When the U.S. Department of State decided to
move to digital passports — also known as ePassports — it also recognized
there was an opportunity to add another layer of security to these
credentials, and it turned to Entrust, Inc. (Nasdaq: ENTU) to provide the
public key infrastructure (PKI)-enabled digital signatures.
A function known as non-repudiation, the digital signature verifies that
the digital credential has, in fact, been issued by the U.S. Department of
State and that it has not been tampered with since its issuance. To date, the
U.S. Department of State has surpassed the 18 million milestone mark for
deploying the new ePassports.
“The digital signatures on the new passports illustrate how PKI
technology is being used in a number of new applications, reinforcing PKI as
the gold standard for digital security,” said Entrust Chairman President and
CEO Bill Conner. “It’s really a ‘PKI 2.0’ trend we’re seeing in the market
right now. More organizations are realizing the value and unprecedented
scalability PKI technology affords them when deploying and managing security
for digital identities and information — especially on a mass scale like
this.”
Since August 2006 only ePassports have been issued in the U.S. As
security guidelines to travel between the United States, Mexico, Canada and
the Caribbean now require a valid passport, the issuance of ePassports has
risen dramatically. This increase is expected to continue, with an eventual
production of 15 to 18 million ePassports annually.
“Along with the U.S., we have been able to help secure ePassports and
national ID cards in Spain, Singapore, Saudi Arabia, New Zealand, Slovenia and
others,” Conner added. “This security feature can also help prevent these
credentials from being counterfeited, which adds a greater level of assurance
to both the border patrol officials, as well as the travelers themselves.”
ePassport travel documents contain an electronic chip that stores
sensitive personal information that can be verified against the data on the
passport as well as against the individual at the border control point.
Although U.S. ePassports currently store a digital facial image, the documents
have the capability to securely include digitized photographs, fingerprints or
other biometrics. To protect these assets, PKI is an integral technology for
the security and verification infrastructure of ePassports. The Entrust
Authority PKI portfolio is one of the leading solutions to support this
capability.
The Department of State has employed a multilayered approach to protect
the privacy of the information contained on the ePassport. In addition to a
metallic cover that prevents skimming or eavesdropping of the information
while the document is closed, Basic Access Control (BAC) technology is used to
“unlock” the data on the chip. A PKI digital signature enables alteration or
modification of the data on the chip to be detected and enables authorities to
validate and authenticate the data.
Modular and fully integrated, the Entrust Authority PKI portfolio is
built on the foundation of Entrust Authority Security Manager, the
certification authority (CA) system responsible for issuing and managing
digital identities. Optional components help organizations manage the entire
lifecycle of PKI certificates. Approximately 1,000 government and commercial
organizations have purchased Entrust PKI solutions since Entrust brought its
first PKI to market in the 1990s.
On the horizon, the next generation of ePassport technology is already
being considered. Enhanced security, known as Extended Access Control (EAC),
provides an additional layer of security to control access to sensitive
information, such as biometric fingerprints and iris scans on these
next-generation ePassports. EAC also specifies protocols for authenticating
the chip and inspection system to each other. Not based on the X.509 standard,
EAC will leverage a different type of certificate known as a card verifiable
(CV) certificate.
The EAC concept was introduced by the International Civil Aviation
Organization (ICAO) in liaison with the International Organization for
Standardization (ISO). EAC technical details, including certificate profiles
and protocol specifications, are initially being defined by the Brussels
Interoperability Group (BIG) for use within Europe. Entrust actively is
participating in BIG as well as in the ISO Task Force on Security for
ePassports. These next-generation ePassports, using EAC, will be required by
all European Union (EU) Schengen member States by June 2009. Deployment
mandates for the U.S. have yet to be determined.
