VALIDATING E-PASSPORTS AT THE BORDER: THE ROLE OF THE PKD R RAJESHKUMAR CHIEF EXECUTIVE AUCTORIZIUM PTE LTD

Similar documents
Verifying emrtd Security Controls

Experiences of w S itz w e itz rland

E-Passport validation: A practical experience

E-Passport Validation: A practical experience

EU Passport Specification

A Trust Infrastructure for epassports

TECHNICAL ADVISORY GROUP ON MACHINE READABLE TRAVEL DOCUMENTS (TAG/MRTD)

A National Public Key Directory

The epassport: What s Next?

2 Electronic Passports and Identity Cards

Technology Advances in Authentication. Mohamed Lazzouni, SVP & CTO

The New Seventh Edition of Doc Barry J. Kefauver Nairobi, Kenya November 2015

Biometric Passport from a Security Perspective

September OID: Public Document

Future Expansion for emrtd PKI Mark Joynes, Entrust

Machine Readable Travel Documents

Introduction of the Seventh Edition of Doc 9303

LDS2 Concept and Overview: Exploring Possibilities in Travel Border Clearance

EXBO e-signing Automated for scanned invoices

Roadmap for Implementation of New Specifications for MRTDs

Security Digital Certificate Manager

IBM. Security Digital Certificate Manager. IBM i 7.1

Document reader Regula 70X4M

SSL Certificates Certificate Policy (CP)

Validation Policy r tra is g e R ANF AC MALTA, LTD

PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

IFY e-signing Automated for scanned invoices

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

Introduction to Electronic Identity Documents

Apple Inc. Certification Authority Certification Practice Statement

Sparta Systems Stratas Solution

IBM i Version 7.2. Security Digital Certificate Manager IBM

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

Apple Inc. Certification Authority Certification Practice Statement

An Overview of Electronic Passport Security Features

Overview of the Resource PKI (RPKI) Dr. Stephen Kent VP & Chief Scientist BBN Technologies

e-authentication guidelines for esign- Online Electronic Signature Service

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Bugzilla ID: Bugzilla Summary:

Conformity and Interoperability Key Prerequisites for Security of eid documents. Holger Funke, 27 th April 2017, ID4Africa Windhoek

This paper focuses on the issue of increased biometric content. We have also published a paper on inspection systems.

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

Austrian State Printing House

Technical Trust Policy

ECA Trusted Agent Handbook

Leveraging the LincPass in USDA

10 minutes, 10 slides, goals, tech details and why it matters. Decentralized ID & Verifiable Claims

CERTIFICATE POLICY CIGNA PKI Certificates

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

Part 9: Deployment of Biometric Identification and Electronic Storage of Data in MRTDs

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Whitepaper: GlobalTester Prove IS

An Overview of Electronic Passport Security Features

THE BUSINESS VALUE OF EXTENDED VALIDATION

Transportation Worker Identification Credential (TWIC) Steve Parsons Deputy Program Manager, TWIC July 27, 2005

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Entity authentication assurance framework

Lecture Note 6 KEY MANAGEMENT. Sourav Mukhopadhyay

TeliaSonera Gateway Certificate Policy and Certification Practice Statement

Sparta Systems TrackWise Solution

SECURITY TARGET LITE FOR IDEAL PASS V2.0.1 EAC WITH PACE APPLICATION

Federated Access. Identity & Privacy Protection

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

Sparta Systems TrackWise Digital Solution

Machine Readable Travel Document with ICAO Application", Basic Access Control

(1) Jisc (Company Registration Number ) whose registered office is at One Castlepark, Tower Hill, Bristol, BS2 0JA ( JISC ); and

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

U.S. E-Authentication Interoperability Lab Engineer

WP doc5 - Test Programme

Single Secure Credential to Access Facilities and IT Resources

Electronic passports

Security Target Lite for CEITEC epassport Module CTC21001 with EAC

IBM KeyWorks Accelerate Development of your Secure e-business Solutions Sekar Chandersekaran IBM

Public Key Infrastructure

GLOBAL PKI TRENDS STUDY

Trust Anchor Constraint Tool (TACT) v1.2.6 User Guide

Mobile: Purely a Powerful Platform; Or Panacea?

