ePassport EAC support in KeyOne
- Thursday, 22 July 2010
This document provides a general overview of the Extended Access Control (EAC)(1) electronic passport (ePassport) and its integration in the KeyOne PKI products. It assumes the reader is familiar with the International Civil Aviation Organization (ICAO) electronic passport (ePassport). General knowledge of the KeyOne architecture (particularly of KeyOne CA) is recommended but not required.
The European Union adopted the Extended Access Control (EAC) standard for the second generation of ePassports. These passports offer improved security mechanisms against the fraudulent use of the personal data stored on the ePassport’s chip.
The objective of Extended Access Control is to protect the authenticity, originality, and confidentiality of the biometric data stored on ePassport (Machine Readable Travel Document) chips. This is done by giving the electronic passport chip the capability of authenticating the (national and foreign) inspection systems (IS) that want to access the data in the chip. Each inspection system is provided with card-verifiable (CV) digital certificates for this purpose.
Each country manages one Country Verifying Certification Authority (CVCA) that issues CV digital certificates to national and foreign Document Verifiers (DV). The CVCA typically delegates registration responsibilities to an associated Registration Authority (the CVRA).
In turn, each national DV acts as a subordinate Certification Authority that issues CV digital certificates to national inspection systems (IS). IS are the end-entities of the PKI, and hold certified keys for authenticating with electronic passport chips. A DV must be certified by both:
- the national CVCA, and
- the foreign CVCAs of all countries whose ePassports it wishes to inspect via the inspection systems in its domain.
When issuing a CV digital certificate to a DV, the CVCA of country "X" may grant the DV access rights to sensitive information stored in the electronic passports of citizens of country "X" (these access rights are included in the CV digital certificate).
The DV, in turn, must issue digital certificates to all its IS for each country (possibly further restricting the access rights). Thus, a national IS obtains from its DV one digital certificate per CVCA certificate hierarchy. Every DV and IS therefore needs to hold multiple certified key pairs, one per State.
To read the ePassport of a citizen of country "X", an IS must authenticate against the chip by presenting its CV digital certificate issued under the country "X" CVCA hierarchy, plus the corresponding digital certificate chain. The chip validates the IS certificate and grants the IS access rights to sensitive data according to the information in the digital certificate. The chip is capable of validating the digital certificate chain because it knows the public key of the country "X" CVCA (this public key was inserted in the chip at the electronic passport personalization phase).
Because there is no digital certificate revocation mechanism, validity periods of DV and IS digital certificates are kept very short (see CCP(2) for the allowed minimum and maximum validity periods for each PKI participant). An automatic re-keying capability is therefore very desirable in DVs and inspection systems.
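The chain validation described above, as an added worked example (not KeyOne code and not the TR-03110 certificate encoding): the chip starts from the CVCA public key it was personalised with, checks the DV and IS certificates link by link, treats expiry as the only end of life since there is no revocation, and computes the effective access rights as the intersection of the rights in every certificate of the chain, so a DV can only narrow what its CVCA granted and an IS only what its DV granted. The certificate fields, the names CVCA-X / DV-Y / IS-Y1, the data-group labels and the dates are constructed sample values, and the signature scheme is textbook RSA over small constructed primes so the block runs on the standard library alone; real deployments use RSA or ECDSA as noted later in the text.

```python
"""Toy model of the CV certificate chain validation an EAC chip performs.

Added example; not KeyOne code and not the TR-03110 encoding. Signatures are
textbook RSA over constructed ~20-bit primes so this runs with the standard
library only (Python 3.8+ for the modular inverse); real chips use RSA/ECDSA.
"""
from dataclasses import dataclass, replace
from datetime import date
from hashlib import sha256

E = 65537  # public exponent shared by all toy keys


def keypair(p: int, q: int):
    """Toy RSA key pair from two (constructed) primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def sign(body: bytes, priv) -> int:
    n, d = priv
    return pow(int.from_bytes(sha256(body).digest(), "big") % n, d, n)


def verify(body: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(sha256(body).digest(), "big") % n


@dataclass(frozen=True)
class CVCert:
    holder: str
    issuer: str           # holder name of the certificate that signed this one
    public_key: tuple     # (n, e)
    rights: frozenset     # data groups the holder may read, e.g. {"DG3", "DG4"}
    not_before: date
    not_after: date
    signature: int = 0

    def body(self) -> bytes:
        """Canonical bytes that the issuer signs (hypothetical encoding)."""
        return "|".join([self.holder, self.issuer, str(self.public_key),
                         ",".join(sorted(self.rights)),
                         self.not_before.isoformat(),
                         self.not_after.isoformat()]).encode()


def issue(issuer_cert, issuer_priv, holder, holder_pub, rights, not_before, not_after):
    """Issuer signs a certificate for holder; issuer_cert=None means self-signed."""
    unsigned = CVCert(holder, issuer_cert.holder if issuer_cert else holder,
                      holder_pub, frozenset(rights), not_before, not_after)
    return replace(unsigned, signature=sign(unsigned.body(), issuer_priv))


def validate_chain(trust_anchor: CVCert, chain, today: date) -> frozenset:
    """Walk DV -> IS from the CVCA certificate the chip was personalised with.

    Returns the effective access rights (intersection over the whole chain).
    No revocation check exists: expiry is the only thing that ends a certificate.
    """
    parent, effective = trust_anchor, set(trust_anchor.rights)
    for cert in chain:
        if cert.issuer != parent.holder:
            raise ValueError(f"{cert.holder}: issuer {cert.issuer!r} is not {parent.holder!r}")
        if not verify(cert.body(), cert.signature, parent.public_key):
            raise ValueError(f"{cert.holder}: signature does not verify under {parent.holder}")
        if not (cert.not_before <= today <= cert.not_after):
            raise ValueError(f"{cert.holder}: outside validity period on {today}")
        effective &= cert.rights   # a child can only narrow its parent's rights
        parent = cert
    return frozenset(effective)


def accepts(trust_anchor: CVCert, chain, today: date) -> bool:
    """True if the chip would grant any access to this chain on the given day."""
    try:
        validate_chain(trust_anchor, chain, today)
        return True
    except ValueError:
        return False


# --- constructed sample hierarchy for country "X" (not real keys or dates) ---
CVCA_PUB, CVCA_PRIV = keypair(1000003, 1000033)
DV_PUB, DV_PRIV = keypair(1000037, 1000039)
IS_PUB, _IS_PRIV = keypair(999983, 999979)
ALL = {"DG3", "DG4"}  # fingerprint and iris data groups

CVCA_X = issue(None, CVCA_PRIV, "CVCA-X", CVCA_PUB, ALL, date(2010, 1, 1), date(2013, 1, 1))
DV_Y = issue(CVCA_X, CVCA_PRIV, "DV-Y", DV_PUB, ALL, date(2010, 7, 1), date(2010, 10, 1))
# the DV narrows its IS to fingerprints only and to a short validity window
IS_Y1 = issue(DV_Y, DV_PRIV, "IS-Y1", IS_PUB, {"DG3"}, date(2010, 7, 15), date(2010, 7, 31))
# an IS certificate whose rights were edited after signing: the signature no longer matches
TAMPERED_IS = replace(IS_Y1, rights=frozenset(ALL))
VALID_DAY, LATE_DAY = date(2010, 7, 22), date(2010, 8, 15)

if __name__ == "__main__":
    print(validate_chain(CVCA_X, [DV_Y, IS_Y1], VALID_DAY))   # frozenset({'DG3'})
    print(accepts(CVCA_X, [DV_Y, IS_Y1], LATE_DAY))           # False: IS expired
    print(accepts(CVCA_X, [DV_Y, TAMPERED_IS], VALID_DAY))    # False: bad signature
```

Because the chip never learns about compromised keys, the two checks that do the real work are the signature link to the trust anchor and the validity window; this is why the short lifetimes and automatic re-keying discussed above matter more here than in an X.509 deployment with CRLs or OCSP.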
Every country communicates with the rest of the countries through a Single Point of Contact (SPOC)(4). The SPOC acts as a web service interface for automated operations (DV certification) and for notifications (CVCA service suspension, DV key compromise, etc.). The communication is transport-secured via SSL/TLS.
KeyOne offers products for all of these PKI components except for inspection systems. Safelayer provides a full ePassport PKI software solution both for the ICAO side (first phase, already deployed) and the EAC side (second phase, upon final standardization of the communication processes(3)).
KeyOne ePassport ICAO products include: CSCA (Country Signing Certification Authority) and DS (Document Signer).
KeyOne ePassport EAC products include:
- CVCA (Country Verifying Certification Authority), which issues CV digital certificates to Document Verifiers (DV)
- CVRA-SPOC (Country Verifying Registration Authority - Single Point of Contact)
- DV (Document Verifier), which issues CV digital certificates to national inspection systems (IS)
All tests passed at the last Prague bench tests (see http://www.e-passports2008.org/). A demonstration of the KeyOne electronic passport SPOC platform is available in the ePassport SPOC Test Area.
ECDSA algorithms (including the Brainpool curve family) are supported on homologated HSMs, as are RSA and DSA.
(1) TR-03110, "Advanced Security Mechanisms for Machine Readable Travel Documents - Extended Access Control (EAC)", version 1.11, Bundesamt für Sicherheit in der Informationstechnik
(2) "Common Certificate Policy For The Extended Access Control Infrastructure For Passports And Travel Documents Issued By EU Member States", version 1.0 (March 2008), European Commission
(3) SPOC concept and the related interfaces under discussion by the Brussels Interoperability Group (BIG)
(4) “Country Verifying Certification Authority Key Management Protocol for SPOC”, version 1.0.