Identity - The next generation electronic passport

More than 100 million electronic passports have been issued in the two-plus years since governments initiated production of the new travel credentials. The U.S. State Department alone has issued almost 15 million of the contactless documents.

But while there are many e-passports in circulation, the inspection systems used to read them have not been widely deployed at border crossings. Putting these systems in place without adversely affecting wait times will be the next challenge for countries.

European Union countries face that obstacle and one more: extended access control (EAC). Since EU countries are storing fingerprint images on e-passports, they are using the more advanced security of EAC, a public key infrastructure scheme that secures the biometric data. EU countries are supposed to start issuing passports with EAC by next June.

Even the U.S., the initiator of the move to e-passports after the terrorist attacks of Sept. 11, hasn't deployed many inspection systems. The U.S. Department of Homeland Security's Customs and Border Protection (CBP) has requested funding for 5,000 e-passport readers to deploy at 372 air, sea and land border entry points, said Warren Burr, director of the fraudulent document analysis unit at Customs and Border Protection. The new readers would replace the current devices that just read the machine readable zone on the passport.

But so far only 500 of the readers have been purchased and fewer than half of those, just 247, have been installed, Burr said. The concern is that using the new scanners will adversely affect wait times.

The readers in the field are at the 33 U.S. international airports, which cover 97% of visa waiver country travelers entering the country, Burr says. CBP is analyzing how to deploy e-passport readers to all border entries and assessing how that will affect wait times. Burr made these comments at the Future of Secure Document 2008 conference in Chicago.

There are concerns around how long it will take to process travelers with the e-passports. With the older documents customs officials would swipe the machine readable zone, check a few other items in the book and ask the traveler some questions.

E-passports require a little bit of extra finesse, says R. Michael Holly, director of international affairs for passports with the U.S. State Department. "They need to get the inspectors prepared and familiar with how to deal with the new documents," he says. "They have to deploy full page scanners and you need to let them sit awhile so the data can be accessed."

The State Department is working on getting sample e-passports to border officials so they can test the systems and train officers, Holly says. When the U.S. introduced e-passports, it also changed some of the physical security features in the book, and officers need to be able to spot the different features.

Already, use of the new documents is rising rapidly. Between Oct. 1 and Dec. 31, 2006, Customs and Border Protection scanned 165,921 electronic passports, Burr said. In all of 2007, 1.4 million were checked, and in the first half of 2008 CBP officers had scanned more than 1 million e-passports.

Inspection challenges trump issuance challenges

But the challenge to deploy these inspection systems is what most countries are facing. The change was evident in September at the E-Passport EAC Conformity and Interoperability Tests in Prague, says Mike Bond, security director at Cryptomathic. "The guys from the inspection side outnumbered the guys on the issuing side," he said. "Their money has been spent and the project is done, now it's time for the border control guys to come in."

The European border control officials have quite the task in front of them. Extended access control is a PKI scheme that secures biometric data on e-passports. EU countries decided to store fingerprint and iris biometrics on the passports as well as the photo and other data. This biometric information is stored as images, not templates, so countries want to take extra steps to make sure the data is protected.

In order to view the biometric on the passport and match it with the traveler, the other country will have to have the proper PKI certificate so the data can be unlocked. Vendors and border officials are still trying to figure out how these certificates will be exchanged and read while also making sure that systems from different vendors are interoperable.

While EU countries have to start issuing e-passports with EAC by next June, there is no deadline to actually read the biometric data from the passports, Bond says. "With regards to inspecting we're 18 months away from starting pilots. The UK was talking about initial inspection by the end of 2009, scanning the full biometrics of some people, but only about 1% of travelers, and moving to 30% by 2016."

There are numerous reasons for the seemingly long timeline. First and foremost, governments don't know how it will work. This was a reason for the Prague conference in September.

The purpose of the test was to enable European countries to verify the conformity of e-passports using EAC and fingerprint biometric data. A related target was verifying the cross-over interoperability of different EAC inspection systems and e-passports. In addition, countries attempted to verify interoperability of EAC PKI infrastructure for national border inspection systems, including official exchange of EAC certificates.

The tests went well, but were not without issues. "Overall results are that not all passports worked with all readers," says Neville Pattinson, director of government affairs and marketing, identity and security at Gemalto.

Four of the countries participated in a test that put in place a fully-operational PKI infrastructure, says Tim Moses, director of advanced security technology at Entrust, one of the participants. Entrust is supplying the PKI infrastructure to the UK and Slovenia.

Considering it was the first time the infrastructure was checked, the test was pretty successful, Moses says. "There were a few minor issues on the certificate exchange but we resolved them." Full results from the conference are not expected until December and another test will be scheduled before the June 2009 deadline.

Moses emphasized that countries are going to have to work to make sure EAC is done properly. "The EAC environment requires a lot of interaction among countries," he says. "The PKI system must be built to manage the trust; it's not just a set of tools."

Added security likely to add further delays at inspection points

One of the larger issues with EAC is the time it's going to take to process travelers. Pattinson says it can take anywhere from two to 15 seconds for the information to transmit.

Cryptomathic has released a new product it claims will accelerate the speed of inspecting electronic passports by a factor of four. The product uses a different type of caching mechanism, a storage area that holds an encrypted version of the e-passport biometric data.

When the e-passport has its initial contact with the border control station, the biometric data is transferred from the chip into the inspection system, and at the same time a unique key is calculated from the e-passport chip which is used to encrypt the stored data.

The storage key is then deleted from the memory of the border control system to make it impossible to retrieve the stored data. In order to recreate the decryption key for the record and view the biometric data, the original e-passport document must be connected to the inspection system.
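
The caching scheme described above, sketched as an added example; it is not Cryptomathic's code or design. Assumptions: `chip_secret` stands in for whatever value only the genuine chip can supply, the HMAC-SHA256 keystream and tag are a standard-library stand-in for an authenticated cipher such as AES-GCM, and all names and sample values are constructed.

```python
import hashlib, hmac, os

def derive_storage_key(chip_secret: bytes, doc_number: str) -> bytes:
    # Assumption: chip_secret models a value obtainable only from the genuine chip.
    return hmac.new(chip_secret, b"cache-key|" + doc_number.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:  # HMAC in counter mode as a stdlib stream cipher
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # encrypt-then-MAC

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class InspectionCache:
    """Holds only encrypted records; the storage key is never kept."""
    def __init__(self):
        self.records = {}  # lookup id -> nonce + ciphertext + tag

    @staticmethod
    def _lookup_id(doc_number: str) -> str:
        return hashlib.sha256(doc_number.encode()).hexdigest()

    def first_contact(self, doc_number: str, chip_secret: bytes, biometric: bytes) -> None:
        key = derive_storage_key(chip_secret, doc_number)
        self.records[self._lookup_id(doc_number)] = seal(key, biometric)
        del key  # drop the reference; only ciphertext stays in the cache

    def repeat_contact(self, doc_number: str, chip_secret: bytes) -> bytes:
        # The key exists again only while the original document is presented.
        key = derive_storage_key(chip_secret, doc_number)
        return unseal(key, self.records[self._lookup_id(doc_number)])
```

The document number alone locates a cached record but cannot decrypt it, so a copy of the cache is unreadable without the passport that produced each key.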

Long lines at border control points are the fear when countries start deploying inspection technologies for e-passports, Bond says. He saw one presentation at the Prague conference that said wait times at some busy airports during peak times could be as long as 90 minutes.

And some countries are making the problem worse because they're not standardizing the biometric, Bond says. For example, most EU countries are storing the index fingerprint images on the passport, regardless of the quality of those fingerprints. But Germany is taking the two best quality fingerprints from passport applicants; it may be the index, but it also may be the thumbs.

This may lead to slowdowns at border crossings. German travelers won't remember which fingerprint image is stored in the book, or a border control agent may ask for the index finger when he needs the thumb. "When the delays start to happen they'll either pull the plug or soldier on," Bond says. He expects a few false starts. Countries will roll out systems and then roll them back and reconfigure as problems arise.

One solution that could alleviate wait times is self-serve kiosks, says Gemalto's Pattinson. (See Global Entry story.) "The consequence of EAC is more automated kiosks for border control," he says. "Have the document authenticated by the kiosk instead of manual inspection."

While the focus shifts from issuing e-passports to inspecting them, lines at international border checkpoints may be interesting over the next couple of years as travelers and officials get used to the new documents.
