JMRTD is an open source Java implementation of the Machine Readable Travel Document (MRTD) standards as specified by the International Civil Aviation Organization (ICAO). The electronic passport (or "ePassport"), which by now has been introduced in many countries, is an implementation of these standards.
JMRTD provides both a card side application (the "passport applet") and a host side API for accessing ePassports. The passport applet makes it possible to create your own passports (in case you're starting your own country). The applet is written in Java Card.
The host side Java API can be used in different scenarios:
- Inspection system: The API makes it possible to read, decode, and validate the information on the chip (for some of these tasks JMRTD will need access to the issuing country's country signing root certificates).
- Enrollment / personalization system: The API can also encode information in compliance with the relevant standards.
- Testing framework: JMRTD was developed initially to test conformance and security of ePassport implementations.
The main features of JMRTD:
- A (100% pure) Java API for accessing ICAO compliant eMRTDs and ePassports
- A Java Card eMRTD/ePassport emulator
- Java and Android supported
- PKD certificates and PKD CSCA master lists (from LDAP) supported
- Extended access control (EAC) and supplemental access control (SAC/PACE) supported
- LDS 1.7 decoding and encoding
- CBEFF datagroups fully supported
- JPEG2000 and WSQ encoded biometric images supported
Project History, Contributions, Background
JMRTD was initially developed in 2006 as part of a research project of the Digital Security group (at the time known as the Security of Systems group) at Radboud University in Nijmegen. The research was sponsored by the Dutch Ministry of Internal Affairs. In this project the host API was connected to model-based test generation systems TorX and GAST in an attempt to find vulnerabilities in the Dutch implementation of the ePassport. The applet was developed to have an independent implementation to test the model and the test-systems.
In 2008 JMRTD was used at Novay (at the time known as Telematica Instituut) in a research project sponsored by NLnet foundation to find out to what extent the ePassport's PKI can be used to do online authentication with Information Cards.
In 2009 JMRTD was used (again) by researchers of the Digital Security group at Radboud University in Nijmegen to test the newly introduced EAC functionality. The research was (again) sponsored by the Dutch Ministry of Internal Affairs.
In 2009 some of the lower level smart card communication stuff in JMRTD's host API was abstracted away into a separate project called SCUBA.
In 2009 Wojciech Mostowski of Radboud University created an implementation (both card applet and host side API) of the ISO 18013 eDriving License standard based on JMRTD code in a project for the Dutch national authority for road traffic, transport and vehicle administration RDW.
In 2011 ScanTech IT asked Novay to bring JMRTD's encoding functionality for the biometric image datagroups (which can hold images of the face, fingerprints, iris, and handwritten signature) up to a standards compliant level (e.g., compliant with ISO 19785, ISO 19794). ScanTech IT uses this functionality in their biometric enrollment stations which are used at many of the Danish Municipalities (Kommuner) as part of the issuing process for the second generation Danish ePassport.
As of 2014 InnoValor is actively developing a (mixed open and closed source) software solution for document verification based on JMRTD. The solution consists of an SDK for Android and a server backend. A free demonstration app is available from the Play Store. A demonstration video showing (an early version of) this app is available from YouTube. Inquiries about InnoValor's software proposition can be sent to email@example.com.
Active members of the JMRTD (and SCUBA) development team are listed on our member page on SourceForge.net. You can drop the project lead (Martijn Oostdijk ATM) a mail at firstname.lastname@example.org if you have questions or comments. Or you can leave a message on the Open Discussion forum on SourceForge.net.
Most of the specifications are open (as in: can be purchased). Here's our list.
- The ICAO ePassport specs are now part of Doc 9303.
The alternative links below point to scanned documents provided by Edward Hasbrouck.
- ICAO 9303 part 1 volume 1 (scanned)
- ICAO 9303 part 1 volume 2 (scanned)
- ICAO 9303 part 2
- ICAO 9303 part 3 volume 1
- ICAO 9303 part 3 volume 2 (scanned)
- ICAO TR LDS - v1.7: Description of the data structure format.
- ICAO TR PKI - v1.1: Description of the security mechanisms Basic Access Control (BAC), Passive Authentication (PA), and Active Authentication (AA).
