A new dimension in electronic passport security with Supplemental Access Control
By Verna Heino, Gemalto
Recognizing that ePassports should be protected for the long term (10 to 20 years), the International Civil Aviation Agency (ICAO) is introducing Supplemental Access Control (SAC), a new supplemental security mechanism for the next generation of ePassport. The ICAO and the European Union have recently decided to enforce the use of this mechanism for all travel documents to be issued as of 2014. As the industry moves forward, it is clear that countries have to start thinking about how to manage the approaching SAC migration in travel documents and the systems around them.
ePassports are biometrics-enhanced machine readable travel documents (MRTDs) based on specifications defined by the ICAO, and introduced with the aim of strengthening international border security by preventing illegal immigration and trans-border crime as well as reducing the threat of identity theft.
ePassports incorporate a contactless microprocessor chip, on which information on the passport holder is stored. This may include holders’ biographic data like the holder’s name, date and country of birth, as well as the holder’s facial image, fingerprints and iris as biometric data. This data can be read from the passport using a contactless reader.
While contactless technology is well suited for border control and international interoperability, contactless communication is inherently exposed to threats such as skimming and eavesdropping. Since governments issued the first generation of ePassports, several security schemes have been developed to protect the passport holder's privacy, anonymity and personal data.
As a travel document lifetime spans 5 to 10 years, one of the major challenges for the whole industry is to protect the passport holder's data with security mechanisms that remain effective for the entire intended operational life. Continuous efforts are being invested in secure identification to stay on top of the threats of ever-growing international terrorism, illegal immigration and organized crime.
The ePassports generations
In November 2004, the first generation of ePassports appeared. It followed the publishing of a set of technical requirements by the ICAO, which defined the cryptographic protocols to be used to ensure the ePassport’s data integrity and authenticity.
First generation ePassports are based on Basic Access Control (BAC), a mechanism that was introduced to prevent skimming and eavesdropping and to ensure that the data stored in the ePassport microprocessor chip is read in a secure way. BAC protects the biographic data and facial image, i.e. the same data that is visible on the ePassport datapage and is considered less sensitive.
BAC is based on a symmetric protocol, and the authentication relies on the data provided in the Machine Readable Zone (MRZ) that is optically available on the datapage. Before access to the chip is granted, the chip and the reading device mutually authenticate themselves using a specific authentication key that is derived from the MRZ. The MRZ is also the basis for the session keys that encrypt the data exchange between the chip and the reading device.
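The MRZ-to-key derivation described above, as an added example that is not part of the original article: it follows the BAC key derivation of ICAO Doc 9303 Part 11 (SHA-1 key seed, counter-based derivation of K_enc and K_mac with DES parity adjustment), and it makes visible that both keys are a deterministic function of three fields printed on the datapage. The MRZ values in the test are the worked example from that specification, not a real document.

```python
import hashlib

# Added example, not from the article: BAC key derivation as specified in
# ICAO Doc 9303 Part 11. K_enc and K_mac depend only on the document number,
# date of birth and date of expiry printed in the MRZ (plus their check digits).

def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1 over digits 0-9, letters A-Z (10-35) and '<' (0)."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch.isalpha():
            value = ord(ch.upper()) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """Concatenate document number, birth date (YYMMDD) and expiry date, each with its check digit."""
    doc_number = doc_number.ljust(9, "<")        # the document number field is 9 characters, '<' padded
    return (doc_number + mrz_check_digit(doc_number)
            + birth_date + mrz_check_digit(birth_date)
            + expiry_date + mrz_check_digit(expiry_date))

def bac_key_seed(mrz_info: str) -> bytes:
    """K_seed is the first 16 bytes of SHA-1 over the MRZ information."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as the DES key convention requires."""
    out = bytearray()
    for b in key:
        b &= 0xFE                                 # clear the parity bit ...
        if bin(b).count("1") % 2 == 0:            # ... and set it when the other seven bits are even
            b |= 1
        out.append(b)
    return bytes(out)

def derive_bac_keys(k_seed: bytes) -> tuple:
    """Return (K_enc, K_mac): two-key 3DES keys, each SHA-1(K_seed || 4-byte counter), parity-adjusted."""
    keys = []
    for counter in (1, 2):                        # counter 1 -> encryption key, 2 -> MAC key
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        keys.append(adjust_des_parity(digest[:8]) + adjust_des_parity(digest[8:16]))
    return keys[0], keys[1]
```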
Today BAC is implemented in almost every ePassport in the world and it is an ICAO-recommended feature for privacy protection. In 2006, the European Union requested that all member nations include additional digital biometric information and, in particular, fingerprint biometric data on ePassports by mid-2009.
The European Union made it clear that a new security mechanism known as Extended Access Control (EAC) was necessary to protect this data. Extended Access Control restricts access to highly sensitive biometric data (fingerprints and iris) to authorized parties only and adds functionality to verify the authenticity of the chip (chip authentication) and of the reading device (terminal authentication). Compared to BAC, EAC is based on an asymmetric protocol and uses stronger encryption.
With the third generation of ePassports, a new security mechanism, Supplemental Access Control, is introduced to overcome the weaknesses of BAC. While BAC is still considered an adequate access control mechanism, it is clear that the entropy of keys derived from the MRZ will not withstand modern threats for much longer. It is therefore important to anticipate and prepare for a new generation of ePassports that withstands the ever-increasing attempts at fraud, to ensure long-term security.
Supplemental Access Control (SAC)
SAC is an evolution of BAC for future-proof security in travel documents. It is similar in function to BAC and ensures that the contactless chip cannot be read without physical access to the travel document and that the data exchange between the chip and the reading device is encrypted.
SAC is based on Password Authenticated Connection Establishment (PACE v2). During the authentication phase, it uses asymmetric cryptography, while BAC only uses symmetric cryptography. In addition, the session encryption is based on a shared secret established between the reading device and the chip during authentication, in contrast to BAC, which derives the key from the data in the Machine Readable Zone (MRZ). Data confidentiality is thus enhanced and eavesdropping becomes impossible.
The major advantage provided by SAC is that the security level is independent of the strength of the password used to authenticate the terminal and generate the keys for secure messaging. Thanks to SAC the data is strongly protected both when stored on the chip and when transmitted to the reading device. This new mechanism constitutes a superior level of security compared to BAC and guarantees a high level of privacy.
Specifications immediately available
The SAC mechanism has been defined and it is currently being standardized by ICAO. The technical specifications illustrating SAC-based travel document interoperability are already available, as are the conformity test plan and the protection profile to be used for Common Criteria certification (EAL4+).
Furthermore, a software reader tool is available to providers of ePassport applications, personalization solutions and reading devices, so that they can validate their SAC implementation and its conformity with the specifications.
A migration to plan now
The ICAO and the European Union have recently decided to enforce the use of this protocol for all ePassports and eResidence Permits to be issued as of 2014. As a travel document's life spans up to ten years, migration to this new generation of ePassport should be planned now. In order to organize a harmonious migration and to allow reading devices to keep on verifying travel documents in the coming years, the BAC and SAC protocols will coexist even after 2014.
The forerunners are already taking the first steps in the transition to the new security mechanism and the first SAC-enabled travel documents will be issued in Europe some three years ahead of the EU mandate. These countries will effectively protect the privacy of their citizens with travel documents providing a superior level of security.
Systematic migration for involved parties
For the traveler, the SAC upgrade will be completely seamless and the experience at border control will remain the same as today. However, the reading devices at border control must be updated to support SAC. When a traveler presents his/her travel document at the border to prove his/her identity, the reading device must choose whether to use SAC or BAC. This decision is made based on the existence of a specific file (CardAccess) that specifies the SAC-related parameters supported by the travel document. If such a file does not exist, the border control device continues to communicate with the ePassport in the traditional manner using BAC.
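The reader-side decision described above, as an added example that is not code from the article: the CardAccess file (EF.CardAccess) is a DER SET of SecurityInfo structures, and a PACEInfo inside it is a SEQUENCE of a protocol OID under the id-PACE arc, a version and an optional parameter id; the reader selects PACE when such an entry is present and otherwise falls back to BAC. The sample file bytes and the parameter id in them are constructed for the illustration.

```python
from typing import List, Optional

# Added example, not from the article. EF.CardAccess holds a SET of SecurityInfo;
# a PACEInfo is SEQUENCE { protocol OID, version INTEGER, parameterId INTEGER OPTIONAL }.
ID_PACE_PREFIX = "0.4.0.127.0.7.2.2.4"   # bsi-de id-PACE arc; concrete PACE protocol OIDs extend it

def _read_tlv(data: bytes, pos: int):
    """Decode one DER TLV (short or long-form length); return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                               # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    """Decode DER OID content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_card_access(ef: bytes) -> List[dict]:
    """Return the PACEInfo entries (oid, version, parameter_id) advertised in EF.CardAccess."""
    tag, body, _ = _read_tlv(ef, 0)
    if tag != 0x31:
        raise ValueError("EF.CardAccess must be a DER SET")
    infos, pos = [], 0
    while pos < len(body):
        tag, seq, pos = _read_tlv(body, pos)
        if tag != 0x30:
            continue                                # not a SEQUENCE: skip unknown SecurityInfo
        fields, p = [], 0
        while p < len(seq):                         # collect the TLVs inside the SEQUENCE
            t, v, p = _read_tlv(seq, p)
            fields.append((t, v))
        if len(fields) < 2 or fields[0][0] != 0x06:
            continue
        oid = _decode_oid(fields[0][1])
        if oid.startswith(ID_PACE_PREFIX + "."):
            info = {"oid": oid, "version": int.from_bytes(fields[1][1], "big")}
            if len(fields) > 2:
                info["parameter_id"] = int.from_bytes(fields[2][1], "big")
            infos.append(info)
    return infos

def select_access_protocol(card_access: Optional[bytes]) -> str:
    """Mirror the reader's choice: PACE when EF.CardAccess advertises it, BAC otherwise."""
    if card_access is None:                         # file absent: first/second generation document
        return "BAC"
    return "PACE" if parse_card_access(card_access) else "BAC"

# Constructed EF.CardAccess: one PACEInfo for id-PACE-ECDH-GM-AES-CBC-CMAC-128, version 2, parameterId 12.
SAMPLE_CARD_ACCESS = bytes.fromhex("3114" "3012" "060a04007f00070202040202" "020102" "02010c")
```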
For global interoperability and backward compatibility, both SAC and BAC must be supported by the reading devices for some time still. However, to guarantee secure access to the chip, SAC should always be used if it is embedded in the travel document.
Launching SAC in their travel documents has two impacts for governments: firstly, the ePassport issuers need to source a SAC-enabled ePassport application; secondly, the personalization systems, particularly data preparation and quality control, must be updated to support the new security algorithms and SAC-related parameters.
SAC migration is approaching and is a necessity to protect the travel document against foreseeable threats. The SAC mechanism ensures increased, future-proof protection of the document holder's privacy by strengthening the cryptographic mechanism provided by BAC, and thus provides a higher level of protection against eavesdropping.
By combining the available security mechanisms, both physical (visual) and electronic, future ePassports will be effectively protected against a wide range of attacks and misuse. They will better serve border control authorities and protect travelers' confidentiality in the long run.
SAC is well established in the industry, as the technical specifications, conformity tests and test tools are already available. The time is right to take the step to the third generation of ePassports.