Inverid Honorable Mention in Gartner Magic Quadrant for IDV
Using our App? Go here

Authenticity of ePassports

Originally published: December 20, 2020

Last updated: 25 October, 2024

In previous blog posts, we have provided an overview of the security mechanisms that are commonly found in ePassports, namely privacy, authenticity and cloning detection mechanisms. This follow-up post focuses on the authenticity mechanism of ePassports and similar documents, called Passive Authentication. This mechanism has been standardised by ICAO in Document 9303. Passive Authentication is performed to determine whether the information stored on the passport is authentic. It does not protect the information against eavesdroppers, nor does it ensure that the sender of the information is currently in possession of the original passport. Respectively, privacy and clone detection mechanisms exist for that.

Passive Authentication

The implementation of Passive Authentication varies greatly between passports. The ICAO 9303 standard allows a wide variety of cryptographic algorithms, and different countries also use these in practice. Despite the many differences in the used algorithms, Passive Authentication is always based on the principle of digital signatures and uses a ‘chain of trust’. A country that issues ePassports constitutes a Country Signing Certificate Authority (CSCA), and issues one or more Country Signing Certificates. A Country Signing Certificate is used to cryptographically sign Document Signing Certificates, which in turn can be used to sign the contents of a passport. Consequently, the contents of a document may be considered authentic if signed using a Document Signing Certificate, which in turn has been signed by a trusted Country Signing Certificate.

Supporting all allowed varieties of cryptographic algorithms significantly complicates the development and testing of inspection systems like ReadID. Getting access to real or specimen documents for testing purposes is complicated, mainly due to the risk of these documents being used for identity fraud. Our technical team spends quite some time on testing, and we participate in interoperability events to test our software with identity documents that have not yet been issued, such as the EU eMRTD interop event (Sept 2017, Italy).

Country Signing Certificates: 4 questions

As explained above, Country Signing Certificates are at the top of the ‘chain of trust’, which makes them a crucial component for Passive Authentication. Below are the four most often asked questions related to such certificates.

1. Why are Country Signing Certificates important?

In short, the Country Signing Certificates determine which passports will pass Passive Authentication and which will fail: they are the ‘trust base’. Great care must be taken when including or excluding these certificates on the trusted list. For example, excluding a certificate will result in passports which have been signed using that certificate to be rejected by Passive Authentication.

2. Where do the Country Signing Certificates come from?

Several online databases of trustworthy Country Signing Certificates exist. For example, the French, German, Italian, Schengen, Swiss and Spanish CSCA master lists are published by each of these respective countries, specifying which certificates it considers trustworthy. Typically, the Country Signing certificates are obtained through diplomatic exchanges. ReadID is flexible in this regard and can work with any provided database. Providing ReadID with a recent and correct list of trusted Country Signing Certificates is a continuous effort conducted by the ReadID team to the best of our efforts, as a service to our customers. We cannot, however, offer any guarantees to the completeness and correctness of our list, only transparency. Ultimately it is our customers who decide which certificates they trust.

3. Why are those master lists incomplete?

Most but not all countries publish their Country Signing Certificate, which makes it impossible to perform Passive Authentication on the passports of the countries who do not do so. United Nation member states may participate in the Public Key Directory to share their Country Signing Certificates with other governments, but private companies are not allowed to participate. We consider this a missed opportunity, as many private companies may also benefit from a complete list of Country Signing Certificates and no information shared in the Public Key Directory needs to be secret. We also advocated this at an ICAO Technical Advisory Group on Traveller Identification Programme (TAG/TRIP), when invited to present at a New Technologies Work Group meeting April 2017. It should be noted that the Public Key Directory is now much more complete in 2023 than it was in 2017. Following our attendance at the ICAO NTWG meeting in Denmark in September of 2024, we see improvements in private sector access to CSCA certificates, but it is still by no means complete.

4. Why do we need Document Signing Certificates when you already have a trust base of Country Signing Certificates?

The simple answer is security. Whenever a certificate is used for signing, there is a risk of compromise. Additionally, most countries do not produce passports themselves. Instead, they often contract a supplier to produce them, possibly in more than one factory. These factories may potentially produce passports or other identification documents for other countries as well. To limit the probability of misuse of a Country Signing Certificate, the Document Signing Certificate has been included as an intermediate step. For example, Document Signing Certificates may be issued for a specific period of time to a single supplier, factory or any other entity. The impact of a compromised Document Signing Certificate is limited to the passports signed by that certificate, instead of all passports of a certain country.

readid-app-passport-demo

Try it yourself for free

Interested in NFC-based identity verification? Our free personal app ReadID Me is available in the App and Plays stores. No personal information is shared with Inverid or other parties; it is a client-only verification.

Or subscribe to our newsletter, sent about 6 times per year.