Security certified, multi-functional smartcard with high recognition value
Official police ID cards identify the holder as a police employee through a personalised document. Public authority tasks may only be carried out by police officers or other authorised members of the police force. In some federal states, members of staff and administrative offices also have official (police) ID cards. Since the police in Germany, like the exercising of all state powers, is fundamentally a state matter according to the constitution, ID cards are not uniformly regulated and are different for the police in each federal state. The majority are therefore printed on paper or plastic cards and only a few states also include a chip for data encoding.
Novelty in ID card layout
During the course of the revision of the security measures for access to buildings and for logging on to the computer systems, Bremen Police had the aim of introducing a new official police ID card, taking into account the latest technical know-how which, as a side benefit and novelty owing to its design, would fundamentally be usable throughout Germany, i.e. for the police and authorities in other federal states as well. The goal was, in particular, a strong recognition factor of the visual ID card by citizens which contains a security certified multi-application chip for the various digital access applications as well as being based on a card body which, as a universally pre-manufactured smart card layout in blue (police) and green (general administrative authorities), demonstrates a variety of anti-counterfeiting features. A future-oriented means of unifying IT access, access control and visual ID cards for police officers which was feasible in the short term thus needed to be found, planned and implemented in collaboration with a security provider. Until now, law enforcement officers in Bremen did not have “the” official ID card, but rather had to hold two cards for daily use: the actual official ID card as a visual ID with a photograph and a card with RFID and contact chips. The latter gave access to the buildings and allowed them to log on to the PC, thereby allowing secure access to the police IT systems. Alongside the high procurement, administration and upkeep costs associated with having two systems, the non-continuous security processes constituted a problem area for data protection and IT. Motivation was consequently high for finding forward-looking strategic solutions for unification in terms of “integrated security”.
Stumbling blocks cleared away
From the beginning of the project, all parties of Bremen Police pulled together. External advice was also sought in order that the implementation process remained within a reasonable frame – both in terms of time and budget – because the view from the outside can often help to remove internal stumbling blocks in a timely fashion and to accelerate the coordination process. For the purposes of the universal and anti-counterfeiting design, we coordinated with colleagues from Hessen Police. Thanks to the shared motivation of the project team, goals were able to be quickly defined. The working group prioritised the essential cornerstones such as security, stability and flexibility according to requirements and found compromises which all the participants could support. It was thus possible to perceptibly reduce the cost of issuing and managing the future official ID cards, among other things. The applications to be integrated should be embedded via a higher-level workflow management system. Furthermore, it was necessary to ensure that the card design had a high level of protection against counterfeiting and had a high level of recognition for the citizens. To this end, we consulted with colleagues of Hessen Police since they were pursuing the same objectives in preparation for their own project. The project group also found clear answers to other issues such as stability, application as an access card or integration into the personnel management system.
BSI certificate in accordance with Common Criteria EAL 4+
Following the definition of goals for the multi-application chip, we favoured the use of a LEGIC advant AFS4096 Applet on a JCOP multi-processor platform which was recently certified by the BSI (German Federal Office for Information Security) according to Common Criteria EAL 4+ with these specifications – and for an RFID environment for the first time – as regards both the hardware and the contactless application environment. This platform also provided the contact interface option which was required in Bremen for IT access. However, in the course of the project, it was clear that the solution scenario would need to be reassessed. Owing to the requirements for longevity of up to ten years and personalisation by laser, the dual-interface variant could not be sustained. Bremen Police ultimately decided on an ID card design which was designed according to the latest understanding of document security, printed on a multi-layered polycarbonate body and equipped with the contactless JCOP multi-processor chip with LEGIC advant AFS4096 Java Applet as well as an additional JCOP contact chip. Following the idea of universality, this decision allowed other interested authorities to, for example, forego the contact chip without any problems depending on their requirements and to use a purely contactless official ID card for the respective applications.
Security under your own control
Another building block in the official ID project was ensuring data protection using, among other things, recognised encryption algorithms according to international standards as well as system sovereignty for Bremen Police over card applications and reader infrastructure. Against this background, it was out of the question that Bremen Police would leave key management for cards and applications to the system provider. Instead, they opted for an individual LEGIC Master-Token in order to ensure that the project requirements were satisfied.
Although the matter of access control through the implementation of a modern RFID system required intensive preparation, the expenditure paid off: as soon as the system is fully configured, installed and integrated into the day-to-day operations, Bremen Police should benefit from a highly secure access system which, in combination with a modern card management system, should not only speed up the issuing process but also simplify the management of ID cards and protect access to the police's IT resources. In particular, the integration of visual ID cards with smartcard functions makes the card a constant companion for all employees. Further benefits should be achieved in the future through functional upgrades to the cards.