
Jun 16, 2013

Novay's NFC Passport Reader

At Novay, as part of a project for EIT ICT Labs on Mobile Security & Privacy, we have been working hard on an Android app, based on JMRTD, to demonstrate how passports (and identity cards) and the passport holder can be validated. The first version of our efforts is now available from the Play Store.



Now the underlying ePassport Java library JMRTD was ported to Android almost two years ago in a proof-of-concept app. The new Novay app focuses on two new features. First, it makes the passport reading experience as user friendly as possible. The UI is up to 4.x standards, and has been better thought out. We're looking at showing the information as soon as possible as it comes in over the (awfully slow) NFC connection, while at the same time making sure that the user understands that the document needs to be held in proximity to the device for the couple of seconds that it takes to read all of the information.


Second, and more importantly, the new app uses the security mechanisms of the chip embedded in a passport to their full potential. This means that the authenticity of the contents and of the chip are actually checked, and the results are displayed to the user.

We're working on a next version of this app in a second phase of this project. We still see plenty of possibilities to improve the usability.

People at Novay involved are: Peter Ebben, Ruud Kosman, and myself. Thanks to Atlantic Zeiser for providing the sample document that was used in the screenshots above and in the Play Store.

Jul 13, 2011

JMRTD for Android

JMRTD, the Java library that I (together with others) maintain to access and interpret ePassport content, has been ported to Android by Max Günther. To demonstrate this, Max has developed an app (see the screenshot) for Nexus S (and other NFC Android handsets). We're not the first ePassport project on Android or NFC, but we try to be the most usable one!

The contactless technology in ePassports, ISO-14443, is fully compatible with NFC. Essentially this means that an NFC device in reader mode will be able to read ePassports. That is, of course, if the device has sufficient access privileges (i.e. Basic Access Control (BAC) and Extended Access Control (EAC)). Max's app demonstrates how the essential passport holder details (aka datagroup 1) and the passport holder's facial image (aka datagroup 2) can be displayed.

The latter is actually non-trivial since that image is encoded in JPEG 2000 by some issuing countries, a format that is not supported in Android by default (thankfully there's jj2000). Another challenge that we encountered is the presence of a crippled version of Bouncy Castle in Android 2.3 which prevents inclusion of the full version (thankfully there's Spongy Castle). In general we've made many changes to JMRTD and SCUBA to make these libraries easier to port to other platforms.

We're working hard on making the app more robust and usable. Max and Claude Heyman are currently the main developers looking at Android NFC. We're trying to get MRZ OCR scanning to work (perhaps based on the Java OCR project). In its current form the app is not doing document validation or access to EAC protected data, but JMRTD allows this, in principle. We hope to publish the proof-of-concept app via the Android market soon. If you own a Nexus S (and an ePassport) we're definitely interested in your feedback.

Update: Max published the app on the market.

Oct 1, 2009

Mobile PKI


Mobile PKI, also known as Wireless PKI (and a lot of other names such as Mobile Secure Signature Service, Secure Signature Creation Device, ...) is a technology which allows users to place electronic signatures with their cell phone. This can be used for applications that run on the phone, but also for applications that run on other platforms (the user's computer connected to the Internet, for instance). One could use this, for example, as an authentication mechanism at a relying party. In the latter scenario your phone is a "something-you-have" token which provides extra security as an attacker would have to manipulate two separate channels to mount an attack. Before placing a signature, the cell phone will ask the user for his or her PIN.

The SIM card inside the cell phone plays a central role in Mobile PKI. Actually, the obvious way to implement Mobile PKI is through a so-called SIM Application Toolkit (SAT) applet installed on the SIM card. SAT applets have some really cool features that make things easy, both for the mobile operator and for the user:
  • They can be installed over the air (OTA) to an already deployed SIM by the mobile operator, without disturbing the user
  • They can add extra (basic menu-based) features to the GUI
  • They can react to events such as selection of menus by the user or incoming SMSs sent by the mobile operator
This makes Mobile PKI a pretty secure solution:
  • The application resides on a tamper resistant smart card
  • Most handset manufacturers will make sure that there's a trusted path from the phone's keyboard to SAT applications (the malware problem seems to still be small for the mobile platform)
  • The separate channel advantage was already mentioned above
It's also user-friendlier when compared to other authentication solutions such as smart cards, PKI tokens, and one-time-password SMSs:
  • The PIN is the same for each and every transaction
  • There's no need to install software on the user's PC
  • There's no need to read and type challenges or responses
  • Most users will not forget or leave their cell phone unattended, and most will notice and report a missing or stolen phone
Mobile PKI was standardized by ETSI around 2002/2003. Common Criteria protection profiles for Secure Signature Creation Devices have also existed since 2001. So the technology is pretty old. It has found its way to end-customers in some countries, most notably Turkey and more recently the Nordic countries (in Finland you can apparently even add your government issued eID to a SIM card). Most of the SIM manufacturers and technology providers offer Mobile PKI as an option to their customers (the mobile operators). I wonder why this hasn't caught on here in the Netherlands.