According to a survey conducted by ICAOís NTWG, over 500 million e-Passports, issued by more than a 100 different states and non-state entities, are in circulation today. This is a tremendous success, taking into account that the introduction of e Passports on a large scale only started in 2004. As these documents must all be verified in an efficient and reliable way, Roman Vanek strongly recommends that issuing authorities and border control authorities should join the ICAO PKD to enhance border control security and to facilitate cross border travel.
As air traffic and passenger numbers are expected to grow substantially over the coming years, border control authorities, airport operators and airlines are looking at ways to handle these growing numbers efficiently, while at the same time having to compensate for tight budgets by increasing their efficiency and productivity. Travellers and citizens on the other hand wish to cross borders as hassle-free and quickly as possible while expecting maximum security and facilitation. There are different ways to meet these sometimes diverging requirements. Many countries see automated gates that might even include a self-service security scan as a possible way out, whereas other countries just increase the number of staffed control gates. But no matter what kind of border control operation countries are looking for, if they wish to authenticate e-Passports in a correct and efficient way they should make use of the ICAO Public Key Directory (PKD).
What is the Public Key Directory?
The RFID chip embedded in an e-Passport stores at least the holder’s photo and personal information found in the-Passport data page. Public Key Infrastructure (PKI) technology is used to prevent that the information stored on the chip is being altered.
In addition to the holder’s information, the e-Passport chip stores a country specific digital security feature, known as a digital signature, which is derived from the country’s security certificates, i.e. Document Signer Certificates (DSCs), Certificate Revocation Lists (CRLs) and the Country Signing Certificate (CSCA). These digital signatures are unique to each passport and country and can be verified using the public key certificates of the issuing country. When the e-Passport is scanned and the chip data is read, its authenticated digital signature tells border authorities that the data on the chip is authentic, that it was issued and signed by the given country and that it has not been tampered with.
To be used effectively, border and other authorities must have access to the security certificates of all e-Passports issuing countries. This is where the ICAO Public Key Directory (PKD) comes into play: a central repository for certificates that has been created to facilitate the sharing and use of certificates. In 2007 the PKD went into operation, based on the initiative of Australia, New Zealand, Canada, United States of America, United Kingdom and Singapore. Today, 37 countries participate in the PKD (see figure 1). This may seem a small number, but when these figures are put into context with the overall number of issued e-Passports, it is a very different picture. In fact, based on a survey conducted by ICAOs NTWG 74 % of the e-Passports issued up until now have been issued by a PKD participant. This means that border control authorities that use the PKD have access to the elements necessary to successfully authenticate the majority of the e-Passports in circulation.
Reasons for using the PKD
The PKD provides an organised, simple, secure, seamless and cost-effective system for the sharing of validated up-to-date information. It enables national authorities to automatically upload certificates to a single and secure multilateral technical platform after a secure initial CSCA certificate exchange with ICAO.
For the validation of e-Passports, countries should set at least two – some might even chose three – conditions:
1. The border control system must know the CSCA, which is the root of trust under which a country issues its travel documents.
2. The border control system must know whether these certificates are still valid or whether they have been revoked and published in a CRL, which is essentially a ‘blacklist’ of DSCs, the certificate signed by a Country CSCA. ICAO Doc 9303 requires CRLs to be issued at least every 90 days. Some countries are issuing CRLs every 48 hours.
3. Some border control operators also want to receive the DSC from an independent source.
It is strongly recommended that border control authorities make use of the PKD for these checks and download the available certificates, master lists and revocation lists. One could argue that this is not necessary and that there are other ways to get hold of the certificates. And yes, there are other ways; however, none of them is so convenient and reliable. The PKD is the only independent source for validated up-to-date information. The Master Lists, which are also available from the PKD and which contain validated CSCAs of other countries by other participants, give access to CSCAs even if a country has not yet established the initial CSCA exchange with all e-Passports issuing countries. Looking at the operational experience in Switzerland, getting hold of the CSCA of a country and the means to validate it independently through a thumbprint comparison proved to be one of the real-life challenges when implementing e-Passport based border controls. The Master List scheme gives the border control authorities a valid alternative to the bilaterally not always feasible CSCA exchange. By comparing CSCAs which have been received through bilateral means to the CSCAs existing in the published Master Lists, an added measure of assurance can be derived for the CSCA.
