Document Verification through C - One E - Id Prepared by: Rima HAJOU Supervised by: Dr. Lina OUEIDAT Date: 13 July 2016 Hosting Company: Inkript R&D Department (March – June 2016)
Page 1: Document Verification through C-One E-Id - Copy

Document Verification through

C-One E-Id

Prepared by: Rima HAJOU

Supervised by: Dr. Lina OUEIDAT

Date: 13 July 2016

Hosting Company: Inkript R&D Department

(March – June 2016)

Page 2: Document Verification through C-One E-Id - Copy

Content

• Objective and Project Definition
• Device Used: C-One E-ID
• Biometrics
  ◦ Fingerprint
• Machine Readable Passport
  ◦ Machine Readable Zone (MRZ)
  ◦ Logical Data Structure
  ◦ Communication with IC/Chip
  ◦ E-Passport Security features
  ◦ Smart Card Security features
• Project Development
  ◦ MRZ Project
  ◦ Smart Card and E-passport projects
  ◦ Fingerprint project
• Document verification application
• Conclusion and Recommendations

2

Page 3: Document Verification through C-One E-Id - Copy

Objective and Project Definition

Current users are able to do many different tasks on the go using just a small pocket device.

Implement eGovernment mechanisms for documents.

How? Using a handheld device, we will be able to identify a person based on their personal ID or E-Passport.

A mobile Android application that reads an ID document, extracts the fingerprint data and compares it to the scanned fingerprint using the readers integrated in the C-One E-ID device.

3

Page 5: Document Verification through C-One E-Id - Copy

C-One E-ID

Why a handheld device? Why C-One E-ID?

• Fingerprint sensor
• Contact and contactless card readers (RFID technology)
• Barcode reader
• Latest technologies (4G, Wi-Fi, GPS...)
• Android 4.2.2

5

Page 7: Document Verification through C-One E-Id - Copy

Biometrics

Distinctive, measurable characteristics used to label and describe individuals.

Examples: face recognition, iris, fingerprint, DNA, palm print...

7

Page 8: Document Verification through C-One E-Id - Copy

Fingerprint

Why fingerprint? Uniqueness and consistency over time.

Used for identification by automated systems.

Minutiae

8

Page 10: Document Verification through C-One E-Id - Copy

Machine Readable Passport (MRP)

Travel document specified by the International Civil Aviation Organization (ICAO).

The E-passport and Smart Cards developed by Inkript are types of MRP.

Lebanon was forced to apply ICAO standards on civil documents to facilitate citizens' travel.

10

Page 11: Document Verification through C-One E-Id - Copy

Machine Readable Zone

Mandatory zone located on the MRP's data page.

Used to store the information needed by the BAC mechanism to read the files of the MRP:
◦ Passport Number
◦ Date of Birth
◦ Expiry date

11

Page 12: Document Verification through C-One E-Id - Copy

Logical Data Structure

For both the IC integrated in the E-passport and the one in residency permits.

Structured data as files called Data Groups:
◦ DG1: Personal Info
◦ DG2: Owner Photo
◦ DG3: Fingerprint (optional)

Elementary files required to validate integrity (EF.COM; EF.SOD).

12

Page 13: Document Verification through C-One E-Id - Copy

Logical Data Structure (2)

13

Page 14: Document Verification through C-One E-Id - Copy

Communication with the IC/Chip

The IC or chip is connected to a Card Acceptance Device (CAD).

The chip speaks to the outside world using its own data packages: APDUs. An APDU contains either a Command or a Response message.

Master-slave model: the chip always waits for a command APDU from the terminal.

14
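An added example in Python (not the project's Android code nor Coppernic's or JMRTD's) of the command/response exchange this slide describes: it encodes the ICAO 9303 SELECT and READ BINARY command APDUs a terminal sends to reach EF.COM or a data group, and splits a response APDU into its data and status word. The sample response bytes are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# ICAO 9303 file identifiers of the LDS files discussed on the slides
FID_EF_COM, FID_EF_SOD = 0x011E, 0x011D
FID_DG1, FID_DG2, FID_DG3 = 0x0101, 0x0102, 0x0103


@dataclass
class CommandApdu:
    """Terminal -> chip message: header CLA INS P1 P2, optional Lc+Data, optional Le."""
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None

    def encode(self) -> bytes:
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data  # Lc then Data (short form)
        if self.le is not None:
            out += bytes([self.le & 0xFF])  # Le = 0x00 means "up to 256 bytes"
        return out


def select_ef(fid: int) -> CommandApdu:
    """SELECT by file identifier (P1=0x02), no response data requested (P2=0x0C)."""
    return CommandApdu(0x00, 0xA4, 0x02, 0x0C, fid.to_bytes(2, "big"))


def read_binary(offset: int, length: int) -> CommandApdu:
    """READ BINARY: P1/P2 carry a 15-bit file offset, Le the number of bytes wanted."""
    return CommandApdu(0x00, 0xB0, (offset >> 8) & 0x7F, offset & 0xFF, le=length)


# Status words a terminal must handle when walking the LDS
SW_MEANING = {
    0x9000: "OK",
    0x6982: "security status not satisfied (access control such as BAC or EAC not established)",
    0x6A82: "file not found",
}


def parse_response(raw: bytes) -> Tuple[bytes, int]:
    """Chip -> terminal message: optional data followed by the status bytes SW1 SW2."""
    if len(raw) < 2:
        raise ValueError("response APDU must end with SW1 SW2")
    return raw[:-2], int.from_bytes(raw[-2:], "big")


if __name__ == "__main__":
    # Constructed sample: first bytes of EF.COM (a '60' template) followed by SW 9000
    data, sw = parse_response(bytes.fromhex("60165F019000"))
    print(select_ef(FID_EF_COM).encode().hex(), read_binary(0, 4).encode().hex())
    print(data.hex(), hex(sw), SW_MEANING.get(sw, "other"))
```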

Page 15: Document Verification through C-One E-Id - Copy

E-passport Security Features

While reading the chip:
◦ Gain access to the contactless chip
◦ Authentication of the data
◦ Authentication of the IC
◦ Additional access control mechanism

15

Page 16: Document Verification through C-One E-Id - Copy

E-passport Security Features (2): Gain Access to the contactless chip

To prevent eavesdropping, a Chip Access Control mechanism:
◦ Only authorized access.
◦ Using a cryptographic protocol.

Information from the MRZ is needed to derive the keys.

Two Chip Access Control mechanisms:
◦ BAC: Basic Access Control
◦ PACE: Password Authenticated Connection Establishment

16

Page 17: Document Verification through C-One E-Id - Copy

E-passport Security Features (3): Gain Access to the contactless chip (2) – BAC Mechanism

◦ Read the MRZ_Information visually from the MRZ
◦ SHA-1 hash of MRZ_Information
◦ Take the most significant 16 bytes of the SHA-1 hash as Key Seed
◦ Derive KEnc and KMAC
◦ Set up a secure connection with the IC
◦ Access granted to non-sensitive data (personal info and photo)

17
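The key derivation on this slide, as an added worked example in Python (not the project's Android code): it builds MRZ_information from the three MRZ fields with their ICAO 9303 check digits, hashes it with SHA-1, and derives KEnc and KMAC from the 16-byte key seed. The sample fields are the ICAO 9303 Part 11 worked-example values, not data from the project.

```python
import hashlib


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating; digits by value,
    letters A..Z = 10..35, filler '<' = 0; result is the sum mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """BAC key input: document number (padded to 9 with '<'), date of birth and
    expiry date, each immediately followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")
    return "".join(f"{f}{mrz_check_digit(f)}"
                   for f in (doc_number, birth_yymmdd, expiry_yymmdd))


def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte (DES key convention) by setting the LSB."""
    out = bytearray()
    for b in key:
        ones_in_upper_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_upper_bits % 2 else 1))
    return bytes(out)


def derive_bac_keys(mrz_info: str) -> tuple:
    """Kseed = first 16 bytes of SHA-1(MRZ_information); then, per ICAO 9303,
    K = SHA-1(Kseed || counter)[:16] with counter 1 for KEnc and 2 for KMAC,
    parity-adjusted for two-key 3DES (Ka = K[0:8], Kb = K[8:16])."""
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def kdf(counter: int) -> bytes:
        digest = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()
        return adjust_parity(digest[:16])

    return kseed, kdf(1), kdf(2)


if __name__ == "__main__":
    # ICAO 9303 Part 11 worked-example fields (not data from the project)
    info = mrz_information("L898902C<", "690806", "940623")
    kseed, kenc, kmac = derive_bac_keys(info)
    print(info)  # L898902C<369080619406236
    for name, k in (("Kseed", kseed), ("KEnc", kenc), ("KMAC", kmac)):
        print(f"{name}: {k.hex().upper()}")
```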

Page 18: Document Verification through C-One E-Id - Copy

E-passport Security Features (4): Authentication of Data

Checks that the content of the Document Security Object (SOD) and the LDS are authentic.

Compute the hash of the LDS data and compare it to the hash stored in the SOD file.

It is a passive authentication.

18

Page 19: Document Verification through C-One E-Id - Copy

E-passport Security Features (5): Authentication of the IC/Chip

Against chip substitution: Active Authentication mechanism, based on a challenge-response protocol.

19

Page 20: Document Verification through C-One E-Id - Copy

E-passport Security Features (6): Additional access control mechanism

Access to the fingerprint (and iris) file should be more restricted.

The Extended Access Control mechanism is used:
◦ EAC = Chip Authentication + Terminal Authentication

Terminal Authentication: two-move challenge-response protocol.

20

Page 21: Document Verification through C-One E-Id - Copy

Smart Card Security Features used specifically in this project

Same structure of the internal chip:
◦ LDS
◦ APDU commands

Smart Card: another confidential info instead of the MRZ_Information to perform the BAC mechanism.

Comparison, E-passport vs. Smart Card:
◦ Standard: ICAO / ICAO
◦ Extract BAC key (and thus access DG1 and DG2) using: MRZ / another confidential info
◦ Security features to access DG1, DG2: ICAO standard / ICAO standard
◦ Security feature to access DG3 (fingerprints): EAC, mentioned and explained by ICAO / no security

21

Page 23: Document Verification through C-One E-Id - Copy

Project Development

Read the MRZ

• OCR Tesseract

• Regula Document Reader

Read E-Passport or Smart Card

Scan fingerprint

Compare the two fingerprints

23

Page 24: Document Verification through C-One E-Id - Copy

Project Development (2): MRZ Project

OCR Tesseract project:
◦ Open source project / uses online trained data.

Regula Document Reader:
◦ Proprietary project of Regula Forensics.

Unsuccessful trials, which led to: entering manually the MRZ_information needed for the BAC mechanism.

24

Page 25: Document Verification through C-One E-Id - Copy

Project Development (3)

Read the MRZ

• OCR Tesseract

• Regula Document Reader

• Enter It Manually

Read E-Passport or Smart Card

• JMRTD Solution

• Coppernic Solution

• The integration of two solutions

25

Page 26: Document Verification through C-One E-Id - Copy

Project Development (4): Smart Card and E-passport projects

Java Machine Readable Travel Document (JMRTD): the most popular library to read E-passports.
◦ Android supported: AJMRTD
◦ Uses NFC to read the E-passport.
◦ Reads DG1 and DG2.

Incompatibility between NFC and RFID technology.

26

Page 27: Document Verification through C-One E-Id - Copy

Project Development (5): Smart Card and E-passport projects

Coppernic solution:
◦ Able to read the DG1 and DG2 files from the E-passport.
◦ Complexity of integrating the EAC mechanism to read DG3 (the fingerprint DG).
◦ Unsuccessful trial to read the fingerprint from the E-passport.

We managed to develop a similar application that reads only the Smart Card.

27

Page 28: Document Verification through C-One E-Id - Copy

Project Development (6): Smart Card and E-passport projects

Coppernic sample, E-Passport vs. Smart Card:
◦ Power management: power up the RFID / power up the Smart Card reader
◦ Keys for the BAC mechanism: MRZ_Information / another confidential info
◦ Reading DG1 (personal information): extracting this info using the Coppernic methodology / implementing JMRTD to extract the response
◦ Reading DG2 (display picture): implementing JMRTD to parse the response
◦ Reading DG3: not supported yet due to the need for additional security mechanisms / I managed to read DG3 since it does not require any additional security, and I extracted the fingerprint template using JMRTD

28

Page 29: Document Verification through C-One E-Id - Copy

Project Development (7)

Read the MRZ

• OCR Tesseract

• Regula Document Reader

• Enter It Manually

Read E-Passport or Smart Card

• JMRTD Solution

• Coppernic Solution

• The integration of 2

Scan fingerprint

• Neurotechnology

Compare the two fingerprints

• Neurotechnology

29

Page 30: Document Verification through C-One E-Id - Copy

Fingerprint Sample

Neurotech solution. Features:
◦ Reading the fingerprint
◦ Extracting its minutiae
◦ One-to-one verification: one finger to another finger (e.g. thumb to thumb); one finger to the two hands (e.g. index to a person's finger)
◦ One-to-many verification: one finger to a database of fingers (e.g. thumb to many thumbs)

30

Page 32: Document Verification through C-One E-Id - Copy

Document verification application

32

Page 33: Document Verification through C-One E-Id - Copy

Real Situation

33

Page 34: Document Verification through C-One E-Id - Copy

Real Situation (2)

34

Page 35: Document Verification through C-One E-Id - Copy

Real Situation (3)

35

Page 36: Document Verification through C-One E-Id - Copy

Real Situation (4)

36

Successful implementation of the project

Page 38: Document Verification through C-One E-Id - Copy

Conclusion

The importance of such a device with these advanced capabilities lies in the increased need to control borders and critical areas in such a country.

It enhances the catching of terrorists and forgers at border controls.

38

Page 39: Document Verification through C-One E-Id - Copy

Recommendations

More research to read E-passports using the C-One E-ID.

Reading the MRZ visually and using the camera with well-trained data.

Compare the fingerprint of any person remotely with the database available on the server.

One level of security can be added to prevent unauthorized agents from using the device.

39

Page 40: Document Verification through C-One E-Id - Copy

THANK YOU

40