We live in a time where ID documents are authenticated more and more frequently, with the chip becoming an increasingly popular security feature. Prior to issuing a new document version containing a chip, it is crucial that inspection infrastructures at for example e-gates in airports are tested in order to check how the chip functions. Since tests cannot be executed with real documents, specimen documents should be used. Unfortunately, specimen documents are not always available in time and if they are, they do not always contain a representative chip. In this article René Clerc describes these problems, the consequences and ways of mitigation.
In Doc 9303 the International Civil Aviation Organization (ICAO) has formulated specifications for machine readable travel documents (MRTDs).1 By ensuring that their travel documents comply with these specifications, issuing states make sure that high security is combined with practicality. ICAO recognises the need for specimen MRTDs and recommends that when a state launches a new MRTD design, personalised specimens are distributed to other states.
This way, document inspectors are able to adequately verify the authenticity of recently issued documents, based on their characteristics and security features.
Merriam-Webster defines a specimen as: ‘an item considered typical of a group, class, or whole’.2 The word ‘typical’ is key here: it is of the utmost importance that a specimen (or sample) is perfectly representative. In medical situations, for example, blood, urine, or tissue samples should indeed be typical of the whole. It is on the basis of these samples that patients are diagnosed and that, literally, life and death decisions are made.
Although in the realm of secure documents the (un)availability of specimens is rarely a matter of life and death, they really do matter. For quite some time now, physical security features in secure documents have been the primary means to verify their authenticity and integrity. Examples of these features are the use of special substrates, security printing, optically variable elements and – for identity documents – the personalisation. Based on these features, it is decided whether a banknote is accepted at face value, and whether the bearer of an ID document will be allowed to pass through customs. Knowing how a document should behave is key here, and a specimen is, in principle, first and foremost the way to get familiar with its behaviour.
Variations in MRTDs
If an issuing state has decentralised its passport issuance process or if passport printers are replaced over time, variations in security features may occur. An example of such variation is the use of different printing techniques for the personalisation. The Bulgarian passport (series 2003), for example, is personalised using laser toner, but inkjet printed personalisation also occurs, see figure 1.
Variations in the laminate also occur, often resulting in different UV responses. Consider for example the Romanian ID cards in figure 2. They are of the same model, but their UV response is completely different.
[Not a valid template]Finally, it is possible that only a tiny detail of a security feature might change, effectively creating a new passport model. Note in figure 3 how the pearlescent background of the OVI® in the Estonian passport was removed in the later version. Fortunately, the numbering of the Estonian passports containing this changed feature was updated as well. Fact is however, that these changes should be known among immigration officials and other document inspectors.
[Not a valid template]Variations of a single model can pose great difficulties for both human inspectors and inspection systems: if they are unaware of these changes, they might erroneously regard the document as counterfeited or forged. The availability of specimen documents is crucial here. On a similar note, we should also consider undeliberate errors in identity documents. John Mercer has written an excellent series of articles in this Journal, in which he describes a number of systemic errors in travel documents.3 If an inspector (either a person or a system) is unaware of these variations or errors, a perfectly genuine document can be regarded as a counterfeit – with all due consequences. Again, the availability of specimen documents to allow for learning about these errors is key. As we shall see, variations and errors are not limited to physical security features, but also occur in the RFID chips found in travel documents – and the implications are just as far‑reaching.
Technical conformity of RFID chips in e-MRTDs
One of the relatively new features in MRTDs is the RFID chip. Currently, over 100 states issue electronic MRTDs (e-MRTDs), and this number is increasing steadily. 75% of all MRTDs in circulation today are estimated to be e-MRTDs.
ICAO has published standards for e-MRTDs that should ensure that all documents work with all inspection systems.4 The specifications of the RFID chip to be used in e-MRTDs cover the following security mechanisms:
• Basic Access Control (BAC): to secure the connection between document reader and chip.
• Supplemental Access Control/PACE: the successor of BAC.
• Passive Authentication: to verify the integrity and authenticity of the personalised data in the chip.
