Public Key Directory: What is the PKD and How to Make Best Use of It Christiane DerMarkar ICAO Programme Officer Public Key Directory ICAO TRIP: Building Trust in Travel Document Security 19/10/2015 Footer 1
PKD and TRIP Strategy For the efficient and secure reading and verification of MRTDs, including the use of PKD 2
MRP Connection between PKD and epassports epassport 0111001001010 Machine Readable Passport (MRP) CHIP RFID 14443 IMAGE FACE Logical Data Structure (LDS) PKI DIGITAL SIGNATURE Public Key Directory (PKD) 3
What is the PKD & What does it do? A central storage location, highly secure where States and other entities can input and retrieve the security information to validate the electronic information on the passport. It allows Border control authorities to confirm that the epassport: Was issued by the right authority Has not been altered Is not a copy or cloned document 4
The Role of The PKD Minimizing the volume of certificate exchange: Document Signer Certificates (DSCs) Certificate Revocation Lists (CRLs) Country Signing Certificate Authority (CSCA) Master List Ensuring timely uploads Managing adherence to technical standards Facilitating the validation process 5
Central Broker Distribution of Certificates and CRLs via bilateral Exchange via ICAO PKD Conformity validated certificates Country A Country B Country A Country B Country H Country C Country H ICAO PKD Country C Country G Country D Country G Country D Country F Country E Country F Country E This example shows 8 States/non-States requiring 56 bilateral exchanges (left ) or 2 exchanges with the PKD (right) to be up to date with DSCs and CRLs. In case of 191 ICAO States 36,290 bilateral exchanges would be necessary while there are still 2 exchanges with the PKD. This example shows 8 states requiring 56 bilateral exchanges (left) or 2 exchanges with the PKD (right) to be up to date with certificates and CRLs. In case of 188 ICAO States 35,156 bilateral exchanges would be necessary while there are still 2 exchanges necessary with the PKD. 6
Current Services of the PKD Validated DSCs and CRLs of Participants CSCA Master List List of CSCAs used by Participants Country Signing Certificate Authority (CSCA) Registry Yellow Pages for the Passport Issuance Agency of the Participant A reference for compliance to Doc 9303 for DSCs and CRLs Contains lists on non-compliant certificates 7
8 46 Participants New Participant COLOMBIA
ANNEX 9: Recommended Practice 3.9.1 & 3.9.2 The Standards and Recommended Practice of Annex 9 recommend the following: 3.9.1: Contracting States issuing, or intending to issue emrtds should join the ICAO Public Key Directory (PKD) and upload their information to the PKD. 3.9.2: Contracting States implementing checks on emrtds at border controls should join the ICAO Public Key Directory (PKD) and use the information available from the PKD to validate emrtds at border controls. 9
Some Arguments repeated over and over. It s too expensive Bilateral exchange works good enough It s not necessary DSCs are (mostly) on the chip It s too complicated we must first introduce epassports As of 01.01.2016 Fee reduction cumbersome, time consuming and possible security risk A DSC on the epassport but not on the PKD could mean a compromised private signing key. & CRLS are only distributed via PKD 1. Participation in the PKD should go hand in hand with introduction of epassports 2. PKD participation is key for setting up any successful epassport based border control. 10
Reasons to Participate The need to exchange certificates is the logical step forward from the well known specimen exchange (you must know what you're looking for, when inspecting a travel document). Without the ability of validating the digital signature in a epassport at the border, the travel document must be treated exactly as a simple MRP not an epassport Using the PKD in epassport validation is essential to capitalize on the investment made by States in developing epassports to improve Border Security 11
It s not complicated : All you have to do is. Find out who is responsible Check legislation and budget Different organizations in different states (try to make it as simple as possible) Contact ICAO or any PKD Board Member or PKD Participant if you have questions 12
