I527-290 ESRIF Final Report (WEB).indd - European Commission
Behaviour analysis
One possible way to prevent identity theft or misuse of biometric traits is to measure user behaviour and check its
coherence with previous uses of the services, and thus detect the potential presentation of a biometric credential
by an intruder. User behaviour may also be used to detect a user acting under unexpected conditions that may be
forced by a kind of kidnapping act: stress, facial contraction, etc. could be used. Abnormal behaviour detection needs
to be extended to vehicles and assets in general, where a person is always involved in the process as a driver or a
controller.
But some difficulties exist and require further work:
First, these practices may be against the Personal Data Protection Directive, and study of legal implications and limits should
also be an issue of research.
Second, there is no standard methodology to evaluate the security of a behaviour detection system.
Standardisation Status<br />
Standards are critical to the proper and robust development of the biometrics and identity management market place and<br />
technologies. Contrary to common perception, there are many standards already in existence for many technologies. However,
some key cross-technology areas remain to be properly addressed, for example security, interoperability and performance.
This standards harmonization will be key to the success of future biometric systems’ operations.<br />
The need for enhanced security technologies drove and accelerated the development of identity-related standards. With
regard to biometrics, in addition to the ICAO standards, relevant biometric, ID/smartcard, and security standards have been
developed in ISO (i.e., JTC1 SC37, SC17, and SC27). Although there is still a long way to go towards achieving interoperability
in terms of technical specifications, it is important to note that these standards exist and they should be promoted and
developed.
Extended Access Control (EAC) requirements<br />
With the EAC process, the time needed for reading the chip in the e-passport is estimated to be 6 to 9 seconds for 40 Kb data<br />
read. It would be interesting to break down this time:<br />
1. Is the maximum communication speed reached by the reader?<br />
2. Are there waiting times (calculation of the keys, data encryption)? Is it possible to count and measure these? How long do<br />
they take? Is it possible to reduce these? If so, how?<br />
3. BAC reading seems to be very smart. Has the difference of reading time with the EAC control been identified: availability of
certificates? Latency time between two readings? Calculation time for the keys? Exchange data’s encryption time? Are these
times attributable to the reader, to the chip, or to both of them?
At border control, time is money and the EAC process execution time is a critical factor. It would be interesting to answer these<br />
questions, especially for airport administrators. In addition, it is important to assess if the considered technical solutions (RSA<br />
key, elliptic curve) will be able to reduce the time of border control on complex airport platforms such as Heathrow, CDG,<br />
Frankfurt, Schiphol and so on.<br />
Of course, the main reason for introducing biometrics is to increase security and the sense of security. Although increased<br />
efficiency in law enforcement does not directly improve security, it can be argued that the use of biometrics acts as a deterrent
to criminal, illegal or anti-social activities. In this respect, overblown claims about the performance of biometrics may actually<br />
prove helpful.<br />
Fingerprints are particularly sensitive personal data. Access to them, for any check or verification operation, needs to be
strongly secured. Therefore, even though we want to reduce the reading time, it is critical to maintain a high level of data
protection. This is achieved by having, for each Member State, a key management infrastructure and cryptographic
mechanisms.
ESRIF FINAL REPORT - PART 2 • Working Group: Identification of People and Assets