Biometric passport

From Wikipedia, the free encyclopedia

Main article: Passport
Symbol for biometric passports, usually printed on the cover of passports
Symbol for biometric passports, usually printed on the cover of passports
The contactless chip found in British passports
The contactless chip found in British passports

A biometric passport is a combined paper and electronic identity document that uses biometrics to authenticate the citizenship of travelers. The passport's critical information is stored on a tiny RFID computer chip, much like information stored on smartcards. Like some smartcards, the passport book design calls for an embedded contactless chip that is able to hold digital signature data to ensure the integrity of the passport and the biometric data.

The currently standardized biometrics used for this type of identification system are facial recognition, fingerprint recognition, and iris recognition. These were adopted after assessment of several different kinds of biometrics including retinal scan. The International Civil Aviation Organisation defines the biometric file formats and communication protocols to be used in passports. Only the digital image (usually in JPEG or JPEG2000 format) of each biometric feature is actually stored in the chip. The comparison of biometric features is performed outside the passport chip by electronic border control systems (e-borders). To store biometric data on the contactless chip, it includes a minimum of 32 kilobytes of EEPROM storage memory, and runs on an interface in accordance with the ISO/IEC 14443 international standard, amongst others. These standards ensure interoperability between different countries and different manufacturers of passport books.

Contents

[edit] Types

[edit] European Union

European passports planned to have digital imaging and fingerprint scan biometrics placed on the contactless chip.[1] This combination of the biometrics aims to create an unrivaled level of security and protection against counterfeit and fraudulent identification papers. Currently, the British biometric passport only uses a digital image and not fingerprinting, however this is being considered by the United Kingdom Passport Service. The German passports printed after November 1, 2007 contain two fingerprints, one from each hand, in addition to a digital photograph. In these EU nations, the price of the passport will be:

  • Austria (available since 16 June 2006) An adult passport costs €69, while a chip-free child's version costs €26.
  • Belgium (introduced in October 2004): €71 or €41 for children + local taxes. Passports are valid for 5 years.
  • Czech Republic (available since 1 September 2006): 600 CZK for adults (valid 10 years), 100 CZK for children (valid 5 years)
  • Denmark (available since 1 August 2006): DKK 600, 155 DKK for under 18 and 350 DKK for over 65 (valid for 10 years).
  • Estonia (available since 22 May 2007): EEK 450 (valid for 5 years)
  • Finland (available since 21 August 2006) €46 (valid for max. 5 years)
  • France (available since April 2006): €60 (valid for 10 years)
  • Germany (available since November 2005): ≤23 year old applicants (valid for 6 years) €37.50, >24 years (valid 10 years) €59.00 [1]
  • Greece (available since 26 August 2006) €76,40 (valid for 5 years)
  • Hungary (available since 29 August 2006): 6000 HUF (€24), valid for 5 years, 10000 HUF (€40) valid for 10 years.
  • Ireland, Republic of (available since 16 October 2006): €75, valid for 10 years. Free for people over 65.
  • Italy (available since 26 October 2006): €44.66 for 32 page book, €45.62 for 48 page book, valid for 10 years. [2]
  • Latvia (available since 20 November 2007): An adult passport costs €21.50, valid for 5 years.
  • Lithuania[3] (available since 28 August 2006) LTL 100 (€29). For children up to 16 years old, valid max 5 years. For persons over 16 years old, valid for 10 years.
  • Netherlands (available since 28 August 2006): Approximately €11 on top of regular passport (€38.33) cost €49.33
  • Poland (available since 28 August 2006): 140 PLN (€35) for adults, valid 10 years.
  • Portugal (available since July 31, 2006 - special passport; August 28, 2006 - ordinary passport): €60 for adults (€50 for those who are over 65 years old), valid for 5 years. €40 for children under 12, valid for 2 years. All passports have 32 pages.
  • Slovakia (available since 15 January 2008) An adult passport(>13years costs 1000Sk(€33)valid for 10 years, while a chip-free child's(5-13 years) version costs 400Sk(€12)valid for 5 years and for children under 5 years 250Sk(€7,5), but valid only for 2 years.
  • Slovenia (available since 28 August 2006): €36 for adults, valid for 10 years. €31 for children from 3 to 18 years of age, valid for 5 years. €28 for children up to 3 years of age, valid for 3 years. All passports have 32 pages, a 48-page version is available at a €2 surcharge.
  • Spain (available since 28 August 2006) at a price of €16.50. There are plans to include fingerprints of both index fingers in three years time. (Aged 30 or less a Spanish passport is valid for 5 years, otherwise they remain valid for 10 years).
  • Sweden (available since October 2005): SEK 400 (valid for 5 years)
  • UK (introduced March 2006 [4]) £72 for adults and £46 for children under the age of 16.) [5].
Unless otherwise noted, None of the issued biometric passports mentioned above include fingerprints as of 11. November 2007.

[edit] Australian

See also: Australian passport

The Australian biometric passport was introduced in October 2005. Like the U.S. version, the chip will only have a digital image of the bearer's face as on their passport photo. Airport security has been upgraded to allow Australian ePassport bearers to clear immigration controls more rapidly, and face recognition technology has been installed at immigration gates.[2]

[edit] Bruneian

See also: Bruneian passport

The Bruneian biometric passport was introduced on February 17, 2007. It was produced by German printer Giesecke & Devrient (G&D) following the Visa Waiver Program's requirements. The Bruneian ePassport has the same functions as the other biometric passports.[3]

[edit] Canadian

See also: Canadian passport

Canada has recently introduced biometrics in the use of passports with the help of digitized photos. The future passports may contain a chip that holds a picture of the person and personal information such as name and date of birth. In the 2008 Federal Budget, Jim Flaherty, Minister of Finance announced electronic passport will be introduced in 2011.[4]

This technology is being used at border crossings that have electronic readers that are able to read the chip in the cards and verify the information present in the card and on the passport. This method aims at increasing efficiency and accuracy of identifying people at the border crossing. CANPASS, developed by Canada Border Services Agency, is currently being used by some major airports that have kiosks set up to take digital pictures of a person’s eye as a means of identification. [6]

[edit] Republic of China (Taiwan)

See also: Republic of China passport

Available since 2008 and costing NT$1,200 (Chinese) [7]

[edit] Dominican Republic

See also: Dominican Republic Passport

In the Dominican Republic, biometric passports began to be issued in May 2004.

The Dominican Republic is the only country whose passport does not have the biometric symbol on its cover.

[edit] Hong Kong SAR

See also: HKSAR Passport

The Hong Kong Immigration Department has, from 5 February 2007, introduced the electronic Passport (e-Passport) and electronic Document of Identity for Visa Purposes (e-Doc/I) which are compliant with the standard of the International Civil Aviation Organization (ICAO). Digital data including holder's personal data and facial image will be contained in the contactless chip embedded in the back cover of e-Passport and e-Doc/I.

Application fees & procedures remains unchanged. The Immigration Department pledges to complete the process of an application within 10 working days. For children under 11 year of age not holding a Hong Kong Permanent Identity Card, the processing time is 19 working days. Existing HKSAR Passports and Documents of Identity for Visa Purposes will remain valid until their expiry. [5]

[edit] Icelandic

See also: Icelandic passport

Available since 23 May 2006 and costing ISK 5100 (ISK 1900 for under 18 and over 67).

[edit] Iranian

See also: Iranian passport

On July 1, 2007, the Ministry of Foreign Affairs of Iran announced that the diplomatic biometric passports will be issued on July 10 this year. In 2008 there will be 15,000 biometric passport available to the frequent travelers. In the beginning of 2009 ordinary and service biometric passports will be issued on a regular basis to the public. Ordinary biometric passports cost 450,000Rls[6].

[edit] Macedonian

See also: Macedonian passport

Available since 2 April 2007 and costing 1500 MKD or c. €25.

[edit] Malaysian

See also: Malaysian passport

Malaysia is not a member of the Visa Waiver Program (VWP) and its biometric passport does not conform to the same standards as the VWP biometric document.[citation needed]

[edit] Moldavian

See also: Moldavian passport

The Moldavian biometric passport is available from January 1, 2008. The first bearer of the Moldavian biometric passport became President of the Republic of Moldova Mr. Vladimir Voronin[8]. The new Moldavian biometric passport costs approximately 800MDL (€49)[9] and is not obligatory, as it remains valid along with the existing passports. The passport of the Republic of Moldova with biometric data contains a chip in which, additionally to the traditional information, the digital information, as well as the holder's signature are stocked.

[edit] Montenegro

See also: Montenegrin passport

The Montenegrin biometric passport was introduced in 2008. It costs approximately €40.

[edit] New Zealand

See also: New Zealand passport

Like Australia or the USA, New Zealand is using the facial biometric identifier. There are two identifying factors - the small symbol on the front cover indicating that an electronic chip has been embedded in the passport, and the polycarbonate leaf in the back of the book inside which the chip is located.

