Browse archive

Latest news

The security of WordPress plugins

How to detect hidden administrator apps on Android

Key obstacles to effective IT security strategies

CyanogenMod founder aims to thwart data-grabbing apps

Businesses not fully implementing infosec programs

Is accessing work apps on the move destructive?

Microsoft releases Enhanced Mitigation Experience Toolkit 4.0

New regulation for ENISA, the EU cybersecurity agency

F-Secure advances fight against exploits

Free anti-spam software for the Mac

Information security executives need to be strategic thinkers

U.S. tech companies sharing bug info with U.S. govt before releasing fixes

Account takeover attempts have nearly doubled

It takes 10 hours to identify a security breach

Guccifer hacks U.S. nuclear security agency chief

British GCHQ spied on G20 delegates to gain advantage in talks

Hacking charge stations for electric cars

On the Security of E-Passports

by Marc Witteman - CTO of Riscure - Monday, 3 December 2007.

The global introduction of electronic passports is a large coordinated attempt to increase passport security. Issuing countries can use the technology to combat passport forgery and look-alike fraud. While addressing these security problems other security aspects, e.g. privacy, should not be overlooked. This article discusses the theoretical and practical issues, which impact security for both citizens and issuing countries.

Existing legacy passports are paper based and use related security features. Despite of advanced optical security features paper based travel documents are sensitive to fraud. Two forms of fraud are most notable:

Passport forgery; a relatively complex approach where the fraudster uses a false passport, or makes modifications to a passport.
Look-alike fraud; a simple approach where the fraudster uses a (stolen) passport of somebody with visual resemblance.

The ICAO (International Civil Aviation Organization) has been working on what they call MRTD (Machine Readable Travel Document) technology for quite a while. This technology should help to reduce fraud and support immigration processes. The MRTD specifications became a globally coordinated attempt to standardize advanced technology to deliver strong identification methods. Rather then using common practices from the security industry the MRTD standards aimed at a revolutionary combination of advanced technology, including contactless smartcards (RFID), public key cryptography, and biometrics.

The MRTD specs support storage of a certificate proving authenticity of the document data. The signed data includes all regular passport data, including a bitmap of the holder’s picture. Further data that may be stored in the e-passport include both static and dynamic information:

Custody Information
Travel Record Detail(s)
Endorsements/Observations
Tax/Exit Requirements
Contact Details of Person(s) to Notify
Visa

Since 2005 several countries have started issuance of e-passports. The first generation of e-passports includes some, but not all, of the planned security features. Biometric verification is generally not supported by the first generation. All 189 ICAO member states are committed to issue e-passports by 2010. From 2007 onward immigration services will start using e-passports. Authorities promote e-passports by issuing visa-waiver programs for travelers with e-passports. A passport that conforms to the MRTD standard can be recognized by the e-passport logo on the cover.