Entrust Digital Signatures Help Protect ePassports

• Jan 10, 2008

When the Department of State decided to move to digital passports -- also known as ePassports -- it also recognized there was an opportunity to add another layer of security to these credentials, and tapped Entrust Inc. to provide the public key infrastructure (PKI)-enabled digital signatures.

A function known as non-repudiation, the digital signature verifies that the digital credential has, in fact, been issued by the Department of State and that it has not been tampered with since its issuance. To date, the Department of State has surpassed the 18 million milestone mark for deploying the new ePassports.

"The digital signatures on the new passports illustrate how PKI technology is being used in a number of new applications, reinforcing PKI as the gold standard for digital security," said Entrust Chairman, President and CEO Bill Conner. "It's really a 'PKI 2.0' trend we're seeing in the market right now. More organizations are realizing the value and unprecedented scalability PKI technology affords them when deploying and managing security for digital identities and information -- especially on a mass scale like this."

Since August 2006 only ePassports have been issued in the United States. As security guidelines to travel between the United States, Mexico, Canada and the Caribbean now require a valid passport, the issuance of ePassports has risen dramatically. This increase is expected to continue, with an eventual production of 15 to 18 million ePassports annually.

"Along with the U.S., we have been able to help secure ePassports and national ID cards in Spain, Singapore, Saudi Arabia, New Zealand, Slovenia and others," Conner said. "This security feature can also help prevent these credentials from being counterfeited, which adds a greater level of assurance to both the border patrol officials, as well as the travelers themselves."

ePassport travel documents contain an electronic chip that stores sensitive personal information that can be verified against the data on the passport as well as against the individual at the border control point. Although U.S. ePassports currently store a digital facial image, the documents have the capability to securely include digitized photographs, fingerprints or other biometrics. To protect these assets, PKI is an integral technology for the security and verification infrastructure of ePassports. The Entrust Authority PKI portfolio is one of the leading solutions to support this capability.

The Department of State has employed a multilayered approach to protect the privacy of the information contained on the ePassport. In addition to a metallic cover that prevents skimming or eavesdropping of the information while the document is closed, Basic Access Control (BAC) technology is used to "unlock" the data on the chip. A PKI digital signature enables alteration or modification of the data on the chip to be detected and enables authorities to validate and authenticate the data.

Modular and fully integrated, the Entrust Authority PKI portfolio is built on the foundation of Entrust Authority Security Manager, the certification authority (CA) system responsible for issuing and managing digital identities. Optional components help organizations manage the entire lifecycle of PKI certificates. Approximately 1,000 government and commercial organizations have purchased Entrust PKI solutions since Entrust brought its first PKI to market in the 1990s.

On the horizon, the next generation of ePassport technology is already being considered. Enhanced security, known as Extended Access Control (EAC), provides an additional layer of security to control access to sensitive information, such as biometric fingerprints and iris scans on these next-generation ePassports. EAC also specifies protocols for authenticating the chip and inspection system to each other. Not based on the X.509 standard, EAC will leverage a different type of certificate known as a card verifiable (CV) certificate.

The EAC concept was introduced by the International Civil Aviation Organization (ICAO) in liaison with the International Organization for Standardization (ISO). EAC technical details, including certificate profiles and protocol specifications, are initially being defined by the Brussels Interoperability Group (BIG) for use within Europe. Entrust actively is participating in BIG as well as in the ISO Task Force on Security for ePassports. These next-generation ePassports, using EAC, will be required by all European Union (EU) Schengen member States by June 2009. Deployment mandates for the United States have yet to be determined.