Germany: biometric passports in November
The German Upper House approved on 8 July the introduction of biometric passports. The ‘ePass’ will contain a contactless chip (RFID) that will hold a digital frontal picture of the bearer’s face. In the future, two fingerprints, one from each hand, will be included – probably starting in 2007. The issuing of the biometric passports is expected to begin in November 2005.
The picture and fingerprints in the chip will be compared with those of the holder of the passport. This will make it possible to establish that the passport really belongs to the holder. During border checks the data in passport can also be compared to federal police watchlists. Currently, there is no plan in Germany to create a central database to store the biometric data.
To facilitate privacy of the data and secure it against unnoticed reading or capture of the transmission, public-key cryptography will be employed. Reader devices at the border also integrate keys. These shall only live for a few weeks, so that stolen reader devices cannot be successfully used to steal data over a prolonged period of time.
Communication between the reader and the passport starts by optically scanning the machine readable zone (MRZ). An access key is computed from the MRZ and a cryptographically secured channel to the chip is opened. Through it, data stored on the chip is read and the embedded signature verified. Afterwards, the images are optically presented to the user.
The software used by the readers is called ‘Golden Reader Tool’ and is developed by the Federal Information Security Agency (BSI – part of the Federal Ministry of the Interior) in cooperation with the Federal Criminal Police (Bundeskriminalamt, BKA), Bundesdruckerei (the former federal printing office), Giesecke & Devrient GmbH (the world’s largest company for security printing specialising in ID documents and security papers), Cryptovision and Secunet.
The German EDRI-member Chaos Computer Club (CCC) published a manual how to fake the fingerprints used in the biometric passport. The procedure involves coping a fingerprint from a glass and transferring it to a latex dummy that can be used to fool the reader during border check. CCC will demonstrate the tactic during the hacker festival What the Hack (28-31 July 2005 in the Netherlands).
Germany clears biometric passports plan (08.07.2005)
http://www.theglobeandmail.com/servlet/story/RTGAM.20050708.gtgermanyjul8/BNStory/Technology/
Bundesrat billigt Biometriepass-Verordnung (08.07.2005)
http://www.heise.de/newsticker/meldung/61516
How to fake fingerprints? (26.10.2004)
http://www.ccc.de/biometrie/fingerabdruck_kopieren.xml?language=en
What the Hack
http://www.whatthehack.org/