CONNECTING CITIZENS IN SOUTH-EAST ASIA

An informed overview of current or projected eID schemes in South-East Asia, showing how governments in the region are gearing up to communicate with people efficiently and remotely through electronic means

by Artur Khakimov, Smart Insights

Biometrics are unique to each and every human. Fingerprints have been used for a long time to authenticate people. The uniqueness of thumbprints, along with other biometrics, offers big opportunities not only for security but also for business, wealth and prosperity. Every human wants to keep his identity untouched, so that no one can steal his own ‘me’. From birth we are given different identification features, including name, surname, and other demographic data. They help us to prove we are who we claim to be. Even so, misidentification often occurs because demographic information may lack the necessary level of secure authentication.

Criminals use these flaws in weak identification links to violate the law. The ease of creating a new identity with fake demographic data makes such situations quite frequent. A fake identity allows people to avoid their obligations or to benefit from something they have no right to. The growing number of fake identities creates an imbalance in the governmental and social constitutions of any state. In contrast, the convergence of biometrics, new secure smart storage technologies and communication services brings a new era of government identity.

Real electronic identification cases show how efficiently a government may communicate with people at a distance. Electronic government (eGovernment) is a modern way for authorities to communicate with citizens using new technologies, including the internet. The concept and function of eGovernment have changed because of advanced technology and social needs. Bureaucratic autonomy, with its emphasis on the efficiency of public service, has merged into the new concept of eGovernment, which focuses more on democratic participation. This transformation has empowered citizens to participate in the decision-making process by using information technology. It gives public services a huge opportunity to achieve both efficiency and democracy.

Several types of eGovernment interactions have already been identified. Government to citizen (G2C) is a direct exchange between authorities and civil institutions and people, for instance, when voting or reissuing documents. Government to business (G2B) is the way business units cooperate with government authorities, for instance, when paying taxes. Finally, government to government (G2G) is the way in which states work with each other electronically, for instance, on criminal databases or frequent traveler programs. However, with the implementation of smart identity schemes, a new secure business to client (B2C) communication is appearing. Businesses that need to authenticate their clients now use smart ID cards as a know-your-customer (KYC) tool, improving the comfort and efficiency of the services they offer. Further, new smart technologies using biometrics bring an increase in people’s ‘bankarization’ level. The Indian government, by implementing the Aadhaar national ID card project and having banks accept the cards as a KYC tool, helps states improve demand for financial services.

Secure ID project phases


A secure eID project may appear as a complicated and sophisticated initiative. The number of different players involved sometimes brings more difficulties and misunderstandings. For instance, the issuance of passports may involve many industry specialists, including booklet producers, inlay manufacturers, as well as chip makers.

Although having many players and sources diminishes the government issuing body’s dependence on suppliers, it also raises security and interoperability issues. The expansion and large-scale implementation of a number of biometric projects will compel manufacturers to focus on standardization. Once this technology becomes widespread, users will become more comfortable with biometrics. A secure eID project includes several phases: enrollment, entitlement, data management, document issuance, delivery, and post-issuance. The last of these may include various initiatives, such as verification by government authorities or business units, auto-gates, etc.

ePassport generations

A machine-readable travel document (MRTD) is a basic identity document in which machine-readable data is presented in the form of optical character recognition (OCR). However, the amount of data that can be stored in the OCR format of machine-readable zone (MRZ) is limited. States require the storage in the document of more data relating both to the document holder and to the validity of the document. ePassports are machine-readable travel documents (MRTDs) with an embedded secure element based on specifications defined by the ICAO. ePassports incorporate a contactless microprocessor chip, on which information about the passport holder is stored. This may include his/her biographic data such as name, date and country of birth, medical information, and the facial image of the passport holder (mandatory, according to ICAO specifications). A contactless-enabled reader is used to read this data from the passport.

Electronic passports are based on Basic Access Control (BAC), which aims at avoiding spoofing, i.e. unauthorized access to passport data. BAC is a mechanism that was introduced to ensure that the data stored in the ePassport microprocessor chip is read in a secure way. BAC protects the data visible on the ePassport data page (biographic data and facial image). BAC is based on a symmetric protocol and the authentication relies on an access key derived from the MRZ, which contains data that can be read on the data page of the passport itself or partially known (for example, date of birth). Before granting access to its data, the chip authenticates that the reader has accessed the MRZ and performed the appropriate computing. Data contained in the MRZ is used to generate a code presented to the chip.

Biometric passports are a new generation of MRTDs, also with an embedded secure element. The chips embedded in biometric passports store not only demographic information about the passport holder, but also his biometric data. Biometrics may include fingerprints, iris pattern and other biometric data (optional). Second-generation biometric passports are supposed to be based on Extended Access Control (EAC). EAC is a mechanism that restricts access to highly sensitive biometric data, including fingerprints and iris, to authorized parties only and adds functionality to perform chip and terminal authentication. EAC is based on an asymmetric (public key cryptography) protocol and uses stronger encryption. In South-East Asia, only Singapore has implemented an EAC-based ePassport scheme. For third-generation ePassports, ICAO introduced a new security mechanism, Supplemental Access Control (SAC), which aims to overcome the limitations of BAC. SAC is based on Password Authenticated Connection Establishment (PACE v2). During the authentication phase, it uses asymmetric cryptography, and it bases data encryption on a key shared between the reading device and the chip.

Philippines

The Philippines is a Southeast Asian country expected to become one of the biggest ePassport issuers in the world. In June 2010, Acuity Market Intelligence forecast that by 2014, the Philippines would be the world’s sixth-largest issuer of ePassports, behind India, the US, China, Brazil, and Britain, and followed by Japan, France and Canada.

The Philippine ePassport project entered a new phase on December 9, 2005, when the Department of Foreign Affairs of the Philippines (DFA) terminated its contract with the Philippine-Thai firm BCA International, which had signed a build-operate-transfer contract in 2000 to implement the national passport project.

The contract was abolished due to the firm’s financial incapacity to carry it out. In 2006, the DFA, in cooperation with the Bangko Sentral ng Pilipinas (BSP, Central Bank), started a five-year passport modernization project designed to issue new Philippine machine-readable passports (MRP).

In February 2007, however, following a petition by BCA, a lower court stopped the DFA and BSP partnership from implementing the ePassport project. The Supreme Court then issued a temporary restraining order (TRO) against a regional trial court and BCA over a similar petition that sought to stop the issuance of newer MRPs to Filipinos. Finally, the Philippine MRP was issued on September 17, 2007. On June 26, 2008, the BSP conducted a new bidding process for the possible implementation of a new Biometric Passport System.

In the bidding, French company Oberthur outdid 14 other companies including Alma Viva, ePassport supplier to the Italian government, Bundesdruckerei, and Giesecke & Devrient (G&D). The Monetary Board, the highest policy-making body of the BSP, chose Oberthur as the winning bidder for the ePassport project with a bid worth PHP 859.7 million (EUR 15.3 million), well below the approved budget cost of PHP 970.5 million (EUR 17.2 million). On August 11, 2009, the first biometric passport was issued to President Gloria Macapagal-Arroyo. Afterwards, in mid-2010, the DFA began to implement the ePassport project nationwide.

Other countries

  • in Brunei, the Immigration and National Registration Department trialed biometric passports in 2007 and launched the project in 2008
  • in Myanmar, current identity documents are MRPs
  • the Cambodian government has launched an ePassport scheme
  • in January 2011, Law and Human Rights Ministry officials of Indonesia officially introduced the new Indonesian ePassport
  • in March 1998, Malaysia introduced ePassports, becoming the first country in the world to launch its national passports with embedded chips
  • Singapore is the only country in the region to have implemented an EAC-based ePassport project
  • the Thailand Foreign Ministry’s ePassport committee launched electronic passports in 2005
  • according to the plan approved by the Vietnamese government, the Ministry of Public Security of Vietnam might issue the first electronic passport in late 2012 and grant more of them to the public in 2013.

