Validating the integrity of ePassports by verifying their digital signatures


The security and facilitation advantages of an ePassport are grounded in the presence of an integrated closed-circuit chip. The benefits can only be realized when border control authenticates the chip. If the chip is not authenticated at border control, the ePassport has little advantage over a traditional, non-electronic passport.

This authentication, usually referred to as ePassport validation, is the process of validating the authenticity and integrity of an ePassport by verifying the digital signature on the chip. ICAO’s Public Key Directory (PKD) is a central repository where the information required to authenticate ePassports is exchanged.

For the border control of a receiving State to authenticate the ePassport of a foreign traveler, the receiving State must have access to certain information from the issuing State. If States only had the option to exchange the necessary information bilaterally, the volume of information being exchanged would result in a highly complex and ineffective system that would be susceptible to errors. The ICAO PKD provides an efficient means for States to upload their own information and download that of other States.
 
By playing the role of central broker for this information, the ICAO PKD ensures that information adheres to the technical standards required to achieve and maintain interoperability. In addition, the ICAO PKD ensures that information can be exchanged reliably, in a timely manner and on an open-ended, indefinite basis. 


On 16 October 2020 Italy joined the PKD during a unique import ceremony. The Italian representative to ICAO, Ms. Silvia Costantini, provided the Italian CSCA public key certificate that was needed to authenticate Italian electronic passports (ePassports) to ICAO, in a ceremony that was different from years past. After handing over the certificate, she followed the proceedings on a screen in the spacious lobby of the ICAO Headquarters building in Montreal. She watched as ICAO staff undertook the technical steps necessary to add the Italian certificate, alternating their presence in the operator rooms on the PKD operator terminals with the physical distancing that was necessary to prevent COVID-19 transmission.

While remote videoconferencing and modern tools for information-sharing increasingly allow those in different physical locations to interact, there are times when remote interactions simply will not suffice. PKD import ceremonies are a case in point. The PKD is a repository of the public keys that allow validation of the authenticity and integrity of ePassports, with participating States downloading the keys provided by others for use at their borders, for immigration and for other similar purposes.

Trust must be a foundational element of the PKD so that downloading States can rely on the authenticity of the certificates obtained. To ensure such authenticity, ICAO requires a State representative to hand the first certificate over physically, providing the trust anchor upon which everything else is built.

The COVID-19 pandemic has raised challenges for the execution of PKD key import ceremonies. Gathering all ceremony participants in the PKD operator room, which has been the traditional practice, is one challenge; in addition, State representatives cannot travel to ICAO Headquarters from abroad due to the closure of the Canadian border to non-Canadian citizens and permanent residents.

Despite this challenge, States continue to issue new ePassports and require certificates to validate the documents issued by others. Looking ahead, with the introduction of the ICAO Digital Travel Credential (DTC), certificates will need to be more readily available than ever given that there might be no paper document to fall back upon in case of need. A way had to be found to permit trustworthy public key importation to the PKD.

ICAO has obtained the support of the national delegations to ICAO that have a permanent presence in Montreal, as well as national embassies and consulates in Canada, to facilitate the continuation of PKD import ceremonies. Since the onset of the pandemic in March 2020, through strong cooperation with those responsible for ePassport issuance in States, ICAO Regional Offices and representatives in Canada and Thailand, Ecuador and Italy have all undertaken PKD key import ceremonies, all following the same physically distanced protocol. The PKD, as a result, continues to fulfill its objective of providing trustworthy and up-to-date information to States to authenticate ePassports, thereby enhancing security in aviation and facilitating travel.