Electronic passports are modern security documents with many security features. Several components are required in order to produce and inspect ePassports. The important security features are standardized by ICAO and the EU. Thanks to the standardization, possible ePassport fraud is easier to detect at member states’ border checkpoints.
From a PKI perspective the ePassport security features can be divided into two categories: Basic Access Control (BAC), ensuring the authenticity of the passport, and Extended Access Control (EAC), protecting the privacy of the fingerprints stored in the passport chip. To produce ePassports, a PKI and a digital signature solution are needed. To verify ePassports from different countries, you need a PKI and a directory of other countries' certificates (NPKD), as well as a Single Point of Contact (SPOC) for exchanging online information with other countries.
PrimeKey’s ePassport Solution
Our ePassport Solution contains all the PKI and digital signature components needed to produce and handle ePassports securely, and your ePassport implementation will automatically benefit from PrimeKey’s extensive experience in many strategic, mission-critical, large-scale PKI projects.
All software within our ePassport offering is reliable in production operations and integrates well with the other technologies an ePassport deployment requires. When needed, the software is easily adapted to evolving legal and technical demands. All included technology meets the requirements of ICAO and the EU.
Country Signing and Country Verifying
PrimeKey’s EJBCA PKI implements Country Signing Certificate Authority (CSCA), Country Verifying CA (CVCA) and Document Verifier (DV). Compliant with the ICAO 9303 and EAC specifications, EJBCA PKI has full support for both RSA and ECC algorithms.
PrimeKey’s SignServer, a server-side signature service, is suitable for signing biometric ePassport (MRTD) data in compliance with the ICAO specification. SignServer stores its keys in a hardware security module (HSM) to enhance security and performance.
PrimeKey’s EJBCA SPOC application implements a standard mechanism for managing the certificates used by Extended Access Control (EAC) for passports. By handling incoming and outgoing certificate requests and responses, it acts as a front end between a country’s EAC implementation and the SPOCs of other nations. EJBCA SPOC is compliant with the specification defined by the Brussels Interoperability Group (BIG).
The NPKD provides a local repository for ICAO PKD objects. In addition to storing them, the NPKD validates these objects and controls their distribution. The NPKD manages content from the upstream ICAO PKD, including master lists and defect lists, and distributes it to inspection systems so that the content they rely on is validated and current.