On the Security of E-Passports
by Marc Witteman - CTO of Riscure - Monday, 3 December 2007.
The global introduction of electronic passports is a large coordinated attempt to increase passport security. Issuing countries can use the technology to combat passport forgery and look-alike fraud. While addressing these security problems, other security aspects, such as privacy, should not be overlooked. This article discusses the theoretical and practical issues that impact security for both citizens and issuing countries.

Existing legacy passports are paper based and use corresponding security features. Despite advanced optical security features, paper-based travel documents are vulnerable to fraud. Two forms of fraud are most notable:
  • Passport forgery; a relatively complex approach where the fraudster uses a false passport, or makes modifications to a passport.
  • Look-alike fraud; a simple approach where the fraudster uses a (stolen) passport of somebody with visual resemblance.
The ICAO (International Civil Aviation Organization) has been working on what it calls MRTD (Machine Readable Travel Document) technology for quite a while. This technology should help to reduce fraud and support immigration processes. The MRTD specifications became a globally coordinated attempt to standardize advanced technology to deliver strong identification methods. Rather than using common practices from the security industry, the MRTD standards aimed at a revolutionary combination of advanced technology, including contactless smartcards (RFID), public key cryptography, and biometrics.

The MRTD specs support storage of a certificate proving authenticity of the document data. The signed data includes all regular passport data, including a bitmap of the holder’s picture. Further data that may be stored in the e-passport include both static and dynamic information:
  • Custody Information
  • Travel Record Detail(s)
  • Endorsements/Observations
  • Tax/Exit Requirements
  • Contact Details of Person(s) to Notify
  • Visa
Since 2005 several countries have started issuing e-passports. The first generation of e-passports includes some, but not all, of the planned security features. Biometric verification is generally not supported by the first generation. All 189 ICAO member states are committed to issuing e-passports by 2010. From 2007 onward immigration services will start using e-passports. Authorities promote e-passports by issuing visa-waiver programs for travelers with e-passports. A passport that conforms to the MRTD standard can be recognized by the e-passport logo on the cover.

Figure 1: The Electronic Passport logo.

Electronic Passport security mechanisms

With the aim of reducing passport fraud, the MRTD specs primarily addressed methods to prove the authenticity of the passport, its data, and the passport holder. The technology used for this includes PKI (Public Key Infrastructure), dynamic data signing and biometrics. The latter (biometrics), however, is still under discussion and not yet fully crystallized in the specifications.

Passive Authentication

PKI (Public Key Infrastructure) technology was chosen to prove the authenticity of the passport data. This technology is successfully applied on the internet for e-commerce, and has gained high popularity. Certificate-based authentication requires only that the inspection system read the certificate; it can then use a cryptographic computation to validate the authenticity using the public key of the issuing country. This method is called passive authentication and works with RFID chips that have no public key cryptographic facilities, since it involves only reading static data. Although the authenticity of the data can be verified, passive authentication does not guarantee the authenticity of the passport itself: it could be a clone (an electronically identical copy).
