The technical standards for machine readable travel documents (MRTDs) have existed for nearly four decades, as originally published by the International Civil Aviation Organization (ICAO). Today, ICAO-compliant MRTDs securely facilitate millions of travellers across international borders on a daily basis. Despite the widespread availability of these standards, there continue to be non-compliant passports and visas in circulation which cannot be scanned correctly at the border checkpoints. In turn, this creates issues for the traveller, airlines and immigration authorities alike.
This article highlights the notable issues recently investigated by ICAO’s Implementation and Capacity Building Working Group (ICBWG) and is intended to raise awareness amongst document issuing authorities.

Vision for global interoperability
ICAO developed the first technical standard for MRTDs in 1980. The underlying objective was to establish a globally interoperable schema that would enable the traveller’s MRTD data to be efficiently and accurately processed by airlines and immigration authorities. The current technical standards, known as Document (Doc) 9303, continue to provide the framework applicable to all MRTDs.
By 2017, adherence to Doc 9303 by ICAO Member States is nearly universal for machine readable passports (MRPs). The standards are also widely utilised for machine readable visas (MRVs) and other machine readable official travel documents.

Importance of compliance
A compliant MRTD is designed to securely facilitate the traveller through the airline and immigration systems. Modern scanners capture and process the traveller’s document and personal information in mere seconds.
Increasingly, the widespread issuance of e‑Passports (i.e. ICAO-compliant MRPs containing a contactless microchip) has enabled the traveller to use highly efficient and secure automated passport control technologies combined with biometric verification tools.
In most cases, the MRTD performance is fast and highly accurate within both conventional and self-clearance inspection systems. However, when an MRTD has a fundamental defect related to its machine readable attributes, it may create delays for the traveller, airlines and immigration officials. In extreme cases, the bearer of that document may be subjected to unwarranted scrutiny as authorities determine whether the defect is simply a formatting error or more critically, an indication of a counterfeit and/or altered travel document.

Role of ICAO’s ICBWG
Over the last decade, ICAO’s ICBWG has assisted Member States in achieving compliance to Doc 9303 and developing best practices pertaining to the issuance of secure documents. The ICBWG began tracking and investigating suspected cases of non-conformance approximately seven years ago. Select States were unknowingly producing MRTDs with interoperability issues and were unaware of the issues being created for their citizens. Since that time, the group has aided numerous States in correcting their MRTDs and has continued with its monitoring and outreach activities. This article explores several of the recent cases investigated by the ICBWG, involving MRPs, e‑Passports and MRVs.

Steady progress towards compliant MRPs
The majority of Member States appear to be issuing MRPs that are globally interoperable and generally adhere to the technical standards set forth under Doc 9303. Historically, the more common interoperability issues related to data formatting and/or personalisation settings within issuance systems, all of which were easily rectified.
Typical problems included:

  • incorrect positioning of the machine readable zone (MRZ);
  • incorrect formatting of the data elements within the MRZ;
  • incorrect use of check digits within the MRZ;
  • intrusions of security features and/or other elements into the MRZ;
  • inclusion of 2D barcodes within the MRP’s data page.

Figure 1: The VIZ is outlined in green while the MRZ is outlined in blue. ICAO’s recommended layout presents the name as two separate fields as illustrated in reference ‘A’. A single name field is also permissible, as presented in reference ‘B’. Note the use of the comma to delineate the primary and secondary identifiers within the name field.[2]
Of those cases examined in the past three years, many of the problems originated from embassies and consular operations. Often those locations were not directly linked to the State’s primary personalisation systems, nor were staff aware of Doc 9303 requirements.

Emerging issue within the MRP’s ‘name’ field
While overt issues have been decreasing, the ICBWG has investigated multiple cases pertaining to a subtle error within the representation of the bearer’s name as it appears on the passport’s data page. Doc 9303 Part 3[1] and Part 4[2] provide concise guidance regarding the formatting of the name within the visual inspection zone (VIZ), as well as its conversion into the MRZ. The bearer’s primary identifier (i.e. surname) and secondary identifier (i.e. given name) are to be separated where possible, and accurately represented within the MRZ. As illustrated in Figure 1, the most common approach is to represent the bearer’s name in two separate fields, or use a comma to distinguish the primary and secondary elements within the name.

Figure 2: Reference ‘A’ indicates that there is no delineation within the primary identifier. However, the double chevron (<<) within the MRZ, as shown by ‘B’, indicates that there is a separation of the primary and secondary identifiers. The single chevron (<) indicated by ‘C’ identifies an additional secondary identifier.
In cases where a single name field is utilised within the VIZ, issuing authorities are encouraged to ensure that the bearer’s name is properly formatted and accurately reproduced within the MRZ.

Figure 2 illustrates several cases involving a discrepancy between the name in the VIZ and the MRZ. A single primary identifier is printed within the VIZ with no distinguishable secondary identifiers.
Yet the MRZ formatting contradicts the name. Authorities inspecting those documents are often unclear as to how to interpret the actual name of the bearer, and the anomaly may create erroneous records and/or inaccurate validations within inspection systems.
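The VIZ-to-MRZ name conversion and the Figure 2 discrepancy can be checked mechanically at personalisation time. The following is an added example, not code from ICAO or from this article; the function names and the sample name are constructed, and it assumes the name is already in Latin letters A-Z and fits the field without truncation.

```python
import re

def _components(part):
    """Upper-case one identifier and join its words with single fillers."""
    # Apostrophes are dropped; spaces and hyphens become a single '<'.
    return "<".join(re.findall(r"[A-Z]+", part.upper().replace("'", "")))

def viz_to_mrz_name(viz_name, width=39):
    """Build the MRZ name field (39 characters in a passport) from a VIZ name.

    A comma in the VIZ name separates primary from secondary identifiers;
    without one, the whole name is treated as the primary identifier.
    """
    primary, _, secondary = viz_name.partition(",")
    field = _components(primary)
    second = _components(secondary)
    if second:
        field += "<<" + second          # double chevron marks the separation
    if len(field) > width:
        raise ValueError("name exceeds the field; truncation rules not applied here")
    return field.ljust(width, "<")

def parse_mrz_name(field):
    """Split an MRZ name field into (primary, secondary) as plain text."""
    primary, _, secondary = field.partition("<<")
    return primary.replace("<", " "), secondary.strip("<").replace("<", " ")

def name_findings(viz_name, mrz_field):
    """Compare the VIZ name with the MRZ name field and list discrepancies."""
    findings = []
    _, mrz_secondary = parse_mrz_name(mrz_field)
    if "," not in viz_name and mrz_secondary:
        # The Figure 2 case: the MRZ claims a split the VIZ does not show.
        findings.append("MRZ separates primary and secondary identifiers "
                        "but the VIZ shows no delineation")
    if viz_to_mrz_name(viz_name, len(mrz_field)) != mrz_field:
        findings.append("MRZ name field does not match the VIZ name")
    return findings

if __name__ == "__main__":
    mrz = viz_to_mrz_name("SAMPLE, JANE ANNE")        # constructed name
    print(mrz, parse_mrz_name(mrz))
    print(name_findings("JANE ANNE SAMPLE", mrz))     # single VIZ field, split MRZ
```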

Hidden issues within e‑Passports
An e‑Passport is essentially an MRP that contains an ICAO-compliant contactless microchip. Unlike the deficiencies within the MRZ and the VIZ, non-compliance issues associated with an e‑Passport’s logical data structure and/or certificate validation are often more difficult to pinpoint. In cooperation with ISO WG3, several key issues have been confirmed within e‑Passports currently in circulation.

Missing NULL parameter in Signature Algorithm Identifier
RFC 5754 covers the use of SHA2 Algorithms with Cryptographic Message Syntax (CMS). The note in section 2 of the RFC attempts to clarify the requirement of using NULL for absent parameters when creating RSA signatures. The language in the RFC is a bit confusing. Hence, the following language was added to Doc 9303, Part 10 – Section 5.2.3, note 2: DigestAlgorithmIdentifiers MUST omit “Null” parameters, while the SignatureAlgorithmIdentifier (as defined in RFC 3447) MUST include NULL as the parameter if no parameters are present, even when using SHA2 Algorithms in accordance with RFC 5754. Implementations MUST accept DigestAlgorithm Identifiers with both conditions, absent parameters or with NULL parameters.[3]

Some inspection systems are not able to verify RSA signatures with the NULL parameter missing in the Signature Algorithm Identifier and report the document security object (SOD) as failing Signature Verification and hence report it as a fraudulent document. Currently, there are nine countries issuing e‑Passports with this defect.
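The difference between a compliant and a defective identifier is two bytes of DER. The following added example (not code from ICAO or from any inspection system) classifies the parameters of an AlgorithmIdentifier and applies the Doc 9303 note quoted above; the function names are hypothetical and the byte strings are constructed samples for sha256WithRSAEncryption and SHA-256.

```python
# Constructed DER samples: AlgorithmIdentifier for sha256WithRSAEncryption
# (OID 1.2.840.113549.1.1.11) with and without the NULL parameter.
SIG_ALG_WITH_NULL = bytes.fromhex("300d06092a864886f70d01010b0500")
SIG_ALG_NO_PARAMS = bytes.fromhex("300b06092a864886f70d01010b")
# Constructed DER samples: AlgorithmIdentifier for SHA-256 (2.16.840.1.101.3.4.2.1).
DIGEST_ALG_WITH_NULL = bytes.fromhex("300d06096086480165030402010500")
DIGEST_ALG_NO_PARAMS = bytes.fromhex("300b0609608648016503040201")

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the buffer")
    return tag, buf[pos:pos + length], pos + length

def parameters_state(alg_id_der):
    """Classify AlgorithmIdentifier.parameters as 'absent', 'null' or 'present'."""
    tag, body, end = read_tlv(alg_id_der)
    if tag != 0x30 or end != len(alg_id_der):
        raise ValueError("not a single DER SEQUENCE")
    tag, _oid, pos = read_tlv(body)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    if pos == len(body):
        return "absent"
    tag, value, _ = read_tlv(body, pos)
    return "null" if (tag, value) == (0x05, b"") else "present"

def issuer_findings(digest_alg_der, signature_alg_der):
    """Issuer-side check against the Doc 9303 Part 10 note."""
    findings = []
    if parameters_state(digest_alg_der) == "null":
        findings.append("DigestAlgorithmIdentifier carries NULL; issuers must omit it")
    if parameters_state(signature_alg_der) == "absent":
        findings.append("SignatureAlgorithmIdentifier has no parameters; NULL is required")
    return findings

def inspection_accepts_digest_alg(digest_alg_der):
    """Inspection side: absent and NULL parameters must both be accepted."""
    return parameters_state(digest_alg_der) in ("absent", "null")

if __name__ == "__main__":
    print(issuer_findings(DIGEST_ALG_NO_PARAMS, SIG_ALG_WITH_NULL))   # compliant
    print(issuer_findings(DIGEST_ALG_WITH_NULL, SIG_ALG_NO_PARAMS))   # both defects
```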

Wrong specification of Digest Algorithm Identifier
The SOD is a CMS structure as defined in RFC 5652. As per the RFC, the hashes of the Data Groups are stored in the Encapsulated Content Info attribute. This attribute is then hashed and the message digest is stored as the message Digest in the Signed Attributes. The Hashing (Digest) Algorithm used to create the message Digest is stored in the Digest Algorithm Identifier of the SignerInfo. The Digest Algorithm is then used to hash the contents of the Signed Attributes and then the Signature process is carried out on the hash.
In the case of one country, the Digest Algorithm (SHA512) has been used to create the Message Digest. However, instead of using the same Digest Algorithm to hash the contents of the Signed Attributes, a different Algorithm (SHA256) has been used. The signature is computed on this hash. Most inspection systems are unable to verify these e‑Passports and report them as fraudulent documents. This accounts for 80% of all e‑Passports issued by this country.
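An inspection system can tell this defect apart from a forged signature, because a PKCS #1 v1.5 signature names its own hash inside the recovered DigestInfo. The following is an added diagnostic example, not code from the article or from any vendor; the function names are hypothetical, the signed attributes are constructed placeholder bytes, and it assumes the RSA public-key operation and padding removal have already been performed.

```python
import hashlib

# DigestInfo DER prefixes for PKCS #1 v1.5 signatures (RFC 8017, section 9.2).
DIGESTINFO_PREFIX = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}

def signed_attrs_to_be_hashed(signed_attrs):
    """RFC 5652 section 5.4: hash the attributes under an explicit SET OF tag
    (0x31) instead of the [0] IMPLICIT tag (0xA0) used inside SignerInfo."""
    if signed_attrs[:1] != b"\xa0":
        raise ValueError("expected [0] IMPLICIT signedAttrs")
    return b"\x31" + signed_attrs[1:]

def diagnose_signature_digest(declared_alg, signed_attrs, digest_info):
    """Compare the hash named in SignerInfo.digestAlgorithm with the hash
    the signer actually applied to the signed attributes.

    digest_info is assumed to be the DigestInfo recovered from the RSA
    signature after the public-key operation and padding removal.
    """
    data = signed_attrs_to_be_hashed(signed_attrs)
    for alg, prefix in DIGESTINFO_PREFIX.items():
        if digest_info == prefix + hashlib.new(alg, data).digest():
            if alg == declared_alg:
                return "consistent"
            return f"mismatch: SignerInfo declares {declared_alg}, signature uses {alg}"
    return "no match: signature does not cover these signed attributes"

# Constructed placeholder bytes standing in for DER-encoded signedAttrs.
SAMPLE_SIGNED_ATTRS = bytes.fromhex("a003020101")

def sample_digest_info(alg):
    """Build the DigestInfo a signer using `alg` would have produced."""
    data = signed_attrs_to_be_hashed(SAMPLE_SIGNED_ATTRS)
    return DIGESTINFO_PREFIX[alg] + hashlib.new(alg, data).digest()

if __name__ == "__main__":
    # The defect described above: SHA512 declared, SHA256 used for signing.
    print(diagnose_signature_digest("sha512", SAMPLE_SIGNED_ATTRS,
                                    sample_digest_info("sha256")))
```

A "mismatch" result points to an issuance defect of the kind described, while "no match" means the signature does not verify under either hash.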

Validity of Document Signer is shorter than validity of Passport
Doc 9303, Part 12, Section 4.1.1 clearly specifies that the Document Signer should have a validity that is longer than the longest validity of any e‑MRTD issued under that key.[4]
Many countries have issued e‑Passports that are still valid after the Document Signer has expired. In most cases, this happens as a result of the issuance process. For example, if a country issues e‑Passports with a 5-year validity, and assuming that the Document Signer is used for 3 months, the validity of the Document Signer would be at least 5 years and 3 months, say 5 years and 6 months. If a citizen were to request a new e‑Passport at the beginning of year 5, it is the practice in many countries to add the remaining validity of the current document to the new document and issue an e‑Passport valid for 6 years. This leads to the case where the e‑Passport has a validity (6 years) longer than the validity of the Document Signer (5 years and 6 months). This will lead to verification issues in the last 6 months of the document’s validity.

There are two specific cases that are different. In one case, the country has set the validity of the Document Signer to be 3 months, when the intent was to set the private key usage period to 3 months. In the other case, it was a legal requirement in the country that the maximum validity of the Document Signer was set to 3 years. As the country issues their e‑Passports with a 5-year validity, these all have this defect. Although both countries have now rectified the issue, there are still a significant number of e‑Passports already in circulation with this defect.

Single Document Signer used to sign all e‑Passports
It is recommended in Doc 9303 that the maximum period that a Document Signer Private Key is used to sign e‑MRTDs be 3 months. This recommendation takes into account the possibility of key compromise if the same key is used for a long time.
There are five countries which have each issued a single Document Signer and use this to sign all their e‑MRTDs which have a 10-year validity. The trust in the e‑MRTDs issued by these countries will be the same as the trust in their paper Passports.

Authority Key Identifier missing in Document Signer Certificates
Document Signer Certificates are signed by the Country Signer Certificate. The Document Signers contain a reference to the Country Signer, which is called the Authority Key Identifier. This identifier is used to build an association between the Document Signer and the Country Signer as part of the verification of the Document Signer.
Five countries have issued Document Signers that do not contain the Authority Key Identifier and hence the association with the Country Signer cannot be done. As this prevents the verification of the Document Signers, the e‑MRTDs issued by these countries cannot be successfully verified. They will therefore be treated as basic MRPs rather than e‑Passports.

Figure 3: Position guidelines for the MRV (Type B)

Country code is wrong or missing in CSCA
The Country Signer (CSCA) must contain the two-letter country code of the issuing country in its Subject DN.
Ten countries have issued Country Signers that either do not have a country code or have a wrong country code. This prevents an association between the Country Signer and the issuing country and hence e‑MRTDs issued by these countries cannot be verified.

Common mistakes found in MRVs
Although the ICBWG has been focusing on MRPs and e‑Passports, the group has examined several cases pertaining to non-compliance issues in MRV labels.

Position errors
The MRV label within the interior page of the passport is often physically misplaced. Appendix C to Doc 9303 Part 7 defines the correct positioning of the MRV label as shown in Figure 3.[5] The MRZ is positioned at the edge of the page to allow the data lines to be scanned accurately.
Yet MRVs are frequently positioned upside down as illustrated in Figure 4, making it impossible for many scanners to capture the MRZ data. While incorrect positioning does not nullify the validity of the visa, the non-compliance creates inconvenience for airlines and immigration authorities alike, who are then forced to manually enter the data.

Positioning errors can be easily corrected through proper training of staff responsible for affixing the MRV label within a passport. A basic instruction guide coupled with a pictogram prominently displayed at visa processing centres is an effective mitigation strategy. The introduction of a system-based quality assurance check will further ensure compliance.

Figure 4: Examples of MRV Type B labels that were affixed upside down onto a visa page. Note that the machine readable data lines are near the centre of the passport as indicated by ‘A’.
Figure 5: Example of an MRV with incorrect data formatting. Reference ‘A’ identifies the incorrect document prefix. ‘B’ identifies the incorrect number of characters. ‘C’ highlights the embossed seal and ‘D’ identifies the stamps overtop the MRZ which may impede readability.

Incorrect data formatting
Doc 9303 Part 7 contains the technical specifications to ensure that the information on an MRV can be read both by human beings and by machines.[5] MRVs are often used by other stakeholders within the travel continuum, including airlines, states where the traveller is in transit, etc. Yet, adherence to the ICAO standards is often not as stringent compared to MRPs and e‑Passports.

The second case (see Figure 5) presents an MRV containing multiple formatting errors that prevent it from being scanned correctly by inspection systems. In addition to deviations related to the VIZ layout and its physical attributes, the formatting of the MRZ contains a number of critical errors:

Document prefix
Doc 9303 requires that visas are identified by a ‘V’ prefix within the MRZ, in order to be identified as a visa document. The document in Figure 5 contains an ‘S’ prefix which will not be recognised by inspection systems.

Data structure
Doc 9303 requires that MRV-A (Type A) labels of the larger 80mm x 120mm size must contain two data lines with 44 characters per line. An MRV-B (Type B) has a smaller layout of 74mm x 104mm and must contain 36 characters per line. Although the visa in Figure 5 appears to be an MRV-B, it contains only 40 characters per line, and does not conform to either Type A or B specifications.

Potential obstructions of the data lines
The MRZ must be clear of any security features which may impede the effective reading of the data. The example in Figure 5 contains an embossed seal within the MRZ which may affect readability of the data. Furthermore, the authorities have applied two stamps across the MRZ which may further impede accurate scanning.
The aforementioned issues will necessitate system-based changes in order to achieve compliance and become interoperable with airline and immigration systems.
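A system-based check for the prefix and data-structure errors above fits in a few lines. The following is an added example, not code from ICAO or from this article; it goes beyond the two errors shown in Figure 5 by also verifying the three check digits in the second MRZ line, and the function names and sample MRZ lines (fictitious state code UTO) are constructed.

```python
import re

def check_digit(data):
    """Doc 9303 check digit: weights 7, 3, 1 repeating, sum modulo 10."""
    total = 0
    for i, ch in enumerate(data):
        if "0" <= ch <= "9":
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10      # A=10 ... Z=35
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

# (label, start, end, check-digit index) in the second MRZ line, 0-based.
CHECKED_FIELDS = (("document number", 0, 9, 9),
                  ("date of birth", 13, 19, 19),
                  ("date of expiry", 21, 27, 27))

def mrv_findings(line1, line2):
    """List the MRZ formatting defects found in a two-line MRV."""
    findings = []
    charset_ok = True
    for n, line in ((1, line1), (2, line2)):
        if not re.fullmatch(r"[A-Z0-9<]*", line):
            charset_ok = False
            findings.append(f"line {n}: characters outside A-Z, 0-9 and '<'")
        if len(line) not in (44, 36):
            findings.append(f"line {n}: {len(line)} characters, "
                            "expected 44 (MRV-A) or 36 (MRV-B)")
    if len(line1) != len(line2):
        findings.append("the two lines differ in length")
    if not line1.startswith("V"):
        findings.append(f"line 1: document prefix {line1[:1]!r}, visas must use 'V'")
    if charset_ok and len(line2) >= 28:
        for label, start, end, pos in CHECKED_FIELDS:
            if check_digit(line2[start:end]) != line2[pos]:
                findings.append(f"{label}: check digit mismatch")
    return findings

# Constructed samples: a well-formed MRV-B and a label with the Figure 5
# defects ('S' prefix, 40 characters per line).
GOOD_MRV_B = ("V<UTOSAMPLE<<JANE<ANNE".ljust(36, "<"),
              "L898902C<3UTO6908061F9406236".ljust(36, "<"))
BAD_MRV = ("S<UTOSAMPLE<<JANE<ANNE".ljust(40, "<"),
           "L898902C<3UTO6908061F9406236".ljust(40, "<"))

if __name__ == "__main__":
    print(mrv_findings(*GOOD_MRV_B))
    for finding in mrv_findings(*BAD_MRV):
        print(finding)
```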

Conclusion
The quality of MRTDs and their compliance to Doc 9303 has significantly improved over the past decade. Overall, the cases of non-compliance related to the MRZ and VIZ within MRP data pages appear to be on the decline. However, recent data indicate that there are key non-compliance issues found within e‑Passports and/or the digital PKI certificates as issued by select States. Those issues are not often evident to authorities who are inspecting the travel documents, yet are known to have a negative impact on the document’s readability and its validation within inspection systems. The compliance of MRVs to Doc 9303 is often not as stringent compared to MRPs and e‑Passports. In the majority of cases examined by the ICBWG thus far, most can be addressed through improved training of the staff involved with the personalisation processes.

In all cases, issuing authorities are encouraged to validate any newly designed MRTDs against the applicable Doc 9303 standards, and if necessary, enlist the support of a competent laboratory that is capable of providing an independent assessment. The second mitigation strategy is to integrate system-based quality assurance tools as part of the personalisation process. These steps will ensure that only ICAO-compliant documents are issued to the traveller.

Closing remarks
The ICBWG continues to monitor and investigate suspected cases of non-compliant MRTDs, with the focus on MRPs and e‑Passports. Should you encounter a questionable travel document, or have questions regarding this article, please direct your enquiries to the ICBWG non-compliance subgroup at ICBWG@icao.int.

References
1 International Civil Aviation Organization (ICAO). Doc 9303: Machine Readable Travel Documents, Part 3: Specifications Common to all MRTDs. Current version: seventh edition 2015. http://www.icao.int/publications/Documents/9303_p3_cons_en.pdf
2 International Civil Aviation Organization (ICAO). Doc 9303: Machine Readable Travel Documents, Part 4: Specifications for Machine Readable Passports (MRPs) and other TD3 Size MRTDs. Current version: seventh edition 2015. http://www.icao.int/publications/Documents/9303_p4_cons_en.pdf
3 International Civil Aviation Organization (ICAO). Doc 9303: Machine Readable Travel Documents, Part 10: Logical Data Structure (LDS) for Storage of Biometrics and Other Data in the Contactless Integrated Circuit (IC). Current version: seventh edition 2015. http://www.icao.int/publications/Documents/9303_p10_cons_en.pdf
4 International Civil Aviation Organization (ICAO). Doc 9303: Machine Readable Travel Documents, Part 12: Public Key Infrastructure for MRTDs. Current version: seventh edition 2015. http://www.icao.int/publications/Documents/9303_p12_cons_en.pdf
5 International Civil Aviation Organization (ICAO). Doc 9303: Machine Readable Travel Documents, Part 7: Machine Readable Visas. Current version: seventh edition 2015. http://www.icao.int/publications/Documents/9303_p7_cons_en.pdf

Dwight MacManus

Dwight MacManus has more than 23 years of experience in the field of identification management. He has been an active contributor to the Implementation and Capability Working Group (ICBWG) and has led the subgroup examining non-compliant travel documents since 2010. He currently holds the position of Executive Director, Border Security Solutions with the Canadian Bank Note Company, Limited.
