The Benefits and Limits of Smart Documents & Biometrics
by Thomas Burkhart

There are various ways to secure a document against counterfeiting, but there is no way so far to tell if the holder of a genuine document is the legal owner of this document! Biometrics promises to fill exactly this gap.

If we want to use biometrics in combination with machine-readable travel documents (MRTD) - without a central database - we need a way to store the biometric identity of the legal owner somehow on the document. As there currently is no standard for exchanging biometric templates, it is necessary to store the original biometric image (face, finger, iris). Therefore we are in need of new solutions.

ICAO (International Civil Aviation Organization) recommends since this year that all newly issued documents shall include a high capacity, contactless integrated circuit chip also called RFID (Radio Frequency Identification). According to these recommendations, the chip should have a minimum of 32KB memory although certain user groups already claim that such a capacity is not sufficient. Data on the chip will be organized in a Logical Data Structure (LDS) and will be protected through Private-Public-Key infrastructure. The LDS is a structured standardized repository for data that guarantees global interoperability. The printed MRZ (Machine Readable Zone) data on the passport page is mirrored in the LDS. At least one biometric feature will be stored in the LDS. In its Berlin Resolution, ICAO has recommended that if only one biometric feature will be stored, it should be the digitally stored facial image of the document‘s owner. If more than one biometric feature is stored, ICAO suggests the usage of standardized digital fingerprint and/or iris images.

To read the data from an RFID, the document containing the chip must be brought into a range of 2-4cm to an RFID reader. For that purpose, any RFID reader that supports ISO/IEC 14443 (proximity) and ISO/IEC 15693 (vicinity) can be used. To read 40KB currently takes between 3 and 0.75 seconds. The RFID allows for an easy update of existing data as well as the storage of additional data, as for example electronic visas.
The data stored in the chip has to be secured against alteration and counterfeiting.

For this purpose, ICAO demands the usage of an asymmetric encryption similar to PGP (Pretty Good Privacy). When issuing a new document, the government encrypts the LDS with a “private key“, thus serving as the country’s central signing authority. This “private key“ must be kept absolutely secret, while the government distributes the “public key“ to the border control authorities. This procedure ensures that they can read the data, however, they are not able to create new documents. ICAO announced that they would support this project by distributing the respective keys. (In this case, the terms “private” and “public” are used the opposite way compared to standard PGP).

As successful as the RFID may be, the system still has some limitations as well. Currently only a few transponders on the market have a storage capacity of more than 16KB. Current RFID chips support only 106Mbps; therefore it would take 3 seconds to read 40KB. However, faster chips will be available in the near future.
It is important to protect the chips and antennas against damages caused by stamping and crimping during the entire lifespan of the travel document.
 
The RFIDs have a number of advantages compared to traditional (paper based) documents. First of all, the RFID can store much more data than any barcode and can be read very reliably. Secondly, since biometric applications demand so much storage, no other technology apart from the RFID could fulfil the necessary requirements. Thirdly, RFIDs are very secure concerning counterfeiting as long as the “private” key is kept secret. However, an unauthorized person gaining access to such a “private key” can make reliable checking of a document impossible. In such a case, a forged RFID cannot be distinguished from a genuine one. Another important advantage is the cost: pure RFID readers are very small and inexpensive.

Having described all the advantages of the RFIDs, the question arises whether we are still in need of traditional documents. The answer is definitely YES, because a trained person can always distinguish a forged traditionally secured document from a genuine one even if the embedded RFID is forged. In addition to that, an official should still be in the position to check a travel document without the help of an electronic device.  Given these circumstances, is it necessary to still have optical document readers?

That question can be answered clearly: YES! If we still need traditional documents, we still need optical document verification and reading devices as well. Other reasons why these devices cannot be completely disposed of is the possibility of the RFID being damaged or the “public key” of a country not having been distributed to all checkpoints. Documents of most countries will not even be equipped with an RFID within the next 10-15 years, in some cases even longer. In this case, there must still be a possibility to verify the genuineness of a document. Even if a document does not contain an RFID, a comparison between the holder’s face and the printed picture on the passport page can be carried out.

However, the new smart documents can also cause problems during the control process due to the new technology. It is possible that border control officials will not trust information they cannot see. Another possible scenario is that the RFID is not readable. In such a case, how can the validity of the document be checked? One could imagine the opposite case as well: The document might look as if it was forged but the RFID is valid nonetheless. These unresolved problems will require some attention during the months and years to come. Solutions and accepted procedures will have to be found and agreed upon.

Meanwhile, let us have a look at the ideal document verification scenario: There should be a device that automatically reads the document optically and, at the same time, reads out the RFID including the biometric image. The device should then compare the data of the printed page with that of the RFID and verify traditional security features (e.g. UV, IR). Furthermore, the device should inform the user about any discrepancies between the two sets of data. Capture devices for biometric data, such as cameras or live scanners, should be attachable to the device. The biometric match should be made inside the device so that no external networking is necessary. In addition, the device should host the border management application as a thin client, so that there is as little technology required at the checkpoint as possible. To sum it up, smart documents will increase security provided that the respective infrastructure is established and the users are trained accordingly.