Public key infrastructure
High security and multiple applications with a document PKI
Certificate management for e-ID documents
Electronic signatures and digital certificates are required for various aspects of e-ID document security. The public key infrastructure (PKI) for managing these certificates therefore plays a central role in the e-ID background system.
Document verification and the Country Signing CA
To prevent counterfeiting and modification of the data stored on the chip of an e-ID document, these are electronically signed by a Document Signer (DS). An inspection system can verify this signature during readout and ensure the authenticity and integrity of the data. The authenticity of the Document Signer, in turn, can be verified by means of the DS certificate that has been issued by a central root authority, the so-called Country Signing Certification Authority (CSCA). The DS certificate is usually read directly from the inspected document; the CSCA certificate is either exchanged bilaterally through diplomatic channels or published in the ICAO Public Key Directory (PKD).
Access Control
Many electronic passports contain sensitive information such as fingerprints or iris scans in addition to the general holder data. This information is usually protected in such a way that it can only be read by authorized inspection systems after they have authenticated themselves to the document – a process called Terminal Authentication (TA). For this purpose, the document issuer operates a separate Country Verifying Certification Authority (CVCA). This CA issues so-called Document Verifier (DV) certificates for national or even foreign institutions; these certificates encode the access right for reading fingerprints or iris scans. The Document Verifiers finally issue Inspection System (IS) certificates that “inherit” the right to read from the IT certificate.
During terminal authentication, the document checks the entire certificate chain from CVCA – DV – IS and checks whether the inspection system has been granted the right to read by a trustworthy authority. The CVCA infrastructure issues special Card Verifiable (CV) certificates, who’s reduced encoding compared to common X.509 certificates facilitates the verification in the document.
The same mechanisms can also be extended to other e-ID documents in order to protect sensitive data and to allow different authorities or private companies to read or even change information.
Our products: