Speedup for European ePassport Authentication

Roel Peeters, Jens Hermans, Bart Mennink
2014 Biometrics and Electronic Signatures  
The overall ePassport authentication procedure should be fast to have a sufficient throughput of people at border crossings such as airports. At the same time, the ePassport and its holder should be checked as thoroughly as possible. By speeding up the ePassport authentication procedure, more time can be spent on verification of biometrics. We demonstrate that our proposed solution allows replacing the current combination of PACE and EAC with a more efficient authentication procedure that ... des even better security and privacy guarantees. When abstracting away from the time needed for the ePassport to verify the terminal's certificate, a speed-up of at least 40% in comparison with the current ePassport authentication procedure is to be expected.

1 Introduction

Part of the ePassport authentication is run on an RFID chip contained within the ePassport. This means that when designing ePassport authentication protocols, one needs to take into account efficiency and cost constraints on the chip side. At the same time, the overall ePassport authentication procedure, including the verification of biometrics of the ePassport holder, should ideally take less than ten seconds to reach a sufficient throughput of people at border crossings such as airports, without compromising on security. Therefore it is important that newly proposed solutions are at least as efficient as the current solution when providing improved security features, or more efficient when providing at least the current security features. Additionally, to keep the cost low, the newly proposed solutions should also be able to run on the currently available hardware.

Recently a couple of ePassport authentication improvements were proposed. Bender et al. [BFK13] proposed to combine password authenticated connection establishment (PACE) with active authentication (AA), which results in a cost reduction on the tag side by one elliptic curve multiplication: 6 elliptic curve multiplications instead of a total of 7 for PACE and AA separately. However, this improvement only applies to the version of PACE with the generic mapping and not to the version with the integrated mapping, where the total for PACE and AA separately would be 4 elliptic curve multiplications. Buchmann et al. [BPBP13] propose an improved BioPACE protocol where the ePassport holder's biometrics are used in combination with a biometric template protection scheme as input for PACE instead of the ePassport's Machine Readable Zone (MRZ).
This bypasses the need for extended access control (EAC) which is aimed at limiting access to the sensitive data
dblp:conf/biosig/PeetersHM14 fatcat:nhmlvcjlnbffblfhjxtvsxhhb4