Periodic Reporting for period 1 - eBORDER (Secure and Wireless Multimodal Biometric Scanning Device for Passenger Verification Targeting Land and Sea Border Control)
Période du rapport: 2020-01-01 au 2022-12-31
The use of biometric identification techniques coupled with efficient and secure wireless connections that enable access to EU law enforcement databases are proven techniques for ensuring efficiency and reliability. However, current biometric systems rely on one mode of biometric data that can at times lead to false identification, in particularly under uncontrolled conditions during live sample acquisition (vehicular scenarios). Moreover, the current crop of scanning devices is limited in coverage and typically have fixed links, thus confining the range of border control applications and compromising the comfort of passengers. In this context, we aim to go beyond legacy systems and propose an innovative passenger-centric biometric system that authenticates “on the fly”, or so called zero footprint.
In this context, eBORDER addresses four key objectives:
O1: Advanced biometric verification algorithms targeting face and fingerprints biometric traits for land and sea border crossing checks.
O2: Biometric data fusion for enhanced passenger identification
O3: Device and wireless security for next generation mobile passenger identification devices
O4 Implementation and validation of eBORDER in laboratory environment
It has been proved that the analytical models used in theory and simulations fail to capture exactly the uncontrolled environment during samples acquisition and the dynamics of the wireless medium, while the simplifying assumptions related to computational complexity and similar practical aspects are often unrealistic.
Therefore, we plan to implement the eBORDER architecture and the relevant mobile applications and demonstrate attainable performance benefits through experimentation in deployed real-life testbeds. The objective is to validate the high-performance benefits (in terms of efficiency, reliability, and security) provided by the theory-driven techniques.
In this context, eBORDER addresses four key objectives:
O1: Advanced biometric verification algorithms targeting face and fingerprints biometric traits for land and sea border crossing checks.
O2: Biometric data fusion for enhanced passenger identification
O3: Device and wireless security for next generation mobile passenger identification devices
O4 Implementation and validation of eBORDER in laboratory environment
It has been proved that the analytical models used in theory and simulations fail to capture exactly the uncontrolled environment during samples acquisition and the dynamics of the wireless medium, while the simplifying assumptions related to computational complexity and similar practical aspects are often unrealistic.
Therefore, we plan to implement the eBORDER architecture and the relevant mobile applications and demonstrate attainable performance benefits through experimentation in deployed real-life testbeds. The objective is to validate the high-performance benefits (in terms of efficiency, reliability, and security) provided by the theory-driven techniques.
The work performed in the eBORDER project so far comprises the following activities:
- Extensive review of the major biometric recognition techniques such as facial, iris and fingerprint recognition schemes
- SoA review on border control frameworks, identifying the characteristics of a strong and secure biometric recognition system and discusses the different security and privacy challenges.
- Investigation of different use cases and application scenarios to aid with the design of system architecture for eBORDER.
- Investigation of fifferent fusion approaches for multimodal biometric systems
- A detailed threat model for the eBORDER system was developed, using the Microsoft Threat Modeling Tool
- Definition of the overall system architecture based on a Passenger ID device utilised by the border control Officer at the border control entry point; and the eBORDER platform consisting of components implementing identification and verification services. These services include: Officer Authentication Service; Fingerprinting Identification Service; 3D Face Recognition Service; Data Fusion Service.
- Definition of the overall system requirements that included a comprehensive specification of the eBORDER user equipment, the eBORDER backend system, and the required hardware devices.
- Definition of the following essential security software components of eBORDER architecture has put: i) the Intrusion Detection System (IDS), running on the eBORDER Gateway (GW), ii) the SecureArray scheme for the eBORDER wireless environment, iii) the Officer Authentication mechanism, and iv) the Intrusion Detection and Prevention System (IDPS) running on the eBORDER mobile device.
- Advanced fingerprinting: Design of eBORDER biometric system, that provides authentication in two stages: enrolment and verification.
- Advanced facial recognition: Design of eBORDER biometric system requirements for facial recognition taking into account practical working conditions.
- Investigation of the fusion methods appropriate for application on the biometric modalities selected for the project
- High level architecture for proposed intrusion detection and prevention approach addressed.
- A detailed threat model for the eBORDER system was developed, using the Microsoft Threat Modelling Tool . The threat analysis showed 175 threats belonging to the following ten categories: i) Spoofing; ii) Tampering; iii) Repudiation; iv) Information disclosure; v) Denial of Service; vi) Elevation of privilege; vii) Malicious code injection; viii) Replay attacks; ix) Man-in-the-middle attacks; and x) Malware attacks.
- Key eBORDER device (eBORDER user equipment) security requirements were identified based on the threat analysis provided following the guidelines provided by NIST in the Draft NISTIR 8196 in terms of availability, confidentiality, authentication, and integrity.
- Identification of key eBORDER wireless communication security requirements between the identification device (eBORDER user equipment) and the eBORDER platform in terms of authentication, authorisation, data confidentiality, data integrity, and availability.
- Identification of key eBORDER backend platform security requirements in terms of authentication, authorisation, data confidentiality, data integrity, and availability.
- For demonstration purposes, a testing setup, based on Virtual Machines (VMs) on a laptop, was assumed. The testing setup was consisted of: a) a VM representing the eBORDER Gateway, where the Suricata-based IDS was installed and configured properly; b) a VM representing an eBORDER mobile device; and c) a VM representing the adversary device.
