Biometric passport

From Wikipedia, the free encyclopedia

Symbol for biometric passports, usually printed on the cover of the passports

A biometric passport is a combined paper and electronic identity document that uses biometrics to authenticate the citizenship of travelers. The passport's critical information is stored on a tiny RFID computer chip, much like information stored on smartcards. Like some smartcards, the passport book design calls for an embedded contactless chip that is able to hold digital signature data to ensure the integrity of the passport and the biometric data.

Norwegian biometric passport

The current staged biometrics for this type of identification system is facial recognition, fingerprint recognition, and iris scans. The International Civil Aviation Organisation defines the biometric standards to be used in passports. ICAO does not currently have plans to use retinal scanning. Only the digital image (usually in jpeg format) of each biometric feature is actually stored in the chip. The biometric algorithm is computed outside of the passport chip by electronic border control systems (e-borders). To store biometric data on the contactless chip, it includes a minimum of 32 kilobytes of EEPROM storage memory, and runs on an interface in accordance with the ISO 14443 international standard, amongst others. These standards ensure interoperability between the different countries and the different manufacturers of the passport books.

1 Types of biometric passports
2 Opposition
- 2.1 Dutch biometric passports
- 2.2 Other passports
3 See also
4 References
5 External links

[edit] Types of biometric passports

The contactless chip of the British National (Overseas) Passport.

German biometric passport

[edit] European biometric passports

Cover of an Italian Biometric passport issued in 2006

Inside cover of an Italian Biometric passport issued in 2006

The European version of the passport is planned to have digital imaging and fingerprint scan biometrics placed on the contactless chip. This combination of the biometrics aims to create an unrivaled level of security and protection against counterfeit and fraudulent identification papers. Currently, the British biometric passport only uses a digital image and not fingerprinting, however this is being considered by the United Kingdom Passport Service. The price of the passport will be:

UK (compulsory for UK citizens applying to the British Embassy in France from 21 April 2006): €142 for Adults (valid 10 years), €92 for Children (under age 16, valid 5 years). The UK Identity and Passport Service is introducing biometric passports to normal British applicants "over a period of six to nine months in 2006" for the same price as normal British passports (i.e. £51 for adults and £34 for children under the age of 16.). The Identity and Passport Service details this here.
Germany (available since November 2005): <=25 years (valid for 5 years) €37.50, >26 years (valid 10 years) €59.00
Spain (available since 28 August 2006) There are plans to include fingerprints of both index fingers in three years < 30 years (valid for 5 years) >= 30 (valid 10 years) €16.50
Greece (available since 26 August 2006) €76,40 (valid for 5 years)
Netherlands (introduction before 28 Aug. 2006): Approximately €11 on top of regular passport (€38.33) cost €49.33
Sweden (available since October 2005): SEK 400 (valid for 5 years)
Denmark (available from 1 August 2006): DKK 600, 155 DKK for under 18 and 350 DKK for over 65
Austria (available from 16 June 2006) An adult passport costs €69, while a chip-free child's version costs €26.
Belgium (introduced in October 2004): €71 or €41 for children + local taxes. Passports are valid for 5 years.
France (available since April 2006): €60
Iceland (available from 23 May 2006): ISK 5100, ISK 1900 for under 18 and over 67.
Finland (available since 21 August 2006) €46 (valid for max. 5 years)
Lithuania[1] (available since 28 August 2006) LTL 60 (€17)
Portugal[2] (available since 31 July - special passport; 28 August ordinary passport), valid fo max. 5 years,€ 60 adults (for those who are 65 years old €50),€40 children under 12.All passports have 32 pages.
Slovenia (available since 28 August 2006): 8635 SIT (€36) for adults, valid for 10 years. 7360 SIT (€31) for children from 3 to 18 years of age, valid for 5 years. 6595 SIT (€28) for children up to 3 years of age, valid for 3 years. All passports have 32 pages, a 48-page version is available at a 500 SIT (€2) surcharge.
Poland (available since 28 August 2006): 140 PLN (€35) for adults, valid 10 years.
Ireland (available since 16 October 2006): €75, valid for 10 years. Free for people over 65.
Italy (available after 26 October 2006: €44.66 for 32 page book, €45.62 for 48 page book, valid for 10 years. [3]

None of the issued biometric passports mentioned above include fingerprints. Addition of digital fingerscans to German passports is planned for March 2007.[4]

[edit] United States biometric passports

The U.S. version of the biometric passport (which is also referred to as an "Electronic Passport") will only have digital imaging placed onto the contactless chip, as opposed to tbe European version. However, the chip used in the U.S. passport will be large enough (64 kilobytes) to allow it to contain additional biometric identifiers should the need arise in the future. The U.S. Department of State began issuing biometric passports to government officials and diplomats in early 2006. It began issuing regular biometic passports at its Colorado Passport Agency on August 14, 2006; though they still expect that nearly all new or renewed passports issued by the department to American citizens will be biometric by the end of 2006, other sources say it won't happen until mid-2007. [5] [6] [7] [8]

A high level of security became a top priority in late 2001 for the United States. This tightened security required border control to take steps in cracking down on counterfeit paper passports. In October 2004, the production stages of this high-tech passport commenced as the U.S. Government Printing Office (GPO) issued awards to the top bidders of the program. The awards totaled to roughly $1,000,000 for startup, development, and testing. The driving force of the initiative is the U.S. Enhanced Border Security and Visa Entry Reform Act of 2002 (also known as the "Border Security Act"), which states that such smartcard IDs will be able to replace visas. As for foreigners traveling to the U.S., if they wish to enter U.S. visa-free under the Visa Waiver Program (VWP), they are now are required to possess machine-readable passports that comply with international standards. Additionally, for travelers holding a valid passport issued on or after October 26, 2006, such a passport must be a biometic passport if used to enter the U.S. visa-free under the VWP.

[edit] Australian biometric passports

The Australian biometric passport was introduced in October 2005. Like the U.S. version, the chip will only have a digital image of the bearer's face as on their passport photo. Airport security has been upgraded to allow Australian ePassport bearers to clear immigration controls more rapidly, and face recognition technology has been installed at immigration gates.^[1]

[edit] Canadian biometric passports

Canada has recently introduced biometrics in the use of passports with the help of digitized photos. The future passports may contain a chip that holds a picture of the person and personal information such as name and date of birth.

This technology is being used at border crossings that have electronic readers that are able to read the chip in the cards and verify the information present in the card and on the passport. This method allows for increased efficiency and accuracy of identifying people at the border crossing. CANPASS, developed by Canada Border Services Agency, is currently being used by some major airports that have kiosks set up to take digital pictures of a person’s eye as a means of identification. [9]

[edit] Singapore biometric passports

See also: Singapore passport

The Immigation & Checkpoints Authority (ICA) of Singapore will introduce the Singapore Biometric Passport (BioPass) on 15 August 2006. Following this, Singapore has met requirements under the US Visa Waiver Programme which calls for countries to roll out their Biometric Passport before 26 October 2006 [10].

[edit] Opposition

Privacy activists in many countries question and protest the lack of information about exactly what the passports' chip will contain, and whether they impact civil liberties. The main problem they point out is that data on the passports can be transferred with touchless RFID technology (like wireless technology) which can become a major vulnerability. Although this would allow ID-check computers to obtain your information without a physical connection, it may also allow anyone with the necessary equipment to perform the same task. If the personal information and passport numbers on the chip aren't encrypted, the information might wind up in the wrong hands.

A Turkish cartoon released after Turkey decided to use RFID chips in passports.

To protect against such unauthorized reading, or "skimming", in addition to employing encryption the U.S. has also undertaken the additional step of integrating a very thin metal mesh into the passport's cover to act as a shield to make it even more difficult (the State Department claims "nearly impossible"^{[citation needed]}) to read the passport's chip when the passport is closed. Research students from Vrije University in the Netherlands speaking at the August 2006 Black Hat conference in Las Vegas showed that RFID passports can be cloned relatively easily, and can be remotely spied upon despite the radio-blocking shields included in US designs. They found they could read the passports from 60 centimetres away if they are opened by just 1 cm, using a device which can be used to hijack radio signals that manufacturers have touted as unreadable by anything other than proprietary scanners. ^[2]^[3]^[4]

At the same conference, Lukas Grunwald demonstrated that it is trivial to copy the biometric certificate from an open e-passport into a standard ISO 14443 smartcard using a standard contact-less card interface and a simple file transfer tool. This is hardly surprising, given that the certificate is simply stored as a file, and had been obvious to those involved in the design of the ICAO e-passport standard throughout its development. In particular, Grunewald did not change the data held on the copied chip, which binds biometric data (e.g., photo) to identity data (e.g., name and date of birth), without invalidating its cryptographic signature, which means at present the use of this technique does not allow reprogramming of fake biometric data to match a different user. Grunewald also did not clone the Active Authentication functionality, an optional feature of the ICAO e-passport standard that some countries implement such that the embedded microprocessor is not only a floppy-disk-like data carrier for a biometric certificate, but also a tamper-resistant authentication token that can participate in a public-key-cryptography based challenge-response protocol. Nevertheless, Grunewald created international media headlines with his claim that such copying of the biometric certificate constitutes the creation of a "false passport" using equipment costing around USD$200,^[5] which illustrates the difficulties that journalists face in accurately reporting on complex topics such as computer security.

A group of German privacy hackers have come up with a portable device that can wipe a passive RFID-Tag permanently, called the RFID-Zapper.

[edit] Dutch biometric passports

The encryption scheme used to protect the flow of information between the Dutch biometric passport and a passport reader was cracked on July 28 2005. Though it hasn't been attempted in practice yet, in theory and under ideal conditions some of the data exchanged wirelessly between the passport's built-in contactless chip and a reader (more precisely, the one-way flow of data from the reader to the passport) may be picked up from up to 10 meters away. Once captured and stored, the data then can then be cracked in 2 hours on a PC [11]. This is due to the Dutch passport numbering scheme which does not provide sufficient randomness to generate a strong enough key to secure the exchange of information between the passport and reader.

[edit] Other passports

Other passports such as the U.S. passport do not contain this flaw as they use a stronger key to encrypt the data exchange. Also, some readers provide shielding for the passport while it is being read, thus preventing signal leakage that might be intercepted by another device. Moreoever, the fairly secure and monitored environment of the passport control area in airports would make it difficult for someone to illicitly set up the sensitive equipment necessary to eavesdrop on the communication between passports and readers from any significant distance. However the same would not be true for hotels or other places that may ask to see passports.