JMRTD

About JMRTD

JMRTD is a free implementation of the Machine Readable Travel Document (MRTD) standards as specified by the International Civil Aviation Organization (ICAO). The electronic passport (or "ePassport"), which by now has been introduced in many countries, is an implementation of these standards.

Both a card side application (the "passport applet") and a host side API for accessing electronic passports are developed. The passport applet makes it possible to create your own passports (in case you're starting your own country). The applet is written in Java Card.

The host side API makes it possible to read the information on the chip in a passport and to check its validity (provided the issuing country's certificate is available). The host side API is written in Java and a graphical application utilizing the API is also provided.

Project History, Contributions, Background

JMRTD was initially developed in 2006 as part of a research project of the Digital Security group (at the time known as the Security of Systems group) at Radboud University in Nijmegen. The research was sponsored by the Dutch Ministry of Internal Affairs. In this project the host API was connected to model-based test generation systems TorX and GAST in an attempt to find vulnerabilities in the Dutch implementation of the ePassport. The applet was developed to have an independent implementation to test the model and the test-systems.

In 2007 functionality for fingerprinting the Nationality of passports was added by Henning Richter of the Lausitz University of Applied Sciences while visiting Nijmegen.

In 2008 JMRTD was used at Novay (at the time known as Telematica Instituut) in a research project sponsored by NLnet foundation to find out to what extent the ePassport's PKI can be used to do online authentication with Information Cards.

In 2009 JMRTD was used (again) by researchers of the Digital Security group at Radboud University in Nijmegen to test the newly introduced EAC functionality. The research was sponsored by the Dutch Ministry of Internal Affairs.

In 2009 some of the lower level smart card communication stuff in JMRTD's host API was abstracted away into a seperate project called SCUBA.

In 2009 Wojciech Mostowski created an implementation of the ISO 18013 eDriving License standard based on JMRTD code.

Contact

Active members of the JMRTD development team are listed on our member page on SourceForge.net. You can drop the project lead (Martijn Oostdijk ATM) a mail at info@jmrtd.org if you have questions or comments. Or you can leave a message on the Open Discussion forum on SourceForge.net.

Documentation

Available documentation:

• License (it's LGPL)
• Installation instructions
• API docs of the host API

Most of the specifications are open (as in: can be purchased). Here's our list.

• The ICAO ePassport specs are now part of Doc 9303. The alternative links below point to scanned documents provided by Edward Hasbrouck.
  • ICAO 9303 part 1 volume 1 (scanned)
  • ICAO 9303 part 1 volume 2 (scanned)
  • ICAO 9303 part 2
  • ICAO 9303 part 3 volume 1
  • ICAO 9303 part 3 volume 2 (scanned)
  When they were still being drafted, ePassports were described in two ICAO technical reports.
  • ICAO TR LDS - v1.7: Description of the data structure format.
  • ICAO TR PKI - v1.1: Description of the security mechanisms Basic Access Control (BAC), Passive Authentication (PA), and Active Authentication (AA).
• The MRZ (EF.DG1) is specified in ICAO Doc 9303 part 1 volume 1.
• Biometric data (EF.DG2 - EF.DG4):
  • NISTIR6529A: Specification of the CBEFF format.
  • ISO/IEC 7816-11: Specification of storage format for biometric templates.
  • ISO/IEC 19794-4: Biometric data interchange formats - Part 4: Finger image data: Specification of finger and palm images in DG3.
  • ISO/IEC 19794-5: Biometric Data Interchange Formats - Part 5: Face Image Data: Specification of face images in DG2.
  • ISO/IEC 19794-6: Biometric Data Interchange Formats - Part 6: Iris Image Data: Specification of iris images in DG4.
• EAC (EF.DG14, EF.CVCA):
  • BSI TR-03110_v111: Description of the security mechanism Extended Access Control (EAC).
  • BSI TR-03110_v203: Latest version of EAC specification.
• Specs dealing with crypto (EF.SOd):
  • RFC 3369: Cryptographic Message Syntax: Specification of the data-structure used in the security object (PA).
  • ISO/IEC 9796-2:2002 Digital signature schemes giving message recovery: Specification of the padding used in BAC secure messaging and of the AA cryptogram.

Background reading

• Our project page on SourceForge.net.
• Similar projects (in alphabetical order):
  • cmrtd is a sibling project of JMRTD written in C.
  • DexLab (Jeroen van Beek) has a couple of relevant tools: eCl0wn can read ePassports and runs on Nokia NFC handsets. The THC-ePassport is the ePassport emulating JavaCard applet used in the August 2008 Times articles. These were likely also used in the "hack" of the British ID card by Adam Laurie and Jeroen van Beek, reported on in the Daily Mail in August 2009.
  • The EJBCA project is a Java based CA server with support for ePassport certificates. (JMRTD's handling of CV certificates for EAC actually depends on EJBCA code.)
  • The Golden Reader Tool (GRT) by BSI.
  • The ISO18013 Electronic Driving License implementation by Wojciech Mostowski (apparently together with RDW and Collis) is partially based on JMRTD code. Wojciech also has an eID JavaCard applet which shares some low level code with this project.
  • JMRTD is the obligatory recursive link.
  • JSmex is a smart card explorer which supports MRTDs.
  • The OpenMRTD.org project by Harald Welte.
  • The pyPassport and ePassport Viewer are Python based tools for reading and displaying ePassports by Jean-François Houzard and Olivier Roger of UC Louvain.
  • The RFIDIOt project by Adam Laurie.
  • wzPass is Windows software for reading ePassports by Johann Dantant.
• General information:
  • ICAO site and ICAO/MRTD site.
  • Wikipedia entries on Biometric passport, ePassport, and MRTD.
  • Paspoort informatie (in Dutch) by the Dutch government.
• Opinions, blogs, and other links on the ePassport by other people:
  • E-passports without the big picture: Jaap-Henk Hoepman and Bart Jacobs on ePassports, identity management, and privacy.
  • MRTD Analysis.org: Lukas Grunwald's site
  • The ePassport cloning myth never dies: A blog entry on ePassport "hacks" by ZDNet's George Ou.
  • Bio Paspoort.blogspot.com: An anonymous blog (in Dutch) about the passport
  • The practical nomad: Edward Hasbrouck's blog.
  • Beveiliging elektronisch paspoort: FAQ (in Dutch) by the System & Network Engineering group at UvA about the August 2008 articles in The Times.
  • On Exploiting ePassport Vulnerabilities: by Rowland Watkins also looks at PKD vulnerabilities.
  • Passport cloning in perspective: Cees-Bart Breunesse of Riscure on ePassport cloning.
  • The ePassport Revolution over at Miller-McCune: On why assassins won't use biometric passports.
  • Blackhat Europe 2010 presentation by Raoul D'Costa.
  • 39 myths about ePassports by Mike Ellis of Gemalto.
  • Traceability attacks agains e-Passports are described by Chothia and Smirnov of the University of Birmingham.