- Survey on User Authentication methods
- Definition of the integrated peripherals of the eBORDER mobile device
- Extensive review of the major biometric recognition techniques such as facial, iris and fingerprint recognition schemes
- SoA review on border control frameworks, identifying the characteristics of a strong and secure biometric recognition system and discusses the different security and privacy challenges.
- Investigation of different use cases and application scenarios to aid with the design of system architecture for eBORDER.
- Investigation of fifferent fusion approaches for multimodal biometric systems
- A detailed threat model for the eBORDER system was developed, using the Microsoft Threat Modeling Tool
- Definition of the overall system architecture based on a Passenger ID device utilised by the border control Officer at the border control entry point; and the eBORDER platform consisting of components implementing identification and verification services. These services include: Officer Authentication Service; Fingerprinting Identification Service; 3D Face Recognition Service; Data Fusion Service.
- Definition of the overall system requirements that included a comprehensive specification of the eBORDER user equipment, the eBORDER backend system, and the required hardware devices.
- Definition of the following essential security software components of eBORDER architecture has put: i) the Intrusion Detection System (IDS), running on the eBORDER Gateway (GW), ii) the SecureArray scheme for the eBORDER wireless environment, iii) the Officer Authentication mechanism, and iv) the Intrusion Detection and Prevention System (IDPS) running on the eBORDER mobile device.
- Advanced fingerprinting: Design of eBORDER biometric system, that provides authentication in two stages: enrolment and verification.
- Advanced facial recognition: Design of eBORDER biometric system requirements for facial recognition taking into account practical working conditions.
- Investigation of the fusion methods appropriate for application on the biometric modalities selected for the project
- High level architecture for proposed intrusion detection and prevention approach addressed.
- A detailed threat model for the eBORDER system was developed, using the Microsoft Threat Modelling Tool . The threat analysis showed 175 threats belonging to the following ten categories: i) Spoofing; ii) Tampering; iii) Repudiation; iv) Information disclosure; v) Denial of Service; vi) Elevation of privilege; vii) Malicious code injection; viii) Replay attacks; ix) Man-in-the-middle attacks; and x) Malware attacks.
- Key eBORDER device (eBORDER user equipment) security requirements were identified based on the threat analysis provided following the guidelines provided by NIST in the Draft NISTIR 8196 in terms of availability, confidentiality, authentication, and integrity.
- Identification of key eBORDER wireless communication security requirements between the identification device (eBORDER user equipment) and the eBORDER platform in terms of authentication, authorisation, data confidentiality, data integrity, and availability.
- Identification of key eBORDER backend platform security requirements in terms of authentication, authorisation, data confidentiality, data integrity, and availability.
- For demonstration purposes, a testing setup, based on Virtual Machines (VMs) on a laptop, was assumed. The testing setup was consisted of: a) a VM representing the eBORDER Gateway, where the Suricata-based IDS was installed and configured properly; b) a VM representing an eBORDER mobile device; and c) a VM representing the adversary device.
- Survey on User Authentication methods
- Definition of the integrated peripherals of the eBORDER mobile device
1) Design and development of the eBORDER device: a wireless multimodal biometric scanning device for passenger identification targeting land and sea border control applications
2) Design and development of the eBORDER Passenger Identification Mechanism as a mobile app running on the eBORDER device. It also supports biometric and passport data capturing and transmission.
3) Design and development of the Intrusion Detection System (IDS) running on the eBORDER Gateway (GW). Its target is to enhance the level of protection for the transmitted data between the eBORDER mobile devices and their local eBORDER Gateway over a wireless (Wi-Fi) communication channel.
4) Design and development of a Physical-Layer Security Scheme for the eBORDER wireless communication channel. Its target is to enhance the level of protection for the transmitted data between the eBORDER mobile devices and their local eBORDER Gateway over a wireless (Wi-Fi) communication channel.
5) Design and development of the Officer Authentication mechanism running on the eBORDER mobile device. Its target is to enhance the level of protection for the eBORDER mobile device.
6) Design and development of the Intrusion Detection and Prevention System (IDPS) running on the eBORDER mobile device. Its target is to enhance the level of protection for the eBORDER mobile device.
7) Design and development of cutting-edge biometrics identification algorithms that uses a wide variety of face and fingerprint images to deliver high recognition rate as well as cutting-edge data fusion techniques.
2) Design and development of the eBORDER Passenger Identification Mechanism as a mobile app running on the eBORDER device. It also supports biometric and passport data capturing and transmission.
3) Design and development of the Intrusion Detection System (IDS) running on the eBORDER Gateway (GW). Its target is to enhance the level of protection for the transmitted data between the eBORDER mobile devices and their local eBORDER Gateway over a wireless (Wi-Fi) communication channel.
4) Design and development of a Physical-Layer Security Scheme for the eBORDER wireless communication channel. Its target is to enhance the level of protection for the transmitted data between the eBORDER mobile devices and their local eBORDER Gateway over a wireless (Wi-Fi) communication channel.
5) Design and development of the Officer Authentication mechanism running on the eBORDER mobile device. Its target is to enhance the level of protection for the eBORDER mobile device.
6) Design and development of the Intrusion Detection and Prevention System (IDPS) running on the eBORDER mobile device. Its target is to enhance the level of protection for the eBORDER mobile device.
7) Design and development of cutting-edge biometrics identification algorithms that uses a wide variety of face and fingerprint images to deliver high recognition rate as well as cutting-edge data fusion techniques.