Bundesdruckerei, together with its partners, the joint-venture partner Veridos and Emirates German Security Printing (EGSP) in Abu Dhabi, has won an international tender to design and operate the ICAO Public Key Directory (PKD) Service of the International Civil Aviation Organization (ICAO), a specialised agency of the United Nations.
“We are pleased that our technical concept was selected competitively by ICAO and PKD Board Members. The contract underpins Bundesdruckerei’s expertise and its role as a market leader for secure identities in public-sector infrastructures,” says Ulrich Hamann, CEO of Bundesdruckerei. “Through our German trust service provider D-TRUST, we can offer an infrastructure made in Germany that offers high security and high availability and fully meets the customer’s requirements.”
At borders in many countries around the world, control officers use special reading devices to check whether the electronic passports presented are genuine, forged or manipulated. Checks like these are also carried out by electronic gates, so-called eGates, which are becoming a familiar sight at many airports. Every chip in an electronic passport carries its own signature, which guarantees the authenticity and integrity of the data stored on it. When a check is carried out at an eGate, the signature on the passport chip is verified against the certificate of the country that issued the passport. These signature certificates and the pertinent revocation lists are made available in the PKD, which ICAO operates from its headquarters in Montreal, Canada. There are currently 45 countries taking part in this system. Each country can update its own signature certificates and revocation lists in the PKD, so the certificates no longer have to be exchanged bilaterally with each individual country; instead, the latest versions can be retrieved from the ICAO PKD and imported into each country’s border control solutions. If a participating country also sets up a so-called national PKD, the certificates can be distributed automatically, and hence quickly, to all of its national border control points.
Background: Public Key Infrastructure (PKI) and Public Key Directory (PKD)
Public key infrastructures enable encrypted communication between subscribers (for instance, countries) over a public communication system such as the Internet. What is special about this is that the subscribers do not have to exchange a shared secret key for every message over a separate trusted channel. All they have to do is exchange their public keys, which anyone can use to encrypt messages to them; such a message can then only be decrypted by the recipient using their private key. The same mechanism can also be used to generate so-called digital signatures; in this case, however, the signature is generated with the private key and verified with the corresponding public key. A signature therefore proves whether a message really comes from the stated sender and whether it was altered by an unauthorised party, i.e. whether the data on an electronic passport was written by the responsible agency or has been manipulated.
What is important here is the authenticity of the sender, i.e. proof that the holder of a public key is in fact who they claim to be. This is where the public key infrastructure (PKI) comes into play: a public key can be trusted because it is retrieved from a trusted key directory rather than accepted from an arbitrary source. In the case of electronic passports, ICAO provides this kind of exchange platform (the Public Key Directory), where the countries that issue documents publish the public keys needed for verification. Operators of national PKD solutions can also retrieve these same public keys from the platform.
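A simplified model of the flow described above, as an added example (not code from Bundesdruckerei, D-TRUST or ICAO): each issuing country publishes its signing key and its revocation list to a directory, and the border-control side takes the issuer's key from that directory, checks it against the revocation list, and only then verifies the chip signature. It assumes Ed25519 with a single signing key per country in place of the real certificate chain and CRLs, and the country code and chip data are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Directory is a simplified stand-in for the ICAO PKD: one published signing key per issuing country, plus a revocation list kept as SHA-256 fingerprints of revoked keys.
type Directory struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[[32]byte]bool
}

// Publish is the issuing country's side: upload or update its public key in the directory.
func (d *Directory) Publish(country string, pk ed25519.PublicKey) { d.Keys[country] = pk }

// Revoke is the issuing country's side: put a compromised key on its revocation list.
func (d *Directory) Revoke(pk ed25519.PublicKey) { d.Revoked[sha256.Sum256(pk)] = true }

// VerifyAtBorder is the eGate's side: the issuer's key is taken from the directory
// (never from the chip itself), checked against the revocation list, then used to verify.
func VerifyAtBorder(d *Directory, country string, data, sig []byte) error {
	pk, ok := d.Keys[country]
	if !ok {
		return errors.New("issuing country not published in directory")
	}
	if d.Revoked[sha256.Sum256(pk)] {
		return errors.New("issuer key is on the revocation list")
	}
	if !ed25519.Verify(pk, data, sig) {
		return errors.New("chip signature invalid: data forged or manipulated")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the issuing country's signing key pair
	d := &Directory{Keys: map[string]ed25519.PublicKey{}, Revoked: map[[32]byte]bool{}}
	d.Publish("DEU", pub) // constructed country code
	data := []byte("constructed chip data groups")
	sig := ed25519.Sign(priv, data) // what the issuer writes onto the chip
	fmt.Println("genuine passport:", VerifyAtBorder(d, "DEU", data, sig))
	d.Revoke(pub) // issuer later publishes a revocation for this key
	fmt.Println("after revocation:", VerifyAtBorder(d, "DEU", data, sig))
}
```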