Inspection systems and extended access control are next hurdles

By Zack Martin, Editor

More than 100 million electronic passports have been issued in the two plus years since governments initiated production of the new travel credentials. The U.S. State Department alone has issued almost 15 million of the contactless documents.

But while there are many e-passports in circulation the inspection systems used to read them have not been widely deployed at border crossings. Putting these systems in place, while not adversely impacting wait times, will be the next challenge for countries.

European Union countries have that and another obstacle to hurdle as well: extended access control (EAC). Since EU countries are storing fingerprint images on e-passports they are using the more advanced security of EAC, a public key infrastructure scheme that secures the biometric data. EU countries are supposed to start issuing passports with EAC by next June.

Even the U.S., the initiator of the move to e-passports after the terrorist attacks of Sept. 11, hasn’t deployed many inspection systems. The U.S. Department of Homeland Security’s Customs and Border Protection (CBP) has requested funding for 5,000 e-passport readers to deploy at 372 air, sea and land border entry points, said Warren Burr, director of the fraudulent document analysis unit at Customs and Border Protection. The new readers would replace the current devices that just read the machine readable zone on the passport.

But so far only 500 of the readers have been purchased and less than half of those, just 247, have been installed, Burr said. The concern is that using the new scanners will adversely impact wait times.

The readers in the field are at the 33 U.S. international airports, which covers 97% of visa waiver country travelers entering the country, Burr says. CBP is analyzing how to deploy e-passport readers to all border entries and assess how it will impact wait times. Burr made these comments at the Future of Secure Document 2008 conference in Chicago.

There are concerns around how long it will take to process travelers with the e-passports. With the older documents customs officials would swipe the machine readable zone, check a few other items in the book and ask the traveler some questions.

E-passports require a little bit of extra finesse, says R. Michael Holly, director of international affairs for passports with the U.S. State Department. “They need to get the inspectors prepared and familiar with how to deal with the new documents,” he says. “They have to deploy full page scanners and you need to let them sit awhile so the data can be accessed.”

The State Department is working on getting sample e-passports to border officials so they can test the systems and train officers, Holly says. When the U.S. introduced e-passports they also changed some of the physical security in the book as well and officers need to be able to spot the different features.

Already, use of the new documents is rising rapidly. Between Oct. 1 and Dec. 31, 2006 Customs and Border Protection scanned 165,921 electronic passports, Burr said. In all of 2007 1.4 million were checked and in the first half of 2008 CBP officers had scanned more than 1 million e-passports.

Inspection challenges trump issuance challenges

But the challenge to deploy these inspection systems is what most countries are facing. The change was evident in September at the E-Passport EAC Conformity and Interoperability Tests in Prague, says Mike Bond, security director at Cryptomathic. “The guys from the inspection side outnumbered the guys on the issuing side,” he said. “Their money has been spent and the project is done, now it’s time for the border control guys to come in.”

The European border control officials have quite the task in front of them. Extended access control is a PKI scheme that secures biometric data on e-passports. EU countries decided to store fingerprint and iris biometrics on the passports as well as the photo and other data. This biometric information is stored as images, not templates, so countries want to take extra steps to make sure the data is protected.

In order to view the biometric on the passport and match it with the traveler the other country will have to have the proper PKI certificate so the data can be unlocked. Vendors and border officials are still trying to figure out how these certificates will be exchanged and read while also making sure that systems from different vendors are interoperable.

While EU countries have to start issuing e-passports with EAC by next June there is no deadline to actually read the biometric data from the passports, Bond says. “With regards to inspecting we’re 18 months away from starting pilots. The UK was talking about initial inspection by the end of 2009, scanning the full biometrics of some people, but only about 1% of travelers, and moving to 30% by 2016.”

There are numerous reasons for the seemingly long timeline. First and foremost, governments don’t know how it will work. This was a reason for the Prague conference in September.

The purpose of the test was to enable European countries to verify the conformity of e-passports using EAC and fingerprint biometric data. A related target is verification of the cross-over interoperability of different EAC inspection systems and e-passports. In addition countries attempted to verify interoperability of EAC PKI infrastructure for national border inspection systems, including official exchange of EAC certificates.

The tests went well, but were not without issues. “Overall results are that not all passports worked with all readers,” says Neville Pattinson, director of government affairs and marketing, identity and security at Gemalto.

Four of the countries participated in a test that put in place a fully-operational PKI infrastructure, says Tim Moses, director of advanced security technology at Entrust, one of the participants. Entrust is supplying the PKI infrastructure to the UK and Slovenia.

Considering it was the first time the infrastructure was checked, the test was pretty successful, Moses says. “There were a few minor issues on the certificate exchange but we resolved them.” Full results from the conference are not expected until December and another test will be scheduled before the June 2009 deadline.

Moses emphasized that countries are going to have to work to make sure EAC is done properly. “The EAC environment requires a lot of interaction among countries,” he says. “The PKI system must be built to manage the trust; it’s not just a set of tools.”

Added security likely to add further delays at inspection points

One of the larger issues with EAC is the time it’s going to take to process travelers. Pattinson says it can take anywhere from two to 15 seconds for the information to transmit.

Cryptomathic has released a new product it claims will accelerate the speed of inspecting electronic passports by a factor of four. The product uses a different type of caching mechanism, a storage area that holds an encrypted version of the e-passport biometric data.

When the e-passport has its initial contact with the border control station, the biometric data is transferred from the chip into the inspection system, and at the same time a unique key is calculated from the e-passport chip which is used to encrypt the stored data.

The storage key is then deleted from the memory of the border control system to make it impossible to retrieve the stored data. In order to recreate the decryption key for the record and view the biometric data, the original e-passport document must be connected to the inspection system.

Long lines at border control points is the fear when countries start deploying inspection technologies for e-passports, Bond says. He saw one presentation at the Prague conference that said wait times at some busy airports during peak times could be as long as 90 minutes.

And some countries are making the problem worse because they’re not standardizing the biometric, Bond says. For example, most EU countries are storing the index fingerprint images on the passport, regardless of the quality of those fingerprints. But Germany is taking the two best quality fingerprints from passport applicants; it may be the index, but it also may be the thumbs.

This may lead to slow-downs at border crossings. German travelers won’t remember what fingerprint image is stored in the book or a border control agent may be asking for the index when he needs the thumb. “When the delays start to happen they’ll either pull the plug or soldier on,” Bond says. He expects a few false starts. Countries will roll out systems and then roll them back and reconfigure as problems arise.

One solution that could potentially alleviate wait times are self-serve kiosks, says Gemalto’s Pattinson. (See Global Entry story) “The consequence of EAC is more automated kiosks for border control,” he says. “Have the document authenticated by the kiosk instead of manual inspection.”

While the focus shifts from issuing e-passports to inspecting them, lines at international border checkpoints may be interesting over the next couple of years as travelers and officials get used to the new documents.