Public-key Cryptography: Theory and Practice

Volvo Group Certificate Practice Statement

AlphaSSL Certification Practice Statement

Some Lessons Learned from Designing the Resource PKI

Helping Meet the OMB Directive

Signe Certification Authority. Certification Policy Degree Certificates

STATUS: For NP ballot for development as a Type 2 Technical Report.

SWAMID Person-Proofed Multi-Factor Profile

Configuration Guide - Single-Sign On for OneDesk

Public Key Establishment

Version 3 X.509 Certificates

Development Authority of the North Country Governance Policies

Public Key Infrastructure & esign in India November 2015

Version 3.4 December 01,

Web and e-registration Vendor Help Manual

Operational Research Consultants, Inc. (ORC) Access Certificates For Electronic Services (ACES) Certificate Practice Statement Summary. Version 3.3.

ITU activities on secure vehicle software updates

Security Target Lite for CEITEC epassport Module CTC21001 with BAC

IMPLEMENTING AN HSPD-12 SOLUTION

cryptovision s Government Solutions Adam Ross, Ben Drisch cryptovision GmbH

Visible Digital Seals for Non-Electronic Documents

FPKIPA CPWG Antecedent, In-Person Task Group

Transcription:

VALIDATING E-PASSPORTS AT THE BORDER: THE ROLE OF THE PKD R RAJESHKUMAR CHIEF EXECUTIVE AUCTORIZIUM PTE LTD

THE TRUST IMPERATIVE E-Passports are issued by entities that assert trust Trust depends on the requirements of the relying party Border Control of foreign countries E-Passports are Passports with a chip. The chip augments the security of the Passport, it does not replace it. Improper validation of E-Passport leads to a false sense of security.

WHAT DOES CHIP CONTAIN? Chip contains Logical Data Structure (LDS) with 16 Data Groups (DGs). DG1 contains the contents of the MRZ - mandatory DG2 contains photograph of the holder - mandatory DG3 contains fingerprint biometric Optional and so on Chip contains Security Data Object (SO D ) Contains hash of the Data Group present in LDS Contains a signature that encapsulates the stored hashes. 3

VALIDATING CONTENTS OF CHIP Extract each DG from LDS and hash it. Compare with hash stored in SO D If all hashes match, then verify signature of SO D using the Document Signing Certificate (DSC) used to sign the SO D DSC may be available on chip If not, DSC must be received from Issuing Authority 4

VALIDATING CONTENTS OF CHIP If signature passes, verify DSC using Country Signing Certificate Authority (CSCA) CSCA must be received from Issuing Authority If DSC is verified, check Certificate Revocation List (CRL) to check if DSC and CSCA are still valid CRL must be received from Issuing Authority CRL checking is blacklist checking 5

VALIDATING CONTENTS OF CHIP IF ALL STEPS SUCCEED, THEN CHIP IS NOT TAMPERED HOWEVER THIS IS NOT THE END OF THE VALIDATION. DG1 must match MRZ of the passport DG2 must match the face of the holder AT THIS POINT, FULL ASSURANCE OF INTEGRITY OF DOCUMENT 6

VALIDATION ISSUES DSC may not be on chip and not available through diplomatic means CRL may not be available or may not be latest CSCA exchange may not have been done with that country So, can you trust the E-Passport? 7

TRUST LEVELS Ideally, entire process must be completed. In real life, ideally does not exist. Treat E-Passport validation as a series of increasing confidence in the validity of the document. 8

TRUST LEVELS DSC is in whitelist Pre-approved DSCs CSCA and DSC verified against CRL DSC verified against CSCA Signature Verification successful DG hash compare successful Any check fails 9

PRE-APROVED DSC Reliability of DSC Any certificate issued under the CSCA can sign a document Document Signer - has intent and authorization to sign travel documents Receive list of DSCs used to sign passport from the Issuing Authority White List of Document Signers. 10

OPERATIONAL ISSUES Getting a white list of Document Signers from all E- Passport Issuing agencies DSCs are issued at least every three months by 70 Passport issuers. Bilateral Exchange is complicated and time consuming CRL distribution CRLs are issued at least once every 90 days. Some Issuers are issuing CRL every 48 hours. If there is a compromise, an emergency CRL will be issued between the regular updates. CSCA distribution Diplomatic channels may not be in place to exchange CSCAs in time 11

