In Part 3 of this exclusive series, the authors explained how Common Criteria Certification (an international standard) is used to evaluate the security of software embedded in an ePassport. Now, to conclude the series, they look ahead toward protection that stays ahead of Cyber threats.
Until recently, the Common Criteria Cybersecurity framework had not defined any coordinated approach related to the time bounding of CC certification. Cybersecurity monitoring was a recommended practice, performed by most of the key actors in the industry, but it was not always formalized administratively except by a few security agencies for their national needs.
A major change occurred in July 2017, when the CCRA (International Organization of National Security bodies dealing with Common Criteria) decided that the mutual (i.e., international) recognition of a CC certificate's validity will come to an end five years after the certificate is granted. A default lifespan of 5 years has been considered a good balance between certification bodies’ requirements and business requirements. A re-assessment (surveillance or re-certification) is required before the 5 years elapse to extend the validity of the certificate.
Among the changes in progress, the ability to update products in the field is now an option. New generations of products coming from the industry are starting to offer such “update” capabilities. Such solutions enable issuing governments to react more effectively in the case of Cyberattacks.
It is currently possible to update citizen data, for example by updating digital signature certificates and loading new applications on electronic identity documents. This is called a post-issuance update. The novelty is that such updates focus on the secure embedded software, for example the cryptographic library used for the various security mechanisms.
The diagram below is a visual representation of a typical chip structure (what is inside) and illustrates which components are modified during an update like the one described above.
Figure 1: Before Update/After Update
There are several possible ways to update those documents. This could be when going through border control (in the country of issuance), in self-service kiosks in designated areas (airports, police stations, city halls) or even with a mobile phone using the integrated NFC reader and a dedicated app.
We believe post-issuance remote update capability for electronic identity documents is the security model for tomorrow. Just like a computer or a smartphone, a secure electronic identity document shall offer updatability to limit the risk from cyberattacks.
Surveillance aims at extensively re-evaluating the product, in its original configuration at the time of the initial certification, against up-to-date, state-of-the-art Cybersecurity threats. The surveillance process can result in a FAIL status, voiding the certificate previously obtained. CCRA also strongly recommends that Cybersecurity products can be updated after their issuance. The upgrade will allow, for example, disabling an algorithm deemed weak and switching to a more secure one, without having to recall a document and issue a new one – a key benefit for authorities looking to offer their citizens secure, convenient and cost-effective solutions.
Quantum computers: A future threat
We must also consider the development of Quantum computers and their potential impact on current cryptographic schemes, as well as how vital the ability to upgrade document security in the field will be during the long transition ahead of us.
Cryptographically Relevant Quantum Computers (CRQC) are far from becoming a reality; current prototypes lack the required processing power, and many challenges in physics, engineering and computer science must be overcome before scaling up to large quantum computers able to solve the factorization and discrete logarithm problems on which the current PKI is based. The working hypothesis is that CRQC will be available in the early 2030s.
However, there is a latent threat of a “store now, decrypt later” attack. The main risks for an ePassport are deciphering issuing authority Document Signer certificates to sign a fake document and the retrieval of additional biometrics (protected by the Extended Access Control mechanism).
Ideally, the migration to more robust systems should start well before the availability of CRQC so that the threat timeline is as limited as possible. The ICAO New Technology Working Group is following the topic closely and plans to draft a proposal for objectives and next steps in the first half of 2023.
ANSSI, the French National Agency for the Security of Information Systems, has drafted some recommendations for the transition over the next decade. Other agencies like BSI (German equivalent of the ANSSI) and the US NIST have released extensive material related to the rise of quantum threats and the recommended first steps to migration.
ANSSI recommends introducing post-quantum defense-in-depth as soon as possible for security products aimed at offering long-lasting protection of information (until after 2030) or that will potentially still be used beyond 2030. All post-quantum PKC algorithms shall continue to be systematically included inside hybrid mechanisms. ANSSI expects that after years of analysis, the security assurance level provided by post-quantum algorithms will be as high as today’s pre-quantum assurance level. Thus, the usage of some post-quantum schemes should be possible without hybridization.
Conclusion
We hope this series has given you a clear understanding of the benefits of Cyber resilient secure identity documents. Over the past few years, many governments have extended their global Cybersecurity threat assessment to also include identity documents.
The industry, including several SIA member companies, is supporting government initiatives in this area, providing expertise on the topic.
Cyber resilience of ePassports can be achieved through a thorough approach:
- Anticipate: prevent attacks as much as possible, make life difficult for hackers
- Resist: reduce the severity of the attacks
- Monitor: develop a system to track Cyberattacks
- React: manage the impact when an event does happen
- Restore: learn from the experience to improve
Security relies on expertise, anticipation, and reactiveness. Within the fast-moving environment detailed in this series, it becomes obvious that only a well-structured risk management organization can handle demanding Cybersecurity projects efficiently.
Risk management makes it possible to react to an event, while planned migrations over the course of the project will reduce the impact if a threat arises.
Other key elements can be considered to minimize the exposure to Cyberattacks by applying good practices already proven in the field. For example:
- Anticipation by planning regular product renewal/migrations over project life for both the secure embedded software and the issuance platform.
- An ePassport may well be modernized only when it comes to the digital configuration (chip/OS), while the physical configuration (the booklet appearance and security features) is likely to remain the same. There is no visible change for citizens between two versions (only the chip of newly issued documents is updated), but electronic security (Cyber protection of passport holder’s data) is kept state-of-the-art.
- Agile design for Issuance and eDocument management solutions (product change and patch deployment). Reactiveness is about detecting potential threats early on and rolling out appropriate patches to the documents in the field to reduce the exposure to the vulnerability.
The Secure Identity Alliance (SIA) is an expert and globally recognised not-for-profit organisation. We bring together public, private and non-government organisations to foster international collaboration, help shape policy, provide technical guidance and share best practice in the implementation of identity programmes. Underpinning our work is the belief that unlocking the full power of identity is critical to enable people, economy and society to thrive.