PKD participation of border control agencies
Countries participating in the PKD are traditionally represented by their e-Passport issuing authority, but the focus now has to be shifted towards the control authorities. Even if a country doesn’t issue e-Passports yet, it should join the PKD and be represented in the PKD by its border control agency. Such a country can use the PKD without any restrictions in its border control operation. In the meantime the issuing of e-Passports can be prepared and the experiences from cooperating with other PKD participants can be used in the e-Passport implementation programme. The current Chairman of the PKD welcomes such participation and is looking forward to the input and requirements of these bodies to the discussions in the PKD Board.37 e-Passport issuers have already decided to join the PKD and take advantage of its benefits. The PKD offers the participants a rapid and reliable distribution of certificates all over the globe. The certificate distribution can be compared to the distribution of specimens every time a new passport model is introduced. In today’s digital world, however, the certificate distribution takes place more often and border control authorities therefore need to have immediate access to the certificates.
PKD participation costs
Compared to the costs of national e-Passport projects and the costs of setting up and running national border control posts (with or without automation) the annual PKD participation fee is very reasonable: USD 47,950 in 2013. This amount is about 19% less compared to 2012, thanks to a generous participation from ICAO. ICAO has recognised the importance and the need of the PKD and invited States to consider joining the PKD in its conclusion of the High Level Conference on Aviation Security in September 2012. Bearing in mind the different situations and challenges that ICAO Member States are facing, this is a very strong and clear message to all the countries that have the capabilities to join the PKD and make use of it in the interest of global security.
Growing participation has also lead to a reduction of the operator fee by 21%: as of 1 January 2014 the operator fee will be USD 34,000 compared to USD 43,000 in 2013. When looking at the figures, issuing authorities should consider that the citizens and holders of e-Passport want fast, easy, reliable and hassle-free border controls, to which the PKD is a valuable contribution.
Additional benefit for issuing authorities
The PKD is not only a repository for certificates, it is also the instrument that guarantees the compliance of the distributed and therefore available certificates to ICAO Doc 9303. The built-in conformity checking engine checks every certificate forwarded to the PKD for publication. Should an inconsistency occur, the issuer will be contacted immediately to allow him to stop the production of a non-conformant certificate. Non-conformant certificates will be detected in properly set up border controls and cause problems for the holders of e-Passports issued using non-conformant certificates. By assuring the conformity and origin of the certificate worldwide, verification of the travel document and trouble free travels are facilitated. These e-Passports are still valid travel documents, and the validation of these-Passports must also be facilitated, meaning that non-conformant certificates must also be distributed. These certificates are therefore also published and made available for border control use but in a separate directory for non-conformant certificates (see figure 2).
Private sector use of the PKD
So far only government agencies have been mentioned, but in principle the use of the PKD is also open to other parties that need to check travel documents, especially airlines and ground handling agents mandated by airlines. There are already basic mechanisms in place to allow private companies that have a proven need to check documents to access the PKD. For this purpose a country participating in the PKD may agree to use its download credentials to create additional credentials for a trusted national company. As not all participating countries may agree to this, work is pursued to define new ways for a web-based download for the travel industry. As soon as this work is finalised the necessary information will be made available in the FAQs on the ICAO website1.
The PKD has benefits for both border control authorities and issuing authorities. Border control authorities benefit from being able to protect the borders in a reliable, cost-effective and fast way, living up to the citizens’ expectations for facilitation and security. For issuing authorities, participating in the PKD means that their nation’s e-Passport is recognised worldwide, allowing its citizens to cross borders as easily as possible.
An alternative to the PKD is the bilateral exchange of certificates. However, with an increasing number of States issuing e-Passports, this alternative could be ineffective and represent security risks. If a country does not want to join the PKD, then it must build its own PKD for checking e-Passports. This would involve considerable costs compared to the current PKD membership fees. That country should also keep in mind that the other countries must have the infrastructure in place to provide them with the necessary information on time. Interoperability will then become a major issue.
Roman Vanek has a law degree and joined the Swiss Federal Office of Police in 2003. He is currently Chief of the Division Identity Documents & Special Tasks, and responsible for the Swiss passport and identity card, among other things. In this function he is the Swiss representative at ICAO’s Technical Advisory Group on Machine Readable Travel Documents (TAG-MRTD) and the Article 6 Committee of the European Commission. In May 2012 he became Chairman of the ICAO PKD Board.