Last week Senators Ron Wyden and Claire McCaskill released a letter demanding that US Customs and Border Patrol (CBP) close a critical gap in our nation’s border security. The gap has nothing to do with the border wall or drug submarines; it is that we are not checking digital signatures on e-Passports. Even though it sounds like an obscure cybersecurity issue, the fact that CBP is not checking digital signatures is a big deal. This gap, if exploited, could allow bad guys to access the United States with forged passports.
As any James Bond fan knows, forged passports are a problem. For example, a recent Reuters article detailed how Kim Jong-il and Kim Jong-un of North Korea allegedly used a Brazilian passport to obtain visas from foreign countries. To combat this threat, e-Passports were developed over a decade ago, and since 2015 the US has required them from countries on the visa-waiver list.
e-Passports include a chip containing electronic information that matches the physical information on a passport. To prevent forged passports, the information on this chip is digitally signed by the issuing country’s Certificate Authority (CA).
The digital signing process involves hashing the electronic passport data and then encrypting that hash with the CA’s private key. To verify, software decrypts the signature with the CA’s public key and compares the result to its own hash of the passport data. The only way these two values would match is if the signature was created from a matching public-private key pair. For more information on how digital signatures work, watch our video tutorial on Public Key Infrastructure (PKI).
Even though CBP is checking that the electronic and physical information match, there is no way to guarantee that both are not fake if the digital signature is not verified. This leaves our border open to forged passports.
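The difference between the two checks can be shown in a few lines. The following is an added example, not code from the original article or from CBP or ICAO: it uses a toy textbook-RSA key, a made-up record format, and hypothetical function names to follow the hash, sign, and verify steps described above.

```python
import hashlib

# Toy textbook-RSA key for a hypothetical issuing CA (constructed for this example).
# Both primes are Mersenne primes; real CAs use far larger keys and padded signatures.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key (what a directory would distribute)
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, held only by the CA

def digest(chip_data: bytes) -> int:
    """Hash the chip data and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(chip_data).digest(), "big") % N

def ca_sign(chip_data: bytes) -> int:
    """Issuing side: 'encrypt' the hash with the CA private key."""
    return pow(digest(chip_data), D, N)

def signature_valid(chip_data: bytes, signature: int) -> bool:
    """Inspection side: 'decrypt' with the CA public key, compare to own hash."""
    return pow(signature, E, N) == digest(chip_data)

def match_only_check(printed: bytes, chip_data: bytes) -> bool:
    """The check the article says is performed: chip data vs. printed page."""
    return printed == chip_data

def full_check(printed: bytes, chip_data: bytes, signature: int) -> bool:
    """Match check plus signature verification against the CA public key."""
    return match_only_check(printed, chip_data) and signature_valid(chip_data, signature)

# Constructed sample records (not a real passport data format).
genuine = b"P<UTOPIA|DOE<<JANE|1980-01-01|X1234567"
genuine_sig = ca_sign(genuine)

# A forged document has consistent printed and chip data, but without the CA
# private key it cannot carry a signature that verifies over that data.
forged = b"P<UTOPIA|ROE<<JOHN|1975-05-05|X7654321"
forged_sig = genuine_sig               # signature lifted from another document

if __name__ == "__main__":
    print("genuine, match only:", match_only_check(genuine, genuine))
    print("genuine, full check:", full_check(genuine, genuine, genuine_sig))
    print("forged,  match only:", match_only_check(forged, forged))
    print("forged,  full check:", full_check(forged, forged, forged_sig))
```

The match-only check accepts both records; only the check that uses the CA public key rejects the forged one.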
In a 2010 report, the Government Accountability Office (GAO) gave the two main reasons why CBP is not checking digital signatures.
1) “A database needs to be established and populated with the digital certificates needed to fully validate the digital signatures that can be accessed by CBP inspection workstations at the ports of entry.”
2) “CBP needs to develop and implement functionality on its inspection workstations to access the database.”
The first issue could be resolved by accessing the ICAO Public Key Directory (PKD) and downloading the CA certificates. The International Civil Aviation Organization (ICAO) specifically created the PKD as a central repository for countries to exchange information required to validate e-Passports.
I do not believe the second issue is a question of a software upgrade, since checking digital signatures is a standard process. Rather, I believe the issue is the time it takes to access the certificate database and perform revocation checking. This is similar to the issue the retail sector had when chip-based credit cards were introduced. Considering how many people CBP has to clear each day, I understand the concern. However, there are solutions available. To speed up revocation checking, CBP can create local CRLs or OCSP responders that are updated daily. This is similar to the approach the US Army takes with revocation checking on its tactical networks.
At the end of the day, these are not difficult problems and I expect CBP to solve them quickly – most likely by contacting TELEGRID (hint, hint).
Eric Sharret is Vice President of Business Development at TELEGRID. TELEGRID has unique expertise in secure authentication, PKI, Multi-Factor Authentication, and secure embedded systems.
Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc. The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use. All information is provided on an as-is basis.