Looking at the future of travel: The fourth generation of ePassport

June 2014

GOVERNMENT PROGRAMS


Gemalto in brief

Gemalto is the world leader in digital security with 2013 revenues of €2.4 billion.

In the public sector, Gemalto provides secure documents, robust identity solutions and services for governments, national printers and integrators in the service of citizens. Its products and solutions are deployed in more than 80 government programs worldwide.

Gemalto is contributing to more than 25 ePassport programs with specific expertise in border and visa management projects. The company is active in major eID and eHealthcare schemes and numerous e-driving license and vehicle registration projects.

As the leader in electronic travel documents, Gemalto’s involvement in the standardization process at ICAO can provide you with a head start to capitalize on emerging opportunities. We believe we are in a unique position to help you anticipate forthcoming travel document migrations and leverage the benefits of new technologies to maximize your investment.

Summary

The International Civil Aviation Organization is currently working on the next evolution of the ePassport standard, which was initially implemented in 2005. This future version will introduce the ability to add data to the electronic component of the passport post issue, in order to load and read information such as biometric data or electronic visas and entry/exit stamps during its lifetime. This storage area, also known as Logical Data Structure version 2.0 (LDS2), is to be standardized in early 2016.

LDS2 will further enhance the benefits of modern, integrated visa management and border management systems. It is a huge opportunity to expedite inspection while also enhancing security by enabling immigration officers to quickly and efficiently check passengers’ visa and travel history by retrieving data from the chip.

Because ePassports are contactless documents and in the hands of close to 600 million travelers as of today, LDS2 can do much more than transform visa and border control ecosystems. For example, airlines could use biometrics to securely grant access to their VIP lounges or use a passenger’s travel history for more targeted communications. Duty free operators could also leverage the passport data for promotional activities. These use cases are of course subject to privacy regulations.

As the industry moves forward, it is clear that all stakeholders have to start considering how to manage and leverage the impending evolution of travel documents and associated systems. To guarantee a smooth progression to the next generation of ePassport and ensure full interoperability compliance, it is important to select partners and suppliers with long-standing experience of the travel market and a proven track record in ePassport migrations. Gemalto is one such supplier, active in the ePassport market since 2005. The company provides technologies and services to over 25 national ePassport programs around the world and is geared up to help you succeed in your migration project.

A brief history of ePassports

In 2004, the International Civil Aviation Organization, an agency of the United Nations, defined the specifications of the electronic Passport. Over the last decade, it has been rapidly adopted around the world.

The chip in an ePassport stores the biographical data of the holder (first and last name, date of birth, sex), as well as information related to the issuing authority (certificates) and to the document itself (document number, place of issuance, date of issuance, expiry date).

The data is signed in order to guarantee that it has not been tampered with.

Initially deployed from around 2005, first generation ePassports are based on Basic Access Control (BAC), a mechanism that was introduced to prevent skimming and eavesdropping and to ensure that the data stored in the ePassport microprocessor chip is read in a secure way. BAC protects the biographic data and facial image – the same data that is visible on the ePassport data page and which is therefore considered less sensitive.

BAC is based on a symmetric protocol and the authentication relies on the data provided in the Machine Readable Zone (MRZ) on the data page. Before access to the chip is granted, the chip and the reading device mutually authenticate themselves using a specific authentication key that is derived from the MRZ. The MRZ is also used to generate the session keys used to encrypt the data exchange between the chip and the reading device.

Today, BAC is used in every ePassport in the world, encompassing over one hundred countries. It is an ICAO-recommended feature for privacy protection.
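The MRZ-to-key derivation that the paragraphs above describe, written out as an added example (this is not code from the white paper or from Gemalto; it follows the ICAO Doc 9303 check-digit and key-derivation rules). The three data-page fields are each followed by their check digit to form MRZ_information, SHA-1 of that string seeds the keys, and two counters split the seed into an encryption key and a MAC key with DES parity adjusted. The document number, birth date and expiry date used in the `__main__` block are the publicly documented sample values from the ICAO worked example, not a real passport. The function and variable names are this example's own.

```python
import hashlib


def mrz_check_digit(field: str) -> int:
    """ICAO Doc 9303 check digit: weights 7, 3, 1 repeat over the field;
    digits count as themselves, letters A-Z as 10-35, the filler '<' as 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Build MRZ_information: document number (padded to 9 with '<'), date of
    birth and date of expiry (both YYMMDD), each followed by its check digit."""
    fields = (doc_number.ljust(9, "<"), birth_date, expiry_date)
    return "".join(f + str(mrz_check_digit(f)) for f in fields)


def _adjust_des_parity(key: bytes) -> bytes:
    """Set the least significant bit of every byte so the byte has odd
    parity, as (3)DES key bytes require."""
    out = bytearray()
    for b in key:
        data_bits = b & 0xFE
        parity = 0 if bin(data_bits).count("1") % 2 else 1
        out.append(data_bits | parity)
    return bytes(out)


def has_odd_parity(key: bytes) -> bool:
    """True when every byte of the key has an odd number of set bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def derive_bac_keys(mrz_info: str) -> dict:
    """Doc 9303 BAC key derivation:
        K_seed = SHA-1(MRZ_information)[0:16]
        K_enc  = SHA-1(K_seed || 00000001)[0:16], parity adjusted
        K_mac  = SHA-1(K_seed || 00000002)[0:16], parity adjusted
    Every byte here is a deterministic function of three data-page fields,
    which is why the strength of BAC is bounded by how predictable those
    fields are rather than by the 112-bit nominal size of the 3DES keys."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    keys = {"k_seed": k_seed}
    for name, counter in (("k_enc", 1), ("k_mac", 2)):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        keys[name] = _adjust_des_parity(digest[:16])
    return keys


if __name__ == "__main__":
    # Sample values from the ICAO Doc 9303 worked example (not a real passport).
    info = mrz_information("L898902C", "690806", "940623")
    print("MRZ_information:", info)
    for name, value in derive_bac_keys(info).items():
        print(f"{name}: {value.hex()}")
```

Running the block prints the MRZ_information string `L898902C<369080619406236` for the sample fields and the derived seed and keys. The point to take from it is the one the paper makes: a reader that knows the three fields recomputes exactly these keys, so the protection BAC gives is no stronger than the secrecy of the data page.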

In 2006, the EU asked all member nations to include on their ePassports additional digital biometric information, in particular fingerprint biometric data. Starting in mid-2009, this ushered in the second generation of ePassports. To protect this extra data, it was clear that a new security mechanism was necessary: Extended Access Control (EAC v1.11).

EAC restricts access to highly sensitive biometric data (fingerprints and iris) to authorized parties only and adds functionality to verify the authenticity of the chip (chip authentication) and the reading device (terminal authentication). EAC is based on an asymmetric protocol and uses stronger encryption.

To grant reading access to additional biometrics (usually the fingerprints), the inspection terminal has to present a valid certificate chain, from the root to the last certificate. The chain consists of the root certificate, which contains the public key associated with the private key held by the issuing state; the Document Verifier (DV) certificate of the welcoming country, signed by the issuing country; and the Inspection System certificate, signed by the welcoming country. That means that if ‘Country-A’ wants to allow ‘Country-B’ to access its citizens’ fingerprints, Country-A will have to sign the DV keys of Country-B.
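The Country-A / Country-B chain walk described above, as an added example that is not code from the white paper or from any ePassport product. It models the three certificate levels (CVCA root, Document Verifier, Inspection System) and the checks a chip performs during terminal authentication: each certificate must name the previous one as its issuer, verify under the issuer's key, be within its validity period, and can never hold more access rights than its issuer. The certificate class, the `issue`/`validate_chain` helpers and the country names are this example's own; the signature is a keyed hash standing in for the real ECDSA/RSA signature, which keeps the chain logic identical but is not asymmetric.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date

# Access rights carried in the certificate holder authorization (CHAT).
FINGERPRINT = "read-fingerprint"
IRIS = "read-iris"


@dataclass(frozen=True)
class CVCert:
    holder: str        # certificate holder reference, e.g. "A-CVCA"
    issuer: str        # holder reference of the signing certificate
    key: bytes         # stand-in for the holder's public key (see sign())
    rights: frozenset  # access rights the holder may exercise
    valid_from: date
    valid_until: date
    signature: bytes = b""

    def tbs(self) -> bytes:
        """The to-be-signed body of the certificate."""
        return "|".join([self.holder, self.issuer, self.key.hex(),
                         ",".join(sorted(self.rights)),
                         self.valid_from.isoformat(),
                         self.valid_until.isoformat()]).encode()


def sign(issuer_key: bytes, body: bytes) -> bytes:
    """Stand-in for the issuer's signature: a keyed hash under the issuer's
    key. Real CV certificates carry an ECDSA/RSA signature instead."""
    return hmac.new(issuer_key, body, hashlib.sha256).digest()


def issue(issuer, holder: str, key: bytes, rights, valid_from: date,
          valid_until: date) -> CVCert:
    """Create a certificate signed by `issuer` (self-signed when issuer is None)."""
    cert = CVCert(holder, issuer.holder if issuer else holder, key,
                  frozenset(rights), valid_from, valid_until)
    signer_key = issuer.key if issuer else key
    return replace(cert, signature=sign(signer_key, cert.tbs()))


def validate_chain(trust_anchor: CVCert, chain: list, today: date) -> frozenset:
    """Walk CVCA -> DV -> IS as the chip does during terminal authentication.
    Returns the effective rights of the last certificate or raises ValueError.
    Rights are intersected along the chain: a subordinate never gains rights."""
    effective = set(trust_anchor.rights)
    issuer = trust_anchor
    for cert in chain:
        if cert.issuer != issuer.holder:
            raise ValueError(f"{cert.holder}: issued by {cert.issuer}, not {issuer.holder}")
        if not hmac.compare_digest(sign(issuer.key, cert.tbs()), cert.signature):
            raise ValueError(f"{cert.holder}: signature does not verify under {issuer.holder}")
        if not cert.valid_from <= today <= cert.valid_until:
            raise ValueError(f"{cert.holder}: not valid on {today}")
        effective &= cert.rights
        issuer = cert
    return frozenset(effective)


def demo() -> dict:
    """Country-A issued the passport; Country-B and Country-C run eGates."""
    today = date(2014, 6, 1)
    a_cvca = issue(None, "A-CVCA", b"key-A-cvca", {FINGERPRINT, IRIS},
                   date(2012, 1, 1), date(2018, 1, 1))
    # Country-A signs Country-B's DV key: fingerprints yes, iris no.
    b_dv = issue(a_cvca, "B-DV", b"key-B-dv", {FINGERPRINT},
                 date(2014, 1, 1), date(2015, 1, 1))
    # Country-B signs its own inspection system; it asks for both rights
    # but can only inherit what its DV certificate holds.
    b_is = issue(b_dv, "B-IS-01", b"key-B-is", {FINGERPRINT, IRIS},
                 date(2014, 5, 1), date(2014, 7, 1))
    # Country-C's DV is signed by Country-C's own CVCA, which Country-A's
    # chips do not trust.
    c_cvca = issue(None, "C-CVCA", b"key-C-cvca", {FINGERPRINT},
                   date(2012, 1, 1), date(2018, 1, 1))
    c_dv = issue(c_cvca, "C-DV", b"key-C-dv", {FINGERPRINT},
                 date(2014, 1, 1), date(2015, 1, 1))
    c_is = issue(c_dv, "C-IS-01", b"key-C-is", {FINGERPRINT},
                 date(2014, 5, 1), date(2014, 7, 1))

    results = {"B": validate_chain(a_cvca, [b_dv, b_is], today)}
    for label, chain, when in (("C", [c_dv, c_is], today),
                               ("B-after-expiry", [b_dv, b_is], date(2014, 8, 1))):
        try:
            results[label] = validate_chain(a_cvca, chain, when)
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Country-B's terminal ends up with fingerprint access only, because the DV certificate Country-A signed never carried the iris right; Country-C's chain is rejected at the first link because no certificate in it was signed by Country-A's root; and Country-B's own chain is rejected once the Inspection System certificate has expired, which is why inspection systems are issued short-lived certificates.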

Designed over a decade ago, BAC’s level of security is limited by the protocol’s symmetric (secret key) cryptography design and there is no straightforward way to strengthen it. A cryptographically strong access control mechanism must also use asymmetric (public key) cryptography.

While BAC is still considered an adequate access control mechanism, it is clear that the strength of keys that depend on the MRZ will not resist modern threats for very long. To ensure long-term security, it is therefore important to anticipate and prepare for a new generation of ePassports that combat the ever-increasing attempts at fraud. This is particularly important with documents that are usually valid for five to ten years.

While BAC is still a safe way to protect data, as security levels are ramped up to meet the evolving threat posed by eavesdroppers and hackers with access to greater computing resources, a new security mechanism, Supplemental Access Control (SAC), has been introduced. This aims to overcome the limitations of BAC.

The major advantage of SAC is that the security level is independent of the strength of the password used to authenticate the terminal and generate the keys for secure messaging.

SAC is based on Password Authenticated Connection Establishment (PACE v2). During the authentication phase, it implements asymmetric cryptography and bases data encryption on a shared key between the reading device and the chip. Data confidentiality is thus enhanced and eavesdropping becomes impossible.

Thanks to SAC, the data is strongly protected both when stored on the chip and when transmitted to the reading device. As a result, it provides a superior level of security to BAC.

SAC is recommended by ICAO as of the end of 2014. It is mandated in the European Union for all member states by the end of 2014.
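The claim above that SAC's security level is independent of the password strength is the defining property of PACE, and the following added example (not code from the white paper or from any ePassport implementation) walks through the PACE generic-mapping exchange with integer Diffie-Hellman so it can be read end to end: the chip encrypts a fresh nonce under a password-derived key, both sides run an ephemeral Diffie-Hellman exchange, map the nonce onto a new generator, run a second exchange on that generator, and confirm the result with authentication tokens. The group parameters are a toy prime chosen for readability (real PACE uses ECDH on a named curve or a 2048-bit MODP group), the nonce encryption and the token MAC are keyed-hash stand-ins for the AES/3DES-CBC and CMAC the standard specifies, and the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group so the arithmetic stays readable. These are NOT
# standardized PACE domain parameters.
P = (1 << 127) - 1   # a Mersenne prime
G = 3


def kdf(secret: bytes, counter: int) -> bytes:
    """Doc 9303 style key derivation: SHA-1(secret || counter), 128 bits."""
    return hashlib.sha1(secret + counter.to_bytes(4, "big")).digest()[:16]


def encrypt_nonce(k_pi: bytes, nonce: int) -> bytes:
    """Stand-in for AES/3DES-CBC encryption of the nonce under K_pi."""
    stream = hashlib.sha256(k_pi + b"nonce").digest()
    return bytes(a ^ b for a, b in zip(nonce.to_bytes(32, "big"), stream))


def decrypt_nonce(k_pi: bytes, z: bytes) -> int:
    # XOR with the same keystream recovers the nonce (or garbage if K_pi is wrong).
    return int.from_bytes(encrypt_nonce(k_pi, int.from_bytes(z, "big")), "big")


def mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for the CMAC used to build PACE authentication tokens."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def run_pace(chip_password: bytes, terminal_password: bytes):
    """Run PACE (generic mapping, DH) between a chip and a terminal.

    Returns (chip_accepted, chip_k_enc, terminal_k_enc, transcript). The
    transcript holds exactly what an observer of the contactless link sees;
    none of it is a function of the password alone.
    """
    transcript = {}

    # Step 1: the chip encrypts a fresh nonce s under the password key K_pi.
    s = secrets.randbits(128)
    z = encrypt_nonce(kdf(chip_password, 3), s)
    transcript["z"] = z
    # The terminal recovers s with its own copy of the password.
    s_term = decrypt_nonce(kdf(terminal_password, 3), z)

    # Step 2: ephemeral Diffie-Hellman gives both sides a shared value H.
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pk_chip, pk_term = pow(G, x, P), pow(G, y, P)
    transcript["pk_chip"], transcript["pk_term"] = pk_chip, pk_term
    h_chip, h_term = pow(pk_term, x, P), pow(pk_chip, y, P)

    # Step 3: map the nonce to a new generator g' = g^s * H. Only a party that
    # decrypted s correctly lands on the same g' as the chip.
    g_chip = (pow(G, s, P) * h_chip) % P
    g_term = (pow(G, s_term, P) * h_term) % P

    # Step 4: a second DH on the mapped generator yields the session secret K.
    x2, y2 = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pk2_chip, pk2_term = pow(g_chip, x2, P), pow(g_term, y2, P)
    transcript["pk2_chip"], transcript["pk2_term"] = pk2_chip, pk2_term
    k_chip = pow(pk2_term, x2, P).to_bytes(16, "big")
    k_term = pow(pk2_chip, y2, P).to_bytes(16, "big")

    # Step 5: derive session keys from K (not from the password) and let the
    # terminal prove knowledge of K with a token over the chip's public key.
    chip_enc, chip_mac = kdf(k_chip, 1), kdf(k_chip, 2)
    term_enc, term_mac = kdf(k_term, 1), kdf(k_term, 2)
    t_term = mac(term_mac, pk2_chip.to_bytes(16, "big"))
    transcript["t_term"] = t_term
    chip_accepted = hmac.compare_digest(
        t_term, mac(chip_mac, pk2_chip.to_bytes(16, "big")))
    return chip_accepted, chip_enc, term_enc, transcript


if __name__ == "__main__":
    mrz = b"L898902C<369080619406236"   # sample MRZ_information used as the password
    ok, chip_key, term_key, _ = run_pace(mrz, mrz)
    print("accepted:", ok, "keys match:", chip_key == term_key)
    ok, chip_key, term_key, _ = run_pace(mrz, b"WRONG-PASSWORD")
    print("accepted:", ok, "keys match:", chip_key == term_key)
```

Two things are worth observing when running it. First, two sessions with the same MRZ produce different session keys, because the keys come from the ephemeral exchange rather than from the password; under BAC the same MRZ always yields the same keys. Second, a terminal that holds the wrong password decrypts a different nonce, ends up on a different generator, and is rejected by the chip's token check, while nothing in the transcript lets an observer tell which password would have been right without solving the Diffie-Hellman problem in the group.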

Use of biometrics

Because it offers the broadest interoperability, the holder’s face is the only mandatory biometric information required in the ePassport. It is the primary biometric element stored in all electronic passports issued and allows for the use of facial recognition algorithms at border control.

Fingerprints are secondary biometric elements, which are mostly used in the European Union (all member states). Access to fingerprints is restricted, as this is considered sensitive information; availability to other countries can be chosen by the issuing country. For maximum privacy and security, it is based on the exchange of certificates in a PKI scheme.

The iris is also defined as a possible secondary biometric element. However, to date no country is using it in an ePassport scheme.

Use cases for ePassports

At present, the number of use cases is rather limited. The main purpose of a passport, with or without a chip, is to cross a border, whether going abroad or returning to the home country. The passport is also often used to apply for a visa, to prove the holder’s identity when checking in, and when going through security and boarding.

The content stored in the chip is limited to the data page. No travel stamps or visas are stored in the chip. It does not allow for automated retrieval of travel history for more efficient background checks and visa processing.

Visa and travel records are placed in the ePassport as a visible stamp or a sticker, so border control officers must look for them during the inspection. This can be cumbersome for frequent travelers with numerous visas for the same country. It is also a slow process: a visa sticker may have its own Machine Readable Zone (MRZ), which must be scanned in addition to the ePassport’s MRZ.

Clearly, current ePassports do not take full advantage of the smart card technology they are based on. While data can be added or updated in other types of secure electronic credentials (e.g. national eID cards, electronic driving licenses), ePassports are rather static and no data is added during their time in the citizen’s pocket.

Today, most ePassport projects do not store fingerprints. One of the underlying reasons is the lack of infrastructure to capture fingerprints at the time of application. It is both expensive and complex to deploy such an infrastructure across an entire country.

Areas of improvement

Tampering with stamps and visas is now a common fraud technique. Stamps in particular offer a low level of security, while visas usually have a higher level of protection (with a secure background) but little defense of the personalized data (related to the visa applicant).

There is an opportunity to provide new services to citizens.

A large number of airports have deployed fast track programs for frequent travelers. These programs require a registration process and usually the issuance of a dedicated token (a plastic card, or in some cases a smart card). This complexity is a deterrent for many citizens. However, convergence with a well-known token, the ePassport, could foster wider use of these traveler programs.

Online services are best delivered in a secure manner, to provide security and enhance privacy. The best solutions require a dedicated document, either an electronic identification document or a secure element in a mobile phone. ePassports are cryptographic tools that securely store certificates that can be used to provide strong authentication when accessing online services. Used in conjunction with an NFC-enabled smart phone, the certificates could be retrieved from the ePassport by a dedicated application on the phone and used to connect to either a government or third party web portal (e.g. airport authorities, airlines). This can be particularly useful in countries where electronic ID documents have not been deployed.

Coping with rapidly increasing numbers of air travelers

According to Airports Council International estimates, air travel will double between 2012 and 2030 to reach 11 billion travelers per year in 2030. During the same period, it is not expected that border control resources or the consular services that issue visas will increase at the same rate.

Governments are therefore looking for ways to automate the visa and border control processes while maintaining and even increasing the level of security. A delicate equilibrium between productivity, security and convenience must be implemented.

The current method of gathering details on the travel history of those crossing a border is to scan all pages of the passport and then process manually all entry and exit stamps in a database.

It would be far better if there was a faster and more accurate way to perform this task. By cross checking data and looking for discrepancies, this would greatly enhance passenger profiling and risk assessment, and could pinpoint potential fraud.

The world has gone mobile. Nowadays, boarding passes are often loaded on smart phones. With an ever increasing number of mobile phones making use of NFC, which is a subset of the ISO contactless protocol used in ePassports, a convergence path is slowly emerging.

Gemalto is encompassing new use cases, such as visa registration, where the eVisa can be remotely loaded in the ePassport chip through the mobile phone. Using this approach, a traveler could apply for a visa from his or her mobile phone, reducing the need in most cases (i.e. low risk travelers) for a visit to a consulate.

Next generation ePassports

A decade after the initial launch of the ePassport, ICAO is looking to issue an optional standard named LDS2, alongside the current one. This will focus on the writing or appending of data by the issuing country as well as other countries.

LDS2 is aimed at the storage of the visa pages in the chip, with the entry/exit stamps and the visas, as well as allowing the storage of additional biometrics in different formats (interoperable or country-specific format). Crucially, it will enable dynamic content update of the ePassport chip throughout its validity period, paving the way for new use cases.

The ability to store and to retrieve travel history from the chip will allow faster and more secure border control processes, supporting efforts to address fraud. Even if a traveler is able to physically remove or change a travel stamp or a visa on his or her passport, the data in the chip will be protected against tampering, having been signed by the rightful border control authority.

Storing the travel history in the chip and automatically retrieving it brings accuracy and reliability, and eliminates the need for manual calculation of the duration of a stay.

LDS2 also improves risk assessment, sending the data to back end databases to check against existing records and look for discrepancies in the travel history, which can highlight potential fraud.

The ability to add biometrics after the initial issuance of the passport serves several purposes. It is primarily aimed at addressing the lack of a live biometric capture infrastructure across a country. If they were not able to have their fingerprints captured at the time of application, citizens can enroll at the airport instead. This is most relevant in countries without biometric passports. It is also possible to either add additional fingers or to update the fingerprints provided at the initial application for the passport (for example, children whose fingerprints were not fully formed at the time of application). It is also useful for addressing citizens’ concerns over privacy and the storage of their biometric data. If they want to have the convenience of fast track through the eGates, citizens could provide their data on a voluntary basis. Finally, extra data can accompany the additional biometrics, to support registered traveler programs. This could provide more convenience and wider adoption of such programs. Authorized additional biometrics include face, fingerprints and iris.

The impact of LDS2

All data written to the LDS2 application must be signed by the inspection or visa issuance system storing the data on the chip. Verification of its authenticity prevents the storage of invalid data.

The impact of LDS2 on enrolment systems is varied. There is no change for countries which are already capturing biometrics at application. However, there are benefits for countries which are not capturing biometrics at application: they can add biometric capture at airports or in a restricted number of sites, and the captured data is then loaded onto ePassports that have already been issued.

LDS2 does not have a major impact on issuance systems. ePassports with LDS2 will be issued in the same way, with the same set of data. Naturally, security mechanisms (SAC, EAC v2.10 part 1) will have to be either deployed or upgraded.

LDS2 will have an impact on visa management systems, requiring both front and back office upgrades in airports, consulates and embassies to be able to store visas in the chip during visa processing and to retrieve visa and travel history from the chip when crossing a border.

Border management systems and, in particular, automated border control (ABC) have much to gain from LDS2. The ePassport enabled ABC, and LDS2 will bring it to new levels. eGates will no longer be restricted to citizens of the country where the airport is located (or surrounding countries in the case of regional agreements). Visa and stamp processing opens the door to more customers being channeled through the eGates. Visas can be read by the eGates, stamps can be added in the chip and even physically on the passport booklet. Visa stickers can be printed in those gates (or on separate paper).

Travelers increasingly choose both their airlines and hubs based on convenience. Passenger facilitation is therefore key to building customer loyalty. LDS2 and ABC are a win/win: they answer the issue of increased passenger flow and the quest for enhanced customer convenience.

For airport authorities, it provides better facilitation of an increasing number of passengers, improves the flow of airport foot traffic and optimizes floor space and throughput. Furthermore, it projects a modern image of the airport, attracting more travelers, and allows travelers to spend more time in duty-free shops rather than standing in queues.

Passengers cross borders more rapidly, with reduced stress, and enjoy a more pleasant travel experience. Given the competition between airports, customers will be loyal to those which put the most effort into making the travel experience more enjoyable.

Subject to privacy laws, airlines can use biometrics from passports to grant access to the lounge and mine travel history retrieved from the ePassport to offer targeted promotions.

Again subject to privacy regulations, duty free operators can also retrieve customer data from their passports for mailings and promotions. They can more easily offer a loyalty system without a specific loyalty card (which is important given that it’s not easy to carry 20 different cards when you are a business traveler going around the globe). For retail chains and duty free operators with a presence across many airports, it is also a good opportunity to strengthen customer retention (by allowing travelers to earn points across several locations).

Conclusion

While current electronic passports already bring tangible benefits with the implementation of automated gates for border crossing, next generation documents will bring additional advantages to more stakeholders: border agencies, airport operators, airlines, duty free operators and passengers.

Many benefits will come from next generation ePassports:

- Optimized passenger processing

- Automated document and traveler verification

- Shorter queues for passengers

- Better and innovative services for travelers

Standardization is under way and LDS2 should be ready by the beginning of 2016. Now is a good time to start planning a migration path and upgrades to current systems.

Gemalto’s experts can assist you in auditing your current passport, visa and border management systems, looking at potential improvements and creating a unique migration path to a more convenient and more secure travel experience for your citizens and your visitors.

About the white paper

The International Civil Aviation Organization is currently working on the next evolution of the ePassport standard, which was initially implemented in 2004.

This white paper explores the opportunities and potential changes of this future version.