• Active Authentication: to verify the authenticity of the personalised data in the chip (detect cloning).
• Extended Access Control:
– Chip Authentication: to detect cloning and enhance the security of communication.
– Terminal Authentication: the chip only releases its more sensitive information such as fingerprints to an inspection system that is trusted by its issuer.
Some of these features are marked as required by ICAO, others are left at the discretion of member States or supranational bodies such as the European Union. When correctly implemented, these protocols offer good performance, both in speed and security. With respect to specimen documents, however, problems can occur, for example when the RFID chip in the specimen document does not (completely) follow the specifications as laid out in the standards. If that is the case, the extensive testing of inspection infrastructures becomes problematic, because the specimen is not representative of the real-life situation.
Problems with specimen e-MRTDs
Some specific examples of the difficulties that have been encountered with specimen e-MRTDs are listed in table 1.
|Conformity||The specimen does not adhere to ICAO standards||• Basic chip errors: the specimen does not contain an RFID chip at all, the chip does not contain any data or the chip contains operating software, but no data.
• The chip does not follow the ICAO communication standards.
|Personalisation||Data are printed physically on the bearer page, and stored electronically on the RFID chip.||• The personal data on the bearer page do not match the personal data stored on the RFID chip.
• Errors in the printed MRZ: these will result in inaccessibility of the RFID chip, since Basic Access Control will fail.
• Certificates that contain data of the implementing supplier erroneously end up on the specimen.
|Completeness||The specimen lacks relevant information||Certificates that are required to verify the authenticity and integrity of the chip’s contents are not distributed alongside the specimen.|
|Representativeness||The chip in the specimen is not representative of the chip in the issued documents.||• The chip in the issued documents runs an operating system and/or passport application different from the one in the specimen document.
• The chip in the issued documents uses other cryptography algorithms than the chip in the specimen, or the length of the cryptographic keys is different.
|Timeliness||Sometimes specimens are manufactured years after the document was first issued, or not manufactured at all.|
If an e-MRTD specimen contains an RFID chip dissimilar to the one in the document it represents, it is impossible to prepare an inspection infrastructure to validate the correct functioning of the chip in that new document during inspection. It prohibits inspection systems from being adequately tested and trained before the document enters circulation. The absence of representative chips in specimen documents is bound to result in a negative user experience at best, and downright security problems at worst.
Admittedly, if the process of checking the electronic security of the chip returns errors, ICAO recommends treating the document as a standard MRTD and examining it on that basis. This is obviously a necessary step to make a conclusive judgment on the authenticity of the e-MRTD, but it does come with a cost. For example:
• It requires more personnel, who need to be thoroughly trained to assess the cause of the chip reading problem.
• It requires additional (specialised) equipment and software.
• Document bearers get frustrated with the delay, which might negatively impact their opinion on the country or company.
• Document bearers may unjustifiably be denied access to a country or product, which can subsequently lead to claims.
• It leads to a decreased trust level in automated document checking and can hamper the acceptance of new border crossing technologies such as e‑gates.
Analysis of causes and mitigation
There are various reasons for the problems surrounding the chips in specimen e-MRTDs, ranging from inexperience to the topic of time pressure. Below a number of problems are discussed, as well as possible ways to mitigate them.
New and complex matter
Although the security and communication protocols of the RFID chip are, on the whole, well‑defined, implementing them correctly could prove difficult. This is not necessarily the protocol’s fault, nor the implementer’s. The fact is, it is complicated matter, and it is relatively new – especially compared to traditional security features. The protocols leave room for implementation choices, the specifications could be clearer, examples accidently contained errors.
To detect incorrect implementations, conformity testing is the magic word. Events such as the Frontex Document Challenge and the e‑Passport Interoperability Testing are crucial to learn about variations or errors in implementations and to detect interoperability problems. These tests should not be limited to issued documents, but preferably include specimen e-MRTDs as much as possible.