eID cards

The first eID cards were produced in 1997. Beyond their traditional usage as identity documents, such cards also offer supplemental functions. The range of additional features stored on the secure elements of eID cards varies from digital signature and physical access solutions to social security, driver’s licenses, healthcare, banking and transportation applications. Further, eID cards are designed to provide access to a number of eGovernment services. This multi-service potential means the same card, in addition to being a state-delivered ID card, can be used for many different applications.

eID documents have three main functions:

  • identification: to prove either visually or automatically the identity of a person who presents his ID credentials
  • authentication: an optional function that constitutes the process of verifying a person’s identity to be authentic
  • eSignature: an optional function to generate digital certificates to sign electronic documents.

Indonesia

The Indonesian government announced its plans to issue electronic identification (eID) cards, locally called eKTP (Kartu Tanda Penduduk), in 2009. About 178 million people throughout the country are eligible to have eID cards in Indonesia. eID card pilot projects were carried out in six sub-districts, involving around 150,000 residents, in 2010. The electronic KTP cards will be handed out free of charge and will replace the older KTP identity cards. Distribution of eKTP cards is to be completed in 2012. The eID card project has long been planned as part of a government initiative to give every citizen a single 16-digit identity number. Each card displays a photo, name and identity number. The project of the life-long Population Identity Numbers (NIK) was carried out nationwide from 2010 to 2011.

The population database built for eID cards will also become a basis for the issuance of other documents such as passports, driving licenses, NPWP (tax identification number), insurance policies and land certificates. The procedures of eID card production include the verification of data on inhabitants 17 years old or above. They are then required to visit an enrollment office for fingerprint recording, photo and signatures. The data is then sent directly to the home affairs ministry for verification and later printing of their ID cards. The new eID card must be renewed every 5 years. Children under 17 will be issued a NIK.

Other countries

  • in Malaysia, the national ID card, or MyKad, was officially launched in 2001
  • in the Philippines, according to Executive Order (EO) 420 issued in 2005, all government agencies were asked to adopt the Unified Multi-Purpose ID (UMID) System
  • the national eID card of Thailand was launched by the Ministry of Information and Communication Technology (MICT) in 2004.

Other ID applications

  • the new driver’s license in Brunei was revealed at the Land Transport Department of Brunei in 2009
  • the driver’s license of a citizen of Malaysia is now stored on the citizen’s ID card
  • Malaysia introduced a smart vehicle registration system, where Thai vehicles entering the country from December 15, 2008, were required to use a smart card for the electronic Vehicle Information System (eVIS)
  • in 2009, the Public Health Ministry in Thailand launched its new smart card-based healthcare project
  • in May 2011, the government of the Philippines started the distribution of about 220,000 smart cards granting fuel subsidies to drivers of Jeepneys and tricycles, local means of public transport.

Standardization

The ICAO has set global standards for ePassports, and more broadly for ID documents. This has been done in order to facilitate interoperability across countries. The ePassport contains sensitive personal information, making the security and integrity of the ePassport a critical issue. For this reason, the ICAO provides a set of cryptographic mechanisms to protect the passport’s data confidentiality, integrity (authenticity), and anti-cloning, including two ePassport standards: Basic Access Control (BAC) and Extended Access Control (EAC).

These new security standards are designed to help countries migrate from traditional paper-based travel documents. The ICAO defines the biometric file formats and communication protocols to be used in passports. The comparison of biometric features is performed outside the passport chip. To store biometric data, the contactless chip includes a minimum of 32K of EEPROM storage memory, and runs on an interface in accordance with the ISO/IEC 14443 international standard, amongst others.

International standards are intended to establish interoperability of border control systems in ICAO member countries. According to the ICAO standards (Document 9303), there are several types of cryptographic mechanisms, for instance, passive authentication (PA) and active authentication (AA).