Formalities: The steps to join the PKD 1. Deposit a Notice of Participation with the Secretary General of ICAO 2. Deposit a Notice of Registration with the Secretary General of ICAO 3. Effect payment of the Registration Fee and Annual Fee to ICAO a) 1.1.2016 Registration Fees : US $ 15,900 b) Annual Fees: +/- US $40,000 4. Securely submit to ICAO and all Participants, the CSCA certificate 5. Use the PKD : upload/download certificates 6. http://www.icao.int/security/mrtd/pages/pkd-howtopartici.aspx 13
2016 a year that will bring changes New Fees New Services New service provider 14
01.01.2016 : Fees reduction A. For new Participants - Registration Fee: US $15,900 B. Annual Fees based on 45 Participants: 1. Operator: US $ 29,900 2. ICAO: US $10,000 3. Total: US $39,900 C. More Participants = reduction in Operators and ICAO Annual Fees 50 Participants 27,000.00 US$ 55 Participants 24,500.00 US$ 60 Participants 22,500.00 US$ 65 Participants 20,900.00 US$ 15
New Service ICAO Global Master List A fact: heir full extend Border Agencies need the tools (certificates) necessary, bilateral exchange doesn t meet the requirements One-Stop Shop For epassport Validation K L I + A M B D H PKD G F E C + CSCA + DSCs + + CRLs CSCA = ICAO Master List (new) = currently in the PKD = currently in the PKD 16
01.01.2016 : New Service Provider Bundesdruckerei - Germany Operations at ICAO HQ Montreal Site BDr Berlin Site MOI UAE, Abu Dhabi 17
Technology and Security ICAO HQ Montreal 1 2 1 2 Site A: D-Trust Berlin (Germany) Fully redundant system at each location Outer Firewall Inner Firewall incl. Intrusion Detection & Prevention System High Security VPN Network 1 2 Disaster Scenario: Geo-redundant, TLS encrypted and load-balanced up- and Even certificate with one download based access site completely d download sites own, additional failures at the remaining s ites the system is still fully functional with Trust Center without service interruption Security Level, Min. 99.8% availability Site B: Abu Dhabi Police (UAE) ICAO PKD October 2015 18
ICAO PKD - how does it work? D S New generation of DS certificates in DS issued passports Access to ICAO PKD Service CSCA Official key ceremony by diplomatic means cryptographic check ICAO PKD D S Access to ICAO PKD Service e.g.national PKD system ICAO PKD October 2015 19 D S Border Control
ICAO PKD - Advantages for participants Unique chain of trust: Supervision by ICAO as supra-national institution Transparent and reliable processes (initial key ceremony at ICAO HQ) High security and high availability of ICAO PKD system, available end of 2015 Additional advantages: A combination with National PKD systems (npkd) allows for secure and automated distribution of certificates to border control stations nation-wide Live support via phone and ticket system ICAO PKD October 2015 20
Support for ICAO PKD by Veridos/BDr Site A: D-Trust, Berlin (Germany) Site B: MoI, Abu Dhabi (UAE) ICAO HQ Montreal Local Technical support downlaod sites Berlin & Abu Dhabi 46 ICAO PKD Participants Local technical support ICAO HQ Montreal Monthly reports on system usage and performance for ICAO Participant support - Live Phone support - Online Support System - 2h reaction time (Monday- Friday) High Security High Availability min. 99.8% 24/7 ICAO PKD October 2015 21
Schedule & Transition to new ICAO PKD Pilot Testing (AUS, Sweden, UK) Beg. August 2015 Testing period Test Environment New PKD system Bundesdruckerei Current Structure Switch-Over Date Beg. Dec 2015 PKD Pre-Production System Bundesdruckerei (new structure) Current Structure All participants can perform Implementation migration and tests Testing for of 4 month Implementation prior to the and switch-over Testing of day New Structure New Structure The test environment provides identical interface and functions as the production system Testing Current Structure PKD Production System Bundesdruckerei (new structure) Current Structure Step 1: Testing and migration to current structure guarantee business continuity on switch-over day Step 2: Testing and migration to new structure gain more time even until after the switch-over day ICAO PKD October 2015 22
Project Setup involved companies ICAO Customer and ICAO PKD system principal Bundesdruckerei Prime Contractor Bundesdruckerei GmbH D-Trust Abu Dhabi Police GHQ EGSP Veridos IT operations ICAP PKD Housing the ICAO PKD System Site Berlin Local service Berlin Housing the ICAO PKD System - Site Abu Dhabi Local service Abu Dhabi Service Management ICAP PKD System Local service Montreal ICAO PKD October 2015 23
Contact Details Name: Christiane DerMarkar Email: cdermarkar@icao.int PKD website: http://www.icao.int/security/mrtd/pages/icaopkd.aspx 19/10/2015 24