[edit] Norway

See also: Norwegian passport

Available since 1 October 2005 and costing 450 NOK for adults, or c. €60, 270 NOK for children.

[edit] Pakistani

See also: Pakistani passport

The Directorate General Immigration & Passports introduced a multi-biometric passport on October 25, 2004. The machine-readable "e-passport" was developed by the National Database and Registration Authority (NADRA), and began distribution through 25 regional passport offices within Pakistan and 10 foreign missions.

[edit] Russia

See also: Russian passport

Russian biometric passport was introduced in 2006. As of 2008, it costs 1.000 RUB or approximately 40 US.

[edit] Serbia

See also: Serbian passport

Available from May 2008 and costing 2.000 RSD or approx. €25.

[edit] Singaporean

See also: Singapore passport

The Immigation & Checkpoints Authority (ICA) of Singapore has introduced the Singapore Biometric Passport (BioPass) on 15 August 2006. Following this, Singapore has met requirements under the US Visa Waiver Programme which calls for countries to roll out their Biometric Passport before 26 October 2006 [10].

[edit] Somalia

The new "e-passport" of Somalia has been introduced and approved by the Transitional Federal Government Of Somalia on 10th October 2006. It will cost $100 US Dollars to apply for Somali inside Somalia and $150 US Dollars for Somalis living abroad. Somalia becomes the first country to introduce "e-passport" in Africa. [11]

[edit] Swiss

See also: Swiss passport

The Swiss biometric passport has been available since 4 September 2006. It is still a pilot project and is optional. The RFID chip contains only the photo, fingerprints will be introduced when an EU standard is fixed. The price (250 SFr.) is roughly double the price of a normal passport. [12]

[edit] Thai

See also: Thailand passport

The Ministry of Foreign Affairs of Thailand introduced the first biometric passport for Diplomats and Government officials on 26 May 2005. From 1 June 2005, a limited quantity of 100 passports a day was issued for Thai citizens, however, on 1 August 2005 a full operational service was installed and Thailand became the first country in Asia to issue an ICAO compliant biometric passport.[13]

[edit] Ukrainian

See also: Ukrainian passport

Available since June 2007 and costing 170 UAH (about €25), valid for 10 years.[7]

[edit] United States

See also: United States passport and Basic Access Control

The U.S. version of the biometric passport (sometimes referred to as an electronic passport) has descriptive data and a digitized passport photo on its contactless chips, and does not have fingerprint information placed onto the contactless chip. However, the chip is large enough (64 kilobytes) for inclusion of biometric identifiers. The U.S. Department of State now issues biometric passports only. Passports without chips remain valid for the entirety of their respective periods of validity.[8]

Although a system able to perform a facial-recognition match between the bearer and his or her image stored on the contactless chip is desired, it is unclear when such a system will be deployed by the U.S. Department of Homeland Security at its ports of entry.[9]

A high level of security became a priority for the United States after the attacks of September 11, 2001. High security required cracking down on counterfeit passports. In October 2004, the production stages of this high-tech passport commenced as the U.S. Government Printing Office (GPO) issued awards to the top bidders of the program. The awards totaled to roughly $1,000,000 for startup, development, and testing. The driving force of the initiative is the U.S. Enhanced Border Security and Visa Entry Reform Act of 2002 (also known as the "Border Security Act"), which states that such smartcard IDs will be able to replace visas. As for foreigners traveling to the U.S., if they wish to enter U.S. visa-free under the Visa Waiver Program (VWP), they are now required to possess machine-readable passports that comply with international standards. Additionally, for travelers holding a valid passport issued on or after October 26, 2006, such a passport must be a biometric passport if used to enter the U.S. visa-free under the VWP.

[edit] Venezuelan

See also: Venezuelan passport

Issued after July 2007, RFID chip has photo and fingerprints[14]

[edit] Opposition

Privacy activists in many countries question and protest the lack of information about exactly what the passports' chip will contain, and whether they impact civil liberties. The main problem they point out is that data on the passports can be transferred with wireless RFID technology, which can become a major vulnerability. Although this could allow ID-check computers to obtain your information without a physical connection, it may also allow anyone with the necessary equipment to perform the same task. If the personal information and passport numbers on the chip aren't encrypted, the information might wind up in the wrong hands.

