karsof systems llc - border control and management

Karsof Integrated Immigration System [KIIS] Border Control & Management System

Upload: colin-valencia

Post on 16-Jul-2015


Border Control & Management System Karsof Systems

2 www.karsofsystems.com

Table of Contents

INTRODUCTION
SYSTEM GOALS
BCMS MAIN FEATURES
BCMS CORE COMPONENTS
Movements and History
NYSIIS [Soundex]
Watch Lists
Rule Base Engine
Policy Configuration Systems
User Management
Connectors to External Devices
BIOMETRIC TECHNOLOGY
PKI ARCHITECTURE & INFRASTRUCTURE
SECURITY SERVICES PLATFORM
Functions
Technical features
THE MALAYSIAN CASE STUDY
Karsof Foreign Worker System
Karsof Illegal Immigrant Management System
Karsof Foreign Worker Monitoring System
Karsof Amnesty System
About the technology
CONCLUSION
CONTACT US


INTRODUCTION

This system brief outlines the main features of the Karsof Integrated Immigration Systems (KIIS) Border Control & Management System (BCMS) and describes the Malaysian case study.

We strongly believe that we have succeeded, together with the customer, in implementing a modernized IT system to support border management based on a unified intelligence and operational doctrine. Our experience, accompanied by proprietary technology developed specifically for this project, can become a great asset for similar initiatives carried out in other countries.

SYSTEM GOALS

The main goals of BCMS are to protect the country from security threats and to prevent illegal immigration. It does so by enforcing entry, exit and stay laws, together with the policies of intelligence and government agencies. At the same time, BCMS balances these goals against economic considerations by expediting legitimate cross-border trade and travel.

Another goal of great importance is to effectively share intelligence and mission needs across government stakeholders, so that disparate agencies (such as agencies in counter terror operations) are brought together to act in an integrated manner.

BCMS incorporates dozens of nationally deployed and synchronized Ports of Entry (POE) – Air, Sea, Land and regional HQs. It simplifies the handling of traveler information to provide more effective control of country borders and support for government stakeholders.


BCMS MAIN FEATURES

The main goal is to effectively share intelligence:

• Absolute error-free identification of the crossing person.
• State of the Art biometric technology.
• Check passenger status and crossing permits.
• Uses information received in advance to reduce workload and improve identification process.
• Used to identify and stop persons, vehicles and merchandise in the Watch Lists.
• Integrated Multilingual NYSIIS [soundex] tool for name search, especially Semitic names.
• Performs logic checks – Correlation between entry and exit, time between two transactions, Passport and ID numbers.
• Displays comprehensive data processing to help the operator in his decision making.
• Computerizes processes of on-line and batch handling of Watch Lists, Permits List, Inquiries, Reports, etc.
• Records all crossing transactions within an integrated traveler folder.
• Provides crossing reports and real-time alerts to relevant government agencies.

BCMS CORE COMPONENTS

Movements and History

The main role of the Movements and History component is to correlate entries and exits from all ports of entry (POE) in order to detect suspicious patterns (e.g. the last border crossing was in the same direction). It also triggers actions by reporting on foreign nationals who have overstayed the legal duration of their admission.

Using the concept of the integrated traveler folder, the Movements and History component supports the identification of persons who travel under different identities and of citizens who travel with a foreign passport.
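
The correlation checks described in this section (same-direction crossings, time between two transactions, passport number changes and overstays) can be sketched as follows. This is an added example, not Karsof code: the record layout, the finding names, the five-minute minimum gap and the sample crossings are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crossing:
    folder_id: str       # hypothetical key of the integrated traveler folder
    document_no: str     # passport or ID number presented at the crossing
    direction: str       # "ENTRY" or "EXIT"
    poe: str             # port of entry that recorded the crossing
    when: datetime
    permitted_days: int = 0   # length of admission granted on ENTRY

@dataclass(frozen=True)
class Finding:
    folder_id: str
    kind: str
    when: datetime

def correlate(crossings, now, min_gap=timedelta(minutes=5)):
    """Run the logic checks over all crossings, grouped per traveler folder."""
    folders = defaultdict(list)
    for c in crossings:
        folders[c.folder_id].append(c)

    findings = []
    for folder_id in sorted(folders):
        # Ports of entry report independently, so order by time first.
        events = sorted(folders[folder_id], key=lambda c: c.when)
        for prev, cur in zip(events, events[1:]):
            if prev.direction == cur.direction:
                findings.append(Finding(folder_id, "SAME_DIRECTION", cur.when))
            if cur.when - prev.when < min_gap:
                findings.append(Finding(folder_id, "SHORT_INTERVAL", cur.when))
            if prev.document_no != cur.document_no:
                findings.append(Finding(folder_id, "DOCUMENT_CHANGE", cur.when))
            if prev.direction == "ENTRY" and cur.direction == "EXIT":
                if cur.when > prev.when + timedelta(days=prev.permitted_days):
                    findings.append(Finding(folder_id, "LATE_EXIT", cur.when))
        last = events[-1]
        # Traveler is still inside: compare the open admission against "now".
        if (last.direction == "ENTRY"
                and now > last.when + timedelta(days=last.permitted_days)):
            findings.append(Finding(folder_id, "OVERSTAY", now))
    return findings

# Constructed sample crossings (not real data).
NOW = datetime(2015, 3, 10, 12, 0)
SAMPLE = [
    Crossing("F1", "P100", "ENTRY", "AIR-1", datetime(2015, 1, 1, 8, 0), 30),
    Crossing("F1", "P100", "EXIT", "SEA-2", datetime(2015, 1, 20, 17, 0)),
    Crossing("F2", "P222", "ENTRY", "LAND-3", datetime(2015, 2, 1, 9, 0), 30),
    Crossing("F2", "P111", "ENTRY", "AIR-1", datetime(2015, 1, 5, 9, 0), 30),
    Crossing("F3", "P300", "ENTRY", "LAND-3", datetime(2015, 3, 1, 9, 0), 14),
    Crossing("F3", "P300", "EXIT", "LAND-3", datetime(2015, 3, 1, 9, 2)),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE, NOW):
        print(f.folder_id, f.kind, f.when.isoformat())
```

Grouping by folder rather than by passport number is what lets the second entry of folder F2 be flagged even though it was made on a different document.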

NYSIIS [Soundex]

The challenge of the NYSIIS tool is to find a person in the system, in real-time, based on the way his name sounds, rather than the way it is spelled, and without generating false matches.

NYSIIS is a morphological name search and matching tool that implements a popular scientific search algorithm.


Figure 2 – BCMS Infrastructure Core Modules

BCMS NYSIIS advantages are:

• Proprietary deployed rules to support Semitic names (e.g. Arabic)
• Supports more than the two conventional name elements: family, given, father’s, grandfather’s, mother’s, former names, etc.
• Handles name elements that are in the wrong order or appear more than once (e.g. more than one family name)
• Nicknames, e.g. Robert = Bob
• Name variation, e.g. Christie = Krissy
• Abbreviation, e.g. Mohamad = Mhd
• Multi-lingual, e.g. Rose = Shoshana
• Titles, Suffixes, Prefixes, e.g. Mr., M.D., Dr., Jr.
• Compound names, e.g. Abed El Baki = Abdel Baqi
• Initials, e.g. Frank Lee Adam = A. Frank Lee
• Search is performed efficiently in real-time on all databases (e.g. watch lists, visa, movements) as each database is encoded using the NYSIIS tool.


• The NYSIIS algorithm is controlled by the system administrator, allowing on-going refinements as required, and without slowing down the system

Two operating modes are enabled:

• Interactive query (e.g. check if a person named X is included in a certain list)
• Automatic process (e.g. search for all entries in the Watch Lists relevant to a person passing through the border)

In order to narrow down the search results even more, presenting only the most relevant results and in a ranked order, the BCMS includes a Matching Factor tool.

The Matching Factor tool utilizes:

• Demographic data: date of birth, sex, country of birth, country of citizenship etc.
• Weight of each element in name and demographic data
• Penalty points for each non-match, per its type

The final search result list is presented in ranked order, parameter configured to:

• Screen out entries with low matching factor
• Define maximum number of entries to be displayed, sorted by decreasing matching factor
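
A weighted score with per-type penalties, a cut-off and a display limit, as the Matching Factor tool is described above, can be sketched like this. It is an added example and not the BCMS implementation: the weights, penalties, threshold, field names and candidate records are constructed assumptions, and name elements are compared after simple case folding rather than by phonetic code.

```python
# Weight credited when an element matches, and penalty deducted when the
# element is present on both sides but differs. All values are assumptions.
WEIGHTS = {"family": 30, "given": 20, "dob": 25, "sex": 5,
           "birth_country": 10, "citizenship": 10}
PENALTIES = {"family": 10, "given": 5, "dob": 15, "sex": 20,
             "birth_country": 5, "citizenship": 5}

def _norm(value):
    """Case- and whitespace-insensitive comparison form."""
    return str(value).strip().casefold()

def matching_factor(query, record):
    """Score one candidate record against the query, in the range 0..100."""
    score = 0
    for element, weight in WEIGHTS.items():
        q, r = query.get(element), record.get(element)
        if q is None or r is None:
            continue                      # unknown data: no credit, no penalty
        if _norm(q) == _norm(r):
            score += weight
        else:
            score -= PENALTIES[element]   # penalty depends on the element type
    return max(0, score)

def rank(query, candidates, min_factor=60, max_entries=10):
    """Screen out low scores, sort by decreasing factor, cap the list length."""
    scored = [(matching_factor(query, c), c["id"]) for c in candidates]
    kept = [s for s in scored if s[0] >= min_factor]
    kept.sort(key=lambda s: (-s[0], s[1]))   # ties broken by record id
    return kept[:max_entries]

# Constructed query and candidate records (country codes are placeholders).
QUERY = {"family": "Adam", "given": "Frank", "dob": "1980-04-12",
         "sex": "M", "birth_country": "AA", "citizenship": "AA"}
CANDIDATES = [
    {"id": "W4", "family": "Adam", "given": "Frank", "dob": "1980-04-21",
     "sex": "F", "birth_country": "AA", "citizenship": "AA"},
    {"id": "W2", "family": "ADAM", "given": "Frank", "dob": None,
     "sex": "M", "birth_country": "AA", "citizenship": "AA"},
    {"id": "W5", "family": "Stone", "given": "Rose", "dob": "1975-01-01",
     "sex": "M", "birth_country": "BB", "citizenship": "BB"},
    {"id": "W1", "family": "Adam", "given": "Frank", "dob": "1980-04-12",
     "sex": "M", "birth_country": "AA", "citizenship": "AA"},
    {"id": "W3", "family": "Adam", "given": "Lee", "dob": "1980-04-12",
     "sex": "M", "birth_country": "AA", "citizenship": "BB"},
]

if __name__ == "__main__":
    for factor, record_id in rank(QUERY, CANDIDATES):
        print(record_id, factor)
```

A missing date of birth (record W2) lowers the score without being penalized, while a conflicting sex or date of birth (record W4) is enough to push an otherwise matching name below the cut-off.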


Figure 3 – BCMS Control Points

Watch Lists

BCMS Watch Lists consolidate and share information, intelligence and mission needs across government stakeholders, in spite of the many laws and agency policies that prohibit sharing of information. Implementation is through well-defined connectors to remote government agencies for Watch Lists creation, update and query.

Watch Lists are used in three processes:

• Inspection
• Pre-arrival security check
• Visa issue

Watch Lists trigger display of instructions to the Immigration Officer (e.g. arrest, deny entry, debt payment) based on a <winner logic algorithm>, given situations of sometimes contradicting mission needs. They also trigger “behind the scene” actions, such as Intelligence alerts via pager, SMS, fax etc.

BCMS supports 3 levels of Watch Lists:

• Personal
• Partial personal data
• Group

BCMS supports 3 types of Watch Lists:

• Person
• Document
• Vehicle

Rule Base Engine

The Rule Base Engine guides the immigration officer through the steps to execute during the inspection, the papers to examine, etc.

It implements permit restrictions, e.g.:

• Multiple entry
• Group visa
• Zone and direction
• Date and time

It also implements past incidents of importance, unusual situations and patterns, and instructions to be presented to the Immigration Officer during the inspection, e.g.:

• Prior cases where the person was denied entry to the country
• Passport is registered as stolen
• Passenger is registered as deceased


Policy Configuration Systems

Policy Configuration Systems allow rules and policies to be updated in real time, without code changes and without affecting system availability.

Rules and policies can be defined at:

• nation/country/arena/site levels
• government agency level

The following are examples of Configuration Systems that BCMS provides:

• Inspection process (e.g. what documents should be checked)
• Watch lists & instructions (e.g. definition of new agency)
• Winner logic
• Matching factor (e.g. maximum number of entries to be displayed)
• Identification criteria (e.g. biometric thresholds)

Figure 4 – Operator Management

User Management

BCMS provides hierarchical management of border immigration officers (Inspectors) and other agencies' operators. The hierarchy is both site oriented and agency oriented. The regular Inspectors handle the usual border crossing activity. In case of certain exceptions (e.g. identification of a person in a Watch List), the handling may be transferred to the Chief Inspector residing at the same site. However, it is possible to define that transactions performed by an operator from a certain agency are transferred, for exception handling, only to the supervisor representing the same agency. The functions which each operator type is authorized to perform are defined in the System configuration, which is controlled by the system manager.

While for big and medium sites all operators are on-site, for small crossing points the supervisor will reside at a remote, bigger site.

Connectors to External Devices

BCMS supports integration with the following devices for fast and error-free identification:

• High resolution document scanner
• MRZ & RFID Passport reader
• Biometric verification system

Optionally:

• Magnetic swipe reader
• Gate pass printer
• LPR-OCR vehicle identifier


Figure 5 – Part of System Management Workflow

BIOMETRIC TECHNOLOGY

Karsof BioNet Security System (KBSS) is an automated fingerprint verification and identification system.

Apart from conforming to standards, the KBSS technology has the following features:

• 4096-bit dynamic, multi-layered encryption
• Lowest fingerprint data storage – 16 bytes
• Very fast fingerprint identification:
  • One-to-One (1:1) – 0.5 seconds
  • One-to-Many (1:N) – 0.5 seconds with 2.4 billion records
• Least false rejection rate (FRR) 0.00001 and zero false acceptance rate (FAR) for One-to-One verification mode
• Least false rejection rate (FRR) 0.00025 and zero false acceptance rate (FAR) for One-to-Many identification mode

The KBSS system uses the fingerprint as its model of biometric identification and conforms to the following standards:

• Electronic Fingerprint Image Print Server (EFIPS)
• Data Format for the Interchange of Fingerprint Information (ANSI/NIST-CSL 1-1993)
• Data Format for the Interchange of Fingerprint, Facial & SMT Information (Addendum) – ANSI/NIST-ITL 1a-1997
• Electronic Fingerprint Transmission Specification (EFTS) – CJIS-RS-0010 (V7)
• IAFIS Image Quality Specifications (Appendix F) – CJIS-RS-0010 (V7)
• Interim IAFIS Image Quality Specification for Scanners (Appendix G) – CJIS-RS-0010 (V7)
• WSQ Gray-Scale Fingerprint Image Compression Specification

KBSS supports the following applications:

• Central repository storing all biometric, photographic and textual information of personnel such as immigration offenders;
• Screening, accepting and capturing the fingerprint images of a suspected immigration offender in order to verify and identify the identity of the suspected immigration offender;
• Registration, capturing and storing the records of immigration offenders;
• Fingerprint matching, which performs the identification and verification of the individual based on the fingerprint images provided as input from the central repository of fingerprint images.

KBSS features an Application Program Interface (API) that allows applications based on KBSS to be customized to fulfill requirements.

PKI ARCHITECTURE & INFRASTRUCTURE

The PKI infrastructure for electronic certification systems includes digital certificate management systems and advanced services for validating certificates and time-stamps.

The solutions are entirely scalable, modular and integral, and include a complete security system designed in compliance with recommendations from CEN (European Committee for Standardization) and ETSI (European Telecommunications Standards Institute). These recommendations affect the security and operation requirements of Trusted Systems for Managing Digital Certificates and Electronic Signature.

The family of electronic certification solutions is made up of the following products:

• KIIS CA: Contains the functions required to issue public key certificates according to the syntax defined in ITU-T X.509v3. Furthermore, optional components can be added (for instance, add-ins) which provide functions for issuing CRLs and making backup copies of keys.
• KIIS VA: Contains the functions required to issue proof of the validity of specific certificates in compliance with the Internet Engineering Task Force (IETF) Online Certificate Status Protocol (OCSP).
• KIIS TSA: Brings together the functions required for issuing proof of the existence of specific data at a given time, according to IETF’s TSP protocol.
• KIIS RA: Contains the functions required to record end-entity data, generate the corresponding certification requests, perform revocation requests, deliver certificates to their owners and publish certificates in repositories.


• KIIS LRA: A special type of application that is capable of downloading code stored in KIIS CA and running it locally. Although the functions of this code can be of any sort, they are usually those typical of a remote registration system that sends certification and revocation requests to KIIS CA for its immediate processing (online, for instance), managing both the data contained in the certificate and that which refers to the design and printing of smartcards.

Figure 6 – Security Services Platform

SECURITY SERVICES PLATFORM

KIIS Security Services Platform [SSP]

Today, Web services (WS) and service oriented architecture (SOA) technologies allow security to be enabled in applications through the consumption of specialized services. This new approach, which achieves interoperability through Web service standards, brings agility to software development and maintenance.

With the SSP platform, we offer a complete web services platform designed to allow fast and efficient integration of security services (authentication, electronic signature and data protection) in applications. The service-oriented architecture improves flexibility and allows the better scalability, availability and management required for critical business processes.

The SSP platform includes:

• A set of global services and security standards based on Public Key Infrastructure (PKI).
• Centralized user and resource management, facilitating unified access control and federation.
• Uniform and centralized log information management and its auditing.

Functions

The security services included in the SSP platform are based on Public Key Infrastructure (PKI) standards and are service oriented, regardless of whether the user is an application, an end user or another service.

• Electronic signature: Functions for validation and electronic signature generation. It supports different signature formats and digital certificate verification mechanisms in a transparent way. The service also offers the generation and custody of electronic evidence, guaranteeing long term signature verification.
• Data protection: This functionality protects data through encryption and data custody, guaranteeing that it is maintained over time and that access is controlled and limited to authorized entities.
• Key management: The platform includes its own key management service that standardizes functionalities such as key registration, revocation, retrieval and verification of the entities.
• Authentication, authorization and access control: This functionality is common to all service components and provides authorization, authentication and access control to registered entities, enabling unified access control throughout the whole platform (between users, web services and applications).
• Object and entity management: Through a common service component, a uniform information model based on XML is provided for all platform objects and entities. This unique feature allows masking of different data structures (XML, ASN.1, Text, etc.), different information resources (LDAP, SQL, Files, etc.) and different locations (local, remote, Intranet, extranet, etc.). The component allows registering, consulting and modifying the information of entities and, in particular, the identity, configuration, auditing and other XML documents.
• Auditing and accounting: A service that traces the information (logs) of all platform service components and service information in a uniform, centralized and secure manner, as well as the information on usage and service consumption. All kinds of reports can be generated through controlled access to all the activity information.

Technical features

• Web Services infrastructure: WSDL, UDDI and SOAP.
• Security services: OASIS WSS, SSL/TLS, SASL, OASIS SAML and Liberty ID-WSF. OASIS DSS digital signature service. XKMS key management.
• Digital envelope standards: PKCS#7, IETF CMS, ETSI TS 101733, W3C XMLDSig, W3C XMLEnc, ETSI TS 101903, W3C XAdES, PDF electronic signature according to IETF and S/MIME.
• Digital time stamp support: IETF TSP Time stamp protocol.
• Verification of Digital Certificate status: Through CRLs or IETF OCSP protocol.


• Directory support: LDAP protocol.
• HSM support: PKCS #11 devices certified by country specific PKI CA.

SSP includes optional components that provide advanced data management functionalities:

• SSP Data Signature Custody (TWS-DSC). Electronic signature custody service that can maintain the signature time. The service allows verification that a digital signature was generated and verified while the digital certificates were valid and were not revoked.
• SSP Digital Encipherment (TWS-DE). Ciphering and deciphering service for documents in PKCS#7/CMS and XMLEnc formats.
• SSP Data Encipherment Custody (TWS-DEC). Document key encryption custody service that guarantees long time data access.
• SSP Key Management (TWS-KM). Key management service that provides key generation, registration, retrieval and verification services.


THE MALAYSIAN CASE STUDY

The Malaysian Government’s efforts to develop a smart and safe border identified four main categories of people crossing borders every day: visitors, foreign workers, students and citizens.

The Government of Malaysia has implemented biometric security systems at all entry and exit points. All foreign workers and citizens are required to verify their identities by using biometric fingerprints and/or chip-based passports. This enables officers to promptly identify and detain illegal immigrants. During the process of verification, the system will also check with various blacklists.

Karsof is the biometric technology inventor, patent holder, and solutions provider identified by the Home Ministry to implement a “smart border” security solution in Malaysia. To achieve this, we adopted a new approach.

We implemented Karsof biometric technology and other Karsof technologies for monitoring and controlling illegal and over-staying immigrants and foreign workers. Coupled with the Karsof Total Security System at all entry and exit points, we delivered a complete solution that meets the “smart border” definition.

Following the successful implementation of the Karsof Total Security System at all entry and exit points, Karsof biometrics technology has evolved into a complete integration of systems protecting Malaysia from border security threats.

Karsof Foreign Worker System

The Foreign Worker system is available at all entry and exit points. Foreign workers entering the country need to register their fingerprint data to verify that they have the required visas to enter and are not in the blacklists database.

Karsof Illegal Immigrant Management System

The Illegal Immigrant Management system is used when an illegal immigrant is arrested. They will be taken to the depot, and all fingerprints and a photograph are captured. All procedures are paperless. The illegal immigrant will be sent back to their home country and the information captured will be updated into the blacklists database.

Karsof Foreign Worker Monitoring System

The Foreign Worker Monitoring system is made available to more than 60 foreign worker agencies. The Malaysian Home Ministry can now ensure that these workers are verified daily, and that their movement is continually monitored. In addition, the system allows employers and the Ministry to keep track of visa expiry dates to avoid over-staying foreign workers. The payroll system monitors payments of these workers, hence ensuring that disgruntled employees do not become internal security threats.


Figure 7 – eDocument Reader with Forensic

Figure 8 – FingerPrint Reader

Figure 9 – eID Reader

Karsof Secure Foreign Worker Card

The Secure Foreign Worker card enables enforcement officers to check foreign workers and their visa status anywhere and at any time, as the mobile card reader system links to the central database.

Karsof Amnesty System


The Amnesty system enables the Home Ministry to determine, before travel visas are issued, that deportees sent back by the government are able to return as legal foreign workers, by sharing a central database with Malaysian embassies in other countries. This system is in place for a limited time only.

The Home Ministry can view management information system (MIS) reports in real time, with information such as the total number of foreign workers and a complete breakdown of numbers according to entry and exit points. They can also view the total number of illegal immigrants detained in each depot and the total number returned to their home countries.

Karsof solutions are robust and universally available, allowing top management and enforcement management to access the central database in a secure manner and enabling them to take prompt and accurate action when the need arises.

About the technology

Karsof technology provides complete solutions. The highly-secure Karsof biometric technology solution encompasses five patent pending inventions, of which “Karsof Biometric authentication over the Web” was granted a patent in the year 2005.

Karsof solutions are proven to perform at optimal levels in real life, mission critical environments, and all locations where they are implemented are linked through broadband connections. It is crucial to have a dual network failsafe; if one critical solution goes down, another takes over automatically using the Karsof Business Continuity System. In the event that the broadband connection fails, we will be able to use satellite communications technologies to transfer data, ensuring the continuity of operations.

For enhanced security, Karsof Network Security offers encryption to our Web-based system and provides network infrastructure security at all locations.

All of our solutions use open source architecture and are cost effective. In fact, our solutions are accessible through portable devices such as PDAs, mobile phones and notebooks with the use of 3G/GPRS technology.

The implemented systems and technology offer the following:

1) Unique: a measurable characteristic of identification that is difficult to counterfeit.
2) Accurate: Karsof biometrics verification and authentication is proven to be highly accurate with zero false identification.
3) Secure: Uses the highest, patent pending Karsof encryption technology.
4) Least intrusive: Karsof encryption methodology ensures that the data cannot be misused.
5) Cost effective: Cost effective roll out of solutions.
6) Scalable and Interoperable: Proven to integrate with other local and international enforcement systems.
7) Compatibility: Data sharing has already been proven in Malaysia. Our biometrics security solution is currently accepted as a best practice by Asia-Pacific Economic Cooperation (APEC).


8) Control: The system is designed to be tamper-proof and has sound management modules with a high level of encryption for different authority levels.

CONCLUSION

Based on the Malaysian case study and the above-mentioned points, Karsof biometrics technology successfully addresses crucial aspects of border security, greatly contributing towards creating a “smart border” environment in Malaysia.

Through our hands-on experience, we have acquired valuable knowledge with regard to the use of biometrics technology for border security, and conclude this discussion with recommendations for the following measures:

1) Security improvement of all ports of entry (POE) through biometric technology
2) Requiring the verification of travelers’ identities before leaving a country
3) Checking the authenticity of travel documents with the authorities of the traveler’s source country (with forensic option)
4) Watch list and blacklist data sharing among countries
5) International cooperation
6) Wide-scale systems integration


CONTACT US

• For more information, visit our website at: www.karsofsystems.com

• Or email us on [email protected]

• Or give us a call on (877) 9KARSOF or (877) 952-7763

Jeff Rosen – Vice President Sales

Barney T. Villa – Senior Vice President