LIBERIA eID project essentials
Introduction on the issuance of national identity cards
Executive Summary
Final / Liberia.ZETES.eID.MOI.docx 2 / 47
Table of Content
1 Foreword .... 4
2 Company profile of Zetes .... 5
3 Some of our key references .... 7
4 Introduction .... 9
5 Overview of the Principal Applications .... 11
6 The electronic ID card .... 13
6.1 Introduction .... 13
6.2 eID Chip .... 13
6.3 eID Applications .... 14
6.4 eID Card Body .... 15
7 Registration, and Card Issuance Workstations .... 18
7.1 Enrolment solution basic principles .... 18
7.2 Schematic Enrolment process representation .... 19
7.3 Registration Workstations Equipment .... 19
7.3.1 Registration Solution Module .... 20
7.3.2 Photo Capture Module .... 20
7.4 Special Features for the Mobile Registration Workstation .... 21
7.4.1 The presentation of the kit .... 21
7.4.2 Exterior .... 21
7.4.3 Interior .... 22
7.5 The Enrolment and Card Issuance Application .... 25
8 Card Management System .... 28
8.1 The CMS Application .... 28
8.2 The Concept of Lifecycle Management for eID Cards .... 29
9 Electronic Document Management System (EDMS) .... 32
9.1 Document Management .... 32
9.2 Document Scanning .... 32
9.3 Document Storage and Retrieval .... 33
10 Card Personalization .... 34
10.1 The Personalization Management system .... 34
10.2 The Personalization Machines .... 34
10.3 PKI Infrastructure for Document Signing .... 35
11 ABIS .... 37
12 Other components .... 39
12.1 WAN over 3G/EDGE Solution .... 39
12.2 BIMS Solution .... 39
12.3 Query Management and Stakeholders Interface Solution .... 39
12.4 CRM Solution .... 40
12.5 ICT Asset Management and Helpdesk Solution .... 40
12.6 The Cryptographic Infrastructure .... 41
13 Project Execution .... 42
13.1 The Business Continuity Plan .... 42
13.2 Training Plan .... 42
13.2.1 Training methodology .... 43
13.2.2 Training programs list .... 44
Figures
Figure 1 Overview of the Infrastructure .... 9
Figure 2 The principal applications .... 11
Figure 4 Photo Module .... 20
Figure 3 Integrated desktop biometric capture station .... 20
Figure 5 Schematic Overview .... 28
Figure 6 Example of a Card Lifecycle / Workflow .... 30
Figure 7 Datacard MPR5800 .... 35
1 Foreword

The Ministry of Internal Affairs has submitted an inquiry to Pitkit and Zetes, asking them to elaborate on the issuance of electronic identity cards. This document gives an overview of the steps and components involved in issuing electronic identity cards (eIDs). It is a high-level description; for more detailed information we suggest organizing an informal workshop on the subject.
2 Company profile of Zetes

ZETES is one of the leading ID integrators, with extensive experience in delivering turn-key registration systems to governments in Europe and Africa. ZETES, a Belgian company founded in 1984, holds a leading position both in the goods identification market (tracking and tracing of goods) and in the people identification market in EMEA, delivering turn-key solutions to governments. ZETES went public in 2005 (EURONEXT stock market) and has been profitable since its very beginning. More than 1100 employees work for ZETES, and a revenue of 220 million euro was generated in 2011.

Since 2005, ZETES has implemented several successful biometric government projects in Africa. For this purpose two hubs have been set up locally: one in Abidjan (Ivory Coast), including an e-passport and visa personalization site, and one in South Africa, through an acquisition.

In particular, ZETES is convinced that it has the right competences to bring the most suitable solutions to African countries:

- With more than 10 references for biometric population censuses in Africa in the last 5 years, ZETES is certainly one of the leaders in this field and has gained great expertise in conducting such projects successfully and in implementing reliable, efficient and secure solutions.
- Zetes is an experienced company of a reasonable size. We still offer the flexibility needed to make this project a success, whereas bigger companies have to follow many internal procedures before they are able to act and react.
- Through collaboration with a local partner and/or with the local authorities in Liberia, we will make sure that the transfer of know-how to the local authorities is fully possible.
- Zetes has full control of its people identification solutions and in particular of the project management of large-scale people identification projects: biometric census, digitization of documents, centralization, national AFIS services, management of central databases and national registers, and production of secure documents (ID cards, passports, social-security cards, etc.).
- Zetes has a thorough mastery of most leading biometric technologies: from the beginning of its activity in people identification, ZETES chose the leading providers of civil AFIS technology. All the projects led on the African continent have integrated these technologies and the associated know-how. This long-standing collaboration with the major players in the field has allowed us to build a real partnership, which is a key success factor for the implementation of people identification projects.

In the next chapter we are glad to present some of our key references in Africa in the field of people registration, de-duplication of civil registrations, issuance of secure cards (including biometric technologies), etc. These credentials show the vast experience ZETES has acquired in implementing large-scale census projects in various environments. This knowledge of the field and its inherent constraints
allowed ZETES to build strong solutions and to upgrade them by building on previous experience. Thanks to the best practices developed in this field and minimal overheads, Zetes and its partners are able to offer a competitive proposal. The projects we have implemented have been recognized many times by large international organizations: the PNUD, the United Nations authorities and the European Union.
3 Some of our key references

In 2005 ZETES provided the United Nations with 10,000 biometric enrolment kits, which allowed the registration of about 26 million citizens in the Democratic Republic of Congo in less than 6 months. To do so, about 25,000 persons were trained.

In 2006 ZETES undertook, in the Democratic Republic of Congo, the registration of the armed forces with the production of an electronic ID card (chip card).

At the beginning of 2007, the government of Togo appointed ZETES as sole operator for the biometric registration of its voters and the detection of duplicates in a service bureau mode, including the constitution of a central database and the production of electoral lists.

In July 2007, ZETES was chosen by the Government of the Republic of Cape Verde to carry out the population census and, in a second stage, the production of an electronic identity card.

March 2008, Republic of Burundi: commissioned by a consortium comprising the Belgian Technical Cooperation (CTB) and SOFOS Consultants, an international consultancy bureau, Zetes was selected to supply biometric enrolment and card production systems to identify the country's approximately 58,000 civil servants. Zetes won the contract to supply equipment and specialized services for:
- the biometric and biographic enrolment of civil servants
- the centralization of data and deduplication
- the production of secure cards

April 2008: Ivory Coast decided to use the technology and know-how of ZETES for its biometric passport. The Ivorian state granted a 15-year concession to SNEDAI (National Publishing Company of Administrative and Identification Documents), which selected ZETES as its exclusive technical partner for that same period, a decision that has been ratified by the Ivorian government.

The new Ivorian electronic passport will include the latest available identification technologies and will hold the following information: the photo, names, address, digital fingerprints and signature of the bearer.

December 2008: Zetes announced that it had been awarded a contract for the enrolment of social insurees in Gabon, as technical provider for the electronic health programme piloted by Gemalto, the manager of this project. The health card, containing essential information about the social insurees, makes it possible to determine who is entitled to which forms of care and drugs, and in what quantity. Zetes participated in this project to provide a solution for enrolling the beneficiaries. The number of people to be enrolled is estimated at around one million.

January 2009: Zetes announced the signing of a second contract with the government of Togo. This contract, covering the delivery of 500 mobile biometric kits, follows on from the scheme to compile the electoral registers, for which the Togolese authorities had previously called on the services of Zetes in March 2007.

January 2009: Zetes announced the signing of a contract with the United Nations for the updating of 6,000 registration kits. This made it possible for the Independent Electoral Commission of the Democratic Republic of Congo (DRC) to update the country's voter registration lists.
March 2009: Zetes announced the signing of a new contract with the consortium composed of the Belgian Technical Cooperation and the French firm SOFOS Consultants, bearing on a census of the Burundian military. This project followed on from the civil servants census project.

August 2009: Zetes, in partnership with the company SNEDAI (The National Company for the Issue of Administrative and Identity Documents), announced the launch of its latest projects with the Ivorian authorities: the biometric visa and the biometric diplomatic and service passports.

August 2009: Zetes announced the signing of a contract with the IOM (International Organisation for Migration) for the registration of the staff of the PNC (the Congolese National Police).

2009-2010: ZETES delivered 1,250 new biometric voter kits, including the supporting services, the AFIS service and voter cards for 3 million voters in Togo.

DRC 2010-2011: ZETES delivered the application update and support service for the DRC voter application for UNDP, delivered more than 10,000 new biometric voter systems with accompanying services (separate contract with the DRC government), and carried out the AFIS service contract for the deduplication of a voter database of more than 30 million voters (CENI project).

Sierra Leone 2012: Zetes has been appointed by the UNDP for the deduplication and the production of voter cards for the people of Sierra Leone. Zetes is working in close collaboration with a UK partner for the successful implementation of the project.
4 Introduction

The purpose of this document is to provide a concise overview of the issuance of eID cards in Liberia. The following schema lists the major components of our proposal:

Figure 1 Overview of the Infrastructure
- Identity Card from Zetes/Pitkit: cards for civil servants, operating system, and SAM card for special card readers
- PRS: Enrolment and Card Issuance Application from Zetes (BE)
- CMS: Card Management System
- ABIS: Automated Biometric Identification System
- PMS: Personalisation Management System from Zetes
- Personalisation Equipment
- Cryptographic Infrastructure (HSM), Document Signing + PKI
- Billing System, Query System, CRM, NOC, Asset Management, etc.
- ICT Infrastructure
- Personalisation Facility and the ICT Data Center

All the main parts come from independent manufacturers, to avoid vendor lock-in. We realize that it is in the government's interest to have maximum freedom and autonomy in the execution of its mission. In
the following chapters we briefly introduce the items mentioned above. These topics can be discussed in greater detail in separate documents.
5 Overview of the Principal Applications

The picture below shows the principal applications involved in citizen enrolment, validation and document personalization:
- Card Management System (CMS)
- Automated Biometric Identification System (ABIS) or Automated Fingerprint Identification System (AFIS)
- Enrolment and Issuance Application (PRS)
- Personalization Management System (PMS)
- Personalization Equipment

Figure 2 The principal applications

At the heart of the solution is the Card Management System (CMS). This central application manages all the data, lifecycle events and status for all citizens, passports and identity cards. The CMS also provides the primary data flow and workflow management on which the enrolment and issuance cycle is built, and it takes care of activation and post-issuance updates for the eID card.

The enrolment and issuance stations (PRS) are autonomous configurations located in registration offices around the country. The enrolment application collects and proofs all biographic and biometric data
pertaining to a citizen and the requested card. The enrolment station stores this data and forwards it to the CMS. The CMS takes care of the validation process with internal systems (ABIS, billing) and, if required, with automated external systems (law enforcement, ...).

The ABIS has a supporting function in the validation process managed by the CMS. Its primary task is to detect potential cases of multiple requests by the same person. Once the request is approved by the ABIS and all external authorities, the CMS prepares the personalization data and the personalization order for the Personalization Management System (PMS).

The PMS is the central application that controls the personalization process of the identity card. It plans and schedules personalization jobs on the various machines and is responsible for the data flow, workflow and material flow within the personalization room. Personalization of the identity card requires support from a PKI infrastructure (the Country Signing CA and Document Signer infrastructure).

Once a card is personalized it is shipped to a local issuance office. The issuance workstation performs a biometric verification of the citizen before the documents are handed over. The issuance workstation is also responsible for activating the eID chip. The issuance stations report the status of the card back to the CMS, which continues to monitor the card's state for years, until it reaches the end of its life cycle.
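The enrolment-to-issuance flow described above, modelled as a small CMS state machine. This is an added example, not code from the Zetes proposal; the state names, function names and the "ENR-" identifiers are assumptions. What it makes explicit are the two gates the text relies on: no personalization order before the ABIS and the external authorities have approved the request, and no chip activation before the issuance office has biometrically verified the applicant.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class CardState(Enum):
    """Lifecycle states a card request passes through in the CMS (hypothetical names)."""
    ENROLLED = auto()        # PRS has stored the record and forwarded it to the CMS
    VALIDATING = auto()      # CMS is waiting on the ABIS and external authorities
    REJECTED = auto()        # duplicate found or an external authority objected
    APPROVED = auto()        # personalization data may now be prepared
    PERSONALIZING = auto()   # order handed to the PMS
    SHIPPED = auto()         # card on its way to the local issuance office
    ACTIVE = auto()          # handed over after biometric verification, chip activated


# Allowed transitions; anything else is refused by the CMS.
TRANSITIONS = {
    CardState.ENROLLED: {CardState.VALIDATING},
    CardState.VALIDATING: {CardState.APPROVED, CardState.REJECTED},
    CardState.APPROVED: {CardState.PERSONALIZING},
    CardState.PERSONALIZING: {CardState.SHIPPED},
    CardState.SHIPPED: {CardState.ACTIVE},
}


@dataclass
class CardRequest:
    enrolment_id: str                 # unique, independent of any personal identifier
    state: CardState = CardState.ENROLLED
    chip_activated: bool = False
    history: list = field(default_factory=list)   # (from, to, reason) audit trail

    def _move(self, new_state: CardState, reason: str) -> None:
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(
                f"{self.enrolment_id}: {self.state.name} -> {new_state.name} not allowed")
        self.history.append((self.state.name, new_state.name, reason))
        self.state = new_state


def start_validation(req: CardRequest) -> CardRequest:
    """CMS receives the enrolment record and opens the validation step."""
    req._move(CardState.VALIDATING, "record received from PRS")
    return req


def finish_validation(req: CardRequest, abis_duplicate: bool, external_ok: bool) -> CardRequest:
    """ABIS reports whether the biometrics already exist; external authorities answer separately."""
    if abis_duplicate:
        req._move(CardState.REJECTED, "ABIS: biometrics match an existing record")
    elif not external_ok:
        req._move(CardState.REJECTED, "external authority refused the request")
    else:
        req._move(CardState.APPROVED, "ABIS unique, external checks passed")
    return req


def order_personalization(req: CardRequest) -> CardRequest:
    """Only an approved request may generate a personalization order for the PMS."""
    req._move(CardState.PERSONALIZING, "personalization order sent to PMS")
    return req


def ship_card(req: CardRequest) -> CardRequest:
    req._move(CardState.SHIPPED, "personalized card shipped to issuance office")
    return req


def issue_card(req: CardRequest, biometric_match: bool) -> CardRequest:
    """Issuance office: verify the applicant's biometrics before activating the chip."""
    if req.state is not CardState.SHIPPED:
        raise ValueError(f"{req.enrolment_id}: card is not at the issuance office")
    if not biometric_match:
        # Verification failed: the card stays unactivated and is not handed over.
        req.history.append((req.state.name, req.state.name, "biometric verification failed"))
        return req
    req.chip_activated = True
    req._move(CardState.ACTIVE, "handed over, chip activated, status reported to CMS")
    return req
```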
6 The electronic ID card

6.1 Introduction

The ROM memory of the chip is pre-loaded with various applications that can be created when required, during initial personalization or post-issuance. The card body is made of polycarbonate (PC). As an example of a typical eID we propose the Masktech Pro eID platform on an ST23YR80 microchip from ST Microelectronics. This is a contactless chip, but for the Liberian project it can of course be a contact chip. The product reference of the ST Microelectronics chip is ST23YR80-MHB. This product consists of the following parts:
- a secure microcontroller ST23YR80A
  o a contact version for civil servant cards and for SAM cards
  o a contactless version for the national identity card for citizens, refugees and aliens
- a multi-application platform MTCOS Pro with built-in e-government applications
- Match on Card for fingerprint matching
- a contact module and a contactless module to hold the chip, and an antenna inlay (for contactless cards only)

6.2 eID Chip

The ST23YR80 is a dual contact/contactless smartcard MCU with 80 Kbyte EEPROM, enhanced security, a cryptoprocessor and optimized RF performance. It is based on an enhanced STMicroelectronics 8/16-bit CPU core offering a 16 Mbyte linear addressing space. It is manufactured using an advanced, highly reliable ST CMOS EEPROM technology. An RF interface including an RF universal asynchronous receiver transmitter (RF UART) enables contactless communication up to 848 Kbit/s, compatible with the ISO 14443-B standard. Moreover, an ISO 7816-3 EMV-compliant asynchronous receiver transmitter (IART) communication peripheral is available.

The MTCOS Professional eID platform is a traditional smartcard operating system that incorporates all the functionality needed for use as an electronic travel document, a driving licence, an ePurse, a voter card, an electronic ID card and more. A powerful ISO/IEC multi-application file system is included in MTCOS. Applications are activated or added simply by creating new application directories. Application installation and update are protected by administration keys.
Individual configuration of eMRTD security features such as the BAC, AA, EAC and SAC protocols is also available to the applications on the chip. MTCOS supports the latest version of the GlobalPlatform personalization specification. For example, sensitive data communication is encrypted, and the chips have to be unlocked by cryptographic authentication by means of a SAM card or an HSM. Unauthorized access before personalisation is prevented by transport keys. MTCOS supports a variety of cryptographic methods such as elliptic curves, RSA, 3DES and AES, with key lengths meeting present and future security demands. Further customer-specific cryptographic procedures can be loaded securely in any life cycle phase of the chip.

The card can be configured with the travel document application only, or with e-Government applications and support for advanced signature and PKI authentication features; all combinations are possible. The platform can be upgraded flexibly at the customer's request without changing the ROM mask. The changes are loaded fully encrypted during the OS setup, using a loading mechanism that is Common Criteria certified. The resulting product configuration is fully security tested and certified. Pre- and post-issuance loading of additional applications and plug-ins is done by the Common Criteria certified application loading mechanism and can be done at any time in the card life cycle (definable by the card issuer). Third-party plug-ins such as match-on-card algorithms from different vendors or cryptographic features can be added securely.
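The BAC protocol listed above derives its keys from the card's printed machine-readable zone (MRZ). As an added example, not code from the proposal, Masktech or ST, the block below computes the ICAO 9303 check digits, assembles the MRZ information string and derives the two 3DES keys an inspection system needs before it can read a BAC-protected chip. The document number and dates are those of the ICAO 9303 worked example (no real document); the function names are assumptions.

```python
import hashlib

# Check-digit weights from ICAO Doc 9303: 7, 3, 1 repeating.
_WEIGHTS = (7, 3, 1)


def _char_value(c: str) -> int:
    """Numeric value of an MRZ character: digits as-is, A-Z = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weighted sum of the field, modulo 10."""
    total = sum(_char_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """MRZ_information = document number + CD, date of birth + CD, expiry date + CD."""
    doc = doc_number.upper().ljust(9, "<")   # the document number field is 9 characters, '<' padded
    return (doc + check_digit(doc)
            + birth_yymmdd + check_digit(birth_yymmdd)
            + expiry_yymmdd + check_digit(expiry_yymmdd))


def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte (DES convention: the LSB of each byte is the parity bit)."""
    out = bytearray()
    for b in key:
        ones_in_data_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_data_bits % 2 else 1))
    return bytes(out)


def derive_bac_keys(mrz_info: str) -> dict:
    """Key derivation from ICAO 9303 Part 11 (3DES variant):
    K_seed = SHA-1(MRZ_information)[0:16]
    K_enc  = parity(SHA-1(K_seed || 00000001)[0:16])   encryption key for secure messaging
    K_mac  = parity(SHA-1(K_seed || 00000002)[0:16])   MAC key for secure messaging
    """
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    k_enc = adjust_des_parity(hashlib.sha1(k_seed + (1).to_bytes(4, "big")).digest()[:16])
    k_mac = adjust_des_parity(hashlib.sha1(k_seed + (2).to_bytes(4, "big")).digest()[:16])
    return {"seed": k_seed, "enc": k_enc, "mac": k_mac}


if __name__ == "__main__":
    # Values from the ICAO 9303 worked example (constructed test data, not a real document).
    info = mrz_information("L898902C<", "690806", "940623")
    keys = derive_bac_keys(info)
    print("MRZ_information:", info)
    for name, value in keys.items():
        print(f"K_{name}: {value.hex().upper()}")
```

Both keys are a pure function of data printed on the card, so BAC only demonstrates that the reader has seen the data page; the EAC and SAC options listed above exist to close that gap for the fingerprint and identity applications.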
6.3 eID Applications

The Masktech solution MTCOS Pro 2.1 is dedicated to government projects requiring a secure contactless smartcard platform with multi-application support. This chip allows the government to implement a combination of the following applications:
- Electronic Passport Application (ICAO Doc 9303, BSI TR-03110)
- Electronic ID Card Application (CEN 15480)
- eHealth Application (ISO/IEC 24727)
- International Driver Licence Application (ISO/IEC 18013 compliant)
- eVoting Application
- ePurse Application
- Generic ISO/IEC 7816 compliant applications
6.4 eID Card Body

Zetes proposes full polycarbonate cards made of polycarbonate sheets. The sheets are laminated at the right combination of temperature, time and pressure to make a very durable card with a lifetime of 10 years in normal usage conditions. Card bodies made of 100% polycarbonate provide the highest security and durability of all identification card solutions today, allowing for a lifespan sometimes comfortably in excess of 10 years.

A unique property of polycarbonate is that it cannot be delaminated. Under the appropriate temperature and pressure, the polycarbonate sheets literally fuse together, without glue, creating a homogeneous card body. During lamination, security features are entrapped in the various sheets. Personalization by laser engraving can be applied to polycarbonate cards and is irreversible, which at the same time makes counterfeiting difficult because of the expertise and the very specialized equipment required for personalization.

The card will be compliant with the international standard ISO 7810 for the ID-1 card size and ISO 14443 for cards with a contactless chip. On the next page we show a draft of the layout of the Liberian eID card. Of course this graphic design is just a proposal and can be modified by the Liberian government.
Security Features

The following security features were applied in the Liberian polycarbonate employee card (numbered callouts from the card layout drawing):
1 Three colors offset printing
2 Iridescent color printing
3 Optical variable image (OVI)
4 Guilloche patterns
5 Ultraviolet fluorescent ink
6 Ultraviolet fluorescent guilloche
7 Micro text printing
8 Defect text printing
9 Nano text in special hologram
10 Hologram (DOVID)
11 Digital watermark
12 2D barcode
13 Laser engraving
14 Tactile laser engraving
15 IR anti-Stokes ink
16 Special security ink
17 Contact module
18 Security code
19 Embossed pattern

Further callouts on the drawing: Changeable Laser Image (CLI), two-color guilloche, two-color micro text printing.
Level 3 security features: Special Security Smart Ink (taggants)
7 Registration, and Card Issuance Workstations 7.1 Enrolment solution basic principles The enrolment solution to request an identity document is based both on the collection of biographic as well as biometric information. For the biographic information, the applicant can provide all the information using the appropriate form. This form can be completed before the persons present themselves at the registration center. Obviously these forms can be completed at the center itself. Based on the information recorded on the form, the operator of the registration solution then enters that information into the software solution. In regards to the biometric information, three sets of data will be collected, a photo, a handwritten signature and one or more fingerprints. For the photo, ICAO compliancy is required since it will be used to issue an identity document. This international standard provides guidelines for the capture of (facial) photographs that will later on be used in identity documents in general (could be ID-cards, passports or visas). The fingerprints are used to verify that a single person obtained only one identity document. Also the fingerprint data is governed by ICAO rules and guidelines. Besides the collection of the biometric and biographic information, the proposed software solution will also be able to collect digital scans proof-of-identity documents used to obtain the identity document. Each enrolment record is assigned a unique identifier before it is stored in the local database or when it is transferred to a central system. This unique identifier is independent from any other unique personal identifiers issued to the applicant and recorded by the enrolment solution. This mechanism is used to assure no database conflicts can occur because of an identifier is issued to multiple citizens. Regardless whether the software solution is installed on a fixed or a mobile system, the operational characteristics remain identical. 
Because of the underlying technology used, a translation of the user interface into virtually any language is possible. The default language is English. The application developed by Zetes PASS manages all the resources that make up the station. The standard functionalities are listed further in this document. The specific project requirements will be implemented by the Zetes development team.
7.2 Schematic Enrolment process representation
7.3 Registration Workstations Equipment
The fixed workstation is primarily foreseen to be installed at enrolment offices. It is not the intention to move the configuration once installed (except in some special circumstances). The enrolment application foreseen is a stand-alone client application that communicates the collected enrolment data to the (central) server through the available network infrastructure. The software solution installed on these workstations conforms to the functional specifications as specified in many tender documents.
7.3.1 Registration Solution Module
For a more convenient enrolment experience, Zetes has opted to integrate the different peripherals (except for the camera) into one solution that will be placed on the desk of the official performing the enrolment operation. The peripheral devices described above will be integrated into this solution. The illustration below shows the integrated desktop biometric capture station.
7.3.2 Photo Capture Module
The camera solution is also an integrated solution that combines the high resolution camera with the necessary illumination setup in order to take ICAO compliant pictures of the applicant. The camera assembly will be mounted on a tripod that the operator can adjust in order to adapt the setting to the height of the person. A uniform background will be mounted on a second tripod that must be installed behind the applicant. The illustration below shows the camera assembly.
Figure 3 Integrated desktop biometric capture station (callouts: RFID reader, stylus for the signature pad, fingerprint capture device, signature pad, feedback screen)
Figure 4 Photo Module
7.4 Special Features for the Mobile Registration Workstation
This workstation is primarily meant to give citizens living in remote areas, or who cannot visit one of the enrolment sites, the opportunity to also apply for the identity document. Since in those remote locations the network infrastructure may not always be available, a mobile enrolment station is foreseen. From a software solution point of view, the solution used on the mobile station is virtually identical to the fixed workstation. Some functionalities may differ or may even be absent because a certain peripheral device is not included in the configuration of the mobile installation. One important difference between the two workstations is the communication of the collected information to a central system. For the mobile configurations, the collected data is initially stored in a local database. The collected information is secured using a state-of-the-art encryption algorithm from the moment it is stored in the local database. At given intervals, the data stored in that local database will be exported to an offline medium (USB memory card, CD/DVD). This medium is then sent to the central site for further processing.
7.4.1 The presentation of the kit
The ZETES enrolment kit can operate for at least 8 hours on its batteries. Depending on the number of enrolments per hour this can even extend to more than 12 hours (depending also on the battery configuration). The batteries can be recharged in about 3 hours' time from completely depleted to 100%. There is no need to interrupt the enrolment process to change batteries. The batteries are integrated in the printer and the laptop. Optionally the kit can contain an additional external lithium battery for an autonomy of 2 days or more. This external lithium battery pack can be recharged independently from the laptop or the printer's internal batteries. The external battery pack can power the printer, the laptop or the USB devices via a powered USB hub. The kit case itself is a US Military Standard waterproof case SKB type 3I-2015-10B-E. The enrolment station shown on the next page is a mobile enrolment kit.
7.4.2 Exterior
The case is moulded of ultra high-strength polypropylene copolymer resin, with the following characteristics:
- Waterproof and dust tight design (MIL-C-4150J)
- Submersible design (MIL-C-4150J) that is resistant to corrosion and impact damage
- Moulded-in hinge for added protection
- Trigger release latch system
- Snap-down rubber over-moulded cushion grip handle
- Ambient pressure equalization valve (MIL-STD-648C)
- Resistant to UV, solvents, corrosion, fungus (MIL-STD-810F)
- Resistant to impact damage (MIL-STD-810F)
The case is equipped with a carry handle and an integrated trolley system with two robust wheels and a retractable carry handle. The exterior dimensions of this compact case are 565 x 476 x 304 mm. The case weighs 6,2kg and approximately 8kg including the two foam interiors.
7.4.3 Interior The interior of the case is divided into two interior compartments that are tailor made to contain all the equipment, cables, consumables etc.
The technical drawing on the left illustrates a very similar design to the one that will be produced for this project, based on the same carry case and with a similar configuration (laptop, printer, camera and fingerprint scanner).
The upper interior
All the peripheral equipment such as printer, fingerprint scanner, webcam and signature pad is integrated (with the cables connected) in the upper interior, ready for use. The peripheral equipment is connected to a USB hub inside the upper interior. When the interior is placed on a table, this hub allows easy connection to the laptop using only one (!) USB cable. The camera and its tripod or mounting foot are lifted from the interior and placed on the table or on top of the interior. The upper interior also has an internal cable tray for the USB cables, the AC/DC adapter and power cable of the printer and optionally a lithium ion battery pack. The cable tray is covered with a removable lid.
The upper interior can be taken out of the case using two integrated loops and placed on a table. All the operator has to do is to connect the outgoing USB cable from the upper interior to a free USB port on the laptop. If available, the printer and the laptop can be plugged into the electricity mains.
The lower interior
The laptop is stored in the lower interior together with its AC/DC adapter, power cable and a power surge protection device. The laptop is taken out of the case and placed close to the upper interior on the table. A single USB cable connects the laptop to the USB hub inside the upper interior. This approach has two advantages:
- a compact footprint of the interiors and therefore a compact carry case
- choice of position for citizen and operator (opposite one another or next to one another)
Remark: The layout of the interiors can be adapted to the requirements of the customer.
The inside of the lid is covered with foam to protect the equipment in the upper interior during transportation.
Equipment typically stored in the upper interior (pre-cabled):
- an inkjet printer
- a single fingerprint scanner
- a webcam
- a USB hub with 4 outgoing ports
If necessary, other components can be included such as a signature panel etc.
Equipment and consumables typically stored in the lower part:
- a foldable background panel + tripod
- a tripod or foot for the webcam
- a laptop computer with its extra slice battery, AC/DC adapter and power cable
- a collection of small items such as ink cartridges
The following technical drawings illustrate this concept. The configuration and layout of this example can be modified in relation to the specific requirements of the Ministry of Internal Affairs.
7.5 The Enrolment and Card Issuance Application
This solution has been used or is in use for about 3 years for several national enrolment projects totalling over 30 million individuals and for the registration of visa applications (EU/Eurodac). The enrolment and card issuance application consists of two parts:
1. Part 1: a local enrolment application on the enrolment station. For biometric data acquisition and an absolute minimum of biographic data acquisition we will use a pre-installed Windows application, Zetes PRS. This application can work without a network connection and, because it is a native Windows application, has full control over the local peripherals like the fingerprint scanner, the automated photo booth, signature scanner, etc. and provides a responsive GUI for data manipulation and for image manipulation.
2. Part 2: a browser based user interface to interact with the central Card Management System. This interface is used to perform all tasks not directly related to biographic and biometric data acquisition.
Workflow and Dataflow Management
The application manages configurable sets of input sources, output targets and processing tasks. Input sources can be files, databases, manual input via the keyboard, scanners, photo cameras, fingerprint scanners, etc. Output targets can be files, databases, web services, etc. Processing tasks are automated or interactive procedures to collect data, output data or process data. The system maintains a set of rules that tie input, processing and output together in a pre-defined manner and thereby provide dataflow and workflow management.
Data Validation
All data can be verified and validated according to rules defined by the operating organization or according to international standards from ISO/NIST/ICAO. Data validation takes into account local standards or local resources, like lists of postal codes, names of provinces, etc. Biometric data can be subjected to (semi-)automated quality control, e.g. to guarantee that a facial image meets the ICAO requirements or that fingerprints guarantee accurate results for ABIS processing or 1:1 checks.
Biographic and Biometric Data Acquisition
The PRS application can be used to perform multi-biometric data acquisition such as facial image and fingerprint image collection and can easily be extended to other forms of biometrics like full palm prints, iris, etc.
Flexible Data Output
Data output can be provided in any format and protocol. Popular output formats are XML, flat text, SQL scripts, binary formats for images or NIST/ICAO/ISO data formats. Output protocols can be anything from file transfer and SOAP based web services to local and remote database access.
Stand-Alone Operation and Connected Operation
The PRS application is a completely autonomous application that can be operated in stand-alone mode or in connected mode. In stand-alone mode the application can perform a complete enrolment procedure or card handover procedure. All data is stored locally and can be synchronized with a central system if and when required. In connected mode the application can link with a central system either in classic client/server mode or in a loosely coupled, asynchronous mode based on SOAP-based web services.
Security
Data records can be encrypted and signed. Operators need to authenticate by means of user ID and password or fingerprint.
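As an added example for the offline export described in section 7.4 and for the "Data records can be encrypted and signed" statement above (example code written for this summary, not Zetes PRS code): a mobile station seals a batch of enrolment records with AES-256-GCM, which both encrypts and authenticates, before the batch is copied to the USB medium, and the central site refuses the batch if it was modified in transit, opened with another station's key, or re-imported under a different batch number. The record layout, the station and batch labels, the file magic and the demo key derivation are constructed assumptions; the page does not name the algorithm Zetes uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// EnrolmentRecord is a constructed, reduced shape of what a mobile station
// collects; real records carry the full biographic data and ICAO-format biometrics.
type EnrolmentRecord struct {
	RecordID    string `json:"record_id"` // station-assigned, independent of any personal identifier
	Surname     string `json:"surname"`
	GivenNames  string `json:"given_names"`
	Photo       []byte `json:"photo"`
	Fingerprint []byte `json:"fingerprint"`
}

const batchMagic = "ENR1" // hypothetical format tag at the start of an export file

// batchAD binds a batch to its station and sequence number as GCM associated
// data: a medium relabelled for another station or batch number will not open.
func batchAD(station string, batch uint32) []byte {
	return []byte(fmt.Sprintf("%s|batch=%d", station, batch))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBatch serialises the records and encrypts them with AES-256-GCM under a
// fresh random nonce. Output layout: magic || nonce || ciphertext || tag.
func SealBatch(key []byte, station string, batch uint32, records []EnrolmentRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(records)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte(batchMagic), nonce...)
	return gcm.Seal(out, nonce, plain, batchAD(station, batch)), nil
}

// OpenBatch is the central-site import. A flipped bit, a wrong key or a
// mismatched station/batch label fails authentication before any record is parsed.
func OpenBatch(key []byte, station string, batch uint32, blob []byte) ([]EnrolmentRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := len(batchMagic) + gcm.NonceSize()
	if len(blob) < hdr+gcm.Overhead() || !bytes.HasPrefix(blob, []byte(batchMagic)) {
		return nil, errors.New("not an export batch")
	}
	plain, err := gcm.Open(nil, blob[len(batchMagic):hdr], blob[hdr:], batchAD(station, batch))
	if err != nil {
		return nil, fmt.Errorf("batch rejected: %w", err)
	}
	var records []EnrolmentRecord
	if err := json.Unmarshal(plain, &records); err != nil {
		return nil, err
	}
	return records, nil
}

// DemoKey derives a fixed 32-byte key from a label so the example runs offline.
// A real station key is provisioned per device and kept in protected storage.
func DemoKey(label string) []byte {
	sum := sha256.Sum256([]byte("constructed-demo-key:" + label))
	return sum[:]
}

func main() {
	key := DemoKey("MOBILE-07")
	recs := []EnrolmentRecord{{RecordID: "MOBILE-07-000001", Surname: "Doe", GivenNames: "Jane",
		Photo: []byte{0xff, 0xd8}, Fingerprint: []byte{0x46, 0x4d, 0x52}}} // constructed sample
	blob, err := SealBatch(key, "MOBILE-07", 1, recs)
	if err != nil {
		panic(err)
	}
	back, err := OpenBatch(key, "MOBILE-07", 1, blob)
	fmt.Println(len(blob), "bytes on the medium;", len(back), "record(s) recovered; err =", err)
}
```

Binding the station id and batch number as associated data is what makes a relabelled or replayed medium fail at the central site; the nonce is random per batch, so one station key can seal many batches, and the authentication tag covers the whole JSON payload, so a truncated or edited file is rejected before any record is parsed.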
Modular and Extensible Architecture
The PRS application is like a framework around a set of plug-ins. These plug-ins are usually single-task modules which are either simple single-screen or multi-screen user dialogs. Multi-screen plug-ins can be sequential wizards or a set of separate tab pages. Most importantly, the architecture allows third parties to add their own plug-ins to extend or modify the application. This guarantees the government that the application can be enhanced to fulfill future needs and that the government is not locked in by a single supplier for the maintenance of such a strategic application.
8 Card Management System
8.1 The CMS Application
The CMS is the central part of the system. It integrates with the other systems such as the ABIS and the PMS and it manages the workflow and data flow between the various systems. The CMS is a J2EE application that will be hosted on a cluster of Java application servers. The data for the CMS is stored on the central storage system in a dedicated Oracle database.
Figure 5 Schematic Overview
CMS takes care of:
- validation of all requests for cards with the ABIS and external authorities
- storing the history and data associated with citizens and cards
- generation of daily orders for personalization of cards
- managing the life cycle of cards and the applications and data on those cards
- cryptographic key management for card issuance, card updates, etc.
- secure activation of the eID card at handover
- post issuance updates of applications and data on the eID card
The CMS manages the card holders, cards and applications and their lifecycles based on configuration data such as issuers, target groups, card types, card programs, card personalization bureaus, chip types, operating system, application data, application versions, etc. which are all stored in a secured Oracle database.
The CMS operators use a web-based GUI (see picture below). The CMS contains the logic and processes to perform all the required tasks in cooperation with the other elements mentioned. The CMS creates an audit trail of all actions and it can generate a number of standard reports for these actions and the entities mentioned.
Our proposal for the Card Management System is built around a specialized product called Token Manager. Token Manager is a professional Card and Application Management System (CAMS) used by dozens of governments and financial institutions for managing the issuance and life cycle of a few hundred thousand to tens of millions of cards. On one hand the bulk of the functionality has to be implemented and deployed in the very short timeframe of only 18 months and on the other hand the system will be extended and enhanced to handle the card management for 5 years and beyond. We decided to choose a standard product as the centerpiece of our concept instead of building a system from the ground up. The number one challenge is to have all of the most relevant functions up and running in less than a year's time. We feel that using a tried and tested product is the best answer to meet this challenge. The Token Manager card management product is the sixth generation of a product line with a history of more than 15 years. The manufacturer of this system only produces 1 product for 1 purpose: mass volume card management. The integrator of this project, Zetes, has over 10 years' experience with managing the Belgian and Israeli eID-card projects, each of a comparable scale and complexity to the present project. Zetes also has a proven track record for implementing and deploying a mass registration and enrolment system for the United Nations and a national government, involving the collection and deduplication of digital photographs and fingerprints for up to 30 million people. The experience of Zetes is unique in the market and will be a key factor for the success of this project.
8.2 The Concept of Lifecycle Management for eID Cards
A key concept of the CMS is that of lifecycle. A life cycle defines the business logic that is applied to a passport or card from start till finish. The life cycle defines all the states and state transitions that can happen to a card during its lifetime. This means that a card can never be brought into an undetermined state and that the state of all cards is known at all times. The lifecycle concept is even more important for the eID card than for a passport or a card without chip. An eID card is not designed to be a single purpose, static document that doesn't change during its five year lifespan. The eID card is a state of the art, complex multi-application card. Managing the life cycle of such a card also means managing the lifecycles of the various applications on the card and managing the life cycle of the card holder. All these life cycles are interconnected and form a complex web of relations. Manual interventions or automatic actions can be both the cause and the result of a change of state in an object's life cycle. Lifecycles also influence other lifecycles; a change in the state of a card application could also cause a change in the state of the card.
Lifecycles are THE core design concept of the product. Lifecycles are applied to everything: cards, card holders, card types, applications, application programs, target groups, etc. All objects with a lifecycle are managed from start to finish, spanning several years. Below is an example of a typical lifecycle for a national eID card. The transitions in the card life cycle are closely linked to the workflow of enrolment, validation of the requests with the ABIS, payment check, police watch lists, etc., followed by acceptance of the request, data preparation, personalization, shipment, card activation, operational use of the card (active card <-> block/unblock card) until finally the card reaches its end of life.
Figure 6 Example of a Card Lifecycle / Workflow
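As an added illustration of the lifecycle concept (example code written for this summary, not code from Zetes or the Token Manager product), the following Go program models a card lifecycle as an explicit transition table. The state and event names are assumed and loosely follow the enrolment-to-end-of-life chain described above; every (state, event) pair not in the table is refused, so a card cannot reach an undetermined state, and every attempt, applied or refused, is written to an audit trail, as the CMS is said to do for all actions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// State enumerates the card states of this illustrative lifecycle.
type State string

const (
	Requested    State = "REQUESTED"     // enrolment record received
	Validated    State = "VALIDATED"     // ABIS, payment and watch-list checks passed
	Rejected     State = "REJECTED"
	Prepared     State = "DATA_PREPARED" // ready for personalization
	Personalized State = "PERSONALIZED"
	Shipped      State = "SHIPPED"       // on its way to the registration office
	Active       State = "ACTIVE"        // securely activated at handover
	Blocked      State = "BLOCKED"
	EndOfLife    State = "END_OF_LIFE"
)

// Event names a manual intervention or automatic action that may move a card.
type Event string

const (
	EvValidate    Event = "validate"
	EvReject      Event = "reject"
	EvPrepare     Event = "prepare_data"
	EvPersonalize Event = "personalize"
	EvShip        Event = "ship"
	EvActivate    Event = "activate"
	EvBlock       Event = "block"
	EvUnblock     Event = "unblock"
	EvRetire      Event = "retire"
)

// transitions is the complete lifecycle graph (assumed for this example):
// state -> event -> next state. Any pair missing here is refused, which is
// what keeps every card in a determined state.
var transitions = map[State]map[Event]State{
	Requested:    {EvValidate: Validated, EvReject: Rejected},
	Validated:    {EvPrepare: Prepared},
	Prepared:     {EvPersonalize: Personalized},
	Personalized: {EvShip: Shipped},
	Shipped:      {EvActivate: Active, EvRetire: EndOfLife}, // retire: never collected
	Active:       {EvBlock: Blocked, EvRetire: EndOfLife},
	Blocked:      {EvUnblock: Active, EvRetire: EndOfLife},
}

var ErrForbidden = errors.New("lifecycle: transition not allowed")

// AuditEntry records one attempted transition, applied or refused.
type AuditEntry struct {
	When  time.Time
	Actor string
	From  State
	Event Event
	To    State
	OK    bool
}

type Card struct {
	ID    string
	state State
	audit []AuditEntry
}

func NewCard(id string) *Card { return &Card{ID: id, state: Requested} }

func (c *Card) State() State        { return c.state }
func (c *Card) Audit() []AuditEntry { return c.audit }

// Apply moves the card along one edge; a refused transition leaves the state
// untouched but is still written to the audit trail.
func (c *Card) Apply(actor string, ev Event) error {
	to, ok := transitions[c.state][ev]
	entry := AuditEntry{When: time.Now().UTC(), Actor: actor, From: c.state, Event: ev, To: c.state, OK: ok}
	if ok {
		entry.To, c.state = to, to
	}
	c.audit = append(c.audit, entry)
	if !ok {
		return fmt.Errorf("%w: %q in state %s", ErrForbidden, ev, c.state)
	}
	return nil
}

// Terminal reports whether no event can ever move a card out of s.
func Terminal(s State) bool { return len(transitions[s]) == 0 }

func main() {
	c := NewCard("CARD-000001") // constructed sample id
	for _, ev := range []Event{EvActivate, EvValidate, EvPrepare, EvPersonalize, EvShip, EvActivate} {
		if err := c.Apply("cms-operator", ev); err != nil {
			fmt.Println("refused:", err)
		}
	}
	fmt.Println("final state:", c.State(), "audit entries:", len(c.Audit()))
}
```

The table is the only place the business logic lives, so adding a card type with a different lifecycle means adding a table, not code paths; a refused transition is still logged, which is what lets an operator later see that someone tried to activate a card that had never been personalized.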
For the Liberian project the CMS can be configured for the following card types:
- 3 types of eID cards using a contactless chip and 1 applet
  o card type for citizens
  o card type for refugees (to be discussed)
  o card type for aliens (to be discussed)
- SAM cards used in the card readers at the registration offices
- cards for civil servants for authentication, digital signature and (physical) access control (*)
For each type a specific card life cycle will be created.
(*) Depending on the outcome of the design phase it is possible that the cards for the civil servants will be managed and personalized outside of the CMS, e.g. using the smartcard and certificate management tools of the Windows Domain Controller and the Windows Certificate Server. This will depend on the government's preferences and on practical considerations.
9 Electronic Document Management System (EDMS)
9.1 Document Management
In our proposal the EDMS consists of three parts:
1. the enrolment stations that scan the supporting documents presented by applicants for an eID
2. the scan stations at the Ministry of Internal Affairs that scan the new paper forms for refugees and aliens
3. the central document archive, which is an integral part of the CMS
9.2 Document Scanning
The documents will be scanned at a resolution of 300 dpi. The documents originate from two sources:
- The enrolment stations for enrolling citizens requesting an eID card. Every enrolment station is equipped with one A4 flatbed scanner.
- A group of scan stations with autofeed scanners at the government's data centre to scan the registration form used by the Ministry of Internal Affairs.
The scanned documents will be converted into PDF/A documents. Where the type and quality of the document allow, we will apply OCR and text indexing to make the PDF/A searchable. In all cases the image(s) contained in the PDF/A will be compressed to reduce the PDF/A to an acceptable size for data transmission and storage in the central document archive. The compression ratio and the choice between colour, grayscale or black&white will be specific to each document in order to obtain the best possible compromise between size and visual quality. However, at all times the compression rate must guarantee that the size of the PDF/A documents stays below a pre-defined maximum, due to the limitations in bandwidth and storage space. We performed extensive testing using various compression rates for colour and grayscale scans of birth certificates and 2GID cards. This resulted in the following:
Scanned Supporting Documents for Citizens when applying for an eID:
- one 2GID ID card, both sides, colour or grayscale
- one birth certificate, colour or grayscale
- one text document (2 pages), black&white
The total size of all PDF/A documents combined may not exceed 480 kbyte / citizen.
9.3 Document Storage and Retrieval
The CMS is designed to store images and documents that are associated with cards and card holders, such as facial images, fingerprint images and signature images as well as images of scanned documents. The CMS stores these objects in their original formats and adds additional information such as document type, dates, purpose, comments, etc. An object is always associated with a card holder or a specific card (which is linked to a specific card holder). We have foreseen two use cases for PDF/A archival inside the CMS database:
- citizens: supporting documents for the application for an ID card
- refugees and aliens: a newly designed paper form for the registration of refugees and aliens
Images and documents are stored in the CMS database which is hosted on a Storage Area Network. These objects are therefore always available, unlike objects stored on a tape archive. By including the objects in the database the CMS/EDMS can use the database's data protection mechanisms and data backup mechanisms. In contrast to other data in the CMS database these images and documents are archived and are not frequently retrieved or updated. Therefore the CMS database provides a mechanism to optimize the balance between cost and performance. The CMS puts images and documents in a part of the database that is hosted on a part of the storage system that uses large (but slower) disks. The other data of the CMS database is hosted on a part of the storage system that uses fast (but smaller) disks.
Documents can be retrieved from the CMS/EDMS database in three ways:
- by direct reference (card reference or card holder reference)
- by query on metadata such as document type + date range combined with any card or card holder attribute
- by text search, for those PDF/A documents that allow text search (this requires OCR and text indexing when the PDF/A is generated), using the Oracle Text feature of the Oracle database
10 Card Personalization
10.1 The Personalization Management System
It should be noted that Zetes has proven experience in setting up fully equipped personalization sites for the governments of Belgium, Israel and Ivory Coast, either in Build & Transfer or in Build & Operate. The primary task of the Personalization Management System is to prepare, synchronize and monitor the material flow, data flow and workflow which will ultimately lead to the personalization of passport booklets. The PMS manages the day to day operations in the personalization centre and is in direct control of the personalisation machines, the quality check stations, etc. The PMS has a modular design and consists of the following modules:
- Data Preparation
- Interfaces with PKI and Document Signer
- Job Scheduling and Assignment of staff and resources to jobs
- Generation of Production / Personalization Batches
- Audit Trace, Reporting and Statistics
- Inventory Management
- Quality Assurance
- Shipment
10.2 The Personalization Machines
Depending on the size of the project and the daily number of cards we will need to decide on the type of machines to personalize the cards. For another eID project in another country we would require a daily personalization capacity of 10,000 cards in 2 x 8-hour shifts. The proposed systems are two Datacard MPR5800 machines:
- 1 operational line
- 1 standby line
Figure 7 Datacard MPR5800
These personalization lines are fully automated and can perform the personalization of an identity card in a single, uninterrupted personalization cycle. Each machine can provide a production rate of 1550 cards per hour and does inline quality checks before and after laser engraving. These machines have a modular architecture and can be reconfigured or refurbished to meet future requirements.
10.3 PKI Infrastructure for Document Signing
Our proposal includes a PKI for Document Signing. Document Signing is an essential part of the personalization procedure. This infrastructure digitally signs the data that will be written to the chip. This digital signature allows relying parties (police, banks, ...) to verify the authenticity of the data when they read the eID card. The Document Signing infrastructure consists of three components:
- Country Signing Certificate Authority (CSCA) + Administration Client: the CSCA holds the root key for validating the authenticity of the logical data structure on the chip.
- Document Signer (DS): the DS is closely integrated within the PMS and creates and signs the Document Security Object (SOD) of the logical data structure on the chip. DS certificates are renewed regularly by the CSCA.
- LDAP Directory Upload Workstation: a workstation connected to upload certificates and CRLs to an LDAP directory.
All components that have to protect private keys will use HSMs from Thales. The Document Signers and the CSCA will share a set of nShield Connect 500.
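The document signing chain described above, as an added example in Go's standard library (written for this summary; not Zetes, Thales or ICAO reference code): a self-signed CSCA certificate, a short-lived Document Signer certificate issued under it, a simplified security object holding one SHA-256 hash per data group signed with the DS key, and the relying party's check that chains the DS certificate to a trusted CSCA, verifies the signature and compares each data group read from the chip against its signed hash. The ECDSA P-256 key type, the validity periods and the line-based encoding of the hash table are assumptions made for illustration; the real SOD is an ASN.1 CMS structure as specified by ICAO, and in production the private keys stay inside the HSM rather than in process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert generates a P-256 key pair and a certificate for it from tmpl; with signer == nil it is self-signed.
func keyAndCert(tmpl, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCSCA creates the long-lived root; its private key belongs in an HSM.
func NewCSCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return keyAndCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(15, 0, 0), // assumed validity
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// NewDocumentSigner issues a short-lived DS certificate under the CSCA.
func NewDocumentSigner(csca *x509.Certificate, cscaKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return keyAndCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("DS-%d", serial)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 3, 0), // assumed validity
		KeyUsage: x509.KeyUsageDigitalSignature,
	}, csca, cscaKey)
}

// SecurityObject is a simplified stand-in for the SOD: hash per data group, DS signature, DS certificate.
type SecurityObject struct {
	Hashes map[int][32]byte
	Sig    []byte
	DS     *x509.Certificate
}

// encodeHashes is the canonical byte string that is signed (DG1..DG16 in order).
func encodeHashes(h map[int][32]byte) []byte {
	var out []byte
	for n := 1; n <= 16; n++ {
		if sum, ok := h[n]; ok {
			out = append(out, fmt.Sprintf("DG%d:%x\n", n, sum)...)
		}
	}
	return out
}

// SignDataGroups is the personalization-time step: hash each data group
// written to the chip and sign the hash table with the DS key.
func SignDataGroups(dgs map[int][]byte, ds *x509.Certificate, dsKey *ecdsa.PrivateKey) (*SecurityObject, error) {
	hashes := make(map[int][32]byte, len(dgs))
	for n, dg := range dgs {
		hashes[n] = sha256.Sum256(dg)
	}
	digest := sha256.Sum256(encodeHashes(hashes))
	sig, err := ecdsa.SignASN1(rand.Reader, dsKey, digest[:])
	return &SecurityObject{Hashes: hashes, Sig: sig, DS: ds}, err
}

// Verify is the relying party's check when the card is read: DS chains to a trusted
// CSCA, the signature is valid, and every data group read matches its signed hash.
func Verify(sod *SecurityObject, dgs map[int][]byte, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _,    err := sod.DS.Verify(opts); err != nil {
		return fmt.Errorf("document signer not trusted: %w", err)
	}
	pub, ok := sod.DS.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(encodeHashes(sod.Hashes))
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sod.Sig) {
		return errors.New("security object signature invalid")
	}
	for n, dg := range dgs {
		if want, present := sod.Hashes[n]; !present || sha256.Sum256(dg) != want {
			return fmt.Errorf("DG%d is absent from the security object or has been altered", n)
		}
	}
	return nil
}
```

The relying party never needs the DS private key or any online service: it trusts the CSCA certificate it was given out of band (the page's LDAP directory is one distribution channel), and the short DS validity limits how much a compromised signer key could sign before rotation; revocation via the CRLs the page mentions is left out of this example.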
11 ABIS
Our proposal includes a multi-modal Automated Biometric Identification System (ABIS). The ABIS consists of the following components:
- the ABIS Control Application, an application front end for managing incoming requests for verification, identification and registration of biometric data
- a database for storing biometric images and templates
- clusters of fast matching engines for face matching and fingerprint matching
- an operator tool for manual arbitration of suspected duplicates
- an expert tool for analyzing and comparing fingerprints
- a scan station for scanning ink cards with (rolled) fingerprints
- a set of tools for data migration from the legacy 2GID system into the new system
The scale of the project and the fact that the deduplication will combine fingerprints and face for an entire population have prompted us to optimize the system architecture and deduplication strategy accordingly. We understand that the government does not want to rely on filtering or classification to reduce the workload of the deduplication infrastructure. We also realize that the nature of the project requires an inclusive approach whereby every citizen is included, even those whose biometric features do not meet normal quality levels. All operations can be done using face, fingers or both. Fingerprint matching is supported for rolled fingerprints, flat fingerprints or intermixed (rolled against flat or vice versa). For best performance and accuracy we strongly recommend that deduplication and identification are always done using fingers and that face is used optionally for special cases. The ABIS can be extended to support iris or palm print matching in the future. The ABIS can be used to perform face and fingerprint matching in any order and either separately or in fused mode (a single score for face and finger). The infrastructure has reserve capacity and provides full fault tolerance. The servers and the storage system are high quality, high performance equipment. All essential equipment is fully redundant and all essential applications are clustered for fault tolerance and to allow future extension of the ABIS.
The central ABIS is integrated with the CMS and can be integrated with other applications by means of a web services interface. All biometric data is stored in an accessible Oracle RDBMS database for retrieval and use by other applications through standard SQL interfaces. The ABIS system architecture is a Java based Web Services framework that provides input and output in XML formats consistent with Web Services used in modern system architectures. The ABIS Matching Engines are grouped in three clusters, two for fingerprints and one for face. Each cluster consists of 12 identical servers. All 12 servers can perform matching: 10 are operational nodes and 2 are configured as hot standby nodes. 3 of the 12 servers can act as cluster server (i.e. manage the cluster): 1 is the operational cluster server and 2 are hot standby cluster servers. The hardware configuration of the servers for fingerprint matching and face matching is identical with the exception of the RAM memory.
The proposed solution includes the infrastructure for deduplication, identification and verification of up to 35 million citizens, extensible to up to 50 million citizens. For every citizen 1 facial image and 10 fingerprints (either rolled or flat fingerprints) are stored in the ABIS. With a full database of 35 million records the proposed solution can handle 400,000 10-print searches and 88,000 face searches per day. In other words, the clusters for fingerprint matching and face matching have sufficient spare capacity even for peak days of 75,000 transactions. The response times with a full database of 35 million people are in the order of 0,4 seconds for matching 10 fingerprints and 1 second for matching 1 face.
12 Other components

12.1 WAN over 3G/EDGE Solution

The Registration Offices will be connected to the Ministry of Internal Affairs through the existing 3G/EDGE data network of a telecom operator. Our proposal includes one 3G/EDGE USB dongle for every enrolment station as well as the fiber connection of the data center to the operator's backhaul link. This backhaul link shall terminate at the telecom provider's GPRS gateway for data traffic to the head office. The telecommunication costs (subscription, data volumes, etc.) will be borne by the government.
12.2 BIMS Solution

The system shall have a business information management (BIMS) tool to manage data through the whole card issuance process, from the application submission and card delivery up to the issuance of the card to the applicant. The main purpose of this tool is to provide information and produce reports and statistics for Enrolment, Verification and validation, Production, Card management life cycle, Revenue collection, ICT asset management, Application status follow-ups, Anomalies and exceptions, System activity analysis, User activity analysis and Ad-hoc reports by means of:
- Business intelligence
- Trend analysis
- Dashboards
12.3 Query Management and Stakeholders Interface Solution

Our proposal for the government system includes a web service oriented interface and query system to allow consultation of various information and services by external organizations and to provide information as described below:
- Registration of Births and Deaths, e.g. for the declaration of deaths and births by a variety of stakeholders (local authorities, hospitals, embassies, etc.)
- Population Registration System (PRS), e.g. for consultation or update of the civil status of a person
- Social Security funds, for consultation of the civil status or for verification of the identity of a person claiming social benefits
- Liberian Police, e.g. for consultation of the civil status or the verification of the identity of victims or suspects, as well as the identification of people without proof of ID, for the declaration of loss or theft of an identity card, for checking the status of an identity card, etc.
- Revenue authorities, e.g. for consultation of the civil status, place of residence, composition of the household, etc.
- Financial Institutions, e.g. for the verification of a person's identity or for checking the status of an identity card (lost, stolen, non-existent, etc.)
12.4 CRM Solution

The customer care function will provide a web based function that will be available to stakeholders and applicants to make enquiries on the following:
- Services offered by the government
- Status of application
- Lost and found ID cards
- Verification of ID cards

The applicant will query the subsystem via the Internet or SMS, giving his/her application number, whilst system security is ensured. The applicant will also be reached by an automatically issued SMS or email message when their card is ready for collection at the registration centre or when the application cannot be processed properly.
12.5 ICT Asset Management and Helpdesk Solution

ServiceDesk integrates the government help desk requests and assets to help the government manage their IT effectively. It helps the government to implement best practices and troubleshoot IT service requests faster. ServiceDesk Plus is a highly customizable, easy-to-implement help desk software. The government will be responsible for:
- Management of ICT equipment.
- Providing the Help Desk facility for staff, stakeholders and citizens.
12.6 The Cryptographic Infrastructure

The technical architecture of our proposal includes cryptographic infrastructure known as Hardware Security Modules or HSM. This infrastructure is used to protect cryptographic keys that are used to encrypt and/or digitally sign data. In this project HSMs are used for the following purposes:
- The card personalization infrastructure uses HSMs to secure the keys that are used to apply a digital signature to the data files on the chip (the Document Signer infrastructure).
- The Card Management System uses the HSMs to secure the keys with which cards can be locked, unlocked and updated after issuance (activation and post-issuance card management).
- The Card Management System and the ABIS can use the HSMs for encrypting sensitive data stored in databases (a feature of the Oracle Database Enterprise Edition option Advanced Security).

The central infrastructure relies on HSM devices to protect important cryptographic keys from duplication, destruction or unauthorized use. By using network-connected HSMs, multiple servers and applications can share one or more HSMs. The HSMs are logically grouped in clusters of two or more HSMs to achieve high availability and load balancing. Each HSM can service multiple applications and segregates the key material per application. All communication between the applications and the HSMs is secured and applications have to authenticate to the HSM. For additional security the HSM clusters are put in separate VLAN segments and benefit from the access control rules and filters imposed by the network switch.
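The key-protection properties listed above (keys never leave the module, callers must authenticate, key material is segregated per application) are easier to reason about with a concrete model. The following is an added example, not Zetes code and not any vendor's HSM API: a small in-process stand-in for an HSM partition table, used by a Document Signer step that signs each chip data file and by a verifier that detects a swapped file. An HMAC-SHA256 stands in for the asymmetric Document Signer signature because the Python standard library has no RSA or ECDSA; that also means verification goes through the module here, whereas a real document signature is verified by anyone holding the signer certificate. Application names, credentials, key labels and file contents are constructed sample values.

```python
"""HSM-style key isolation for a Document Signer step (added example).

Models three properties: keys are generated inside the module and only a
label ever leaves it; every call must authenticate; each application can
only reach keys in its own partition. HMAC-SHA256 is a stand-in for the
real asymmetric signature (assumption: stdlib only).
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


class HsmError(Exception):
    """Raised when the module refuses an operation (bad credential, unknown key)."""


class SoftHsm:
    """In-process stand-in for an HSM partition table (constructed, not a real device)."""

    def __init__(self) -> None:
        self._creds: Dict[str, bytes] = {}            # app -> sha256(credential)
        self._keys: Dict[str, Dict[str, bytes]] = {}  # app -> key label -> key bytes
        self.audit: List[Tuple[str, ...]] = []        # every decision is logged

    def register_application(self, app: str, credential: str) -> None:
        self._creds[app] = hashlib.sha256(credential.encode()).digest()
        self._keys[app] = {}

    def _authenticate(self, app: str, credential: str) -> None:
        expected = self._creds.get(app)
        given = hashlib.sha256(credential.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            self.audit.append(("auth_failure", app))
            raise HsmError("authentication failed")

    def generate_key(self, app: str, credential: str, label: str) -> str:
        """Generate key material inside the module; the caller only gets the label."""
        self._authenticate(app, credential)
        self._keys[app][label] = secrets.token_bytes(32)
        self.audit.append(("generate", app, label))
        return label

    def _mac(self, app: str, credential: str, label: str, data: bytes) -> bytes:
        self._authenticate(app, credential)
        key = self._keys[app].get(label)   # lookup is scoped to the caller's partition
        if key is None:
            self.audit.append(("no_such_key", app, label))
            raise HsmError("key not found in this application's partition")
        return hmac.new(key, data, hashlib.sha256).digest()

    def sign(self, app: str, credential: str, label: str, data: bytes) -> bytes:
        self.audit.append(("sign", app, label))
        return self._mac(app, credential, label, data)

    def verify(self, app: str, credential: str, label: str, data: bytes, sig: bytes) -> bool:
        self.audit.append(("verify", app, label))
        return hmac.compare_digest(self._mac(app, credential, label, data), sig)


def _bind(name: str, content: bytes) -> bytes:
    # Bind the file name into the signed bytes so files cannot be swapped between slots.
    return name.encode() + b"\0" + content


def sign_chip_files(hsm: SoftHsm, app: str, credential: str, label: str,
                    files: Dict[str, bytes]) -> Dict[str, bytes]:
    """Document Signer step: one signature per chip data file, keyed by file name."""
    return {name: hsm.sign(app, credential, label, _bind(name, content))
            for name, content in files.items()}


def verify_chip_files(hsm: SoftHsm, app: str, credential: str, label: str,
                      files: Dict[str, bytes], sigs: Dict[str, bytes]) -> Dict[str, bool]:
    """Check every file; a missing signature counts as a failure, not an error."""
    return {name: hsm.verify(app, credential, label, _bind(name, content), sigs.get(name, b""))
            for name, content in files.items()}


def attempt_sign(hsm: SoftHsm, app: str, credential: str, label: str, data: bytes) -> str:
    """Return 'ok' or 'denied' so policy checks can be expressed without exceptions."""
    try:
        hsm.sign(app, credential, label, data)
        return "ok"
    except HsmError:
        return "denied"
```

The point of the partition lookup in `_mac` is the segregation property from the text: the Card Management System, even with a valid credential of its own, cannot reach the Document Signer's key, and the refusal is written to the audit list where an operator would expect to see it.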
13 Project Execution

13.1 The Business Continuity Plan

In Phase 1 of this project Zetes and the government would work closely together to define and test a backup plan, a disaster recovery plan, a contingency plan and a business continuity plan. This task is covered by a separate work package that is clearly mentioned in the project plan in our proposal. All plans will take into account the specific conditions of this project, such as the fact that all the critical resources are located in the same building. Zetes will formulate recommendations that stay within the conditions and limitations imposed by the present RFP. For the government's benefit Zetes will also make recommendations that may go beyond these limitations, for example: keep an additional (cold standby) personalization machine and part of the stock of blank cards in a different part of town.

The government is simultaneously operator and owner of the critical business processes that are covered by the Business Continuity Plan. The government will perform the daily tasks to keep the organization and the infrastructure prepared in case of emergencies or disaster. Finally, government staff will be trained and prepared so they are able to manage the recovery process (with some assistance from Zetes if desired).

Zetes puts its know-how on ISO 27001 at the disposal of its customers worldwide, regardless of whether the project takes the form of a Personalisation Service, a Build & Operate project or a Build & Transfer project. For Build & Transfer projects Zetes assists the customer in establishing a Business Continuity Plan based on the ISO 27000x practices and guidelines, taking into account the specific limitations of the customer.
13.2 Training Plan

The assistance of the Ministry of Internal Affairs is a fundamental element of our vision of the project for the design, development, supply, installation, testing and commissioning of the smart identity cards of Liberia. It guarantees not only the good progress of the project and the achievement of its goals, but also makes the Ministry of Internal Affairs independent in its management and control of the newly set up systems. This assistance covers several themes which seem to us fundamental:
- "Coaching" and knowledge transfer alongside the agents (mainly ICT). This mission will have to guarantee the autonomy and the maintenance of the system after its commissioning.
- Training (functional and technical) of the registration office agents, of the central site and of the personalization sites.
- The participation and involvement of the MOI staff.
- The assistance for the roll-out.

The importance of the training for the end users with regard to the effective integration of the new systems cannot be underestimated. Through the experience acquired during similar projects, we recommend as much as possible the "Train the Trainer" approach for the training of the users. The objective is to train agents of the MOI; these agents will then take care of the end-user training.

The transfer of knowledge towards the ICT staff is expressly planned throughout the various phases of the project, and more particularly through the review and reception sessions. This approach will allow the MOI to take the measure of the functional and technical dimensions of the implemented global system. The involvement of the Ministry staff is intended to be respectful of time and resources, but is essential in the project approach.

The assistance in the deployment has the objective of assisting the MOI after the roll-out of the system: by assisting the Help Desk, by technical support in terms of control of the technical infrastructure supporting the system in general, and by advice in the follow-up of the training initiatives of the users. All the aspects described above are an integral part of the methodology that we implement in all the big projects that we lead in the field of people identification.
13.2.1 Training methodology

The Train the Trainer methodology will be employed, whereby selected users will be trained and provided with the material necessary to present the training course to further users of the system. These users will be responsible for the ongoing training of the end users of MIRP. All users, trainers and support personnel will need training and/or resources at different levels. Comprehensive training is a critical requirement for all persons central to the implementation process. Training will be intense in different components, and careful planning and scheduling is necessary.

ZETES will organize the training for the various users of the system deployed throughout Liberia. Several types of users will follow dedicated training:
- The supervisors, their deputies and the operators of the Enrolment Workstations will follow a proven training cascade that has previously been used successfully in projects in Congo, where more than 20,000 operators were brought up to speed in record time. It is recommended that 2 operators per Enrolment Workstation be trained for the enrolment. A model of such training is provided below in the document.
- Operators in registration centers that require access to the system will be trained by specialized and experienced members of ZETES and its partners; this training will be organized at the level of the woredas.
- At central level, specialized training will be given for the Card and Application Management System, ABIS, Business Information Management System, Customer Relationship Management Portal, Query System/Stakeholder information system, Billing system and ICT.
- The card manufacturing and personalization center will be operated by personnel hired by the members of ZETES and its partners. Gradually over the course of the project, government-appointed personnel will be trained, familiarized and integrated into the operations in preparation of the transfer of the infrastructure to the Government of Liberia after the expiration of the contract.
Most training modules consist of a balance between theory and practical exercises, allowing the trainees to get a solid theoretical foundation and hands on experience during the training sessions. Each module is put in the context of a business case or realistic situations, allowing trainees to see the bigger picture and to put the lessons learned in perspective.
13.2.2 Training programs list

In accordance with many tender specifications and based on our experience, the following trainings will be delivered during the project.

- Managers Training
- Enrolment/Issuance Training
  o Enrolment - Operators training
  o Enrolment - Supervisors training
  o Enrolment - Technicians training
- Central application training
  o Card and Application Management System
    - Relevant operational module(s)
      - Introduction to Smart Card Management
      - Identity Card Manager operator training
      - User Rights Module operator training
      - Key Manager operator training
      - System Installation, Upgrade and Maintenance training
    - Relevant configuration module(s)
      - Identity Card Manager configuration training
      - Release 6 Data Model training
      - Manager training
      - Hands-on training
      - Technical staff training
  o ABIS Training
    - ABIS concepts
    - ABIS architecture & administration
    - ABIS web services
    - ABIS Manual Decision Tool
  o Business Information Management System
  o Query Management System
  o CRM System
  o Billing Management System
  o Network Administrator training
  o Systems, Networks and Telecoms tools Administrator
- ICT training
  o Linux Training - Fundamentals and Systems Administration
  o Oracle Database 11g - Administration
  o Configuring and Troubleshooting a Windows Server 2008 Network Infrastructure
  o Configuring Windows Server 2008 Active Directory Domain Services
  o Configuring and Troubleshooting Identity and Access Management in Windows Server 2008 Active Directory
  o Exchange 2010 Administration
  o Java Programming
  o Certified Ethical Hacker, Version 7
  o Training of Trainers (HP Carepacks - Hardware)
  o Symantec Endpoint Protection 12.1: Administration
  o Network Operation Center System
  o ICT Asset Management and Help desk
- Back-Up training
  o Training of Trainers (HP Insight Control Fundamentals Training)
  o Symantec Backup Exec 2010: Administration
- Data Centre and Personalisation Centre
  o Training on Specialised Equipment (UPS, CCTV, Access Control, Cooling System and Fire Suppression)
  o Personalization Management System
    - Internal Management
      - Products management
      - Stocks management
      - Ticketing management
      - Purchase orders
    - Production operators
      - Machines maintenance plans
      - Production management
      - GI - AS communication
      - Delivery and invoicing (optional)
    - GI - AS architecture
      - Layout customization (xml and rave)
      - Production customization 1
      - Production customization 2
      - Application Server
  o HSM
    - nShield Certified Systems Developer (nCSD) courses
    - nShield Certified Systems Engineer (nCSE)
  o PKI for Document Signing
    - Zetes course
    - Customer course
  o Personalization system training
    - MPR5800 Operator Training
    - MPR5800 Administrator Training
    - MPR5800 Maintenance Training

As required in the technical specifications, for each training program it is indicated whether the training is part of Phase 1 or Phase 2, and in which delivery period it falls:
- Pre-installation training
- Installation training
- Post-installation training