To protect against such unauthorized reading, or "skimming", in addition to employing encryption the U.S. has also undertaken the additional step of integrating a very thin metal mesh into the passport's cover to act as a shield to make it more difficult to read the passport's chip when the passport is closed.[10] A U.S. company, Identity Stronghold, is now manufacturing an RFID-blocking sleeve to prevent any skimming while the passport is inside the sleeve. Research students from Vrije University in the Netherlands speaking at the August 2006 Black Hat conference in Las Vegas showed that RFID passports can be cloned relatively easily, and can be remotely spied upon despite the radio-blocking shields included in US designs. They found they could read the passports from 60 centimetres (23.6 inches) away if they are opened by just 1 cm (0.39 inches), using a device which can be used to hijack radio signals that manufacturers have touted as unreadable by anything other than proprietary scanners.[11][12][13]

At the same conference, Lukas Grunwald demonstrated that it is trivial to copy the biometric certificate from an open e-passport into a standard ISO 14443 smartcard using a standard contact-less card interface and a simple file transfer tool. This is hardly surprising, given that the certificate is simply stored as a file, and had been obvious to those involved in the design of the ICAO e-passport standard throughout its development. In particular, Grunewald did not change the data held on the copied chip, which binds biometric data (e.g., photo) to identity data (e.g., name and date of birth), without invalidating its cryptographic signature, which means at present the use of this technique does not allow reprogramming of fake biometric data to match a different user. Grunewald also did not clone the Active Authentication functionality, an optional feature of the ICAO e-passport standard that some countries implement such that the embedded microprocessor is not only a floppy-disk-like data carrier for a biometric certificate, but also a tamper-resistant authentication token that can participate in a public-key cryptography based challenge-response protocol. Nevertheless, Grunewald created international media headlines with his claim that such copying of the biometric certificate constitutes the creation of a "false passport" using equipment costing around USD$200.[14]

On December 15, 2006, the BBC published an article on the British ePassport, citing the above stories and adding that:

"Nearly every country issuing this passport has a few security experts who are yelling at the top of their lungs and trying to shout out: 'This is not secure. This is not a good idea to use this technology'", citing a specialist who states "It is much too complicated. It is in places done the wrong way round - reading data first, parsing data, interpreting data, then verifying whether it is right. There are lots of technical flaws in it and there are things that have just been forgotten, so it is basically not doing what it is supposed to do. It is supposed to get a higher security level. It is not."

and adding that the Future of Identity in the Information Society (FIDIS) network's research team (a body of IT security experts funded by the European Union) has "also come out against the ePassport scheme... [stating that] European governments have forced a document on its citizens that dramatically decreases security and increases the risk of identity theft." [15]

The encryption scheme used to protect the flow of information between the Dutch biometric passport and a passport reader was cracked on July 28, 2005. Though it hasn't been attempted in practice yet, in theory and under ideal conditions some of the data exchanged wirelessly between the passport's built-in contactless chip and a reader (more precisely, the one-way flow of data from the reader to the passport) may be picked up from up to 10 meters away. Once captured and stored, the data then can then be cracked in 2 hours on a PC [15]. This is due to the Dutch passport numbering scheme which does not provide sufficient randomness to generate a strong enough key to secure the exchange of information between the passport and reader.

Other passports such as the U.S. passport do not contain this particular flaw as they use a stronger key to encrypt the data exchange. Also, some readers provide shielding for the passport while it is being read, thus preventing signal leakage that might be intercepted by another device. Moreover, the fairly secure and monitored environment of the passport control area in airports would make it difficult for someone to illicitly set up the sensitive equipment necessary to eavesdrop on the communication between passports and readers from any significant distance. However, the same would not be true for hotels or other places that may ask to see passports.

[edit] Protections

Recent biometric passports are equipped with electronic protections to avoid attacks. These protections are :

  • Basic Access Control (BAC): the chip has to be unlocked using the Machine Readable Zone printed into the passport (prevents skimming). This protection also brings a medium level of encryption to the communication channel between the chip and the reader.
  • Random identification number (along with BAC): the passport number provided by the chip is random until the BAC is unlocked.
  • Active Authentication: the chip contains a private key that cannot be read or copied, but its existence can easily be proven (prevents cloning).
  • Extended Access Control (EAC): the chip reader must authenticate using a strong encryption certificate to access sensitive biometric information (fingerprints, iris...). This protection also brings strong encryption to the communication channel. This protection level is the most secure, but is still rare today.

[edit] Gallery

Covers of various biometric passports.

[edit] See also

[edit] References

ICAO Document 9303, Part 1, Volume 1 (OCR machine-readable passports)
ICAO Document 9303, Part 1, Volume 2 (e-passports)
ICAO Document 9303, Part 3 (credit-card sized ID cards)

[edit] External links