As the matter is still new and complex, even for manufacturers of chips and inspection systems, it is perhaps not surprising that many issuing organisations have close to zero experience with the topic of RFID chips. When they issue a tender for an e-MRTD, chances are that they are compelled (by suppliers) or forced (by supranational bodies) to include the RFID chip in their tender, in a certain configuration.
The fact that issuing an e-MRTD means a lot more than just manufacturing and personalisation, is often overseen in this process. It requires steps such as the establishment of Hardware Security Modules, Certificate Authorities, a Public Key Infrastructure including Certificate Revocation and preferably ICAO PKD participation. Generating correct certificates is very important, also for the specimen documents.
Issuers need to be well aware of the implications of embarking on an e-MRTD programme. By learning from other similar projects, the programme can be budgeted, planned and managed better. By enlisting the help of parties that are experienced in implementing e-MRTD programmes, the issuing state can be more confident that all operational and quality conditions are met, instead of being used to balance the budget.
Changing chip behaviour in physical models
As discussed earlier, variations may occur in the security features of an ID document, even during the lifetime of a series. This is also the case for the RFID chip’s behaviour in e-MRTDs. As a change in security features is usually more visible, the issuer is more likely to advertise it, but in the case of changing behaviour of an RFID chip, the interested parties are seldom notified.
During the lifetime of a passport series, the supplier of the RFID chip or the type of chip may change, resulting in, for example performance changes, other cryptographic algorithms being used, or other communication responses and applets. In order to mitigate the possible effects of a different chip supplier or type of chip, it is key that stakeholders are notified. Tests should be conducted to determine whether the behaviour of the chip has changed and if this is the case, the change should be communicated and a new specimen distributed.
Lack of quality assurance
As with all identity documents, a robust quality assurance (QA) process is of the utmost importance in order to verify that the documents are produced in accordance with ICAO standards and will be accepted by inspection systems. Since an RFID chip is verified automatically and not manually, a QA process is even more important for e-MRTDs. Needless to say, the specimen e-MRTD should be tested in the same way.
Unfortunately, this last step is often omitted. An e-MRTD with a blank chip is rarely issued, however, regrettably with specimens this is quite common. For some of the specimens that we have encountered at Keesing Technologies, it seems as if they were created in a hurry: the RFID chip personalisation was omitted for the specimen, rendering it useless from a chip verification perspective.
Specimens are indispensable, either when physical security features have changed, the behaviour of the RFID chip has changed or when a new or changed e-MRTD is issued. It is key that the specimen is representative: it should really be a ‘look‑alike’ of the documents that are being issued to citizens.
ICAO recognises the need for representative specimens. The Implementation and Capacity Building Working Group (ICBWG) of its Technical Advisory Group (TAG) on MRTDs is in the process of drafting guidance to member States on the circulation of specimens.5 In this proposed guidance, it is specifically recommended that the RFID chip in e-MRTDs is representative. We welcome ICAO’s efforts in this respect and urge states issuing e-MRTDs to supply all relevant parties with representative specimens, for the sake of facilitating easy and correct identification, around the globe.
1 International Civil Aviation Organization (ICAO), Doc 9303: Machine Readable Travel Documents, Part 1: Machine Readable Passports, Volume 1: Passports with Machine Readable Data Stored in Optical Character Recognition Format. Current version: sixth edition 2006; http://www.icao.int/publications/Documents/9303_p1_v1_cons_en.pdf.
3 Mercer, J. Errors in travel documents, Part 1, 2, 3 and 4. Keesing Journal of Documents & Identity, Issues 26 (2008), 27 (2008), 34 (2011) & 44 (2014) respectively.
4 International Civil Aviation Organization (ICAO), Doc 9303: Machine Readable Travel Documents, Part 1: Machine Readable Passports, Volume 2: Specifications for Electronically Enabled Passports with Biometric Identification Capability. Current version: sixth edition 2006; http://www.icao.int/publications/Documents/9303_p1_v2_cons_en.pdf.
5 ICAO TAG/MRTD 22nd meeting, 21-23 May 2014, Working Paper 18.