Security Technology For E-passport Based On Identity-Based Public Key Cryptography

The most concerned problem about E-passport is how to ensure its security.Compared with the paper-based passports,E-passports will suffer some threats from the chip,the data stored in the chip and the wireless communications between the chip and the reader. Credibility,integrity and authenticity,privacy,confidentiality,consistency and anti-copy are the security requirements of E-passport.Four security mechanisms are recommended by International Civil Aviation Organization(ICAO).There are Passive Authentication(PA), Active Authentication(AA),Basic Access Control(BAC) and Extension Access Control (EAC).But our investigation indicates these mechanisms recommended by ICAO don't meet the need of E-passport security fully.And their corresponding implementation scheme has few drawbacks.This paper makes a thorough analysis of the customized Certificate-Based PKI implementation scheme for PA recommended by ICAO in Doc9303.The drawbacks such as a complex certificate management,resources wasted arising by storing a number of certificates, high-cost,potential security leaks and the problems arising from CRL are pointed out. Extended Access Control enforces that only authorized inspection systems can access sensitive data(like finger and/or iris).But ICAO leaves the specification and implementation of EAC to be done independently by each issuing state.ID-PKC(Identity-Based Public Key Cryptography) is introduced into the E-passport security architecture in this paper.It provides a new solution for PA and EAC.ID-PKC has many merits over CA-PKC(Certificate-Based Public Key Cryptography), such as no Certificate and CA,no PKD(Public Key Directory),no CRL et al.ID-PKC can be used into the E-passport security system because of its relatively closed application scenario. The security framework for PA based on IBS(Identity-Based Signature Scheme) and the security framework for EAC based on Identity-Based Authentication technology are proposed. The systems for PA and EAC following by these frameworks have the advantages of low construction and management cost because of its simple structure.It's the first trail for putting ID-PKC into E-passport security application.An implementation scheme for EAC based on Identity-Based Authentication(ID-EAC) is designed.ID-EAC overcomes the shortcomings of the EAC schemes proposed by EU and Singapore.The authorization mechanism and authentication protocol of ID-EAC scheme are presented in detail.In this scheme,the access to sensitive biometric data is granted through ID certificates stored in an authorized smartcard.An authentication protocol based on ID-EAC will be performed before the Inspection System gets the sensitive data.Though ID-PKC has many advantages,the problems of key escrow and key update should be solved when putting IBS(Identity-Based Signature scheme) into practice.In this paper,a new Identity-Based Strong key-insulated signature scheme without key escrow (IBKIS-NOKE) is proposed.The mechanism using the secret key from both PKG and user to perform the signing algorithm solves the key escrow problem.The user can update the temporary private key autonomously and securely.It makes the IBS scheme more applicable to the real world.It combines the merits of Identity-Based Cryptosystem and strong key-insulated security.An implementation scheme for PA based on IBKIS-NOKE(IBKIS-NOKE-PA) is designed.It not only can overcome the shortcomings of ICAO PKI scheme but also minimize the damage arising when the secret private key is exposed.The algorithm of IBKIS-NOKE is utilized.A prototype system of IBKIS-NOKE-PA scheme is designed and implemented.A running instance of IBKIS-NOKE-PA system is also given.Though the absence of the international standards for ID-PKC system,the new implementation system for PA based on IBKIS-NOKE can be taken in the trial implementation process by accompanied with the CA-PKC implementation scheme recommended by ICAO.