Zim Introduces Electronic Chip Passports

Government, through the Registrar General’s office, has introduced electronic chip passports in a bid to reduce cases of counterfeit passports.

Briefing journalists in the capital recently, Registrar General Tobaiwa Mudede said the move would go a long way in alleviating fraudulent activities at the border posts.

“This will help us counter cases whereby people lose passports to unscrupulous individuals as it has a chip that’s loaded with details of a passport holder,” said Mudede.

Old passports will, however, remain valid up to their expiry dates.

An electronic chip or biometric passport, also known as an e-passport, ePassport or digital passport, is a combined paper and electronic passport that contains biometric information that can be used to authenticate the identity of travellers. It uses contactless smart card technology, including a microprocessor chip and an antenna (which both powers the chip and carries its communication) embedded in the front or back cover, or in the centre page, of the passport. Document and chip characteristics are specified in the International Civil Aviation Organization‘s (ICAO) Doc 9303.[1] The passport’s critical information is both printed on the data page and stored in the chip. A Public Key Infrastructure (PKI) is used to authenticate the data stored electronically in the chip, which makes the document expensive and difficult to forge when all security mechanisms are fully and correctly implemented.

The currently standardized biometrics used for this type of identification system are facial recognition, fingerprint recognition, and iris recognition. These were adopted after assessment of several different kinds of biometrics including retinal scan. The ICAO defines the biometric file formats and communication protocols to be used in passports. Only the digital image (usually in JPEG or JPEG2000 format) of each biometric feature is actually stored in the chip.

The comparison of biometric features is performed outside the passport chip by electronic border control systems (e-borders). To hold the biometric data, the contactless chip has a minimum of 32 kilobytes of EEPROM storage and communicates over an interface conforming to the ISO/IEC 14443 international standard, amongst others. These standards are intended to provide interoperability between different countries and different manufacturers of passport books.

Biometric passports are equipped with protection mechanisms to avoid and/or detect attacks:

  • Non-traceable chip characteristics. A chip that uses random identifiers replies to each selection with a different chip number, so an individual passport cannot be tracked by its chip ID. Using random identification numbers is optional.
  • Basic Access Control (BAC). BAC protects the communication channel between the chip and the reader by encrypting the transmitted information. Before data can be read from the chip, the reader must prove knowledge of a key derived from the Machine Readable Zone (MRZ): the document number, the date of birth and the date of expiry, each with its check digit. If BAC is used, an attacker cannot (easily) eavesdrop on the transferred information without knowing the correct key. The caveat is that the key’s entropy is bounded by those three fields, which are often partly predictable (sequential document numbers, plausible birth and expiry dates), so a recorded BAC session can be attacked offline by guessing the MRZ; this is the weakness SAC was later introduced to address. Using BAC is optional.
  • Passive Authentication (PA). PA is aimed at detecting modification of passport chip data. The chip contains a file (the Document Security Object, SOD) that stores hash values of all files stored in the chip (picture, fingerprint, etc.) and a digital signature over these hashes. The digital signature is made with a document signing key, whose certificate is itself signed by the issuing country’s country signing key (CSCA). If a file in the chip (e.g. the picture) is changed, this is detected because its hash value no longer matches. Readers need access to the public country signing certificates of all issuing states to check whether the digital signature was generated by a trusted country. Using PA is mandatory. According to a September 2011 United States Central Intelligence Agency document released by Wikileaks in December 2014, “Although falsified e-passports will not have the correct digital signature, inspectors may not detect the fraud if the passports are from countries that do not participate in the International Civil Aviation Organization’s Public Key Directory (ICAO PKD).” The practical consequence is that an inspection system without the issuer’s CSCA certificate cannot verify the SOD signature at all, and PA only protects anything if “cannot verify” is treated as a failure rather than skipped. As of January 2017, 55 of over 60 e-passport-issuing countries belong to the PKD program.
  • Active Authentication (AA). AA prevents cloning of passport chips. The chip contains a private key that cannot be read or copied, but the chip can prove possession of it by signing a challenge from the reader, so a copied chip image without the key fails the check. Using AA is optional.
  • Extended Access Control (EAC). EAC adds functionality to check the authenticity of both the chip (chip authentication) and the reader (terminal authentication). Furthermore, it uses stronger cryptography than BAC. EAC is typically used to protect fingerprints and iris scans. Using EAC is optional. In the European Union, using EAC is mandatory for all documents issued from 28 June 2009.
  • Supplemental Access Control (SAC) was introduced by ICAO in 2009 to address the weaknesses of BAC. Its protocol, PACE (Password Authenticated Connection Establishment), derives session keys through a password-authenticated key agreement, so a recorded session cannot be broken by guessing the low-entropy MRZ offline. It was introduced as a supplement to BAC (to keep compatibility), but will replace it in the future.
  • Shielding the chip. This prevents unauthorized reading. Some countries – including at least the US – have integrated a very thin metal mesh into the passport’s cover to act as a shield when the cover is closed. The use of shielding is optional.
  • To assure interoperability and functionality of the security mechanisms listed above, ICAO and the German Federal Office for Information Security (BSI) have specified several test cases. These test specifications are updated with every new protocol and cover details ranging from the paper used to the chip that is embedded.
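The key derivation that BAC relies on, as an added example that is not part of the article or of any ICAO or vendor code: it follows the Doc 9303 Part 11 key derivation function (SHA-1 over the MRZ information, then SHA-1 over the seed and a counter, then DES parity adjustment for the two-key 3DES keys). The input values are the worked-example MRZ fields published in Doc 9303 itself, so the keys it derives can be checked against the specification; the function and variable names are this example’s own.

```python
"""BAC key derivation from the MRZ, after ICAO Doc 9303 Part 11 (added example)."""
import hashlib


def mrz_check_digit(field):
    """ICAO 9303 check digit: weights 7,3,1 repeating; '<' counts 0, A-Z count 10..35."""
    weights = (7, 3, 1)
    total = 0
    for i, ch in enumerate(field):
        if ch == "<":
            value = 0
        elif ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * weights[i % 3]
    return total % 10


def mrz_information(document_number, date_of_birth, date_of_expiry):
    """Document number (9 chars, '<' filler), DOB (YYMMDD) and expiry (YYMMDD),
    each followed by its check digit. This is the TD3 (passport book) layout;
    longer document numbers on TD1 cards are encoded differently and not handled here."""
    doc = document_number.ljust(9, "<")
    return (f"{doc}{mrz_check_digit(doc)}"
            f"{date_of_birth}{mrz_check_digit(date_of_birth)}"
            f"{date_of_expiry}{mrz_check_digit(date_of_expiry)}")


def adjust_des_parity(key):
    """Force odd parity on every byte, as DES/3DES keys require."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)


def derive_key(k_seed, counter):
    """9303 KDF: SHA-1(K_seed || counter as 4-byte big-endian), first 16 bytes,
    parity adjusted. counter=1 gives K_enc, counter=2 gives K_mac."""
    digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
    return adjust_des_parity(digest[:16])


def bac_keys(document_number, date_of_birth, date_of_expiry):
    """Return (K_seed, K_enc, K_mac) for the given MRZ fields."""
    info = mrz_information(document_number, date_of_birth, date_of_expiry)
    # K_seed is the first 16 bytes of SHA-1 over the MRZ information string.
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)


if __name__ == "__main__":
    # Worked-example fields from Doc 9303 Part 11 Appendix D (not a real traveller).
    seed, k_enc, k_mac = bac_keys("L898902C<", "690806", "940623")
    print("MRZ info :", mrz_information("L898902C<", "690806", "940623"))
    print("K_seed   :", seed.hex().upper())
    print("K_enc    :", k_enc.hex().upper())
    print("K_mac    :", k_mac.hex().upper())
```

Everything the reader needs in order to open the BAC channel is on the printed data page, which is the point of the mechanism (the holder has handed the booklet over) and also its weakness: the only secret is the MRZ, and the three fields above carry far less entropy than a 112-bit 3DES key.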
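Passive Authentication end to end, as an added example that is not from the article or from any ICAO, PKD or vendor implementation. It models the chain the PA bullet describes (data group hashes in the SOD, the SOD signed by a document signer key, the document signer certificate signed by the country’s CSCA, the CSCA certificate looked up in the inspection system’s trust store) and runs a genuine document, a tampered photo, a document whose issuer is unknown to the inspection system, and a forger who re-signs with their own key. Textbook RSA on fixed Mersenne primes stands in for the real CMS/X.509 objects; it is deterministic and not secure, and exists only so the chain can be exercised offline. All names, the data group contents and the certificate encoding are constructed for this example (“UTO”/Utopia is the placeholder country ICAO uses in its own specimen documents). Requires Python 3.8+ for modular inverse via pow().

```python
"""Passive Authentication modelled end to end (added example, toy crypto)."""
import hashlib
from dataclasses import dataclass


def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA on caller-supplied primes. Returns ((n, e), (n, d)). Toy only."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def toy_sign(priv, data):
    """Sign SHA-256(data) as a bare integer: no PKCS#1 padding, toy only."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: tuple   # (n, e)
    issuer: str         # name of the CSCA that signed this certificate
    signature: int      # issuer's signature over (subject, public_key)


def cert_tbs(subject, pub):
    """The to-be-signed part of a certificate, encoded deterministically (constructed format)."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_cert(subject, pub, issuer, issuer_priv):
    return Certificate(subject, pub, issuer, toy_sign(issuer_priv, cert_tbs(subject, pub)))


def encode_hash_list(hashes):
    return "\n".join(f"{dg}:{hashes[dg]}" for dg in sorted(hashes)).encode()


def build_sod(data_groups, ds_priv):
    """EF.SOD: one hash per present data group plus the document signer's signature over the list."""
    hashes = {dg: hashlib.sha256(data_groups[dg]).hexdigest() for dg in sorted(data_groups)}
    return {"hashes": hashes, "signature": toy_sign(ds_priv, encode_hash_list(hashes))}


def passive_authentication(data_groups, sod, ds_cert, trusted_cscas):
    """Return (ok, reason). 'Cannot verify' is reported as a failure, never as a pass."""
    # 1. The document signer certificate must chain to a CSCA the inspection
    #    system trusts (distributed through the ICAO PKD or bilateral exchange).
    csca_pub = trusted_cscas.get(ds_cert.issuer)
    if csca_pub is None:
        return False, f"no trusted CSCA for issuer {ds_cert.issuer!r}: signature cannot be checked"
    if not toy_verify(csca_pub, cert_tbs(ds_cert.subject, ds_cert.public_key), ds_cert.signature):
        return False, "document signer certificate was not signed by the trusted CSCA"
    # 2. The hash list in the SOD must carry a valid document signer signature.
    if not toy_verify(ds_cert.public_key, encode_hash_list(sod["hashes"]), sod["signature"]):
        return False, "EF.SOD signature invalid"
    # 3. Every data group actually read must hash to the value recorded in the SOD.
    for dg in sorted(data_groups):
        expected = sod["hashes"].get(dg)
        if expected is None:
            return False, f"{dg} is not covered by EF.SOD"
        if hashlib.sha256(data_groups[dg]).hexdigest() != expected:
            return False, f"{dg} hash mismatch: data group modified"
    return True, "passive authentication OK"


def demo():
    """Run the four scenarios and return {name: (ok, reason)}."""
    # Mersenne primes keep the toy keys deterministic; real keys are 2048-bit+ RSA or ECC.
    csca_pub, csca_priv = toy_rsa_keypair((1 << 127) - 1, (1 << 521) - 1)
    ds_pub, ds_priv = toy_rsa_keypair((1 << 107) - 1, (1 << 607) - 1)
    ds_cert = issue_cert("DS-UTO-01", ds_pub, "CSCA-UTO", csca_priv)
    trusted = {"CSCA-UTO": csca_pub}   # what the PKD would have delivered to the inspection system
    # Constructed sample data groups: MRZ line and a stand-in for the facial image.
    dgs = {"DG1": b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<", "DG2": b"<constructed facial image bytes>"}
    sod = build_sod(dgs, ds_priv)
    swapped = dict(dgs, DG2=b"<attacker's photo>")
    results = {"genuine": passive_authentication(dgs, sod, ds_cert, trusted)}
    # Photo swapped without re-signing: DG2 no longer matches its SOD hash.
    results["tampered_dg2"] = passive_authentication(swapped, sod, ds_cert, trusted)
    # Issuer's CSCA is not in the trust store (the non-PKD-member case from the CIA document).
    results["unknown_csca"] = passive_authentication(dgs, sod, ds_cert, {})
    # Forger re-signs the swapped photo with their own key and a certificate that
    # merely claims to come from CSCA-UTO; step 1 rejects it.
    fake_pub, fake_priv = toy_rsa_keypair((1 << 61) - 1, (1 << 1279) - 1)
    fake_cert = issue_cert("DS-UTO-01", fake_pub, "CSCA-UTO", fake_priv)
    results["forged_ds"] = passive_authentication(swapped, build_sod(swapped, fake_priv), fake_cert, trusted)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:13s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The “unknown_csca” case is the one the quoted CIA document is about: the forger’s SOD would never verify, but an inspection system that has no CSCA for the claimed issuer has nothing to verify it against, and unless that outcome is surfaced as a failure the forgery is indistinguishable from a genuine document whose issuer simply is not in the PKD.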
