture BSPInternal pre-qualification regarding ISO19794-5Face verificationDifferent face comparison algorithms for the pilotphase, each integrated as BioAPI Verification BSPMarkus NuppeneyGaithersburg, March 6. 2012 4

EasyPASS –operational figures (2)≈ 18 sec. average time period to pass the eGateTime from presenting the ePassport on the DocReaderuntil the system is ready to process next travellerAverage time periods for main sub-processes5 - 6 sec. for Reading and checking ePassport data(optical and electronic checks)5 - 6 sec. for the traveller to enter the eGate1 sec. for biometrics (face capture and comparison)5 - 6 sec. for the traveller to leave the eGateMarkus NuppeneyGaithersburg, March 6. 2012 6

EasyPASS –main lessons learnedVerification thresholds recommended by vendors didnot fit to the actual application scenarioAppropriate thresholds have to be calculated <strong>based</strong> on thereal user group and the actual system setupElectronic document checks are reliable< 0,1% of the travellers are rejected due to failures of theelectronic document checksAvailability of CSCA certificates is a key issueTravellersdo not know if they carry an ePassportare not familiar with the document readerare happy with the fast and easy processMarkus NuppeneyGaithersburg, March 6. 2012 7

EasyPASS PLUS pilot projectPilot project of BSI and the German Federal PoliceMain goalsSupport for the new German national ID card inEasyPASSDevelopment and implementation of the backgroundinfrastructure (EAC-PKI)Terminal Control Center - TCCTimetablePilot operation since August 2011Pilot phase until June 2012Markus NuppeneyGaithersburg, March 6. 2012 8

New German ID cardCard bodyElectronic functionsAccess to all electronic functions/data viaExtended Access Control Version 2 (EAC 2)• access certificates are mandatory (EAC-PKI)1. eMRTD function incl. biometrics• digital photograph and (upon request) twofingerprints• only for entitled authorities, e.g. border controlSince Nov. 2010:credit-card-size ID 1 format2. Electronic ID function• for E-Business- and E-Government• access only to certain non-biometric data fields3. Qualified electronic signature• upon requestMarkus NuppeneyGaithersburg, March 6. 2012 9

TCC –Terminal Control CenterTCC as central PKI componentManagement of certificates and cryptographic keysAuthentication of connected terminalsCommunication to DVCA and terminals via standardizedinterfacesICAO-PKI (TCC for Passive Authentication)Central storage of trusted CSCA certificatesCentralized checking of DS certificatesEAC-PKI (TCC as core of the Inspection System)Central storage of private keys in HSMEasy certificate management incl. renewalMarkus NuppeneyGaithersburg, March 6. 2012 11

eMRTD PKI landscape incl.Terminal Control CenterEasyPASS since Q4/2011Markus NuppeneyGaithersburg, March 6. 2012 12

EasyPASS –summing-upCombination of different checks to ensure a secure <strong>ABC</strong> processComplete checking of eMRTD electronic security features at ahigh reliability levelBiometrics are of no use, if not authenticated!Fast and easy process (approx. 18 sec)Innovative software architecture (BioMiddle)Detailed monitoring of real life performanceSince Q4/2011 support for the German ID cardCentralized checking of DS certificates andEAC via Terminal Control Center (TCC)Future challenges in the <strong>ABC</strong> / eGate areaMultiapplication (eMRTD, Visa, RTP)Multibiometric (face, fingerprint, iris)Markus NuppeneyGaithersburg, March 6. 2012 13

<strong>ABC</strong> installations in EuropeCountrySystemStart ofOperationLocationsTokenBiometricsPTRAPID2007all int. airportsePassportfaceUKePassportGates2008all major int.airportsePassportfaceFI<strong>ABC</strong> lines2008Helsinki airportand Vaalimaa BCPePassportfaceFRPARAFES20092 airports (ParisCDG and Orly)RTP / ePassportfrom 2012 onfingerprintDEEasyPASS2010Frankfurt airportePassport /German ID cardfaceES<strong>ABC</strong>system20102 airports (Madridand Barcelona)ePassport /Spanish ID cardface /fingerprintCZEasyGO2011Prague airportePassportfaceNLNo-Q2012Amsterdam airportePassportfaceMarkus NuppeneyGaithersburg, March 6. 2012 14

Frontex <strong>ABC</strong> Guidelines<strong>ABC</strong> Working GroupNL, UK, FI, ES, PT, FR and DEWG started in Feb. 2010*Best Practice Guidelines on the Design,Deployment and Operation of <strong>ABC</strong> SystemsVersion 1.1, March 2011Biometrics: face verification only<strong>ABC</strong> Guidelines version 2.0 (coming in Q2/2012)Two separate documents (technical / operational)Biometrics: face and fingerprint*http://www.frontex.europa.eu/gfx/frontex/files/abc_best_practice_guidelines_v1.1.pdfMarkus NuppeneyGaithersburg, March 6. 2012 15

Thank you!Federal Office for InformationSecurity (BSI)Inspection Infrastructures andArchitecturesMarkus Nuppeneymarkus.nuppeney@bsi.bund.dewww.bsi.deMarkus NuppeneyGaithersburg, March 6. 2012 16