
Mobile ID Devices

Paper 4: Technical Guide

Version 1.0
10 May 2011

Contents

Introduction  1
Strategy and architecture  2
  Summary  2
  Standards: strategy and architecture  2
  Architecture  3
    Mobile device  3
    Single tactical end-to-end solution  5
    Multiple tactical end-to-end solutions  5
    Strategic end-to-end solution  6
    Replication  7
  Glossary: Strategy and architecture  8
Interoperability  9
Business process  10
  Summary  10
    Health and safety  10
  Standards and glossary  10
Mobile communications  11
  Summary  11
  Standards: Communications  11
  Glossary: Communications  12
Security  13
  Summary  13
  Risks  13
  Countermeasures  14
  Standards: Security  15
  Glossary: Security  15
Biometrics  16
  Summary  16
  Standards: Biometrics  16
  Glossary: Biometrics  17
Machine Readable Travel / Identity Documents (MRTD)  19
  Summary  19
  Standards: Document Reading and PKI  19
  Glossary: Machine Readable Travel / Identity Documents  20
Driver and Vehicle Documents  22
  Summary  22
  Standards: Driver and Vehicle Documents  22
  Glossary: Driver and Vehicle Documents  23
Watchlist  24
  Summary  24
  Standards and glossary: Watchlist  24


Introduction
Mobile communications and mobile devices are developing fast, with new models and
improved capability appearing frequently on the market.
The same trajectory is also driving improving mobile capability for police and
immigration services. However, unlike a mass-consumer device, mobile immigration
and police devices are not an out-of-the-box solution: they require a number of
different technologies to be used and to be brought together effectively.
This paper from e-MOBIDIG has been written to explain each of the different
technologies and challenges, and is offered as an introductory guide to this area.
Paper (2) from e-MOBIDIG sets out a Use Case Framework for mobile devices:
within that framework, this Technical Guide concentrates particularly on Use Class
1, handheld mobile ID devices, but may also be applicable to other devices.
Paper (3) also presents Country Examples which describe projects and existing
mobile services for mobile ID devices for police and immigration.
Topics covered in this Technical Guide include:
- Strategy and architecture
- Interoperability
- Business engagement
- Mobile communications
- Security
- Biometrics
- Document reading and authentication (travel, identity, vehicle and driver
  documents)
- Watchlists
Many thanks to everyone who has contributed to developing this document.
Frank Smith, Chair, e-MOBIDIG
frank.smith@homeoffice.gsi.gov.uk

Strategy and architecture

Summary

- Where the business needs a mobile ID device connecting to core systems via a
  secure infrastructure, it is important to regard this as a requirement to deliver
  an end-to-end solution, not just a mobile device.
- As well as involving experienced subject matter experts, a key role in
  delivering an effective end-to-end solution is the prime integrator,
  responsible for making the different components and technologies work well
  together. A robust, experienced approach is needed, covering all the
  technologies needed for a particular solution in a mobile context.
- A clear definition of what the device will and will not do, initially and in the
  future, is needed.
- The mobile solution has to fit well into the broader context and strategy of the
  organisation as a whole.
- Mobile devices are a developing and complex field: organisations may
  reasonably have difficulty in understanding fully how these can best be used
  operationally, in a highly practical context. There can be considerable value in
  undertaking early pilot work before committing to a full, strategic purchase and
  deployment, but it is important that the business rationale is properly understood.

Standards: strategy and architecture

Systems and enterprise architecture are covered by well-established industry
standards such as The Open Group Architecture Framework (TOGAF) for the
design, planning, implementation and governance of an enterprise information
architecture.
Similarly, good project and programme management approaches are also
important to use.

Architecture

An architecture is a high-level design setting a framework for detailed designs.

A mobile device has to fit into broader architectures: for the enterprise as a
whole, including business aims and processes; for particular solutions; and it
may be right to define a strategy and a broad architecture for the use of all
mobile solutions in the organisation. This sets a framework within which an
end-to-end architecture can be defined for a specific mobile-based solution.
Architects and systems designers responsible for the overall architecture for
the organisation should be involved in reviewing and approving the mobile
solution. An overall solution architect is needed to achieve a coherent end-to-end
design and architecture.

Mobile device
The first aspect considered here is the mobile device itself. Figure 1 shows a generic
mobile device cast to cover a reasonably comprehensive range of possible features:
Figure 1: Mobile device (diagram not reproduced; its components are listed here)
1. Mobile ID device: FP reader, camera, MRZ reader, chip reader, contact reader,
   screen, keyboard, PKI, encryption, geo location, memory (+HSM), comms + VPN
2. Administration: user setup + permissions / roles, security, config., key management
3. User interface: logon (user / password / biometrics), user commands
4. Biographics: name, DoB, address, nationality
5. Biometrics: fingerprints, face, iris
6. Documents: passport, ID card, driver licence, visa
7. Images: evidence, document image, crime scene
8. Central control: comms, VPN, security, presentation, orchestration, audit
9. Immigration: fingerprints, case records, watchlists
10. Police: criminal records, fingerprints, vehicles
11. Other ref.: drivers, passports, cars, residence
12. PKI: authentication of docs, EAC access
The high-level model describing handheld ID devices is shown here. Actual devices
might implement various possible sub-sets of this outline, depending on actual
business requirements and priorities, legal framework, opportunities, etc. Components
shown here include:
Device and support
1. The device itself, with several possible core components reflecting the
   functionality selected. Further details are expanded below.
2. A support / administration function that will allocate devices to users for
   specific purposes, and may authorise different roles, and therefore load
   different components or give different access to different users. This function
   will create user accounts, enrol users (e.g. where a fingerprint is used for
   access) and also report and block access from lost or stolen devices.
3. The user, who will operate the device by issuing commands to it.
Input sources
4. Biographic information such as a person's name as printed in a passport or on
   a residence or ID card, or as volunteered to the user by the person.
5. Biometric information such as the person's face image or fingerprints.
6. Documents the person may present.
7. Images not necessarily covered by the points above: traffic accidents,
   scenes of crime, visual evidence, live video.
Central control
8. Communications, security, and aspects of middleware that connect different
   front-end devices to a variety of back-end systems. See the description of
   this topic below under the heading of strategy (Figure 4).
Reference sources
9. Immigration systems, including biographic or biometric systems.
10. Likewise, police systems for general police use, such as police-related
    fingerprint or criminal record systems.
11. Other reference systems outside police and immigration, such as civil reference
    systems on drivers or vehicles, or stolen property (serial numbers / bar codes?).
12. Support systems to provide PKI reference certificates so that the device can
    read and authenticate secure chipped documents, including document signing
    certificates (to check the signature over the chip's data), verification
    certificates (approving access to fingerprints on the chip under EAC) and
    Certificate Revocation Lists (CRLs). These have to be kept current on the
    device or reachable from it; a stale CRL means a revoked certificate is still trusted.
To consider possible components within the mobile device:
- Fingerprint reader: different resolutions and quality (therefore price) of
  reader are available depending on the intended use. In increasing quality: 1:1
  verification; 1:many search of a large system; high-quality enrolment.
- Camera: there are many uses for a camera on a mobile ID device. For still
  shots or video. For general pictures, identification, intelligence, crime scene,
  accident, injury or enforcement, for general information or as court evidence.
  For saving to memory, live transmission or storing on a database. A camera
  can also be an optical input to a recognition system: facial recognition,
  vehicle number plate (ANPR), bar code reader, MRZ reader. A camera can
  offer different resolutions (megapixels) and can have image enhancement,
  zoom and flash, or be basic. What do you need?
- MRZ reader: first stage before opening and reading a passport or ID card
  chip (the MRZ supplies the key material for Basic Access Control to the chip).
  Can be a swipe reader, or possibly camera-based.
- Chip reader: second stage of reading a passport or ID card, interacting with
  the contactless chip by radio (commonly called RFID; ISO/IEC 14443 for travel documents).
- Contact reader: uses an electrical contact plate, as traditional bank cards do.
- Screen: to operate the device and obtain results, and check images being
  recorded; a touch-sensitive screen can be used as a soft keyboard. Can
  be of varying size, quality and resolution of display.
- Keyboard: input commands or data. Use finger or stylus; hard or on screen.
- PKI: special memory to hold certificates and revocation lists for the PKI process.
- HSM: a Hardware Security Module is needed to protect high-security
  information, particularly private keys (e.g. PKI / VPN). In a handheld this is
  normally a tamper-resistant secure element or smart card rather than a rack-mounted HSM.
- Encryption: encryption is needed to protect transmitted and stored data.
- Geo-location: being able to detect and record location, e.g. by GPS, can be
  valuable, e.g. for operational co-ordination, tagging records and audit.
- Memory: in some uses a large memory size may be needed, e.g. to store video.
- Comms / VPN client: a wide range of comms methods are possible (see the
  comms section). The VPN protects comms and allows authentication of a device.

Single tactical end-to-end solution

Figure 2: Single tactical end-to-end solution (diagram not reproduced)
Mobile device 1 (e.g. fingerprint search) -> Security 1 (firewall, VPN) -> System 1 (e.g. fingerprint database)

This solution is exclusive to the use and capabilities of one application and core
system. If there are many other potential uses of mobile technology in the business as
a whole, then this approach is essentially tactical, in that it meets a current and specific
requirement but is not built to serve the organisation's strategic aims as efficiently as possible.
This does not necessarily make a tactical solution wrong: a tactical solution is likely
to be cheaper and quicker to implement; there may only be one business priority for
mobile solutions; there may be considerable value in piloting a prototype or proof of
concept solution delivered at lower cost to ensure the correct design is understood
before committing to the full design in production form.

Multiple tactical end-to-end solutions

Figure 3: Multiple tactical end-to-end solutions (diagram not reproduced)
Mobile device 1 (e.g. fingerprint search) -> Security 1 (firewall, VPN) -> System 1 (e.g. fingerprint system)
Mobile device 2 (e.g. document EAC reader) -> Security 2 (firewall, VPN) -> System 2 (e.g. PKI central source)
Mobile device 3 (e.g. ops support) -> Security 3 (firewall, VPN) -> System 3 (e.g. ops management system)
Mobile device 4 (e.g. watchlist search) -> Security 4 (firewall, VPN) -> System 4 (e.g. watchlist system)

This is more problematic because it is what can arise when different parts of the
business specify and build solutions that only reflect their own localised interests,
resulting in multiple tactical solutions: overall, a fragmented corporate approach.
Much of the same functionality is designed and bought in parallel at higher total cost,
possibly to conflicting standards, and without the opportunity to leverage synergies
and share and re-use components. Each solution also brings its own security
perimeter (firewall, VPN, accounts) to configure, monitor and keep patched.
Multiple tactical end-to-end solutions might be justified in some circumstances, but
they may also arise from pushing tactical approaches too far when a more co-ordinated and
strategic approach ought to be taken.

Strategic end-to-end solution

Figure 4: Strategic end-to-end solution (diagram not reproduced)
Mobile devices A, B, C, D -> Security (firewall, VPN) -> Middleware (secure integration;
services: presentation, orchestration, data sharing, control, audit, software re-use)
-> connections to System 1 (e.g. fingerprint system), System 2 (e.g. watchlist system),
System 3 (e.g. ops management system), System 4 (e.g. PKI central source)

In this solution, several different types of mobile device, which may include
different capabilities, complexity, size (e.g. smartphone, tablet, special purpose), etc.,
are able to connect to and obtain services from a common middleware solution,
which requests and receives data from several back-end reference systems to which
it is able to connect. Potential advantages of this approach can include:
- Scalability, extendibility and re-use of facilities: the solution can increase
  in capacity and add new devices and/or back-end systems without having to
  fundamentally re-design the existing solution. Existing services can be
  provided to new devices with less re-implementation and duplication of effort,
  therefore potentially cheaper and faster (better value for money).
- Integration and presentation: information drawn from multiple systems can
  be brought together coherently and presented efficiently, for example on a
  small screen, prioritising and highlighting key information (e.g. a violence
  warning for a person being checked), allowing further detail to be expanded as
  the user may wish. This is essential when a user needs to combine information
  from more than one system, is working under real-time operational constraints,
  and is using a small device.
- Security and audit: there is consistent central control and management of
  which devices, users and/or roles can have access to systems or types of
  information. There can also be central monitoring of access to information and
  systems by users and devices, assignment of roles, etc. A lost or stolen device
  can be blocked at the middleware for every back-end system at once, rather than
  in each system separately.
Following this approach for multiple solutions is more strategic: for the reasons
outlined above, this offers a more holistic solution to meeting the business's strategic
aims, providing employees on the move with integrated access to disparate
information owned or used by the organisation.
Cost is likely to be higher initially to implement a middleware solution, and it might not
therefore be appropriate for small or less complex requirements, but in more complex
solutions it can become highly appropriate, with the additional cost spread over more
applications and uses.
To deliver these services effectively across multiple platforms and systems, it is most
effective if the middleware solution can access systems that readily support system-to-system
connection rather than only serving conventional business users working
from a desktop PC and logged into the system in the traditional manner. This type of
technology solution is called web services: a range of technologies designed to
facilitate system-to-system connection. Web services are closely allied with the
Service Oriented Architecture (SOA) approach; messaging via an Enterprise Service
Bus (ESB); and message formats and protocols that can include:
- SOAP (Simple Object Access Protocol), using Extensible Markup Language
  (XML) format messaging and Web Services Description Language (WSDL).
- Web API mechanisms (an alternative to SOAP, typically REST-style interfaces over HTTP).
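As an added illustration (not code from e-MOBIDIG or from any vendor's product), the following Python sketch shows the three advantages listed above inside one middleware gateway: a central device and role gate that also enforces a lost-device block, orchestration of a fingerprint identification followed by a watchlist check keyed on its result, promotion of a violence warning to the top of the response for a small screen, and a central audit record for every request, refused or not. The back-end systems, device register, roles and records are constructed stand-ins, and every function and field name is an assumption rather than any real system's interface.

```python
"""Added example, not e-MOBIDIG's or any vendor's code: a minimal middleware
gateway of the kind in Figure 4. Every system, device, role and record here is
a constructed stand-in, and all names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed back-end reference systems (Figure 4: systems 1, 2 and a vehicle register).
FINGERPRINT_SYSTEM = {"fp-7781": "A. Example"}  # fingerprint id -> identified person
WATCHLIST_SYSTEM = {"A. Example": ["violence warning", "wanted: failure to appear"]}
VEHICLE_SYSTEM = {"AB12CDE": {"keeper": "A. Example", "stolen": False}}

# Constructed central administration state (Figure 1, items 2 and 8).
ENROLLED_DEVICES = {"dev-001", "dev-002"}
BLOCKED_DEVICES = {"dev-002"}  # reported lost: blocked here, for every back end at once
ROLE_PERMISSIONS = {           # which back ends each role may reach
    "immigration_officer": {"fingerprint", "watchlist"},
    "traffic_officer": {"vehicle", "watchlist"},
}
AUDIT_LOG: List[Dict] = []     # central audit: who, from which device, touched which systems


@dataclass
class Request:
    device_id: str
    user: str
    role: str
    fingerprint_id: Optional[str] = None
    plate: Optional[str] = None


@dataclass
class Response:
    allowed: bool
    reason: str = ""
    warnings: List[str] = field(default_factory=list)   # shown first on a small screen
    detail: Dict[str, object] = field(default_factory=dict)


def audit(req: Request, outcome: str, systems: List[str]) -> None:
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "device": req.device_id, "user": req.user, "role": req.role,
                      "systems": systems, "outcome": outcome})


def handle(req: Request) -> Response:
    # 1. Central control: only enrolled devices not reported lost/stolen reach any
    #    back end, and an unknown role gets nothing. Both refusals are audited.
    if req.device_id not in ENROLLED_DEVICES or req.device_id in BLOCKED_DEVICES:
        audit(req, "denied: device not enrolled or blocked", [])
        return Response(False, "device not enrolled or blocked")
    permitted = ROLE_PERMISSIONS.get(req.role)
    if permitted is None:
        audit(req, "denied: unknown role", [])
        return Response(False, "unknown role")

    detail: Dict[str, object] = {}
    warnings: List[str] = []
    used: List[str] = []
    name: Optional[str] = None

    # 2. Orchestration: identify by fingerprint first; the watchlist check is keyed on the result.
    if req.fingerprint_id:
        if "fingerprint" not in permitted:
            detail["fingerprint"] = "not permitted for role"
        else:
            used.append("fingerprint")
            name = FINGERPRINT_SYSTEM.get(req.fingerprint_id)
            detail["fingerprint"] = f"match: {name}" if name else "no match"
    if name:
        if "watchlist" not in permitted:
            detail["watchlist"] = "not permitted for role"
        else:
            used.append("watchlist")
            entries = WATCHLIST_SYSTEM.get(name, [])
            # 3. Presentation: officer-safety markers are promoted above everything else.
            warnings = [e for e in entries if e.startswith("violence")]
            detail["watchlist"] = [e for e in entries if not e.startswith("violence")] or "no entries"
    if req.plate:
        if "vehicle" not in permitted:
            detail["vehicle"] = "not permitted for role"
        else:
            used.append("vehicle")
            detail["vehicle"] = VEHICLE_SYSTEM.get(req.plate, "not found")

    audit(req, "ok", used)
    return Response(True, warnings=warnings, detail=detail)


if __name__ == "__main__":
    print(handle(Request("dev-001", "officer-17", "immigration_officer", fingerprint_id="fp-7781")))
    print(handle(Request("dev-002", "officer-17", "immigration_officer", fingerprint_id="fp-7781")))
    print(AUDIT_LOG)
```

The point of routing everything through `handle` is that the policy lives in one place: adding a fifth back end, or revoking a device, changes one table here rather than a configuration on each system, and the audit trail records refusals as well as successes.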

Replication
In a replication solution a read-only copy of a live database is created and maintained
through regular updates, e.g. daily. To refer to the information, e.g. from a mobile
device, reference is made to the copy rather than the live data. This is illustrated
below:
Figure 5: Replication process (diagram not reproduced)
Mobile devices A, B, C, D -> Security 1 (firewall, VPN) -> System X (copy)
System X (copy) <- replication process <- Security 2 (firewall, VPN) <- System X (master)

The disadvantages of this approach may include:
- Extra cost and complexity in setting this up and running it.
- Data is not real-time: information may be a day out of date, not live. Users
  need to be able to see how old the information they are looking at is.
The advantages may include:
- Extra control and security, particularly if the live database contains sensitive
  data that is not intended to be accessible to the mobile devices: the copy can
  hold only the fields mobile users need, and can be served read-only.
- Performance on the live system is not affected by traffic from the mobile
  devices (and likewise in reverse), apart from the overhead of copying.
- Resilience: the copy system and the live system can operate independently,
  and therefore either one can continue to work even if the other is not working.
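As an added example (not the guide's own code), this Python and sqlite3 sketch reproduces Figure 5 in miniature: a master database is copied into a separate read-only file that exposes only the fields meant for mobile users, every answer from the copy carries its "as of" time and a staleness flag, a change made on the master after the refresh is shown not to reach the copy until the next replication, and a write attempted through the mobile-facing connection is rejected. Tables, rows, column names and timestamps are all constructed for the illustration.

```python
"""Added example, not the guide's own code: a column-restricted, read-only
replica of a live master (Figure 5), with visible data age. Tables, rows,
column names and times are constructed for illustration."""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(hours=24)   # assumed daily refresh: flag anything older as stale


def make_master() -> sqlite3.Connection:
    """Live System X (master). The intelligence_notes column is sensitive and
    must never reach the copy that mobile devices query."""
    m = sqlite3.connect(":memory:")
    m.execute("CREATE TABLE persons (id TEXT PRIMARY KEY, name TEXT, dob TEXT, "
              "wanted INTEGER, intelligence_notes TEXT)")
    m.executemany("INSERT INTO persons VALUES (?,?,?,?,?)", [
        ("p1", "A. Example", "1980-01-01", 1, "source graded B2; do not disclose"),
        ("p2", "B. Example", "1975-06-30", 0, "associate of p1"),
    ])
    m.commit()
    return m


def replicate(master: sqlite3.Connection, copy_path: str, now: datetime) -> int:
    """Replication process: project only the mobile-safe columns into the copy
    and record when the snapshot was taken. Returns the number of rows copied."""
    rows = master.execute("SELECT id, name, dob, wanted FROM persons").fetchall()
    copy = sqlite3.connect(copy_path)
    with copy:
        copy.execute("CREATE TABLE IF NOT EXISTS persons "
                     "(id TEXT PRIMARY KEY, name TEXT, dob TEXT, wanted INTEGER)")
        copy.execute("CREATE TABLE IF NOT EXISTS replica_meta (key TEXT PRIMARY KEY, value TEXT)")
        copy.execute("DELETE FROM persons")
        copy.executemany("INSERT INTO persons VALUES (?,?,?,?)", rows)
        copy.execute("INSERT OR REPLACE INTO replica_meta VALUES ('as_of', ?)",
                     (now.isoformat(),))
    copy.close()
    return len(rows)


def open_for_mobile(copy_path: str) -> sqlite3.Connection:
    """The connection used on behalf of mobile devices is opened read-only at the
    SQLite level, so even a compromised client path cannot alter the copy."""
    return sqlite3.connect(f"file:{copy_path}?mode=ro", uri=True)


def lookup(reader: sqlite3.Connection, person_id: str, now: datetime) -> dict:
    """Answer from the copy, carrying its snapshot time and a staleness flag."""
    as_of = datetime.fromisoformat(
        reader.execute("SELECT value FROM replica_meta WHERE key='as_of'").fetchone()[0])
    row = reader.execute("SELECT name, dob, wanted FROM persons WHERE id=?",
                         (person_id,)).fetchone()
    return {"record": row, "as_of": as_of.isoformat(), "stale": now - as_of > MAX_AGE}


def columns(reader: sqlite3.Connection) -> list:
    """Column names actually present in the copy (shows what never left the master)."""
    return [r[1] for r in reader.execute("PRAGMA table_info(persons)")]


def demo() -> dict:
    """Walk through one day: replicate, query, change the master, query again,
    attempt a write through the mobile path, then refresh."""
    path = os.path.join(tempfile.mkdtemp(), "system_x_copy.db")
    master = make_master()
    t0 = datetime(2011, 5, 10, 6, 0, tzinfo=timezone.utc)       # constructed refresh time
    replicate(master, path, t0)
    reader = open_for_mobile(path)
    fresh = lookup(reader, "p2", t0 + timedelta(hours=2))
    master.execute("UPDATE persons SET wanted = 1 WHERE id = 'p2'")  # master changes later that day
    master.commit()
    behind = lookup(reader, "p2", t0 + timedelta(hours=30))      # copy still says 0, and is now stale
    try:
        reader.execute("DELETE FROM persons")
        write_blocked = False
    except sqlite3.OperationalError:
        write_blocked = True
    replicate(master, path, t0 + timedelta(days=1))               # next daily refresh
    refreshed = lookup(reader, "p2", t0 + timedelta(hours=30))
    return {"fresh": fresh, "behind": behind, "refreshed": refreshed,
            "write_blocked": write_blocked, "columns": columns(reader)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two design choices carry the security value here: the projection in `replicate` is the only place sensitive columns could leak, so it is the one query to review, and the staleness flag is computed at query time rather than trusted from the client, so the middleware can refuse or caveat an answer whose snapshot is older than the agreed refresh interval.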

Glossary: Strategy and architecture

Back-end system: A system to which the end-user does not connect directly but which is
used via other systems to answer the end-user's request.
Client: A user device calling on a service, for example a mobile handheld
unit, a laptop or a desktop PC; or one system that requests a
service from another.
Geo-positioning: The ability to detect precise location from navigation satellites and
to apply this information to applications; particularly relevant to
mobile systems. Example: Global Positioning System (GPS).
Middleware: A system component that can integrate information from more than
one back-end system and present it more effectively to a user. Adds
value by offering a service, presenting information in a more
usable and co-ordinated form.
Orchestration: A co-ordinating function within a middleware / SOA solution.
Prime integrator: A lead supplier with overall responsibility for bringing together
components into a single overall business solution. Particularly
important where several specialist suppliers and technologies need to
be co-ordinated.
Replication: Maintaining a read-only copy of a live database and using this to
service read requests, e.g. from a mobile device.
Server: A device or system providing a service requested by a client, e.g. a
central fingerprint system (server) responding to a request from a
mobile fingerprint reader (client) with information about the person.
SOA: Service Oriented Architecture; a systems architecture in which
multiple sub-systems are built as individual components configured
to work together, rather than as a single, indivisible large system.
Permits maximum flexibility and re-use, but can be complex. See
orchestration, workflow, etc.
Web services: Organising systems so that middleware / SOA components can
connect more easily to them, system-to-system.
Workflow: A component in a SOA solution that ensures tasks follow predefined
business rules, e.g. obtaining the correct sign-off from the
required business user before completion.

Interoperability
Figure 6: a few challenges to interoperability (picture of sample documents, not reproduced)

Interoperability is an important aim of e-MOBIDIG, included within the title of the
group, but what does interoperability actually mean in this context?
It does not mean the ability for officers of one country to connect to local immigration or police
systems when they visit another country, certainly not without authority, although the
ability to connect back to systems in their home country from another Member State
can be helpful for assisting joint operations (interoperability of mobile comms).
More crucial, and probably more challenging, is reading different types and nationalities of
identity, travel and other documents. Consider the aim of being able to read and
authenticate every identity card, residence permit, driving licence, tachograph driver
card, visa and passport, plus every paper document protected by a digitally signed 2D
barcode, from every EU Member State, in one mobile ID device. A small selection
of these documents is included in the picture above.
Achieving that aim is absolutely not a task for e-MOBIDIG alone: this needs the full
co-operation of every working group producing such documents, as well as the
engagement of Member States. If you think "document", please also think "reader"!
e-MOBIDIG welcomes engagement with other working groups and experts to address
this issue, for our mutual benefit.

Business process
Summary
Just as it is critical to integrate a mobile device with the infrastructure and reference
systems it uses, it is also vital to understand very clearly how the device will be used
and integrated with operational business processes by front-line officers. Introducing the
ability to check identities more securely at the front line means that business processes,
guidance and training also need to be designed, with and for users. This includes
how to deal with identity deception; loss / theft of devices; and audit / privacy.
Developers and analysts need to understand operational users, and users need to
understand the potential of mobile devices to enhance their work. Certainly, mobile
devices need to support existing business processes; but providing powerful access
to relevant information in officers' hands right at the front line may do more, and open
new and unexpected possibilities for more efficient working, delivering enhanced
results. It may be valuable to conduct workshops with users, and to undertake
operational pilots and trials with close engagement to highlight achievements.

Health and safety

Operational work by police and immigration services carries risks that need to be
managed professionally by officers and services every day. Some encounters may
present potential danger to the officers involved. It is important that the impact of
a mobile ID device on operational work is considered before such devices are
deployed, and that this is reviewed in the light of experience. A formal risk
assessment may be desirable to understand and mitigate risk, taking a balanced view
across different risks that could conflict. For instance:
- Minimising critical delays: good availability, performance and response of a
  mobile device is important in an enforcement context where prolonged delay
  may increase tension and the risk of disturbance. Are communications as
  effective and reliable as they can be and need to be? Can necessary security
  procedures be completed quickly enough in an operational setting? For
  example, fingerprint touch-in by authorised users may be a better solution
  than (multiple?) passwords when a device times out during an operation.
- Considering the reaction to discovery of true identity: a fingerprint or
  name check may reveal that someone is wanted for serious offences, and they may
  react by attacking police or immigration staff if confronted. Consideration
  may need to be given to suitable risk reduction: guidance and training;
  ensuring screens are not overlooked or radio messages overheard; personal
  protection measures; availability of backup officers, etc.
- Safe design of the unit: for example, one service specified the use of a secure
  local radio connection (Bluetooth) to avoid connecting two components of the
  device by a cable which might be used in an attack on the user. Another case
  is safe mounting of equipment in a vehicle to avoid injuring occupants if the
  air bag activates.

Standards and glossary

It is good practice to take business engagement seriously, to bridge any divide
between operational users and technical staff, and to be careful to avoid the use of
any specialist terms in a way that obstructs shared understanding on either side.

Mobile communications
Summary
A key design decision is the selection of appropriate network(s) for a device, e.g.:
- 2G (first all-digital cellular network, from 1991): well established but
  limited data bandwidth. GSM was originally available as a circuit-switched (dial-up)
  service; later enhanced by the packet-switched services GPRS (1997) and
  EDGE (2003); see glossary.
- 3G (mobile broadband, from 2001): improved bandwidth. May have more
  limited coverage. Substantial enhancements beginning to appear with HSPA,
  WiMAX and LTE radio connections from mobile devices to the network.
- 4G (high-speed mobile broadband using only Internet Protocol (IP), in
  development / pilot use): emergent technology building on high-end
  solutions for 3G, not yet (2011) widely available but promising high bandwidth
  and better connection.
- TETRA: mobile communications for emergency services. Best coverage but
  more expensive, and bandwidth may be limited. More robust, e.g. in an
  emergency. The related TETRAPOL standard is also widely used.
- Local connection: WiFi (local) or WiMAX (up to 45 km) are also relevant.

Delivering effective and secure mobile communications to support mobile ID devices
requires good technical design / implementation and an experienced, pragmatic
approach, thoroughly tested end-to-end in the context in which it will be used. This
needs to include degraded conditions, to ensure the connection is sufficiently robust in
practical use, e.g. that it will maintain the connection in poor conditions and recover
the connection efficiently from a loss and restoration of signal.
Some areas present difficulties for effective communications. How important is it to
achieve full coverage? Are there alternative solutions for problem areas, e.g. selective
use of TETRA, or, in frequently-visited locations, the use of special WiFi nodes or signal
enhancers / cellular repeaters to boost a weak network signal in a small local area (e.g.
within a particular building)? Use of more than one network technology (2G, 3G,
TETRA) or service provider by the same device is possible, but can introduce additional
complexity and cost. Robust handling of poor signal conditions is important. None of
these bearers should be relied on for confidentiality on its own: the VPN and encryption
described in the security section protect the data whichever network carries it.
See the further guide Comms to Go by Frank Smith for a more comprehensive business
introduction to mobile communications technology.

Standards: Communications
Standards exist for:
- Network generations, e.g. 2G, 3G, 4G and TETRA, TETRAPOL
- Radio connection to networks, e.g. GPRS, EDGE, WiFi, WiMAX and LTE
- Data transfer over networks, e.g. IPv4, IPv6 and VoIP

GlossaryCommunications
2G

Mobile cellular network based on GSM. First offering mobile data


connection, using GPRS (known as 2.5G); later, EDGE.

3G

3rd generation mobile communications technologysuperior


replacement for GPRS / GSM for mobile cellular data
communications. Allows much faster data transfer rates than 2G or
2.5G: minimum data rate 2 Mbps stationary or 0.35 Mbps moving;
up to 14Mbps uplink and 5.8 Mbps downlink. Allows simultaneous
voice and data communications. Entered trial operation from
around 2001/2; first fully commercial service from 2003. 200
million 3G subscribers by 2007 (but only 6.7% of global mobile
subscriber basethen 3 billion subscribers). 3G uses different
radio frequencies from 2Gcompletely new network required.

4G
Forthcoming successor standard to 3G for mobile communications with data
transfer rates of 1 Gbps (stationary) or 100 Mbps (mobile). Not yet in use
though some 3.9G or pre-4G services are being piloted.

Bluetooth
An open wireless protocol for exchanging data over short distances as an
alternative to connection by more conventional cable.

Cellular repeater
A device to boost cell phone reception in a local area by receiving,
amplifying and re-broadcasting the signal e.g. within one building.

EDGE
Enhanced Data Rates for GSM Evolution – extends capability of GPRS with
higher rates of data transfer (1999 standard). Almost 3G (sometimes called
2.75G!).

GPRS
General Packet Radio Service – mobile cellular data communications based on
2nd generation mobile communications. 2G + GPRS is sometimes referred to as
2.5G. Maximum data rate of 114 kbps (1997 standard). Uses GSM.

GSM
Global System for Mobile communications. Based on a cellular network (i.e.
mobile units connect to the network by searching for a local cell in the
vicinity). Differs from predecessors in that all communications (voice and
data) are digital. Supports GPRS. Higher data transfer rates using EDGE.

IP
Internet Protocol – for packet-switched data networks: IPv4, IPv6.

TETRA
Terrestrial Trunked Radio. Mobile communications standard for emergency
services. Similar to GSM but operates on a different frequency range with
more powerful handsets. TETRA is endorsed by the European Radio
Communications Committee. Local implementations in each country, e.g. C2000
(Netherlands) and Airwave (UK). Previous TETRAPOL standard also used.

VoIP
Voice over Internet Protocol – voice calls using IP packet-switching.

VPN
Virtual Private Network – see systems architecture.

Security
Summary
Protection is needed for:
The device – access control, data held on the device, local communications
between solution components.
Communications – encryption, so that communications can't be intercepted and
understood / used in any unauthorised way.
Central services, systems and data – is the connection for mobile devices
protected to safeguard the central communications portal and the systems
accessible through it from attack or eavesdropping? VPN and firewall
solution?
Supporting admin and operations – support and don't compromise the device
and systems / information, e.g. rigorous key handling, account creation /
maintenance, user authorisation, action on loss of equipment.
Accreditation – the authority responsible for reviewing and authorising
security for the organisation, and the key people owning the business decision
and risk for IT and information systems, understand and approve the solution.

Risks
Risks in relation to an IT system can generally be classified as loss of
confidentiality, integrity and availability – plus perhaps reputation.
Loss of confidentiality – for example unauthorised access, overlooking of
transactions by a legitimate user, intercepting and/or using security credentials
to gain access from an unauthorised device and/or by an unauthorised user.
This affects not just the mobile device but potentially other systems it accesses.
Loss of integrity – unauthorised changes, deletions or additions to data in
storage systems or in transit, or to processing / functionality, so that a device
that is trusted to produce only authorised results is corrupted.
Loss of availability – unwanted loss of access / availability of a system or
data, for example following theft, denial of service attack or equipment failure.
Loss of reputation – a government or enforcement service may suffer serious
embarrassment or reputational damage from public awareness that it has
failed to safeguard personal information or has compromised security.
Specific examples of attacks that need to be protected against include:
Overlooking devices while they are in use by authorised users – this includes
people being able to see the results of searches as to whether someone
registers a hit against a watchlist, which may itself be highly sensitive.
Unauthorised access – to a mobile device: can an unauthorised user gain
access to / control of a device to access information and systems?
Interception – of communications with the mobile device, including passive
listening / recording and also unauthorised users being able to introduce their
own transactions to access information. The use of mobile devices by
enforcement agencies may give away an imminent operation; or may allow the
use of such devices to be blocked or disrupted.
Wireless compromise of mobile devices – the existence of a wireless (radio)
connection to a mobile device may allow a hostile attack in which software on
the device is altered or replaced by a malicious third party, possibly without
the user or operator being aware of any change.
Vulnerability of mobile devices – many of the latest mobile devices and their
operating systems / applications software are strongly driven by the gaming
and mass-consumer market and may not be as robust in protecting against
attack as longer established commercial software systems.
Theft / loss of mobile devices – not simply because of the cost of the device
but the potential threat to the integrity of information held on the device (e.g.
watchlist contents; PKI certificates potentially from many countries, which
will be reportable to all source countries; or access codes for core systems) or
access to core systems themselves and protecting the integrity of information
they hold.
Attacks against core systems – for example by attempting to gain access via
the incoming communications links used by mobile devices to access the
central systems. Systems that have no access points for mobile devices may be
better protected because they do not offer this potential vulnerability.

Countermeasures
Possible security countermeasures to protect against these risks are:
Access control – to devices and core systems e.g. by password protection,
possibly even fingerprint verification of authorised users, tamper-proofing to
detect unauthorised access and lock the device and/or erase all sensitive data.
Encryption – of communications and of data held on the device.
Virtual Private Network (VPN) – a VPN solution ensures that even when
using open, public networks, users or organisations have assurance that
communications are confidential to the authorised users, and that
authentication of users and devices takes place. Uses encryption, secure
tunnelling protocols and digital signature technologies.
Tamper-proofing – detection of any attempt at unauthorised access leading to
shutdown of the device and/or deletion of sensitive data. This can include
HSMs (below) and anti-snatch detection such as a cord secured to the user of
the device so that if the device is grabbed and removed by someone else, the
cord is pulled out and the device is alerted to the attack.
Hardware Security Modules (HSMs) – a means of protecting against a
device being attacked to prevent data being accessed. Traditionally an HSM
was an armoured box that would detect any attempt at unauthorised tampering,
but this can also be implemented as a smart card which deletes all data if removed.
Possible contents: encryption private keys, watchlist contents, access codes for
central systems.
Limitations on functionality – it may be appropriate as a safeguard to limit
the sensitivity of information placed on or transmitted to a mobile device, to
reduce the impact of any potential security violation.
Remote deletion or blocking – commands may be issued from a central
control point instructing a mobile device that has been lost or stolen to delete
any sensitive data including access codes or authorisations that it is holding.
Security inspection and accreditation – involving detailed inspection and
testing by security experts to test for security weaknesses and the effectiveness
of countermeasures, leading to approval of the device / system as being fit for
purpose in security terms. This needs to be a practical and expert examination,
not just a paper-based review of the features in the design specification.

Standards – Security
Standards and/or guidance include:
http://www.enisa.europa.eu – European Network and Information Security
Agency
http://www.iso.org/iso/iss_international-security-standards.htm – ISO/IEC work on IT
security, including the expected ISO 27000 series on Information Security
Management.
http://www.thebci.org.uk – UK Business Continuity Institute, including a practice
guide and standard on business continuity.
http://www.ifiptc11.org/ – International Federation for Information Processing
(IFIP), Technical Committee 11 – Security and Privacy Protection in
Information Processing Systems (TC11).

Glossary – Security
Authentication
The function of determining securely who is seeking to use a system, to
determine whether the user is authorised and if so with what access rights, as
part of a defence against unauthorised access.

DMZ
De-Militarised Zone – a special security area where traffic into and out of a
system can be scrutinised, isolated from the outside world and from the host
system by firewalls (into and out of the DMZ).

Firewall
An application that inspects all incoming data traffic to detect and counter
unauthorised or damaging content, e.g. viruses or other malware that might
attack the system.

HSM
Hardware Security Module – a means of protecting sensitive data by storing it
in a component which resists attack and will only release data to an authorised
user. Can literally use an armoured casing; or a solution e.g. based on a
Smartcard which is similarly tamperproof and will erase its contents if an
attack is attempted or the device is removed from its host equipment.

SAML
Security Assertion Markup Language – a messaging technology for secure
exchange of identity credentials between systems so that a user can log onto
one system and use that assured identity to log onto other systems (single sign
on capability).

TLS (was SSL)
Transport Layer Security – a communications protocol allowing a secure link
to be established over a public network e.g. the internet.

VPN
Virtual Private Network – use of a multi-user (potentially public) network
which is able to deliver a secure network service to a private group of
authorised users, creating a virtual network for them, securely excluding
others. Example communications standard: IPSec protocol. Example supplier
of secure VPN server (router and firewall) to which mobile devices could
connect to access the VPN network: Cisco.

Biometrics
Summary
Minimum approach:
Consider the real business need and the problem that needs to be solved ahead
of thinking about specific biometric hardware/solutions...
Experienced biometric specialists (technical and business) and appropriate
front end business users involved throughout specification, procurement,
testing, acceptance and continuing operational use.
Specification / use of equipment is appropriate for the task required, e.g.
choice of a single digit flat fingerprint reader may be okay for verification or
quick search in operational conditions, but not for good quality enrolment of
biometric records – fit for the required purpose.
Consider interoperability and usability appropriately in the choice of all
components and data, e.g. biometric sensors, data formats, quality measures,
open standards, displays. Beware of biometric vendor lock-in (e.g. using
vendor specific templates rather than biometric images, etc.).
Ensure that the particularly challenging aspects of mobile biometric devices
have been properly considered. For example, difficulties with security
accreditation, environmental usage challenges, communications (trade off
between mobile comms data speed and available coverage), etc...
Test and confirm quality and fitness for purpose at all stages / times.

Standards – Biometrics
EU regulation on biometric characteristics to be included in the Electronic Passport:
Regulation (EC) No 2252/2004 of the European Parliament and of the Council
of 13 December 2004 on standards for security features and biometrics in
passports and travel documents issued by Member States.
ISO standard vocabulary of standard terms:
http://www.iso.org/iso/iss_international-security-standards.htm
ISO standards for biometric data interchange formats:
ISO/IEC 19794-5:2005 Information technology – Biometric data interchange
formats – Part 5: Face Image Data
ISO/IEC 19794-4:2005 Information technology – Biometric data interchange
formats – Part 4: Finger Image Data
US National Institute of Standards and Technology:
http://www.nist.gov/itl/iad/ig/ansi_standard.cfm
NIST standard to encode image files and other metadata:
ANSI/NIST-ITL 1-2000, American National Standard for Information Systems –
Data Format for the Interchange of Fingerprint, Facial, & Scar Mark & Tattoo
(SMT) Information
NIST standard for fingerprint quality assessment:
NISTIR 7300, E. Tabassi, NIST Fingerprint Image Quality (NFIQ) Compliance
Test, February 2005, NIST

Glossary – Biometrics
1:1 verification
A comparison between two biometric samples to verify that the person is who
he / she claims to be. For example, a fingerprint image recorded from a subject
and compared to an existing record on a fingerprint system. Much less
processing required than 1:Many.

1:Many search
A search of a whole system (or selected part of it) to find any record matching
a searched biometric sample. For example, searching of a set of fingerprint
images against a fingerprint database to determine if the donor of the
fingerprint images is already known.

1st generation
A document with a 1st generation biometric chip contains biographic
information + face image – see MRTD.

2nd Generation
A document containing a 2nd generation biometric chip also contains more
sensitive, protected biometric information such as two fingerprint images –
see MRTD.

DPI
Dots Per Inch – a measure of the precision of an image, e.g. relating to a
fingerprint reader – 500 dpi is generally considered to be a good quality for
sampling fingerprints, but higher resolutions are also used. (DPI is the term
historically used although PPI – pixels per inch – is now often preferred.)

Error Rates
All biometric solutions are subject to error rates, which are influenced by
factors such as the biometric modality used (e.g. fingerprint, face or iris), the
search mode (1:1 or 1:Many, and dependent on database size), the quality and
number of the biometric samples used, whether a human biometric comparison
expert is available in the process, etc. Business decisions often involve
deciding how best to set match thresholds to manage these error rates, specific
to the particular business situation, and trading off opposite rates (such as
False Accept Rate (FAR) versus False Reject Rate (FRR)). Biometric error
rates are complex and advice must be sought from a suitably experienced
biometric specialist.

Latent
A mark e.g. from a fingerprint at a scene of crime which could be
retrieved/developed and used for searching on an automated fingerprint
system. Often referred to as latent marks or latent prints.

Liveness
Testing that a biometric image that should be from a live person is genuine,
e.g. temperature or blood flow in fingers; live movements in a face image (to
check it is not a static photograph).

Matcher
Special purpose system component optimised for automated biometric
comparison tasks.

Minutiae
Distinctive features on a fingerprint pattern e.g. where one fingerprint friction
ridge ends (ridge ending) or divides into two (bifurcation). These features are
used for automated matching and for fingerprint experts to prove a match
between two fingerprint images.

Multi-modal
The use of more than one type of biometric e.g. to increase accuracy and
resist spoofing. For example, iris, fingerprint and face image.

NIST
US National Institute of Standards and Technology. NIST has developed and
published the leading standard for exchange of fingerprint images, is heavily
involved in biometric testing and has produced a widely used fingerprint
quality testing algorithm, known as NFIQ (scale 1 = best; 5 = worst).

PPI
See DPI.

Rolled
Fingerprint recording in which each finger individually is rolled onto the
image sensor to sample the maximum possible area of the fingerprint.

Slap
A simpler method of sampling fingerprint images than rolled prints in which
the finger is placed on a flat surface and only the fingerprint detail visible from
that view is recorded. Allows 4 fingers to be enrolled at once (4-finger slap).

Spoofing
Attempting to achieve a false acceptance in a biometric system e.g. by fixing
manufactured fingerprints over the real fingers.

Template
A coded version of a biometric image as used internally within a biometric
matching system. There are some universal/open source templating algorithms
but most are locked to a particular proprietary supplier/system (and version).

Machine Readable Travel / Identity Documents (MRTD)
Summary
It is important to understand and select the appropriate level of reading and
authentication:
Basic access only – an optical reader can scan the Machine Readable Zone
(MRZ) of characters on the passport, card or visa to acquire name, date of
birth and the document number and expiry date. This level can also include
opening the chip (basic access) to read the facial image, but without electronic
authentication of the data or document.
Digital signature-based authentication – after opening the chip and reading
MRZ data and the facial image (1st generation biometrics) the digital
signatures for all this data can be verified making reference to the relevant
country signing public key of the issuer. This provides high assurance that
the data is complete and unaltered, and was issued by the claimed issuing
authority. Central infrastructure is needed to acquire and provide to the device
the relevant public key certificates and Certificate Revocation Lists (CRLs).
Fingerprint-based verification – 2nd generation biometric chips in some EU
passports or residence permit cards contain two fingerprint images of the
authorised holder, protected by advanced privacy / access control. The correct
verification certificate from the issuing country is required to be able to
access the fingerprint images, using Extended Access Control (EAC). Once
these images have been obtained from the chip and authenticated, a
high-assurance comparison can be made with the live fingerprint images of the
person presenting the document to verify that he or she is the same person to
whom the document was issued. A considerably more complex infrastructure
is needed to acquire and distribute the verification certificates, and more
complex functionality is needed on the mobile device.
It is also important to understand that enabling a mobile ID device to carry out
authentication checks on documents requires a secure PKI infrastructure to have
been set up, with continuing management to acquire, manage and distribute all the
certificates needed to enable the device to deliver this authentication capability. EAC
capability to validate someone by fingerprint against an authenticated document is
significantly more complex to design, manage and operate.

Standards – Document Reading and PKI
ICAO standard for travel documents and document readers:
ICAO, International Civil Aviation Organization: Doc 9303 Machine
Readable Travel Documents, Part 1 Vol. 2 and Part 3 Vol. 2
Certification schemes for compliance of document readers to ISO and ICAO standards:
BSI, TR-03110, Advanced Security Mechanisms for Machine Readable Travel
Documents – Extended Access Control (EAC), Version 2.05, 2010
BSI, TR-03105, Conformity Tests for Official Electronic ID Documents, Part 4:
Test plan for ICAO compliant Proximity Coupling Device (PCD) on Layer 2-4
BSI standard for Extended Access Control (EAC):
BSI, TR-03105, Conformity Tests for Official Electronic ID Documents, Part
5.1: Test plan for ICAO compliant Inspection Systems with EAC 1.11

Glossary – Machine Readable Travel / Identity Documents
1st Generation
1st generation biometric travel documents (MRTDs) contain a chip which
holds biographic information about the document and holder. The chip and
data are protected by secure digital signatures that prove whether the data and
chip are exactly as issued by the issuing authority. Fraudulent changes show up
because any digital signatures will not match the data and/or will be shown not
to have come from the claimed originator.

2nd Generation
2nd generation biometric travel documents (MRTDs) also contain more
sensitive personal data (e.g. fingerprints) which are protected by a special
access control (EAC): only countries individually authorised by the issuing
state are able to access this data.

Digital signature
A system to authenticate data purporting to come from a particular source. A
special fingerprint or Hash value is computed for the data to be protected. The
Hash value is then encrypted using a secret, private key. The issuer publishes a
corresponding public key which will decrypt the hash value. If the decrypted
hash value matches the hash recomputed from the data received, this proves it
must have originated from the claimed source and must be intact.

BAC
Basic Access Control – this is the initial access method to the chip in an
e-passport (MRTD). A simple access code is calculated from elements of the
MRZ; this allows the reader to establish initial communications with the chip
and to read the non-sensitive (1st generation) information – but with no
authentication of the data.
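Worked example added here (not code from the guide or from any project it names): how the "simple access code" that BAC derives from MRZ elements is computed, following the ICAO Doc 9303 scheme (7-3-1 check digits, a SHA-1 derived Kseed, then 3DES session keys Kenc and Kmac with odd parity). It assumes the TD3 (passport) MRZ layout; the sample MRZ line is constructed after the Doc 9303 specimen document and the helper names are the example's own.

```python
"""MRZ check digits and Basic Access Control (BAC) key derivation, Doc 9303 style."""
import hashlib
from dataclasses import dataclass
from typing import Tuple

MRZ_WEIGHTS = (7, 3, 1)  # ICAO check-digit weights, repeated across the field


def mrz_char_value(ch: str) -> int:
    """Value of one MRZ character: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if ch == "<":
        return 0
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field: str) -> int:
    """ICAO 7-3-1 weighted modulo-10 check digit over a field."""
    return sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


@dataclass(frozen=True)
class Td3Line2:
    document_number: str  # 9 characters, '<' padded
    nationality: str
    birth_date: str       # YYMMDD
    sex: str
    expiry_date: str      # YYMMDD
    optional_data: str


def parse_td3_line2(line: str) -> Td3Line2:
    """Parse the second MRZ line of a passport (TD3 layout, 44 characters).

    Every check digit, including the composite one, is verified so that a
    misread or altered line is rejected before it is used for chip access.
    """
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    checks = {
        "document number": (line[0:9], line[9]),
        "date of birth": (line[13:19], line[19]),
        "date of expiry": (line[21:27], line[27]),
        "optional data": (line[28:42], line[42]),
        # composite digit covers positions 1-10, 14-20 and 22-43 (1-based)
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    for name, (field, digit) in checks.items():
        if digit.isdigit():
            expected = int(digit)
        elif digit == "<" and name == "optional data":
            expected = 0  # filler is permitted when the optional field is empty
        else:
            raise ValueError(f"invalid check digit for {name}")
        if check_digit(field) != expected:
            raise ValueError(f"check digit mismatch for {name}")
    return Td3Line2(line[0:9], line[10:13], line[13:19], line[20], line[21:27], line[28:42])


def bac_mrz_information(document_number: str, birth_date: str, expiry_date: str) -> str:
    """MRZ_information that seeds BAC: each field followed by its own check digit."""
    return "".join(f + str(check_digit(f)) for f in (document_number, birth_date, expiry_date))


def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so the byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        high_ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (1 if high_ones % 2 == 0 else 0))
    return bytes(out)


def derive_bac_keys(mrz_information: str) -> Tuple[bytes, bytes, bytes]:
    """Doc 9303 derivation: Kseed = SHA-1(MRZ_information)[:16]; Kenc and Kmac are
    the first 16 bytes of SHA-1(Kseed || counter) for counter 1 and 2, parity adjusted."""
    k_seed = hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]
    k_enc = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjust_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_seed, k_enc, k_mac


# Constructed sample input: a TD3 second line modelled on the ICAO Doc 9303
# specimen passport (fictitious holder), so no real document data is used.
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    mrz = parse_td3_line2(SPECIMEN_LINE2)
    info = bac_mrz_information(mrz.document_number, mrz.birth_date, mrz.expiry_date)
    k_seed, k_enc, k_mac = derive_bac_keys(info)
    print("MRZ_information:", info)
    print("Kseed:", k_seed.hex())
    print("Kenc: ", k_enc.hex())
    print("Kmac: ", k_mac.hex())
    # Risk note: the keys are a deterministic function of data printed in the
    # document, so BAC only keeps out readers that do not know the MRZ; that
    # limited strength is why SAC / PACE is proposed as the replacement for BAC.
```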

BIG
Brussels Interoperability Group – technical working group on technical
standards for EU 2nd generation e-passports; reports to the EU Article 6
Committee responsible for the uniform format of visas.

BSI
The Bundesamt für Sicherheit in der Informationstechnik (English: Federal
Office for Information Security), the German government agency in charge of
managing computer and communication security for the German government.

CA / PA
Chip Authentication and Passive Authentication – these processes can be
followed after initial communication is established with the chip (BAC) in
order to authenticate to a high degree of security that the chip in the travel
document and the data it contains are genuine – proved to come from the
claimed issuing authority and to be complete and untampered with. This is done
by verifying digital signatures on the chip and data using trusted public keys
from the issuer.

DRA
Document Reading Authority – proposed central shared service in the UK: will
acquire all the PKI information needed by UK readers to undertake 1st and
2nd generation reading and authentication, manage the content, and pass it on
to the reader networks. Initial customer border control (immigration) but other
users likely.

EAC
Extended Access Control – to access fingerprints on a 2nd generation chip, the
full sequence of access protocols has to be followed: BAC (opens the chip);
CA and PA (authenticate the chip and data); and TA (the chip authenticates the
reader).

ECC
European Citizen Card – a joint card combining the functions of an MRTD
travel document and eID card in one. The EU Biop@ss programme is building
a demonstrator ECC.

eID
Electronic ID (card) – the equivalent card to an ID card for travel (and
MRTD), but for use in online authentication, e.g. signing authorisations and
establishing identity in online transactions.

EU
European Union – publishes the standards for 2nd generation biometric
documents (via BIG and Article 6 committees).

ICAO
International Civil Aviation Organisation – publishes the standards for 1st
generation biometric documents.

MRTD
Machine Readable Travel Document – chipped passports / cards.

MRZ
Machine Readable Zone – the 2 or 3 lines of characters at the bottom of the
title page on a passport (or bottom of one side of an ID / residence card)
containing basic details about the travel document, holder and issuing country,
in a standard ICAO format. This information can be scanned optically by a
document reader to convert it into machine characters.

PACE
Password Authenticated Access Control – a new, more secure protocol for
making the initial connection between a reader and a document chip. See also
SAC.

PKI
Public Key Infrastructure – collectively, the whole system of standards,
certificates, documents and readers necessary to issue, read and authenticate
1st and 2nd generation biometric documents.

SAC
Supplemental Access Control – proposed by ICAO as a future replacement for
BAC in MRTDs (e-passports / ID cards), using the PACE protocol. The
intention is to start a transition using SAC on new documents and readers,
with a long transition period allowing BAC to be used until readers and
documents using only that protocol are no longer in use.

SPOC
Single Point of Contact – in the context of PKI, the single communications
point (and device) for exchanging verification certificates between
participating countries to authorise access to fingerprints on 2nd generation
chips, under the TA and EAC protocols.

TA
Terminal Authentication – an additional EU standard required for access to
2nd generation information on chips (e.g. fingerprints). Following BAC (the
reader opens and reads the chip) and CA / PA (the reader authenticates the 1st
generation information on the chip), TA allows the chip to challenge the reader
to produce a valid certificate proving that it has authority from the chip's
(travel document's) issuing authority to read sensitive 2nd generation personal
data. The chip verifies this certificate (by verifying the digital signature on
the certificate). If OK, access is allowed.

Driver and Vehicle Documents
Summary
This category comprises three documents:
Driving licence – a new EU driving licence [check: is proposed / has been
agreed? For introduction in 2013?] which will include a chip containing
primary biographic information about the document and holder, validity
period, etc.; and a facial image (biometric) of the holder. This information is to
be digitally signed using a PKI system analogous to the PKI approach for
travel documents (MRTDs).
Tachograph – a smartcard tachograph (recording vehicle speed and hours for
enforcement against drivers of heavy vehicles) has been in use since 2005.
Vehicle Registration – an electronic vehicle registration document (smartcard)
has been defined, to a less demanding or secure technical standard.
The electronic tachograph is an important enforcement control on drivers of heavy
lorries. This area is likely to expand very considerably with the introduction of an EU
chipped driving licence as this will greatly expand the number of chipped documents
in use and being encountered by operational police teams, in vehicles for traffic
officers, in circumstances where the citizen has an obligation to produce the document
on request. These documents will also be encountered by officers on foot patrol and
by immigration officers at borders (even though they will not represent a valid travel
document).
There is an important opportunity to consider a joint approach to (1) reader
devices capable of reading smart travel and vehicle / driver documents; (2)
distribution infrastructure to acquire, manage and distribute public PKI key
certificates from issuers (e.g. of passports, ID cards, residence permits and driver /
vehicle documents) to infrastructures and devices where they will be read; and
potentially in some cases (3) signing infrastructure used to produce these
documents.
The Eurosmart consortium (www.eurosmart.com) has urged EU Member States to
implement driving licences and tachographs in a way which is as consistent as
possible, specifically to make more feasible the interoperability of national level
readers and national level smart documents – in line with e-MOBIDIG aims.

Standards – Driver and Vehicle Documents
Driving licence – ISO/IEC 18013. The standard results from a collaboration
by the International Organisation for Standardisation (ISO WG10) and the
International Electrotechnical Commission. The standard provides a common
framework with national level authorities able to choose to adopt different
parts of the standard. WG10 agreed a harmonised standard for the chip using
Data Groups (similar in concept to MRTDs). DG1 (mandatory) contains
family name, given name, date of birth, date of issue, date of expiry, issuing
country, issuing authority, licence number, categories of vehicles and
restrictions. DG4 (optional) can contain a face image. DG6 (optional) can
contain a templated finger biometric.
EU minimum information on a driving licence – driving licence Directives
91/439/EEC, in force since 1 July 1996; and 2006/126/EC.
Regulation on Digital Tachographs – 3821/85 as amended by 2135/98.
Digital tachograph cards have been used in the UK since 2005. Digital
tachographs have a single PKI hierarchy with a European root key.
Vehicle Registration Document Directive – 2003/127/EC. Annex 1 sets out
the smartcard format. The standard lacks read data access control. (Does it
include PKI-based authentication?)

Glossary – Driver and Vehicle Documents
ERCA
European Root Certificate Authority for EU tachographs (based at JRC, Ispra).

IEC
International Electrotechnical Commission – standards body.

ISO
International Organisation for Standards.

JRC
EU Joint Research Centre, Ispra, Italy.

Tachograph
A device to record a vehicle's speed over time as a means of enforcing
regulations on drivers' hours and vehicle speed.

WG10
Working Group 10 of ISO – deals with the driving licence technical standard.

Watchlist
Summary
Watchlist information will provide the operator of a mobile device with an alert signal
if someone's identity or document details match information on a prioritised list for
the country (or region). Entries on a watchlist may cover many possible
circumstances, for example a passport that has been lost or stolen, a person who is
wanted by the police for arrest in connection with a criminal investigation, a warning
that the person may be violent towards officials, or an indication that the person is of
more discreet interest to a law enforcement or security agency.
Considerations in accessing watchlist information from a mobile device are:
There may be considerable value in connecting to this source because it may
make it possible to conduct full border checks using the device. It may be of
other operational use.
It is important that the response from a hit indicates clearly the action, if any,
to be taken and that in doing so it does not alert or inform the person being
checked (there should not be a characteristic sound or readily visible
indication) – even so, the operator needs to protect the device from being
overlooked when in use.
Contents of a watchlist, and whether a particular person is or is not listed, may
be of high value to people who pose a serious threat to security. It is therefore
critical that any device giving access to watchlisting information is especially
well protected from attack. This could include access control measures;
directing all requests from mobile devices to a read-only copy of the live
database, to restrict the information the device can access (see replication,
above); or limiting the information sent back to the mobile device but where
appropriate advising the user to refer to a central point or a separate
confidential system for further information.

Standards and glossary – Watchlist
Note relevance to security and architecture: very high premium on protecting the
information from compromise.