- The MRZ (EF.DG1) is specified in ICAO Doc 9303 part 1 volume 1.
- Biometric data (EF.DG2 - EF.DG4):
  - ISO/IEC 19785-1 and NISTIR6529A: Specification of the CBEFF format.
  - ISO/IEC 7816-11: Specification of storage format for biometric templates.
  - ISO/IEC 19794-4: Biometric data interchange formats - Part 4: Finger image data: Specification of finger and palm images in DG3.
  - ISO/IEC 19794-5: Biometric Data Interchange Formats - Part 5: Face Image Data: Specification of face images in DG2.
  - ISO/IEC 19794-6: Biometric Data Interchange Formats - Part 6: Iris Image Data: Specification of iris images in DG4.
- EAC and PACE (EF.DG14, EF.CardAccess, EF.CVCA):
- Specs dealing with crypto (EF.DG15, EF.SOd):
  - ISO/IEC 9796-2:2002 Digital signature schemes giving message recovery: Specification of the padding used in BAC secure messaging and of the AA cryptogram.
  - RFC 3369: Cryptographic Message Syntax: Specification of the data-structure used in the security object (PA).
  - BSI TR-03111: Elliptic Curve Cryptography: Underlying cryptographic primitives, conventions, conversion routines used in EAC and PACE.
- Our project page on SourceForge.net.
- Similar projects (in alphabetical order):
  - aJMRTD is an Android client for JMRTD.
  - androsmex is a mobile smart card explorer for android smartphones with NFC capabilities (with support for MRTDs).
  - cmrtd is a sibling project of JMRTD written in C.
  - DexLab (Jeroen van Beek) has a couple of relevant tools: eCl0wn can read ePassports and runs on Nokia NFC handsets. The THC-ePassport is the ePassport emulating JavaCard applet used in the August 2008 Times articles. These were likely also used in the "hack" of the British ID card by Adam Laurie and Jeroen van Beek, reported on in the Daily Mail in August 2009.
  - The EJBCA project is a Java based CA server with support for ePassport certificates. (JMRTD's handling of CV certificates for EAC actually depends on EJBCA code.)
  - The Golden Reader Tool (GRT) by secunet / BSI.
  - The ISO18013 Electronic Driving License implementation by Wojciech Mostowski (apparently together with RDW and Collis) is partially based on JMRTD code. Wojciech also has an eID JavaCard applet which shares some low level code with this project.
  - JMRTD is the obligatory recursive link.
  - JSmex is a smart card explorer which supports MRTDs.
  - The OpenMRTD.org project by Harald Welte.
  - The pyPassport and ePassport Viewer are Python based tools for reading and displaying ePassports by Jean-François Houzard and Olivier Roger of UC Louvain.
  - The RFIDIOt project by Adam Laurie.
  - wzPass is Windows software for reading ePassports by Johann Dantant.
- General information:
- Opinions, blogs, and other links on the ePassport by other people:
  - E-passports without the big picture: Jaap-Henk Hoepman and Bart Jacobs on ePassports, identity management, and privacy.
  - MRTD Analysis.org: Lukas Grunwald's site
  - The ePassport cloning myth never dies: A blog entry on ePassport "hacks" by ZDNet's George Ou.
  - Bio Paspoort.blogspot.com: An anonymous blog (in Dutch) about the passport
  - The practical nomad: Edward Hasbrouck's blog.
  - Beveiliging elektronisch paspoort: FAQ (in Dutch) by the System & Network Engineering group at UvA about the August 2008 articles in The Times.
  - On Exploiting ePassport Vulnerabilities: by Rowland Watkins also looks at PKD vulnerabilities.
  - Passport cloning in perspective: Cees-Bart Breunesse of Riscure on ePassport cloning.
  - The ePassport Revolution over at Miller-McCune: On why assassins won't use biometric passports.
  - Blackhat Europe 2010 presentation by Raoul D'Costa.
  - 39 myths about ePassports by Mike Ellis of Gemalto.
  - Traceability attacks against e-Passports are described by Chothia and Smirnov of the University of Birmingham.
  - Thesis (Implementation of Inspection System for Biometric Passports based on ICAO Specifications) by Luis Terán of EPFL (Lausanne). They also have a paper in BioID_MultiComm2009.