How to Best Benefit From an e-Passport’s Security
Around 50% of the countries that have switched from a non-electronic to an e-Passport (also known as a biometric passport) are not benefiting from its new security potential. The reason is that they share the certificates that validate the personal data of a traveler on the e-Passport inefficiently, and sometimes they do not share them at all. These issuing countries risk having made all their efforts in transitioning to an e-Passport in vain.
What Happens if You Don’t Manage Your Certificates Effectively?
When travelers go through border control, their e-Passport is checked and the chip is read. To verify the information read from the chip, border control must hold a copy of the issuing country's certificate, which carries the public key that validates that country's digital signature. If the chip data carries a valid signature from the country of issue, border control can be confident that the data has not been altered and the passport is not a forgery. For one country to check the digital signature of another, certificates need to be shared between them beforehand. If that has not been done, the e-Passport cannot be authenticated properly. In other words, you cannot be sure a passport that has Hong Kong written on it is really a Hong Kong passport issued by that government.
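As an added illustration (not code from the original post or from HID), the following Go program models the check described above: an issuing state signs its chip data with a key whose certificate other states must hold, and border control verifies the signature only against the certificates in its own trust store. The function names (NewCSCA, SignChip, VerifyChip) are assumed, the chip data is constructed, and the signing chain is simplified: a real e-Passport has a Document Signer certificate between the Country Signing CA and the chip's signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewCSCA models a state's Country Signing CA: a key plus the self-signed certificate other states must hold.
// Assumption: the CSCA signs chip data directly; real e-Passports add a Document Signer certificate.
func NewCSCA(country string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{Country: []string{country}, CommonName: country + " CSCA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // the parsed certificate is what gets shared
	return key, cert, err
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] } // SHA-256 of chip data

// SignChip is the issuing state's signature over the chip data (stand-in for the SOD).
func SignChip(key *ecdsa.PrivateKey, chipData []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, digest(chipData))
}

// VerifyChip is the border-control check: issuer certificate in the local trust store, signature over chip data.
func VerifyChip(store *x509.CertPool, issuer *x509.Certificate, chipData, sig []byte) error {
	if _, err := issuer.Verify(x509.VerifyOptions{Roots: store}); err != nil {
		return errors.New("issuer certificate not trusted: " + err.Error()) // never shared
	}
	if pub, ok := issuer.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest(chipData), sig) {
		return errors.New("chip data signature invalid") // altered data or a different key
	}
	return nil
}
```

A verifier whose trust store lacks the issuing state's certificate fails at the first check regardless of whether the passport is genuine; filling that store is what certificate sharing is for.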
Five Different Ways to Share Certificates — But Only One That is Efficient
There are five different ways to share certificates:
- Via diplomatic channels, as when a representative of one country hands over the certificates on a USB key to a representative of a foreign country
- Via a master list, where a larger country or regional organization sponsors the trustworthiness of an issuing country’s certificates
- Via a website, where a country publishes its certificates for all to see and download
- Via email, which is also inefficient given the effort of maintaining an up-to-date distribution list, sending out the emails and confirming they have been received correctly
- Via the ICAO Public Key Directory (PKD), a centralized directory of shared certificates
To put some numbers behind these ways of sharing certificates: if 191 countries choose to share and receive certificates through bilateral agreements with one another, 35,910 exchanges would be necessary in total, whether by mail or on a USB stick. How likely do you think it is that there will be mistakes and misplacements in that process?
ICAO PKD — The One and Only
The International Civil Aviation Organization (ICAO) created the ICAO PKD, a centralized directory, to facilitate the sharing of certificates between states. A country that joins the ICAO PKD can focus its efforts and build trust in its e-Passports by sharing its certificates with ICAO. Using this approach, ICAO ensures the correctness and trustworthiness of the certificates, and other countries only need to access the directory to download all the certificates of the member states. Not 35,910 exchanges; just 2 if you are a member. Much less work for everyone and much more trust in e-Passports.
Becoming a member of the ICAO PKD is not difficult, certainly not with the right support. Besides the established process that countries need to go through, future member states need a national PKD service to connect with the ICAO PKD securely, which can be provided by identity solution experts such as HID Global.
If you need support or would like to understand how HID Global can help you, contact us. If you are thinking of switching from a conventional passport to an e-Passport, read our previous blog or our white paper on the benefits of the e-Passport migration.
For more information check out our infographic.
Natascha Trivisas is Product Marketing Manager at HID’s Citizen Identity Business Area in Hong Kong. She works closely with product managers and sales organizations across the globe. She defines the most important part of a product or solution from a customer’s perspective and determines how to communicate it in an understandable way.