The document provides an overview of Karsof Integrated Immigration System's (KIIS) Border Control & Management System (BCMS). The main goals of BCMS are to protect the country from security threats, prevent illegal immigration, and expedite legitimate travel while enforcing entry/exit/stay laws and intelligence agency policy. The core components of BCMS are described, including movements tracking, name searching, watch lists, rule engines, policy configuration, user management, and connections to external devices like biometric systems. The document also discusses Karsof's proprietary biometric and PKI technologies, as well as the security services platform. A case study of BCMS implementation in Malaysia is presented.
2. Border Control & Management System Karsof Systems
2
www.karsofsystems.com
Table of Contents
INTRODUCTION
SYSTEM GOALS
BCMS MAIN FEATURES
BCMS CORE COMPONENTS
  Movements and History
  NYSIIS [Soundex]
  Watch Lists
  Rule Base Engine
  Policy Configuration Systems
  User Management
  Connectors to External Devices
BIOMETRIC TECHNOLOGY
PKI ARCHITECTURE & INFRASTRUCTURE
SECURITY SERVICES PLATFORM
  Functions
  Technical features
THE MALAYSIAN CASE STUDY
  Karsof Foreign Worker System
  Karsof Illegal Immigrant Management System
  Karsof Foreign Worker Monitoring System
  Karsof Amnesty System
  About the technology
CONCLUSION
CONTACT US
INTRODUCTION
This system brief outlines the main features of the Karsof Integrated Immigration Systems (KIIS) Border
Control & Management System (BCMS) and describes the Malaysian case study.
We strongly believe that we have succeeded, together with the customer, in implementing a modernized IT
system to support border management based on a unified intelligence and operational doctrine. Our
experience, accompanied by proprietary technology developed specifically for this project, can become a
great asset for similar initiatives carried out in other countries.
SYSTEM GOALS
The main goals of BCMS are to protect the country from security threats and to prevent illegal immigration.
It does so by enforcing entry, exit and stay laws, together with the policies of intelligence and government
agencies. At the same time, BCMS balances these goals against economic considerations by expediting
legitimate cross-border trade and travel.
Another goal of great importance is to effectively share intelligence and mission needs across
government stakeholders, so disparate agencies (such as agencies in counter terror operations) are
brought together to act in an integrated manner.
BCMS incorporates dozens of nationally deployed and synchronized Ports of Entry (POE) - Air, Sea,
Land and regional HQs. It simplifies the handling of traveler information to provide more effective control
of country borders and support for government stakeholders.
BCMS MAIN FEATURES
The main goal is to effectively share intelligence:
• Absolute error-free identification of the crossing person.
• State of the Art biometric technology.
• Check passenger status and crossing permits.
• Uses information received in advance to reduce workload and improve identification process.
• Used to identify and stop persons, vehicles and merchandise in the Watch Lists.
• Integrated Multilingual NYSIIS [soundex] tool for name search, especially Semitic names.
• Performs logic checks - correlation between entry and exit, time between two transactions,
  Passport and ID numbers.
• Displays comprehensive data processing to help the operator in his decision making.
• Computerizes processes of on-line and batch handling of Watch Lists, Permits List, Inquiries,
  Reports, etc.
• Records all crossing transactions within an integrated traveler folder.
• Provides crossing reports and real-time alerts to relevant government agencies.
BCMS CORE COMPONENTS
Movements and History
The main role of the Movements and History component is to correlate entries and exits from all points of
entry (POE) to detect suspicious patterns (e.g. last border crossing was in the same direction). It also
triggers actions by reporting on foreign nationals who have overstayed the legal duration of their
admission.
The Movements and History component supports identification of persons who travel under different
identities, using the concept of an integrated traveler folder, and supports identification of citizens who
travel with a foreign passport.
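The correlation described above can be sketched as follows. This is an added example, not Karsof code: the `Crossing` record, the alert names, the folder ids and the POE labels are all assumptions constructed for illustration. It groups crossings by traveler folder, flags two consecutive crossings in the same direction, and reports overstays both at exit and for travelers still in the country.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Crossing:
    folder_id: str                        # integrated traveler folder id (hypothetical)
    when: date
    direction: str                        # "ENTRY" or "EXIT"
    poe: str                              # port of entry label (constructed)
    permitted_days: Optional[int] = None  # stay granted at ENTRY, if recorded


def correlate(crossings, today):
    """Return (folder_id, alert, detail) tuples for suspicious movement histories."""
    by_folder = defaultdict(list)
    for c in crossings:
        by_folder[c.folder_id].append(c)

    alerts = []
    for folder_id in sorted(by_folder):
        events = sorted(by_folder[folder_id], key=lambda c: c.when)
        prev = None
        for cur in events:
            if prev is not None:
                if prev.direction == cur.direction:
                    # Two entries (or two exits) in a row: a crossing was missed
                    # or made under another identity or document.
                    alerts.append((folder_id, "SAME_DIRECTION", f"{prev.poe}->{cur.poe}"))
                elif cur.direction == "EXIT" and prev.permitted_days is not None:
                    over = (cur.when - prev.when).days - prev.permitted_days
                    if over > 0:
                        alerts.append((folder_id, "OVERSTAY_ON_EXIT", f"{over} days"))
            prev = cur
        # Last recorded movement is an entry: the traveler is still in the country.
        if prev.direction == "ENTRY" and prev.permitted_days is not None:
            over = (today - prev.when).days - prev.permitted_days
            if over > 0:
                alerts.append((folder_id, "OVERSTAY_PRESENT", f"{over} days"))
    return alerts


# Constructed sample data, not real movement records.
TODAY = date(2024, 3, 15)
SAMPLE_CROSSINGS = [
    Crossing("F-001", date(2024, 1, 10), "ENTRY", "POE-AIR-1", 30),
    Crossing("F-001", date(2024, 2, 1), "EXIT", "POE-AIR-1"),
    Crossing("F-002", date(2024, 1, 5), "ENTRY", "POE-LAND-1", 30),
    Crossing("F-002", date(2024, 3, 1), "ENTRY", "POE-SEA-1", 30),
    Crossing("F-003", date(2024, 1, 1), "ENTRY", "POE-AIR-1", 14),
    Crossing("F-004", date(2024, 2, 1), "ENTRY", "POE-LAND-1", 7),
    Crossing("F-004", date(2024, 2, 20), "EXIT", "POE-SEA-1"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_CROSSINGS, TODAY):
        print(alert)
```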
NYSIIS [Soundex]
The challenge of the NYSIIS tool is to find a person in the system, in real-time, based on the way his
name sounds, rather than the way it is spelled, and without generating false matches.
NYSIIS is a morphological name search and matching tool that implements a popular scientific search
algorithm.
Figure 2 - BCMS Infrastructure Core Modules
BCMS NYSIIS advantages are:
• Proprietary deployed rules to support Semitic names (e.g. Arabic)
• Supports more than the two conventional name elements: family, given, father's, grandfather's,
  mother's, former names, etc.
• Handles name elements that are in the wrong order or appear more than once (e.g. more than
  one family name)
• Nicknames, e.g. Robert = Bob
• Name variation, e.g. Christie = Krissy
• Abbreviation, e.g. Mohamad = Mhd
• Multi-lingual, e.g. Rose = Shoshana
• Titles, Suffixes, Prefixes, e.g. Mr., M.D., Dr., Jr.
• Compound names, e.g. Abed El Baki = Abdel Baqi
• Initials, e.g. Frank Lee Adam = A. Frank Lee
• Search is performed efficiently in real-time on all databases (e.g. watch lists, visa, movements) as
  each database is encoded using the NYSIIS tool.
• The NYSIIS algorithm is controlled by the system administrator, allowing on-going refinements as
  required, and without slowing down the system
• Two operating modes are enabled:
  • Interactive query (e.g. check if a person named X is included in a certain list)
  • Automatic process (e.g. search for all entries in the Watch Lists relevant to a person passing
    through the border)
To narrow the search results further and present only the most relevant results in ranked order, the
BCMS includes a Matching Factor tool.
The Matching Factor tool utilizes:
• Demographic data: date of birth, sex, country of birth, country of citizenship etc.
• Weight of each element in name and demographic data
• Penalty points for each non-match, per its type
The final search result list is presented in ranked order, with parameters configured to:
• Screen out entries with low matching factor
• Define maximum number of entries to be displayed, sorted by decreasing matching factor
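A minimal sketch of how a matching factor of this kind can be computed and used to rank results, given as an added example rather than Karsof's implementation. The weights, penalty points, thresholds, field names and the three-letter name keys are all constructed assumptions; the name keys stand in for phonetically encoded name elements and are compared as a set, so element order and repeats do not matter.

```python
# Constructed weights and penalty points; in a real deployment these would be
# policy parameters set by the administrator, not values from the Karsof brief.
WEIGHTS = {"name": 50, "dob": 25, "sex": 5, "birth_country": 10, "citizenship": 10}
PENALTIES = {"dob": 20, "sex": 30, "birth_country": 5, "citizenship": 5}


def matching_factor(query, cand):
    """Score a candidate against a query on a 0-100 scale."""
    earned = 0.0
    possible = 0.0

    # Name elements are compared as sets of phonetic keys (placeholder codes here),
    # which tolerates wrong order and repeated elements.
    q_names, c_names = set(query["name_keys"]), set(cand["name_keys"])
    if q_names and c_names:
        possible += WEIGHTS["name"]
        earned += WEIGHTS["name"] * len(q_names & c_names) / len(q_names | c_names)

    for field, penalty in PENALTIES.items():
        q, c = query.get(field), cand.get(field)
        if q is None or c is None:
            continue  # missing data earns no credit and no penalty
        possible += WEIGHTS[field]
        if q == c:
            earned += WEIGHTS[field]
        else:
            earned -= penalty  # penalty depends on the type of non-match

    if possible == 0:
        return 0.0
    return round(max(0.0, 100.0 * earned / possible), 1)


def rank(query, candidates, min_factor=60.0, max_entries=3):
    """Screen out low scores and return at most max_entries, best first."""
    scored = [(matching_factor(query, c), c["entry_id"]) for c in candidates]
    kept = [s for s in scored if s[0] >= min_factor]
    kept.sort(key=lambda s: (-s[0], s[1]))
    return kept[:max_entries]


# Constructed sample query and watch list entries (placeholder values throughout).
QUERY = {"name_keys": ["ABD", "BAC", "MAD"], "dob": "1980-05-17", "sex": "M",
         "birth_country": "XA", "citizenship": "XA"}
CANDIDATES = [
    {"entry_id": "WL-1", "name_keys": ["BAC", "ABD", "MAD"], "dob": "1980-05-17",
     "sex": "M", "birth_country": "XA", "citizenship": "XA"},
    {"entry_id": "WL-2", "name_keys": ["ABD", "BAC"], "dob": "1980-05-17",
     "sex": "M", "birth_country": None, "citizenship": "XB"},
    {"entry_id": "WL-3", "name_keys": ["ABD", "BAC", "MAD"], "dob": "1979-01-01",
     "sex": "M", "birth_country": "XA", "citizenship": "XA"},
    {"entry_id": "WL-4", "name_keys": ["ABD", "BAC", "MAD"], "dob": "1980-05-17",
     "sex": "F", "birth_country": "XA", "citizenship": "XA"},
    {"entry_id": "WL-5", "name_keys": ["MAD"], "dob": None,
     "sex": "M", "birth_country": "XC", "citizenship": "XC"},
]

if __name__ == "__main__":
    for factor, entry_id in rank(QUERY, CANDIDATES):
        print(f"{entry_id}: {factor}")
```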
Figure 3 - BCMS Control Points
Watch Lists
BCMS Watch Lists consolidate and share information, intelligence and mission needs across government
stakeholders, in spite of the many laws and agency policies that prohibit sharing of information.
Implementation is through well-defined connectors to remote government agencies for Watch Lists
creation, update and query.
Watch Lists are used in three processes:
• Inspection
• Pre-arrival security check
• Visa issue
Watch Lists trigger the display of instructions to the Immigration Officer (e.g. arrest, deny entry, debt
payment) based on a winner logic algorithm, given that mission needs sometimes contradict one
another. They also trigger "behind the scenes" actions, such as intelligence alerts via pager, SMS, fax etc.
BCMS supports 3 levels of Watch Lists:
• Personal
• Partial personal data
• Group
BCMS supports 3 types of Watch Lists:
• Person
• Document
• Vehicle
Rule Base Engine
The Rule Base Engine guides the immigration officer through the steps to execute during the inspection,
the papers to examine, etc.
It implements permit restrictions, e.g.:
• Multiple entry
• Group visa
• Zone and direction
• Date and time
It also covers past incidents of importance, unusual situations and patterns, and the instructions to be
presented to the Immigration Officer during the inspection, e.g.:
• Prior cases where the person was denied entry to the country
• Passport is registered as stolen
• Passenger is registered as deceased
Policy Configuration Systems
Policy Configuration Systems allow rules and policies to be updated in real time, without code changes
and without affecting system availability.
Rules and policies can be defined at:
• nation/country/arena/site levels
• government agency level
The following are examples of Configuration Systems that BCMS provides:
• Inspection process (e.g. what documents should be checked)
• Watch lists & instructions (e.g. definition of new agency)
• Winner logic
• Matching factor (e.g. maximum number of entries to be displayed)
• Identification criteria (e.g. biometric thresholds)
Figure 4 - Operator Management
User Management
BCMS provides hierarchy management of border immigration officers (Inspectors) and other agencies'
operators. The hierarchy is both site-oriented and agency-oriented. Regular Inspectors
handle the usual border crossing activity. In case of certain exceptions (e.g. identification of a person in a
Watch List) the handling may be transferred to the Chief Inspector residing at the same site. However, it is
possible to define that transactions performed by an operator from a certain agency are transferred, for
exception handling, only to the supervisor representing the same agency. Functions which each operator
type is authorized to perform are defined in the system configuration, which is controlled by the system
manager.
While all operators are on-site at big and medium sites, at small crossing points the supervisor
resides at a remote, bigger site.
Connectors to External Devices
BCMS supports integration with the following devices for fast and error-free identification:
• High resolution document scanner
• MRZ & RFID Passport reader
• Biometric verification system
Optionally:
• Magnetic swipe reader
• Gate pass printer
• LPR-OCR vehicle identifier
Figure 5 - Part of System Management Workflow
BIOMETRIC TECHNOLOGY
Karsof BioNet Security System (KBSS) is an automated fingerprint verification and identification system.
Apart from conforming to the standards listed below, the KBSS technology has the following features:
• 4096-bit dynamic, multi-layered encryption
• Lowest fingerprint data storage - 16 bytes
• Very fast fingerprint identification:
  • One-to-One (1:1) - 0.5 seconds
  • One-to-Many (1:N) - 0.5 seconds with 2.4 billion records
• Least false rejection rate (FRR) of 0.00001 and zero false acceptance rate (FAR) for One-to-One
  verification mode
• Least false rejection rate (FRR) of 0.00025 and zero false acceptance rate (FAR) for One-to-Many
  identification mode
The KBSS system uses the fingerprint as its biometric identification modality and conforms to the standards:
• Electronic Fingerprint Image Print Server (EFIPS)
• Data Format for the Interchange of Fingerprint Information (ANSI/NIST-CSL 1-1993)
• Data Format for the Interchange of Fingerprint, Facial & SMT Information (Addendum) -
  ANSI/NIST-ITL 1a-1997
• Electronic Fingerprint Transmission Specification (EFTS) - CJIS-RS-0010 (V7)
• IAFIS Image Quality Specifications (Appendix F) - CJIS-RS-0010 (V7)
• Interim IAFIS Image Quality Specification for Scanners (Appendix G) - CJIS-RS-0010 (V7)
• WSQ Gray-Scale Fingerprint Image Compression Specification
KBSS supports the following applications:
• Central repository storing all biometric, photographic and textual information of personnel such as
  immigration offenders;
• Screening, accepting and capturing the fingerprint images of the suspected immigration offender
  in order to verify and identify the identity of the suspected immigration offender;
• Registration, capturing and storing the records of immigration offenders;
• Fingerprint matching, which performs the identification and verification of the individual based on the
  fingerprint images provided as input from the central repository of fingerprint images.
KBSS features an Application Program Interface (API) that allows applications based on KBSS to be
customized to fulfill requirements.
PKI ARCHITECTURE & INFRASTRUCTURE
The PKI infrastructure for electronic certification systems includes digital certificate management systems and
advanced services for validating certificates and time-stamps.
The solutions are entirely scalable, modular and integral, and include a complete security system
designed in compliance with recommendations from CEN (European Committee for Standardization) and
ETSI (European Telecommunications Standards Institute). These recommendations affect the security
and operation requirements of Trusted Systems for Managing Digital Certificates and Electronic
Signature.
The family of electronic certification solutions is made up of the following products:
• KIIS CA: Contains the functions required to issue public key certificates according to the syntax
  defined in ITU-T X.509v3. Furthermore, optional components can be added (for instance, add-ins)
  which provide functions for issuing CRLs and making backup copies of keys.
• KIIS VA: Contains the functions required to issue proof of the validity of specific certificates in
  compliance with the Internet Engineering Task Force (IETF)'s Online Certificate Status Protocol
  (OCSP).
• KIIS TSA: Brings together the functions required for issuing proof of the existence of specific data
  at a given time, according to IETF's TSP protocol.
• KIIS RA: Contains the functions required to record end-entity data, generate the corresponding
  certification requests, perform revocation requests, deliver certificates to their owners and publish
  certificates in repositories.
• KIIS LRA: A special type of application that is capable of downloading code stored in KIIS CA and
  running it locally. Although the functions of this code can be of any sort, they are usually those
  typical of a remote registration system that sends certification and revocation requests to KIIS CA
  for immediate processing (online, for instance), managing both the data contained in the
  certificate and that which refers to the design and printing of smartcards.
Figure 6 - Security Services Platform
SECURITY SERVICES PLATFORM
KIIS Security Services Platform [SSP]
Today, Web services (WS) and service-oriented architecture (SOA) technologies make it possible to
security-enable applications by having them consume specialized services. This approach, which
achieves interoperability through Web service standards, brings agility to software development and
maintenance.
With the SSP platform, we offer a complete web services platform designed to allow fast and efficient
integration of security services (authentication, electronic signature and data protection) in applications. The
service-oriented architecture improves flexibility and allows the better scalability, availability and
management required for critical business processes.
The SSP platform includes:
• A set of global services and security standards based on Public Key Infrastructure (PKI).
• Centralized user and resource management, facilitating unified access control and federation.
• Uniform and centralized log information management and its auditing.
Functions
The security services included in the SSP platform are based on Public Key Infrastructure (PKI) standards
and are service-oriented, regardless of whether the user is an application, an end user or another service.
• Electronic signature: Functions for validation and electronic signature generation. It supports
  different signature formats and digital certificate verification mechanisms in a transparent way.
  The service also offers the generation and custody of electronic evidence, guaranteeing
  long-term signature verification.
• Data protection: This functionality provides data protection through encryption and data custody,
  guaranteeing that the data is maintained over time and that access is controlled and limited to
  authorized entities.
• Key management: The platform includes its own key management service that standardizes
  functionalities such as key registration, revocation, retrieval and verification of the entities.
• Authentication, authorization and access control: This functionality is common to all service
  components and provides authorization, authentication and access control to registered entities,
  enabling unified access control throughout the whole platform (between users, web services
  and applications).
• Object and entity management: Through a common service component, a uniform information
  model based on XML is provided for all platform objects and entities. This unique feature allows
  masking of different data structures (XML, ASN.1, Text, etc.), different information resources
  (LDAP, SQL, Files, etc.) and different locations (local, remote, Intranet, extranet, etc.). The
  component allows registering, consulting and modifying the information of entities and in
  particular the identity, configuration, auditing and other XML documents.
• Auditing and accounting: A service that traces the information (logs) of all platform service
  components and service information in a uniform, centralized and secure manner, as well as the
  information on usage and service consumption. All kinds of reports can be generated through
  controlled access to all the activity information.
Technical features
• Web Services infrastructure: WSDL, UDDI and SOAP.
• Security services: OASIS WSS, SSL/TLS, SASL, OASIS SAML and Liberty ID-WSF. OASIS DSS
  digital signature service. XKMS key management.
• Digital envelope standards: PKCS#7, IETF CMS, ETSI TS 101733, W3C XMLDSig, W3C
  XMLEnc, ETSI TS 101903, W3C XAdES, PDF electronic signature according to IETF and S/MIME.
• Digital time stamp support: IETF TSP Time stamp protocol.
• Verification of Digital Certificate status: Through CRLs or IETF OCSP protocol.
• Directory support: LDAP protocol.
• HSM support: PKCS #11 devices certified by country specific PKI CA.
SSP includes optional components that provide advanced data management functionalities:
• SSP Data Signature Custody (TWS-DSC). Electronic signature custody service that can maintain
  the signature time. The service allows verification that a digital signature was generated and
  verified while the digital certificates were valid and were not revoked.
• SSP Digital Encipherment (TWS-DE). Ciphering and deciphering service for documents in
  PKCS#7/CMS and XMLEnc formats.
• SSP Data Encipherment Custody (TWS-DEC). Document key encryption custody service that
  guarantees long-term data access.
• SSP Key Management (TWS-KM). Key management service that provides key generation,
  registration, retrieval and verification services.
THE MALAYSIAN CASE STUDY
The Malaysian Government's efforts to develop a smart and safe border identified four main categories of
people crossing borders every day: visitors, foreign workers, students and citizens.
The Government of Malaysia has implemented biometric security systems at all entry and exit points. All
foreign workers and citizens are required to verify their identities by using biometric fingerprints and/or
chip-based passports. This enables officers to promptly identify and detain illegal immigrants. During the
process of verification, the system will also check with various blacklists.
Karsof is the biometric technology inventor, patent holder, and solutions provider identified by the Home
Ministry to implement a "smart border" security solution in Malaysia. To achieve this, we adopted a new
approach.
We implemented Karsof biometric technology and other Karsof technologies for monitoring and
controlling illegal and over-staying immigrants and foreign workers. Coupled with Karsof Total Security
System at all entry and exit points, we delivered a complete solution that meets the "smart border"
definition.
Following the successful implementation of the Karsof Total Security System at all entry and exit points,
Karsof biometrics technology has evolved into a complete integration of systems protecting Malaysia from
border security threats.
Karsof Foreign Worker System
The Foreign Worker system is available at all entry and exit points. Foreign workers entering the country
need to register their fingerprint data to verify that they have the required visas to enter and are not in
the blacklists database.
Karsof Illegal Immigrant Management System
The Illegal Immigrant Management system is used when an illegal immigrant is arrested. They will be
taken to the depot, and all fingerprints and a photograph are captured. All procedures are paperless. The
illegal immigrant will be sent back to their home country and the information captured will be updated into
the blacklists database.
Karsof Foreign Worker Monitoring System
The Foreign Worker Monitoring system is made available to more than 60 foreign worker agencies. The
Malaysian Home Ministry can now ensure that these workers are verified daily, and that their movement
is continually monitored. In addition, the system allows employers and the Ministry to keep track of visa
expiry dates to avoid over-staying foreign workers. The payroll system monitors payments to these
workers, hence ensuring that disgruntled employees do not become internal security threats.
Figure 7 - eDocument Reader with Forensic
Figure 8 - FingerPrint Reader
Figure 9 - eID Reader
Karsof Secure Foreign Worker Card
The Secure Foreign Worker card enables enforcement officers to check foreign workers and their visa
status anywhere and at any time, as the mobile card reader system links to the central database.
Karsof Amnesty System
The Amnesty system enables the Home Ministry to determine that deportees sent back by the
government are able to return as legal foreign workers by sharing a central database with Malaysian
embassies in other countries before issuing travel visas. This system is in place for a limited time only.
The Home Ministry can view management information system (MIS) reports in real time, with information
such as the total number of foreign workers and a complete breakdown of numbers according to entry
and exit points. They can also view the total number of illegal immigrants detained in each depot and the
total number returned to their home countries.
Karsof solutions are robust and give top management and enforcement management universal, secure
access to the central database, enabling them to take prompt and accurate action
when the need arises.
About the technology
Karsof technology provides complete solutions. The highly-secure Karsof biometric technology solution
encompasses five patent pending inventions, of which "Karsof Biometric authentication over the Web"
was granted a patent in the year 2005.
Karsof solutions are proven to perform at optimal levels in real-life, mission-critical environments,
and all implemented locations are linked through broadband connections. It is crucial to have a dual
network failsafe; if one critical solution goes down, another takes over automatically using the Karsof
Business Continuity System. In the event that the broadband connection fails, we will be able to use
satellite communications technologies to transfer data, ensuring the continuity of operations.
For enhanced security, Karsof Network Security offers encryption for our Web-based system and provides
network infrastructure security at all locations.
All of our solutions use open source architecture and are cost effective. In fact, our solutions are
accessible through portable devices such as PDAs, mobile phones and notebooks with the use of
3G/GPRS technology.
The implemented systems and technology offer the following:
1) Unique: a measurable characteristic of identification that is difficult to counterfeit.
2) Accurate: Karsof biometrics verification and authentication is proven to be highly accurate with
zero false identification.
3) Secure: Using patent pending, highest Karsof encryption technology.
4) Least intrusive: Karsof encryption methodology ensures that the data cannot be misused.
5) Cost effective: Cost effective roll out of solutions.
6) Scalable and Interoperable: Proven to integrate with other local and international enforcement
systems.
7) Compatibility: Data sharing has already been proven in Malaysia. Our biometrics security
solution is currently accepted as a best practice by Asia-Pacific Economic Cooperation (APEC).
8) Control: The system is designed to be tamper-proof and has sound management modules
with a high level of encryption for different authority levels.
CONCLUSION
Based on the Malaysian case study and the above-mentioned points, Karsof biometrics technology
successfully addresses crucial aspects of border security, greatly contributing towards creating a "smart
border" environment in Malaysia.
Through our hands-on experience, we have acquired valuable knowledge with regard to the use of
biometrics technology for border security, and conclude this discussion with recommendations for the
following measures:
1) Security improvement of all ports of entry (POE) through biometric technology
2) Requiring the verification of travelers' identities before leaving a country
3) Checking the authenticity of travel documents with the authorities of the traveler's source country
(with forensic option)
4) Watch list and blacklists data sharing among countries
5) International cooperation
6) Wide-scale systems integration
CONTACT US
• For more information, visit our website at: www.karsofsystems.com
• Or email us at info@karsofsystems.com
• Or give us a call on (877) 9KARSOF or (877) 952-7763
Jeff Rosen - Vice President Sales
Barney T. Villa - Senior Vice President