The Entrust founder behind the UK’s original e-passport and his successor at Gemalto discuss developments in passport security
During the 2016 EU referendum campaign, one of the most emotive issues for Eurosceptics was the chance to reintroduce navy blue passports. It was also among the most irrational, as the EU had never mandated burgundy passports and the UK was free to choose whatever colour scheme it desired. Nevertheless, the Brexit vote meant a new non-EU passport would be required.
In 2018, Gemalto was selected to make the new passports, in a £260 million contract that will run for 11-and-a-half years.
The choice of a Franco-Dutch firm as the manufacturer ahead of a competing bid from British business De La Rue triggered accusations from the press and politicians that the government was being unpatriotic, despite the deal saving the public £10 million per year.
The deal also created an opportunity to introduce new digital security features, including the UK’s first polycarbonate data page. Once the polycarbonate layers are fused they cannot be separated, so the data is securely embedded and counterfeiters cannot substitute the information printed on it.
“Today the combination is a paper biodata page with a protective laminate,” Renaud Laffont-Leenhardt, Gemalto’s Director for Travel Documents, tells Computerworld UK. “The new passport will use a polycarbonate, which is more durable and also allows for more visual and tactile security features, which are helpful in protecting the documents from forgeries and counterfeiting.”
Passports have been used in the UK since 1414, when King Henry V introduced “safe conduct” travel records to help his subjects prove their identities when in foreign lands.
The counterfeiting technology of today would be unrecognisable to Henry, but the two principal threats remain the same: document fraud (altering the data on a genuine document or creating a counterfeit one) and identity theft (making a fraudulent passport application or using a genuine document stolen from a lookalike).
“The technology is evolving and what we see on the rise now is what we call morphing attacks – taking two portraits of different people and combining them in a single portrait so that you can try and go through the border control,” says Laffont-Leenhardt.
“The idea is to combine two people into a single one so that when going through border verification you can try and pass for another person. For years it’s been done with documents without doing too much forgery but now with the use of the morphing there are more and more attacks where the data is just slightly different on the document.
“Because what is more difficult nowadays is completely changing the portrait and removing the data from one person and putting fake data on top of it. Now with the morphing it’s a more elaborate attack that is more challenging to detect at border control.”
Protective measures include making a live capture of each citizen’s portrait during the passport application process, conducting more thorough background checks and introducing further biometrics at the border.
Around 140 countries currently issue ePassports. All of them use the portrait as the primary form of biometric authentication, while just under half of them also use additional forms of biometrics. The International Civil Aviation Organization (ICAO), a specialised agency of the United Nations, issues recommendations on passport standards. They advise governments to choose between fingerprints and iris as a secondary biometric.
“At border control, usually you have a camera capturing the portrait and trying to make a match with the data that is stored in the chip,” says Laffont-Leenhardt. “When you think the data matching is not very high then you can consider doing additional screening or even using a secondary biometric such as fingerprints or iris if such data is available in the chip. That’s where the technology is supporting the fight against the threat.
“More globally, the document is only as secure as the whole process to enroll a citizen to issue him with a passport and to verify the passport. It’s a question of securing the complete chain of trust so that there are no weak points that fraudsters can use to attack a passport programme.”
Digital passport history
The first digital passports were issued in 2006. Entrust supplied the encryption behind them, which used an electronic chip to store the holder’s data.
The first generation placed a digital signature in a scannable barcode; its successor allowed multiple technologies to be added to the chip, which laid the foundations for a range of biometrics.
“The first one really was a digital signature,” Bill Conner, the former Entrust CEO, tells Computerworld UK. “The UK and US were the big leaders in the first digital passports.
“It was called basic access control. You would go to your Home Office and we could go to our Department of State, and you would give them 19 lines of your personal information: name, address, birthday – 19 lines of data – and you could digitally sign it and fit it in the barcode at the bottom of your passport.”
The problem was that the barcode was too easy to compromise with a hijacked document reader. The second generation ePassport reduced this risk by creating a chain of encryption from the document to the reader, on to a country’s servers and across international networks.
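The check that lets a reader trust chip data signed by the registering authority, as an added Go example that is not code from the article, Entrust or Gemalto: it models ICAO-style passive authentication in simplified form, with the issuer signing one hash per data group (a stand-in for the Document Security Object) so that a substituted portrait or edited biodata is detected at the reader even when the signature bytes are untouched. The key pair, the DG1/DG2 contents and the SecurityObject layout are constructed for this demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// SecurityObject is a simplified stand-in for the ICAO Document Security Object:
// one SHA-256 hash per chip data group (index 0 = DG1 biodata, 1 = DG2 portrait), signed by the issuer.
type SecurityObject struct {
	Hashes    [][]byte
	Signature []byte
}

func hashDG(content []byte) []byte {
	h := sha256.Sum256(content)
	return h[:]
}

// Issue runs once at the registering authority: hash every data group, then sign the hash list.
func Issue(priv ed25519.PrivateKey, chip [][]byte) SecurityObject {
	hashes := make([][]byte, len(chip))
	for i, dg := range chip {
		hashes[i] = hashDG(dg)
	}
	return SecurityObject{hashes, ed25519.Sign(priv, bytes.Join(hashes, nil))}
}

// Verify runs at the border reader: check the issuer's signature over the hash list, then recompute each
// group hash, so a swapped portrait or edited biodata is caught even though the signature itself is intact.
func Verify(pub ed25519.PublicKey, chip [][]byte, so SecurityObject) error {
	if !ed25519.Verify(pub, bytes.Join(so.Hashes, nil), so.Signature) {
		return fmt.Errorf("security object signature invalid")
	}
	for i, want := range so.Hashes {
		if i >= len(chip) || !bytes.Equal(hashDG(chip[i]), want) {
			return fmt.Errorf("DG%d missing or altered", i+1)
		}
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // issuer key pair, generated for this demo only
	chip := [][]byte{[]byte("P<GBRDOE<<JANE<<<<"), []byte("portrait-bytes")} // constructed DG1, DG2
	so := Issue(priv, chip)
	chip[1] = []byte("lookalike-portrait") // portrait substitution on an otherwise genuine chip
	fmt.Println(Verify(pub, chip, so))     // reports DG2 missing or altered
}
```

A reader that skipped the per-group hash comparison would accept the swapped portrait, since the signature over the hash list is still valid; a forged security object signed with any other key fails the first check.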
“I remember when I was doing this first with Interpol, Gartner said this was impossible, you’d never be able to put four digital signatures or digital encryptions on it because they’d take up space on a chip,” Conner recalls.
“We were able to do it. We did it for Interpol, putting the national ID, your employee information and your access to credentials for all systems all on one chip.”
In 2009, Conner engineered the sale of Entrust to private equity firm Thoma Bravo. He later shifted his focus from identity management to network security as CEO of SonicWall, leaving the UK to find another vendor to secure its digital passports.
Today’s ePassports typically store biographical data, biometrics and digital signatures from the registering authority. The next generation will also be capable of storing eVisas, entry and exit stamps and other travel information, which would further secure the passports and, in theory, hasten border checks.
“We see use cases where you could remotely apply for a passport and you could remotely receive a visa that you could then download somewhere into your passport,” says Laffont-Leenhardt.
He also expects virtual passports to gain traction as a secure companion to the physical version. The International Air Transport Association (IATA) expects 7.8 billion passengers to travel by plane in 2036, nearly double the 4 billion travellers who flew in 2017, which will cause massive airport congestion that virtual passports can help to mitigate.
“The interest of the virtual passport is that it’s a digital companion derived from a physical document that’s used to smoothen the traveller experience and speed up the flow by reducing the amount of time taken to take the passport out of your pocket and show it at the various checkpoints during the journey to prove your identity,” explains Laffont-Leenhardt.
“We see a future where you will carry a physical passport in your pocket, but you will rely on your digital credential to carry out your journey and use biometrics to validate your identity.”
Source: https://www.computerworlduk.com