OPERATIONAL ISSUES Issuing Authority Contacts If a batch of passports fail validation, the Issuing Agency must be contacted to check on this. There is no Address Book which lists all the addresses of the Passport Issuers and their contact details. Compliance to Doc 9303 Certificate Profile has 18 fields With the different values allowed per field, total permutations possible is not manageable Managing the consequences of the various permutations is not practical Best if all issuers followed a single profile Need a reference implementation and control 12

THE PUBLIC KEY DIRECTORY Single repository of validated DSCs and CRLs Repository of Master Lists published by Participants CSCA Registry Yellow Pages for the Passport Issuance Agency of the Participant Compliance reference for DSC/CRL/ML against Doc 9303 13

MASTER LIST For CSCA Exchange: If all countries published the list of CSCAs that they have received, comparison and validation can be done CSCA Master List Country C - Country A - Country B Country A ML - Country A - Country B - Country C Country B ML - Country A - Country B - Country C - Country D OTHERS HAVE THE SAME CSCA If we trust Country B, then we can use Country D CSCA at border 14

STRUCTURE OF THE PKD Country upload point a mailbox for Passport Issuers to upload their DSC, CRL and Master List An internal process of validation and due diligence A Download directory where validated entries are available for download

STRUCTURE OF THE PKD Supply side Passport authorities Regulatory body Compliance (ICAO) Market formed by members Technology platform (Netrust) Demand side Border Control

COMPONENTS OF THE PKD Two locations connected through redundant MPLS connection Synchronised in real time 4 directories each location + 2 backup directories Upload is the only directory that can be accessed by the internet. Copy of data from Upload to Staging directory handled by software Montreal Operations office Can only connect to Netrust datacenter through VPN CSCAs of Participants are maintained in HSM

18

NON CONFORMANT ENTRIES A Participant s CSCA, DSC or CRL may not be compliant to Doc 9303 There are valid passports in circulation issued using these non-conformant credentials and cannot be ignored PKD allows for the publishing of nonconformant entries

PUBLISHING OF ENTRIES The PKD board has approved a list of Machine Readable Error Codes (MREC) to list the deviations in the CSCA, DSC or CRL. All entries with deviations are published along with MREC to allow downloading entities to differentiate the entries and decide whether to accept them at border or not in an automated fashion.

PUBLISHING OF ENTRIES The intent is to allow all entries into the PKD, while ensuring that all Participants will eventually be fully compliant to Doc 9303.

DOWNLOADING OF ENTRIES Web based access anybody can download only complete ldif can be downloaded. Participants use LDAP access to download Either full LDIF or can do ldap query. Authentication is username+password over SSL Main concern is quality of service, not access control

DOWNLOADING OF ENTRIES Accessible at https://pkddownloadsg.icao.int https://pkddownloadth.icao.int Script prevention measures in place Version number is listed and file is available for download Checksum available at https://pkddownloadsg.icao.int/icao/pkdchksum.jsp https://pkddownloadth.icao.int/icao/pkdchksum.jsp Soon, law enforcement of non-participants will be able to automate download as well

VENDOR TEST BENCH Available to any vendor interested in implementing the PKD interface. A one time charge of US$9,600 Allows for access and support for 6 months for implementing the PKD interface and allows access to Doc 9303 compliance tool. If Interface Specifications change, registered vendors will get another 6 months of access for free. Currently five registered vendors: Entrust, Bundesdrukerei, Primekey, IRIS/Digicert, Oberthur

PKD ADVANTAGES Authoritative source of validated DSCs and CRLs Authoritative source of country CSCAs through CSCA master list Yellow pages for contacting the Passport Issuing agency of each Participant A reference for compliance to Doc 9303 for Certificates and CRLs Defect lists are being discussed and might soon be a part of the PKD

OTHER CONSIDERATIONS AT BORDER DSC, CRL and CSCA must be available at each terminal 26

OTHER CONSIDERATIONS AT BORDER All Terminals must be up to date with CRL at least 27

TRUST LEVEL Too Many Error Codes can confuse officer Concept of mapping error codes to trust level 5 trust levels -1 Forged document 0 Not an E-Passport 1 Document okay but full validation not possible 2 Document okay and fairly confident about document integrity 3 Document integrity guaranteed 28

THANK YOU R Rajeshkumar E-mail: R.Rajeshkumar@auctorizium.com rraj88@gmail.com 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback