Post on 18-Dec-2015
www.asverk.is
The Icelandic biometric passport
The Porvoo Group 7th Seminar
Hotel Loftleidir, Reykjavik, Iceland
26.-27. May 2005
Þorsteinn Helgi Steinarsson Ásverk Consulting - www.asverk.is
Icelandic Passports
Directorate of Immigration issues passports
  – Same authority issues residence permits and visas
  – One centralized personalization location
  – Last year over 40.000 passports were issued
Last time the passport changed was in June 1999
  – New design and added security features
  – Booklet: Canadian Banknote Company
  – Personalization: Canadian Banknote Company
  – Enrollment: Origo (Icelandic SW house)
Biometric update dates
Iceland is not part of the EU, but is part of the EU Schengen cooperation
  – Biometrics
      Passports: July 2006 (Fingerprints Dec. 2008)
      Visas: 2006 (Fingerprints 2007)
      Residence permits: 2006 (Fingerprints 2007)
USA demands
  – Biometrics
      Passports: 26. Oct. 2005
The Icelandic approach
Updated passport production
  – Basically the same passport (current contract)
      Adding a polycarbonate page after the data page
  – Update the enrollment system (current contract)
  – Update the personalization system (tender)
Flexible approach with a transition period
  – Use existing PKI infrastructure
We aim for issuing first passports in October
  – Adding fingerprints by end of 2008
  – Mission impossible ...?
Price
Current prices are
  – 60 EURO for normal processing time (1 week)
  – 120 EURO for fast processing (~1 hour)
40% of all passports are ‘fast production’
  – Would like to keep the fast production option
  – Although not from day 1
Expected price for new passports:
  – 80-120 EURO for normal processing time (1 week)
  – x2 for fast processing (~1 hour)
Passport production
[Diagram: passport production architecture. Labels shown: Enrollment site; TMD; HW (camera, fingerprint scanner, signature scanner); biometric modules; GUI; HW interface; passport enrollment client; passport enrollment service; passport enrollment database; production service; passport production temporary database; biometric modules and PKI management; PKI management; HSM; Document Signer (Passport producer); Document Signer Certificate; Document Security Object; National PKI authority; Active Auth. PKI; HW (print inlay, print front, print back, write to chip, QA, lamination).]
Enrollment
29 locations around Iceland
  – Will be 10-14
Fast production will be possible in 2006
Will provide facilities at enrollment sites for biometric sampling (image, signature, and later also fingerprints)
Booklet and personalization
New polycarbonate page added
  – Including chip and antenna
Data page stays the same
Patches to current facilities
  – Write the chip and QA
  – Certificate management
      Distribution of our Document Signer CA Certificate
      Reception of foreign DSCAC and redistribution
      Maintaining revocation lists
Border control
Currently no plans for controlling biometrics electronically
  – When the new passports start appearing at the border we will reconsider
  – Probably in 2009 or later
The Icelandic PKI trust structure
[Diagram: Proposed 'flat' PKI infrastructure model for passport production and visa issuing (Verkfræðistofan Ásverk ehf - 2005). Labels shown: Country Signing Certification Authority; Root; Intermediate Body; Intermediate Body Certificate; Pr.key; Country Signing CA Certificate (self signed); Diplomatic delivery; For passports and visas; Document Signer (Passport producer); Document Signer Certificate; Document Security Object; Pr.key.]
Active Auth. PKI: Used for unique ID of chip together with a challenge and response authentication. No key management needed.
Are we more secure?
See the picture
Compare the biometrics
Read the book
But... Do we trust what we see?
Holistic solution
Biometrics and technology not enough
Need to
  – Trust origin of information
  – Distribute certificates
      Distribution of certificates still not fully resolved
  – Follow operational procedures
      Enrollment, production, control
Human factor important
Need to distribute certificates
  – National CA Certificate (n-lateral & ICAO)
      Diplomatic means
  – Document Signer CA Certificate (ICAO for repository)
      Done electronically every 3 months
  – Revocation lists (n-lateral & ICAO for repository)
      For Document Signer CA Certificate
  – Revocation of National CA Certificate is a disaster!
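
The chain of checks this trust structure implies at inspection, as an added example that is not from the original slides: trusted Country Signing CA key, then Document Signer certificate, then revocation list, then Document Security Object, then the chip's data groups. It assumes textbook RSA with small constructed keys and `repr` encoding in place of the X.509/CMS structures real passports use; all function and field names are hypothetical.

```python
import hashlib

def keypair(p, q, e=65537):
    """Textbook RSA key from two primes (toy sizes, no padding)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, priv):
    n, d = priv
    return pow(digest(msg, n), d, n)

def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def encode(obj) -> bytes:
    return repr(obj).encode()  # stand-in for DER encoding (assumption)

# Constructed keys: Country Signing CA and Document Signer.
CSCA_PUB, CSCA_PRIV = keypair(2**61 - 1, 2**89 - 1)
DS_PUB, DS_PRIV = keypair(2**107 - 1, 2**127 - 1)

def issue_passport(data_groups, ds_serial=7):
    """Producer side: CSCA certifies the DS key, DS signs the hash list."""
    ds_cert = {"serial": ds_serial, "pub": DS_PUB}
    sod = {n: hashlib.sha256(d).hexdigest() for n, d in data_groups.items()}
    return {"dgs": data_groups, "sod": sod, "sod_sig": sign(encode(sod), DS_PRIV),
            "ds_cert": ds_cert, "ds_sig": sign(encode(ds_cert), CSCA_PRIV)}

def inspect(passport, trusted_csca_pub, revoked_ds_serials):
    """Border side: walk the chain from the trusted CSCA key to the chip data."""
    cert = passport["ds_cert"]
    if not verify(encode(cert), passport["ds_sig"], trusted_csca_pub):
        return "untrusted Document Signer certificate"
    if cert["serial"] in revoked_ds_serials:
        return "Document Signer certificate revoked"
    if not verify(encode(passport["sod"]), passport["sod_sig"], cert["pub"]):
        return "bad Document Security Object signature"
    for n, data in passport["dgs"].items():
        if hashlib.sha256(data).hexdigest() != passport["sod"].get(n):
            return f"data group {n} altered"
    return "ok"
```

Revoking one Document Signer serial rejects only the passports signed under that certificate, while every check above fails for all of a country's passports once its Country Signing CA key can no longer be trusted.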
Overprotecting our fingerprints?
Extended Access Control
The ugly duckling becomes a swan