
1 Trusted identities | secure transactions™
Passport & Borders: Market Drivers and Evolution

2 Market Drivers

3 Evidence of Rapid Change

Plane capacities:
- Airbus A380: 550+ travellers
- Boeing 747: 416+ travellers
- Boeing 777: 386+ travellers

Airport volumes (2014):
- Dubai: 70.5M passengers
- London Heathrow: 68.1M passengers
- Hong Kong: 61.8M passengers

International tourist arrivals; 120 countries issuing eMRTDs; 45 countries in the ICAO PKD.

We live in a rapidly changing world in which every part of the globe is a tourist destination: ecotours into the rainforests, adventure tours to the remotest regions, and families distributed around the globe. In this respect the world has become a lot smaller, and tourists and business travellers alike are courted by cities and countries seeking to raise their economic standing. Airports and flight paths are the highways for this rapidly increasing flow of people back and forth across the globe, and the result is greater pressure on airports and, consequently, on border control processes.

In 2014 Dubai became, for the first time, the busiest airport in the world, with more than 70 million travellers passing through its gates. London Heathrow, historically the busiest, was very close to Dubai's volume with over 68 million travellers, and in Asia, Hong Kong remains the busiest airport in the region with nearly 62 million. It should come as no surprise that, as travel increases, the airliners themselves are getting bigger. Anyone who travels internationally has probably seen the Airbus A380, which can carry nearly 600 people. Looking at Dubai a little more closely, Terminal 3 is dedicated exclusively to the A380, with 23 gates designed for these giant aircraft. Now imagine the impact on customs, immigration and transit processing when two, three, five or more A380 flights arrive at approximately the same time.

It is not just the major hubs: passenger and freight volumes are rising generally around the globe, and many smaller airports are less equipped to deal with the rising influx of travellers. The good news is that our travel documents are getting better. This November is the ICAO deadline for all countries to be issuing machine readable passports. The number of countries issuing electronic passports now stands at more than 120, well over half of all countries, and 45 of them are members of the ICAO Public Key Directory (PKD), meaning they upload the validation material (certificates and revocation lists) that lets other countries validate their ePassports.

So 120 countries issue ePassports equipped with the technology to prove their own integrity and authenticity, yet only 10 or so countries routinely use that technology at border control. Furthermore, INTERPOL's facility designed specifically to report the standing of a document, that is, whether it has been reported lost or stolen, and to flag other concerns about an identity in transit, is used consistently by only a handful of countries. We are not using the facilities we have!

Slide callouts: Validating against SLTD? e-Validating at borders?

4 Threat Insights: An Overwhelming Situation

- Drug trafficking: $320B
- 43% growth in terrorism in 2013
- Human trafficking: $32B
- Foreign fighters by January 2014: 16,000
- Firearms: $320M
- 40,000,000 lost or stolen travel documents as of March 2014

An overwhelming situation for current border control infrastructure.

Why is the authenticity of the document so important? Because the highway for transit around the globe that we are anxious to promote for business and tourist travel is the very same highway that is used, or rather exploited, by criminal and terrorist elements to further their goals. Terrorist acts were up 43% in 2013, a frightening statistic in itself, but perhaps more frightening is the morphing of the terrorist threat around foreign fighters. Given the nearly invisible nature of an individual who wants to leave one country to fight in another, the figure of 16,000 foreign fighters as of January 2014 is now estimated at 25,000, with the UN indicating a 71% increase since mid-year. So the question is not just who is coming in, but who is leaving to pose a threat in another geography, and identifying these individuals is a different game: it takes a combination of previous travel history, the current itinerary, and other data on the person captured by local or international watch lists.

The motivators for these behaviours are obvious. In addition to rampant nationalism and fundamentalism, there is a great deal of money to be made in these illicit activities: billions of dollars in drugs, firearms and human trafficking alone. All of these threats involve the movement of people and products across borders, and today the most prevalent form of passport fraud is not counterfeiting or alteration but the use of a legitimate document by an impostor.

INTERPOL states that over 40,000,000 passports had been reported lost or stolen as of March 2014. Unfortunately, while growing, the number of airports and immigration authorities actively checking all travel documents against the Stolen and Lost Travel Documents (SLTD) database is very small. The rapidly changing face of international travel, the volume and throughput requirements, the lack of comprehensive validation (even where the means to do so exist), and a growing and morphing threat environment together represent an overwhelming situation for border control.

Slide callout: Validating against SLTD?

5 EVOLUTION OF ePASSPORTS
IMPACT ON BORDER CONTROL

Layered evolution of ePassport security features, from the base upwards:
- Machine Readable (MRZ)
- LDS1: electronic data page
- PA (Passive Authentication): data integrity and authenticity
- BAC (Basic Access Control): access control and session security
- AA (Active Authentication): chip authenticity
- PACE: stronger session security
- EAC (Extended Access Control): certificate-based access control
- LDS2

7 Three Generations of ePassport Deployment

Two ePassport standards are commonly deployed today:
- 1st generation: electronic "data page" and associated security
- 2nd generation: digital biometrics and enhanced security

A future profile is based on the ongoing LDS2 standards work:
- 3rd generation: the chip can be written to post-issuance; electronic entry/exit travel stamps, visas and additional biometrics; additional security

8 PKI in BAC "1st Gen" eMRTD Applications: Supporting Passive Authentication

- Based on X.509 PKI technology
- One Country Signing CA (CSCA) per country; ~120 countries deployed
- Ensures the integrity and authenticity of the personal data on the chip, to counter the threat of forgery
- The CSCA issues one or more Document Signer certificates; a Document Signer signs the hashes of the personal data
- The data and its digital signature are verified by the Inspection System (IS) at border control

9 1st Generation ePassport

Diagram: Data Authenticity & Integrity (Passive Authentication, SOD); Data Privacy & Access Control (Basic Access Control); Chip Authenticity (Active Authentication, challenge-response).

Electronic data: most MRZ data and the facial image are mandatory.

Security features of the 1st generation:

Passive Authentication (X.509 PKI infrastructure)
- A digital signature is applied to the electronic data
- The PKI is used by the terminal to verify the signature and to ensure that the electronic data was signed and written by the passport issuer and has not been altered since it was written

Basic Access Control
- MRZ data is used as the password to initialize secure messaging, so the verifier must be in possession of the passport (or at least of its MRZ) to access the data
- A secure session is established between terminal and chip; skimming and eavesdropping are prevented
- Caveat: anyone in possession of the passport can access the data

Active Authentication (challenge-response)
- Authenticates the chip to the terminal and validates that the chip has not been substituted
- Risk: the challenge sent by the reader is supposed to be random, but an inspection system could instead send meaningful data (for example an encoding of the date, time and place of inspection) and obtain the chip's signature over it, producing a signed record that could be used to implicate the holder. This "challenge semantics" problem is what the 2nd generation Chip Authentication protocol removes.
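To make the BAC caveat concrete, the following Go program (an added example written for this page, not code from the presentation or its authors) derives the BAC keys from the three MRZ fields the way Doc 9303 Part 11 specifies: the 7-3-1 check digits, SHA-1 of the MRZ information truncated to 16 bytes as Kseed, and Kenc/Kmac from SHA-1(Kseed || counter) with DES parity adjustment. The input is the worked example from Doc 9303 (document number L898902C, date of birth 690806, expiry 940623); the function names are this example's own.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// mrzCharValue maps an MRZ character to its check-digit value:
// digits to themselves, A-Z to 10-35, and the filler '<' to 0.
func mrzCharValue(c byte) int {
	switch {
	case c >= '0' && c <= '9':
		return int(c - '0')
	case c >= 'A' && c <= 'Z':
		return int(c-'A') + 10
	default: // '<' filler
		return 0
	}
}

// CheckDigit computes the MRZ check digit: weights 7, 3, 1 repeating, sum mod 10.
func CheckDigit(field string) int {
	weights := [3]int{7, 3, 1}
	sum := 0
	for i := 0; i < len(field); i++ {
		sum += mrzCharValue(field[i]) * weights[i%3]
	}
	return sum % 10
}

// MRZInformation assembles the BAC "password": the document number (padded with '<'
// to 9 characters), date of birth and date of expiry, each followed by its check digit.
// All three values are printed on the data page, which is why possession of the
// passport (or a photocopy of it) is enough to open a BAC session.
func MRZInformation(docNo, birth, expiry string) string {
	if len(docNo) < 9 {
		docNo += strings.Repeat("<", 9-len(docNo))
	}
	return fmt.Sprintf("%s%d%s%d%s%d", docNo, CheckDigit(docNo),
		birth, CheckDigit(birth), expiry, CheckDigit(expiry))
}

// adjustParity forces odd parity on every byte, as DES/3DES keys require.
func adjustParity(key []byte) {
	for i, b := range key {
		if bits.OnesCount8(b&0xFE)%2 == 0 {
			key[i] = b&0xFE | 1
		} else {
			key[i] = b & 0xFE
		}
	}
}

// deriveKey implements the Doc 9303 3DES key derivation: the first 16 bytes of
// SHA-1(Kseed || 32-bit counter), parity adjusted. Counter 1 gives the encryption
// key, counter 2 the MAC key.
func deriveKey(seed []byte, counter byte) []byte {
	h := sha1.New()
	h.Write(seed)
	h.Write([]byte{0, 0, 0, counter})
	key := h.Sum(nil)[:16]
	adjustParity(key)
	return key
}

// BACKeys returns Kseed, Kenc and Kmac as lowercase hex.
func BACKeys(docNo, birth, expiry string) (kseed, kenc, kmac string) {
	sum := sha1.Sum([]byte(MRZInformation(docNo, birth, expiry)))
	seed := sum[:16] // Kseed is the most significant 16 bytes of the SHA-1 hash
	return hex.EncodeToString(seed),
		hex.EncodeToString(deriveKey(seed, 1)),
		hex.EncodeToString(deriveKey(seed, 2))
}

func main() {
	// Worked example values from Doc 9303 Part 11, Appendix D.
	ks, ke, km := BACKeys("L898902C", "690806", "940623")
	fmt.Println("MRZ information:", MRZInformation("L898902C", "690806", "940623"))
	fmt.Println("Kseed:", ks)
	fmt.Println("Kenc: ", ke)
	fmt.Println("Kmac: ", km)
}
```

The derivation is deterministic and the password space is small (a 9-character document number plus two dates, all printed on the data page), which is why the slide's caveat holds: anyone holding the passport, or who has captured a BAC exchange and can guess the document number range, can reconstruct these keys offline.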

10 Border PKI for EAC "2nd Gen" eMRTD: Two Distinct Business Cases

Domestic
- High-assurance validation of your own citizens based on a live match of biometrics against those on the chip
- Possibly in concert with Automated Border Control (ABC, eGates): high assurance with speedy access
- Relatively straightforward deployment model

Interoperable / International
- High-assurance validation of foreigners covered under agreement as they enter your border, again possibly in concert with ABC
- High-assurance validation of your citizens at foreign borders, with controlled access to their biometrics
- Significantly more complex: requires a Single Point of Contact (SPOC) in each state for exchanging the EAC certificates

11 Border PKI for EAC "2nd Gen" eMRTD: Trust

EAC provides mutual authentication: Chip Authentication (the chip proves itself to the terminal) and Terminal Authentication (the terminal proves its authorization to the chip).

12 2nd Generation ePassport

Diagram: Data Authenticity & Integrity (Passive Authentication, SOD); Data Privacy & Access Control (PACE & BAC); Chip Authenticity (Chip Authentication, key exchange); Extended Access Control, read (Terminal Authentication, challenge-response).

Electronic data: biometrics added at personalization.

Security features:
- Passive Authentication is used to protect the integrity and authenticity of the biometrics in the same way as for the other data in the 1st generation. The Security Object is the signed hash table.
- The PACE protocol can be used instead of BAC. It uses either the MRZ data or a 6-digit Card Access Number (CAN) as the password. Because the password only authenticates a Diffie-Hellman key agreement, PACE yields strong session keys even from a low-entropy password: an eavesdropper cannot recover the session keys offline from a captured exchange, whereas BAC keys are derived directly from the MRZ fields and can be brute-forced offline.
- The Chip Authentication protocol can be used instead of Active Authentication. It is a key exchange mechanism rather than a challenge/response, which eliminates the risk of "challenge semantics".
- Terminal Authentication: only authorized readers get access to biometric data (Extended Access Control). It uses an ISO 7816-based Card Verifiable (CV) certificate PKI, in which the passport issuer explicitly authorizes the reading of biometric data.
- Note the difference between what ICAO recommends (no terminal authentication) and the EU requirements (terminal authentication included).
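The Chip Authentication exchange described above, as an added example written for this page (not code from the presentation or its authors), in Go using the standard library's crypto/ecdh. The chip holds a static key pair whose public key is stored in DG14 (and is therefore covered by the Passive Authentication signature); the terminal generates an ephemeral key pair, and both sides derive the same secure-messaging keys from the ECDH shared secret. A cloned chip can copy DG14 byte for byte but not the private key, so its secure-messaging MACs do not verify. The `Chip` and `Clone` types, the simplified key derivation (SHA-256 over the shared secret and a counter, standing in for the Doc 9303 KDF) and the HMAC used in place of the real cipher-based MAC are this example's own assumptions.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ChipLike is whatever sits in the reader: a genuine chip or a clone.
type ChipLike interface {
	DG14() []byte                              // static CA public key as stored in the LDS
	SharedSecret(terminalPub []byte) ([]byte, error) // chip side of the key agreement
}

// Chip holds the genuine chip's static Chip Authentication key pair.
type Chip struct{ priv *ecdh.PrivateKey }

func NewChip() (*Chip, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Chip{priv: priv}, nil
}

func (c *Chip) DG14() []byte { return c.priv.PublicKey().Bytes() }

func (c *Chip) SharedSecret(terminalPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(terminalPub)
	if err != nil {
		return nil, err
	}
	return c.priv.ECDH(pub)
}

// Clone models a cloned chip: a byte-for-byte copy of the genuine DG14 (which still
// passes Passive Authentication), but with a private key of the attacker's own, because
// the genuine private key never leaves the chip.
type Clone struct {
	dg14 []byte
	priv *ecdh.PrivateKey
}

func NewClone(genuine *Chip) (*Clone, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Clone{dg14: genuine.DG14(), priv: priv}, nil
}

func (k *Clone) DG14() []byte { return k.dg14 }

func (k *Clone) SharedSecret(terminalPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(terminalPub)
	if err != nil {
		return nil, err
	}
	return k.priv.ECDH(pub) // wrong key: cannot match the DG14 it presented
}

// macKey derives the secure-messaging MAC key (simplified: SHA-256(secret || counter 2)).
func macKey(secret []byte) []byte {
	in := append(append([]byte{}, secret...), 0, 0, 0, 2)
	h := sha256.Sum256(in)
	return h[:16]
}

// ChipAuthenticate runs the terminal side: ephemeral ECDH against the DG14 key, then a
// check that the chip's MAC over the first secure-messaging response matches the
// terminal's expectation. Only a chip holding the private key behind DG14 passes.
func ChipAuthenticate(chip ChipLike) (bool, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	chipPub, err := ecdh.P256().NewPublicKey(chip.DG14())
	if err != nil {
		return false, err
	}
	terminalSecret, err := eph.ECDH(chipPub)
	if err != nil {
		return false, err
	}
	chipSecret, err := chip.SharedSecret(eph.PublicKey().Bytes())
	if err != nil {
		return false, err
	}
	// Constructed stand-in for the first protected response after key agreement.
	resp := []byte{0x90, 0x00}
	chipMAC := hmac.New(sha256.New, macKey(chipSecret))
	chipMAC.Write(resp)
	termMAC := hmac.New(sha256.New, macKey(terminalSecret))
	termMAC.Write(resp)
	return hmac.Equal(chipMAC.Sum(nil), termMAC.Sum(nil)), nil
}

func main() {
	genuine, _ := NewChip()
	clone, _ := NewClone(genuine)
	ok, _ := ChipAuthenticate(genuine)
	fmt.Println("genuine chip authenticates:", ok)
	ok, _ = ChipAuthenticate(clone)
	fmt.Println("clone authenticates:", ok)
}
```

Note what the chip never does here: it signs nothing the terminal chose. Its only contributions are a public key and MACs under a key the terminal also holds, so a transcript of the exchange is not third-party evidence of anything, which is exactly the "challenge semantics" exposure of Active Authentication that the slide says Chip Authentication eliminates.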

13 2nd Generation Impact on Border Control

- The number of ePassports in circulation is increasing
- 2nd generation ePassports are becoming more common: mandatory in the EU, and adopted by states interested in biometrics
- Increased confidence: authenticity, integrity and reliability of data and document; binding documents to passengers
- Easier identification of fraud and forgery
- Faster processing of passengers

14 3rd Generation ePassport

Diagram: Data Authenticity & Integrity (Passive Authentication); Data Privacy & Access Control (PACE); Chip Authenticity (Chip Authentication, key exchange); Extended Access Control, read & write (Terminal Authentication) for travel stamps, visas and biometrics.

Electronic data: three additional applications (travel stamps, visas and additional biometrics).

Security features:
- Passive Authentication protects the integrity and authenticity of the additional 3rd generation data in the same way as for 1st and 2nd generation data
- PACE is used exclusively (no BAC)
- Chip Authentication is used exclusively (no Active Authentication)
- Terminal Authentication is used for extended access control to 3rd generation data, covering both read and write permissions, with independent authorization for each of the three applications

15 3rd Generation Impact on Border Control

Automation of additional services becomes possible:
- Examination of travel history
- Electronic processing of visas
- Verification of additional biometrics

Ability to write to ePassports:
- Authorization required from the passport issuing state
- Travel entry/exit stamps can be written electronically at the border
- Additional biometrics can be written
- Additional security focused on authorization

16 ePassport Overview: What's on the Chip?

- The chip contains a Logical Data Structure (LDS) with 16 Data Groups (DGs):
  - DG1 contains the contents of the MRZ (mandatory)
  - DG2 contains the photograph of the holder (mandatory)
  - DG3 contains the fingerprint biometrics (optional)
  - etc.
- The chip contains a Document Security Object (SOD), which holds a hash of each Data Group present in the LDS and a signature that covers the stored hashes.

17

18 Important Outcomes at the Border

19 Required Actions & Necessary Outcomes

- Greater veracity in verifying identities and travel documents
- Efficiency in processing through borders
- Greater utilization of existing data sources
- Agreement on, and adherence to, standards
- Affordability for government agencies
- Simplicity for field officers

Coordinated response: public-private sector collaboration.

20 Border Control Perspective

A critical decision in less than 60 seconds for each inbound or outbound passenger:
- Travellers are who they say they are
- Know their point of origin and destination
- Identify threats to travellers and transit
- Identify national security threats
- Authenticate credentials
- Verify entry privileges

21 Field Officer Perspective

Elements of a decision:
- Who: Who is this person? Is the credential authentic? Do the biometrics agree?
- What: What does the credential say? Does it belong to this person? Is it authentic, or has it been altered?
- Where: Where is he from? Where has he travelled? Where is he going?

22 FIELD OFFICER PERSPECTIVE

23 Concept: Attributes of a Decision

Diagram: identity assurance is built from the Who, the What and the Where.

24 Establishing the Who

Identity assurance: Who is this person according to the document? Do the biometrics confirm the identity? Inputs: primary biometric, secondary biometric, local databases.

25 Confirming the What: eFeatures & Physical Security

Identity assurance: Does the credential belong to the bearer, and is it authentic and valid? Inputs: eFeatures and physical security features, multilateral interoperability, international databases and SLTD.

26 Establishing the Where

Identity assurance: What confidence can be drawn from the person's nationality and itinerary? Inputs: PNR, itinerary and ticket data, Advance Passenger Information (API and iAPI), national trust policy (alerts, standing).

27 Future Extensions

Diagram: LDS2 adds eVisas, travel stamps and additional biometrics to the Who/What/Where picture of identity assurance.

28 Advanced Passenger Information (API)

Diagram of the border control ecosystem: portable readers and eGates; border control databases; INTERPOL and local/regional databases; Advanced Passenger Information (API); multilateral trust networks; ICAO nPKD.

29 Closing Thoughts: Time to Reap the Value, Validate the Identity

- The threat level is increasing and continues to increase
- Standards-based technology is widely available
- ePassport issuance is pervasive

For border control:
- Products and services are widely available that implement 1st and 2nd generation security features
- 3rd generation features are not yet fully standardized; a demonstrator is possible sometime in mid-to-late 2016
- The number of chip-enabled passports in circulation has now reached critical mass

Given all these factors, it is time for border control to begin reaping the benefit of these electronic passports: use the available tools to validate the identity.

