Technical Guide
Version 1.0
10 May 2011
Contents
Introduction
Strategy and architecture
  Summary
  Standards: strategy and architecture
  Architecture
    Mobile device
    Single tactical end-to-end solution
    Multiple tactical end-to-end solutions
    Strategic end-to-end solution
    Replication
  Glossary: strategy and architecture
Interoperability
Business process
  Summary
    Health and safety
  Standards and glossary
Mobile communications
  Summary
  Standards: communications
  Glossary: communications
Security
  Summary
  Risks
  Countermeasures
  Standards: security
  Glossary: security
Biometrics
  Summary
  Standards: biometrics
  Glossary: biometrics
Machine Readable Travel / Identity Documents (MRTD)
  Summary
  Standards: document reading and PKI
  Glossary: machine readable travel / identity documents
Driver and Vehicle Documents
  Summary
  Standards: driver and vehicle documents
  Glossary: driver and vehicle documents
Watchlist
  Summary
  Standards and glossary: watchlist
Introduction
Mobile communications and mobile devices are developing fast, with new models and
improved capability appearing frequently on the market.
The same trajectory is also driving improving mobile capability for police and
immigration services. However, unlike a mass-consumer device, mobile immigration
and police devices are not an out-of-the-box solution: they require a number of
different technologies to be used and to be brought together effectively.
This paper from e-MOBIDIG has been written to explain each of the different
technologies and challenges, and is offered as an introductory guide to this area.
Paper (2) from e-MOBIDIG sets out a Use Case Framework for mobile devices:
within that framework, this Technical Guide concentrates particularly on Use Class
1 (handheld mobile ID devices), but may also be applicable to other devices.
Paper (3) presents Country Examples which describe projects and existing
mobile services for mobile ID devices for police and immigration.
Topics covered in this Technical Guide include:
Strategy and architecture
Interoperability
Business engagement
Mobile communications
Security
Biometrics
Document reading and authentication (travel, identity, vehicle and driver
documents)
Watchlists
Many thanks to everyone who has contributed to developing this document.
Frank Smith, Chair, e-MOBIDIG
frank.smith@homeoffice.gsi.gov.uk
Strategy and architecture
Summary
Where the business needs a mobile ID device connecting to core systems via a
secure infrastructure, it is important to regard this as a requirement to deliver
an end-to-end solution, not just a mobile device.
As well as involving experienced subject matter experts, a key role in
delivering an effective end-to-end solution is the prime integrator,
responsible for making the different components and technologies work well
together. A robust, experienced approach is needed, covering all the
technologies required for a particular solution in a mobile context.
A clear definition of what the device will and will not do, initially and in the
future, is needed.
The mobile solution has to fit well into the broader context and strategy of the
organisation as a whole.
Mobile devices are a developing and complex field; organisations may
reasonably have difficulty in understanding fully how these can best be used
operationally, in a highly practical context. There can be considerable value in
undertaking early pilot work before committing to a full, strategic purchase and
deployment, but it is important that the business rationale is properly understood.
Architecture
Mobile device
The first aspect considered here is the mobile device itself. Figure 1 shows a generic
mobile device cast to cover a reasonably comprehensive range of possible features:
Figure 1: Mobile device (generic model). The figure shows twelve numbered blocks:
1. Mobile ID device: fingerprint reader, camera, MRZ reader, chip reader, contact reader,
screen, keyboard, PKI, encryption, geo-location, memory (+HSM), comms + VPN
2. Administration: user setup and permissions / roles, security, configuration, key management
3. User interface: logon (user / password / biometrics), user commands
4. Biographics: name, DoB, address, nationality
5. Biometrics: fingerprints, face, iris
6. Documents: passport, ID card, driver licence, visa
7. Images: evidence, document image, crime scene
8. Central control: comms, VPN, security, presentation, orchestration, audit
9. Immigration: fingerprints, case records, watchlists
10. Police: criminal records, fingerprints, vehicles
11. Other reference systems (label not recovered from the figure; see item 11 below)
12. PKI: authentication of documents, EAC access
The high-level model describing handheld ID devices is shown here. Actual devices
might implement various possible sub-sets of this outline, depending on actual
business requirements and priorities, legal framework, opportunities, etc. Components
shown here include:
Device and support
1. The device itself, with several possible core components reflecting the
functionality selected. Further details are expanded below.
2. A support / administration function that will allocate devices to users for
specific purposes, and may authorise different roles, and therefore load
different components or give different access to different users. This function
will create user accounts, enrol users (e.g. where a fingerprint is used for
access) and also report and block access to lost or stolen devices.
3. The user, who will operate the device by issuing commands to it.
Input sources
4. Biographic information such as a person's name as printed in a passport or on
a residence or ID card, or as volunteered to the user by the person.
5. Biometric information such as the person's face image or fingerprints.
6. Documents the person may present.
7. Images not necessarily covered by the points above: traffic accidents,
scenes of crime, visual evidence, live video.
Central control
8. Communications, security, and aspects of middleware that connect different
front-end devices to a variety of back-end systems. See the description of
this topic below under the heading of strategy (Figure 4).
Reference sources
9. Immigration systems, including biographic or biometric systems.
10. Likewise, police systems for general police use such as police-related
fingerprint or criminal record systems.
11. Other reference systems outside police and immigration, such as civil reference
systems on drivers or vehicles, or stolen property (serial numbers / bar codes?).
12. Support systems to provide PKI reference certificates so that the device can
read and authenticate secure chipped documents, including signature
certificates, verification certificates (approving access to fingerprints on the
chip) and Certificate Revocation Lists (CRLs).
To consider possible components within the mobile device:
Fingerprint reader: different resolutions and quality (and therefore price) of
reader are available depending on the intended use. In increasing order of quality:
1:1 verification; 1:Many search of a large system; high-quality enrolment.
Camera: there are many uses for a camera on a mobile ID device, for still
shots or video. For general pictures, identification, intelligence, crime scene,
accident, injury or enforcement; for general information or as court evidence;
for saving to memory, live transmission or storing on a database. A camera
can also be an optical input to a recognition system: facial recognition,
vehicle number plate (ANPR), bar code reader, MRZ reader. A camera can
offer different resolutions (megapixels) and can have image enhancement,
zoom and flash, or be basic. What do you need?
MRZ reader: first stage before opening and reading a passport or ID card
chip. Can be a swipe reader, or possibly camera-based.
Chip reader: second stage of reading a passport or ID card, interacting with
the chip, e.g. by Radio Frequency ID (RFID) over the ISO/IEC 14443 contactless
interface used by e-passports.
Contact reader: uses an electrical contact plate, as for traditional bank cards.
Screen: to operate the device and obtain results, and to check images being
recorded; a touch-sensitive screen can be used as a soft keyboard. Can
be of varying size, quality and resolution of display.
Keyboard: to input commands or data, using finger or stylus; hard or on screen.
PKI: special memory to hold certificates and revocation lists for the PKI process.
HSM: a Hardware Security Module is needed to protect high-security
information, particularly encryption private keys (e.g. PKI / VPN).
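The MRZ-first, chip-second sequence above is worth seeing in code. The following is an added example, not code from this guide: it computes and checks the ICAO 9303 MRZ check digits a reader must validate before trusting an optical read, and derives the chip access keys that Basic Access Control builds from the document number, date of birth and expiry date (the guide names only the MRZ-first step; that the device uses BAC-style MRZ-derived keys is an assumption here). The sample MRZ values are constructed test data taken from the ICAO 9303 worked example.

```python
"""MRZ check digits and MRZ-derived chip access keys (ICAO 9303 style).

Added example, not code from the e-MOBIDIG guide. The MRZ field values used
below are constructed test data: the document number, date of birth and
expiry date with their check digits are those of the ICAO Doc 9303 worked
example for Basic Access Control.
"""
import hashlib

_WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """Numeric value of an MRZ character: 0-9 as is, A-Z as 10-35, filler '<' as 0."""
    if "0" <= c <= "9":
        return ord(c) - ord("0")
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7, 3, 1 repeating, sum modulo 10."""
    total = sum(mrz_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def validate_mrz_fields(doc_number: str, dob: str, expiry: str) -> bool:
    """Each argument is the field (9 characters for the number, 6 for dates)
    followed by its printed check digit; all three must verify."""
    for field in (doc_number, dob, expiry):
        if check_digit(field[:-1]) != int(field[-1]):
            return False
    return True


def _adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as required for DES / 3DES keys."""
    out = bytearray()
    for b in key:
        data_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if data_bits % 2 else 1))
    return bytes(out)


def derive_bac_keys(doc_number: str, dob: str, expiry: str):
    """Derive K_seed and the 3DES encryption and MAC keys from the MRZ.

    MRZ_information = document number + check digit + date of birth +
    check digit + date of expiry + check digit.  K_seed is the first 16 bytes
    of SHA-1(MRZ_information); K_enc and K_mac are the first 16 bytes of
    SHA-1(K_seed || 00000001) and SHA-1(K_seed || 00000002), parity adjusted.
    The check digits are validated first: a misread MRZ (the usual OCR failure
    on a handheld reader) yields a wrong key and a refused chip session, so it
    is reported before any chip interaction is attempted.
    """
    if not validate_mrz_fields(doc_number, dob, expiry):
        raise ValueError("MRZ check digit mismatch: re-read the document")
    mrz_information = (doc_number + dob + expiry).encode("ascii")
    k_seed = hashlib.sha1(mrz_information).digest()[:16]

    def kdf(counter: int) -> bytes:
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16]
        return _adjust_parity(digest)

    return k_seed, kdf(1), kdf(2)


if __name__ == "__main__":
    seed, k_enc, k_mac = derive_bac_keys("L898902C<3", "6908061", "9406236")
    print("K_seed", seed.hex())
    print("K_enc ", k_enc.hex())
    print("K_mac ", k_mac.hex())
```

A check-digit failure should send the officer back to re-read the document rather than on to the chip: one OCR error changes K_seed and the chip simply refuses the session. PACE-capable documents derive their MRZ password from the same three fields, so the validation step applies there too.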
Single tactical end-to-end solution
Figure 2: Single tactical end-to-end solution (one mobile device, connected through
its own firewall / VPN and security layer, Security 1, to one core system, System 1)
This solution is exclusive to the use and capabilities of one application and core
system. If there are many other potential uses of mobile technology in the business as
a whole then this approach is essentially tactical: it meets a current and specific
requirement but is not built to serve the organisation's strategic aims as efficiently
as possible.
This does not necessarily make a tactical solution wrong: a tactical solution is likely
to be cheaper and quicker to implement; there may only be one business priority for
mobile solutions; and there may be considerable value in piloting a prototype or
proof of concept solution delivered at lower cost, to ensure the correct design is
understood before committing to the full design in production form.
Multiple tactical end-to-end solutions
Figure 3: Multiple tactical end-to-end solutions (Mobile devices 1 to 4, each with its
own firewall / VPN and security layer, Security 1 to 4, connected to its own core
system, System 1 to 4)
This is more problematic because it could be what arises when different parts of the
business specify and build solutions that only reflect their own localised interests,
resulting in multiple tactical solutions and, overall, a fragmented corporate approach.
Much of the same functionality is designed and bought in parallel at higher total cost,
but possibly to conflicting standards and without the opportunity to leverage synergies
and to share and re-use components.
Multiple tactical end-to-end solutions might be justified in some circumstances, but they
may also arise from pushing tactical approaches too far when a more co-ordinated and
strategic approach ought to be taken.
Strategic end-to-end solution
Figure 4: Strategic end-to-end solution. Mobile devices A to D connect through a
common firewall / VPN and security layer to a middleware layer providing secure
integration, connections and services (presentation, orchestration, data sharing,
control, audit, software re-use), which in turn connects to several back-end
systems: System 1 (e.g. fingerprint system), System 2 (e.g. watchlist system),
System 3 (e.g. ops management system) and System 4 (e.g. PKI central source).
In this solution, several different types of mobile device, which may include some
different capabilities, complexity, size (e.g. smartphone, tablet, special purpose), etc.,
are able to connect to and obtain services from a common middleware solution,
which requests and receives data from the several back-end reference systems to which
it is able to connect. Potential advantages of this approach can include:
Scalability, extendibility and re-use of facilities: the solution can increase
in capacity and add new devices and/or back-end systems without having to
fundamentally re-design the existing solution. Existing services can be
provided to new devices with less re-implementation and duplication of effort,
and therefore potentially cheaper and faster (better value for money).
Integration and presentation: information drawn from multiple systems can
be brought together coherently and presented efficiently, for example on a
small screen, prioritising and highlighting key information (e.g. a violence
warning for a person being checked), allowing further detail to be expanded as
the user may wish. This is essential when a user needs to combine information
from more than one system, is working under real-time operational constraints,
and is using a small device.
Security and audit: there is consistent central control and management of
which devices, users and/or roles can have access to systems or types of
information. There can also be central monitoring of access to information and
systems by users and devices, assignment of roles, etc.
Following this approach for multiple solutions is more strategic: for the reasons
outlined above, it offers a more holistic solution to meeting the business's strategic
aims, providing employees on the move with integrated access to disparate
information owned or used by the organisation.
Cost is likely to be higher initially to implement a middleware solution, and it might not
therefore be appropriate for small or less complex requirements, but in more complex
solutions it can become highly appropriate, with the additional cost spread over more
applications and uses.
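To make the "security and audit" and "integration and presentation" advantages concrete, here is an added example (not e-MOBIDIG code) of the middleware layer in Figure 4: one place that checks device enrolment and role, fans the request out only to the back ends that role may use, logs every decision, and puts a violence warning at the top of what the device displays. The back-end records, role names and device identifiers are constructed sample data standing in for the system-to-system calls a real middleware layer would make.

```python
"""Middleware for a strategic end-to-end solution: one point of access control,
orchestration, presentation and audit between several device types and several
back-end systems.  Added example, not e-MOBIDIG code.  The back-end records,
role names and device identifiers are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


# Constructed back-end reference systems (System 1..3 in the guide's figure).
def fingerprint_system(query: dict):
    records = {"FP-1001": {"name": "A. EXAMPLE", "criminal_records": ["2009/44 theft"]}}
    return records.get(query.get("fp_id"))


def watchlist_system(query: dict):
    listed = {"P1234567": {"action": "DETAIN", "flags": ["WANTED", "VIOLENT"]}}
    return listed.get(query.get("doc_number"))


def vehicle_system(query: dict):
    vehicles = {"AB12CDE": {"status": "STOLEN"}}
    return vehicles.get(query.get("vrm"))


BACKENDS = {
    "fingerprint": fingerprint_system,
    "watchlist": watchlist_system,
    "vehicle": vehicle_system,
}

# Central policy: which services each role may use, whatever device it is on.
ROLE_SERVICES = {
    "immigration": {"watchlist", "fingerprint"},
    "traffic": {"vehicle"},
}


@dataclass
class Middleware:
    devices: dict                       # device_id -> {"roles": set, "blocked": bool}
    audit: list = field(default_factory=list)

    def _log(self, **entry) -> None:
        entry["time"] = datetime.now(timezone.utc).isoformat()
        self.audit.append(entry)

    def request(self, device_id: str, user: str, role: str, services: list, query: dict) -> dict:
        """Authorise, fan out to the permitted back ends, and build one presentation."""
        device = self.devices.get(device_id)
        if device is None or device["blocked"]:
            self._log(device=device_id, user=user, outcome="REJECTED_DEVICE")
            raise PermissionError("device not enrolled or blocked")
        if role not in device["roles"]:
            self._log(device=device_id, user=user, role=role, outcome="REJECTED_ROLE")
            raise PermissionError("role not assigned to this device")

        allowed = ROLE_SERVICES.get(role, set())
        results, denied = {}, []
        for service in services:
            if service not in allowed:
                denied.append(service)      # refused centrally; the back end is never called
                continue
            results[service] = BACKENDS[service](query)

        self._log(device=device_id, user=user, role=role,
                  served=sorted(results), denied=denied, outcome="OK")
        return self._present(results, denied)

    @staticmethod
    def _present(results: dict, denied: list) -> dict:
        """Put the safety-critical item first so it is the first thing seen on a small screen."""
        alerts = []
        hit = results.get("watchlist")
        if hit:
            if "VIOLENT" in hit["flags"]:
                alerts.append("VIOLENCE WARNING")
            alerts.append("WATCHLIST: " + hit["action"])
        if results.get("vehicle") and results["vehicle"]["status"] == "STOLEN":
            alerts.append("VEHICLE REPORTED STOLEN")
        return {"alerts": alerts, "details": results, "denied": denied}
```

The device never learns which back ends exist beyond those its role is allowed to use, and a blocked device is refused before any query reaches a reference system; both decisions, and what was served, land in one audit trail rather than in four separate system logs.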
To deliver these services effectively across multiple platforms and systems, it is most
effective if the middleware solution can access systems that readily support
system-to-system connection rather than only serving conventional business users working
from a desktop PC and logged into the system in the traditional manner. This type of
technology solution is called web services: a range of technologies designed to
facilitate system-to-system connection. Web services are closely allied with the
Service Oriented Architecture (SOA) approach; messaging via an Enterprise Service
Bus (ESB); and message formats and protocols that can include:
Replication
In a replication solution a read-only copy of a live database is created and maintained
through regular updates, e.g. daily. To refer to the information, e.g. from a mobile
device, reference is made to the copy rather than the live data. This is illustrated
below:
Figure 5: Replication process. Mobile devices A to D connect through firewall / VPN and
Security 1 to System X (Copy); a separate replication process, behind its own firewall /
VPN and Security 2, refreshes the copy from System X (Master).
Glossary: Strategy and architecture
Geo-positioning: The ability to detect precise location from navigation satellites and
to apply this information to applications; particularly relevant to mobile systems.
Example: Global Positioning System (GPS).
Middleware
Orchestration
Prime integrator: A lead supplier with overall responsibility for bringing together
components into a single overall business solution. Particularly important where
several specialist suppliers and technologies need to be co-ordinated.
Replication
Server
SOA
Web services
Workflow: A component in a SOA solution that ensures tasks follow predefined business
rules, e.g. obtaining the correct sign-off from the required business user before
completion.
Interoperability
Figure 6: A few challenges to interoperability
Business process
Summary
Just as it is critical to integrate a mobile device with the infrastructure and reference
systems it uses, it is also vital to understand very clearly how the device will be used
and integrated with operational business processes by front-line officers. Introducing the
ability to check identities more securely at the front line means that business processes,
guidance and training also need to be designed, with and for users. This includes
how to deal with identity deception; loss / theft of devices; and audit / privacy.
Developers and analysts need to understand operational users, and users need to
understand the potential of mobile devices to enhance their work. Certainly mobile
devices need to support existing business processes, but providing powerful access
to relevant information in officers' hands right at the front line may do more and open
new and unexpected possibilities for more efficient working, delivering enhanced
results. It may be valuable to conduct workshops with users, and to undertake
operational pilots and trials with close engagement to highlight achievements.
Mobile communications
Summary
A key design decision is the selection of appropriate network(s) for a device, e.g.:
Standards: Communications
Standards exist for:
Network generations and public-safety radio, e.g. 2G, 3G, 4G and TETRA, Tetrapol
Radio connection to networks, e.g. GPRS, EDGE, WiFi, WiMAX and LTE
Data transfer over networks, e.g. IPv4, IPv6 and VoIP
Glossary: Communications
2G
3G
4G
Bluetooth
Cellular repeater: A device to boost cell phone reception in a local area by receiving,
amplifying and re-broadcasting the signal, e.g. within one building.
EDGE
GPRS
GSM
IP
TETRA
VoIP
VPN
Security
Summary
Protection is needed for:
The device: access control, data held on the device, and local communications
between solution components.
Communications: encryption, so that communications cannot be intercepted and
understood or used in any unauthorised way.
Central services, systems and data: is the connection for mobile devices
protected, to safeguard the central communications portal and the systems
accessible through it from attack or eavesdropping? Is a VPN and firewall
solution in place?
Supporting admin and operations: these must support, and not compromise, the
device and the systems / information, e.g. rigorous key handling, account creation
/ maintenance, user authorisation, and action on loss of equipment.
Accreditation: the authority responsible for reviewing and authorising
security for the organisation, and the key people owning the business decision
and risk for IT and information systems, understand and approve the solution.
Risks
Risks in relation to an IT system can generally be classified as loss of confidentiality,
integrity and availability, plus perhaps reputation.
Loss of confidentiality: for example unauthorised access, overlooking of
transactions by a legitimate user, or intercepting and/or using security credentials
to gain access from an unauthorised device and/or by an unauthorised user.
This concerns not just the mobile device but potentially the other systems it accesses.
Loss of integrity: unauthorised changes, deletions or additions to data in
storage systems or in transit, or to processing / functionality, so that a device
that is trusted to produce only authorised results is corrupted.
Loss of availability: unwanted loss of access to / availability of a system or
data, for example following theft, denial of service attack or equipment failure.
Loss of reputation: a government or enforcement service may suffer serious
embarrassment or reputational damage from public awareness that it has
failed to safeguard personal information or has compromised security.
Specific examples of attacks that need to be protected against include:
Overlooking devices while they are in use by authorised users: this includes
people being able to see the results of searches, such as whether someone
registers a hit against a watchlist, which may itself be highly sensitive.
Unauthorised access to a mobile device: can an unauthorised user gain
access to / control of a device to access information and systems?
Interception of communications with the mobile device: including passive
listening / recording, and also unauthorised users being able to introduce their
own transactions to access information. The use of mobile devices by
enforcement agencies may give away that an operation is imminent, or may
allow the use of such devices to be blocked or disrupted.
Wireless compromise of mobile devices: the existence of a wireless (radio)
connection to a mobile device may allow a hostile attack in which software on
Countermeasures
Possible security countermeasures to protect against these risks are:
Access control: to devices and core systems, e.g. by password protection,
possibly even fingerprint verification of authorised users, and tamper-proofing to
detect unauthorised access and lock the device and/or erase all sensitive data.
Encryption: of communications and of data held on the device.
Virtual Private Network (VPN): a VPN solution ensures that even when
using open, public networks, users or organisations have assurance that
communications are confidential to the authorised users, and that
authentication of users and devices takes place. It uses encryption, secure
tunnelling protocols and digital signature technologies.
Tamper-proofing: detection of any attempt at unauthorised access, leading to
shutdown of the device and/or deletion of sensitive data. This can include
HSMs (below) and anti-snatch detection such as a cord secured to the user of
the device so that if the device is grabbed and removed by someone else, the
cord is pulled out and the device is alerted to the attack.
Hardware Security Modules (HSMs): a means of protecting against a
device being attacked to extract data. Traditionally an HSM
was an armoured box that would detect any attempt at unauthorised tampering,
but this can also be implemented as a smart card which deletes all data if removed.
Possible contents: encryption private keys, watchlist contents, access codes for
central systems.
Limitations on functionality: it may be appropriate as a safeguard to limit
the sensitivity of information placed on or transmitted to a mobile device, to
reduce the impact of any potential security violation.
Remote deletion or blocking: commands may be issued from a central
control point instructing a mobile device that has been lost or stolen to delete
any sensitive data, including access codes or authorisations, that it is holding.
Security inspection and accreditation: involving detailed inspection and
testing by security experts to test for security weaknesses and the effectiveness
of countermeasures, leading to approval of the device / system as being fit for
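The "remote deletion or blocking" countermeasure only helps if a thief, or an attacker on the radio path, cannot issue or replay such commands themselves; an unauthenticated wipe channel is a denial-of-service tool against every device in the fleet. The following added example (not e-MOBIDIG code) shows a central control point issuing BLOCK and WIPE commands authenticated with a per-device HMAC key and a sequence number, and a device that verifies both before acting. The device identifiers, keys and stored data are constructed.

```python
"""Authenticated remote block / wipe commands from central control.

Added example, not e-MOBIDIG code.  A lost device must act on a genuine
command from the support function, but nobody who can reach the device's
radio may wipe or block it, or replay an old command; the device therefore
checks a per-device HMAC and a monotonic sequence number before acting.
Device identifiers, keys and stored data below are constructed.
"""
import hashlib
import hmac
import json


def canonical(msg: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


class CentralControl:
    def __init__(self, device_keys: dict):
        self.keys = dict(device_keys)       # per-device command keys, e.g. held in the central HSM
        self.seq = {}

    def issue(self, device_id: str, cmd: str) -> dict:
        self.seq[device_id] = self.seq.get(device_id, 0) + 1
        msg = {"cmd": cmd, "device": device_id, "seq": self.seq[device_id]}
        tag = hmac.new(self.keys[device_id], canonical(msg), hashlib.sha256).hexdigest()
        return {"msg": msg, "tag": tag}


class Device:
    def __init__(self, device_id: str, command_key: bytes):
        self.id = device_id
        # The command key is kept apart from the wiped material so a wiped device
        # can still be blocked or re-enrolled under central control.
        self.command_key = command_key
        self.last_seq = 0
        self.blocked = False
        self.sensitive = {                  # constructed contents of device memory / HSM
            "vpn_private_key": bytearray(b"\x11" * 32),
            "watchlist_cache": ["P1234567"],
            "system_access_token": "tok-abc",
        }

    def receive(self, envelope: dict) -> str:
        msg, tag = envelope["msg"], envelope["tag"]
        expected = hmac.new(self.command_key, canonical(msg), hashlib.sha256).hexdigest()
        # Authenticity first: nothing in msg is trusted until the MAC verifies.
        if not hmac.compare_digest(expected, tag):
            return "REJECT_BAD_MAC"
        if msg["device"] != self.id:
            return "REJECT_WRONG_DEVICE"
        if msg["seq"] <= self.last_seq:     # a captured command cannot be replayed
            return "REJECT_REPLAY"
        self.last_seq = msg["seq"]
        if msg["cmd"] == "BLOCK":
            self.blocked = True
            return "BLOCKED"
        if msg["cmd"] == "WIPE":
            self._wipe()
            self.blocked = True
            return "WIPED"
        return "REJECT_UNKNOWN_CMD"

    def _wipe(self) -> None:
        for value in self.sensitive.values():
            if isinstance(value, bytearray):
                for i in range(len(value)):  # overwrite key bytes before discarding them
                    value[i] = 0
        self.sensitive.clear()
```

The sequence number must be stored persistently on the device, and the per-device key must be unique, otherwise one compromised device yields a wipe command valid for all of them; in a real deployment the command would also be carried inside the VPN, but the device-side check should not depend on that.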
Standards: Security
Standards and/or guidance include:
http://www.enisa.europa.eu European Network and Information Security
Agency (ENISA).
http://www.iso.org/iso/iss_international-security-standards.htm ISO/IEC work on IT
security, including the ISO/IEC 27000 series on Information Security
Management.
http://www.thebci.org.uk UK Business Continuity Institute, including a practice
guide and standard on business continuity.
http://www.ifiptc11.org/ International Federation for Information Processing
(IFIP), Technical Committee 11: Security and Privacy Protection in
Information Processing Systems (TC11).
Glossary: Security
Authentication
DMZ
Firewall
HSM
SAML
VPN
Biometrics
Summary
Minimum approach:
Consider the real business need and the problem that needs to be solved ahead
of thinking about specific biometric hardware/solutions...
Test and confirm quality and fitness for purpose at all stages / times.
Standards: Biometrics
EU regulation on the biometric characteristics to be included in the electronic passport:
Regulation (EC) No 2252/2004 of the European Parliament and of the Council
of 13 December 2004 on standards for security features and biometrics in
passports and travel documents issued by Member States.
ISO standard vocabulary of biometric terms:
http://www.iso.org/iso/iss_international-security-standards.htm
Glossary: Biometrics
1:1 verification
1:Many search
1st generation
2nd generation
DPI
Error rates
Latent
Liveness
Matcher
Minutiae
Multi-modal: The use of more than one type of biometric, e.g. to increase accuracy
and resist spoofing. For example, iris, fingerprint and face image.
NIST
PPI: See DPI
Rolled
Slap
Spoofing
Template
Glossary: Machine Readable Travel / Identity Documents
2nd generation
BIG
BSI
CA / PA
DRA
EAC
ECC
eID
EU
ICAO
MRTD
MRZ
PACE
PKI
SAC
SPOC
TA
Watchlist
Summary
Watchlist information will provide the operator of a mobile device with an alert
if someone's identity or document details match information on a
prioritised list for the country (or region). Entries on a watchlist may cover many
possible circumstances, for example a passport that has been lost or stolen, a person
who is wanted by the police for arrest in connection with a criminal investigation, a
warning that the person may be violent towards officials, or an indication that the
person is of more discreet interest to a law enforcement or security agency.
Considerations in accessing watchlist information from a mobile device are:
There may be considerable value in connecting to this source because it may
make it possible to conduct full border checks using the device. It may also be of
other operational use.
It is important that the response from a hit indicates clearly the action, if any,
to be taken, and that in doing so it does not alert or inform the person being
checked (there should not be a characteristic sound or readily visible
indication); even so, the operator needs to protect the device from being
overlooked when in use.
The contents of a watchlist, and whether a particular person is or is not listed, may
be of high value to people who pose a serious threat to security. It is therefore
critical that any device giving access to watchlist information is especially
well protected from attack. This could include access control measures;
directing all requests from mobile devices to a read-only copy of the live
database, to restrict the information the device can access (see replication,
above); or limiting the information sent back to the mobile device but, where
appropriate, advising the user to refer to a central point or a separate
confidential system for further information.
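Two of the safeguards above, routing mobile requests to a read-only replica and minimising what is sent back, fit together naturally; the following added example (not e-MOBIDIG code) shows both, and also stands in for the replication pattern described in the strategy section (Figure 5). The watchlist entries, document numbers and device identifiers are constructed sample data.

```python
"""Watchlist access from a mobile device through a read-only replica with a
minimised response.  Added example, not e-MOBIDIG code.  The entries,
document numbers and device identifiers are constructed sample data.
"""
from datetime import datetime, timezone
from types import MappingProxyType

# Constructed live database (System X, master).  The mobile path never touches it.
MASTER = {
    "P1234567": {"reason": "WANTED_ARREST", "source": "police",
                 "action": "DETAIN", "violent": True},
    "X7654321": {"reason": "LOST_STOLEN_DOCUMENT", "source": "issuer",
                 "action": "SEIZE_DOCUMENT", "violent": False},
    "Q0000001": {"reason": "DISCREET_INTEREST", "source": "security",
                 "action": "REPORT_ONLY", "violent": False},
}


def replicate(master: dict) -> MappingProxyType:
    """Take a point-in-time, read-only copy (System X, copy) for the mobile service.

    The copy is immutable at the Python level: a compromised mobile path can
    read it but cannot alter or delete entries, and master changes only reach
    it at the next scheduled replication.
    """
    snapshot = {doc: MappingProxyType(dict(entry)) for doc, entry in master.items()}
    return MappingProxyType(snapshot)


class WatchlistService:
    def __init__(self, replica: MappingProxyType):
        self.replica = replica
        self.audit = []

    def refresh(self, master: dict) -> None:
        """The scheduled replication step (e.g. daily)."""
        self.replica = replicate(master)

    def check(self, device_id: str, user: str, doc_number: str) -> dict:
        """Return only what the officer needs to act on, never the reason or source.

        Every response has the same keys, so a hit and a no-hit look alike on
        the wire and on the screen apart from the action text itself.
        """
        entry = self.replica.get(doc_number)
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(),
                           "device": device_id, "user": user,
                           "doc": doc_number, "hit": entry is not None})
        if entry is None:
            return {"hit": False, "officer_action": "NONE", "violent": False, "refer": None}
        if entry["action"] == "REPORT_ONLY":
            # Discreet interest: no instruction on the device, refer to the central point.
            return {"hit": True, "officer_action": "NONE", "violent": False,
                    "refer": "contact central control before proceeding"}
        return {"hit": True, "officer_action": entry["action"],
                "violent": entry["violent"], "refer": None}
```

The replica is what the device-facing service can reach at all, so an attacker who gets as far as that service can enumerate it but not corrupt the master or see why an entry exists; the audit record of every lookup is what lets central control spot enumeration from a device that has been lost or misused.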