One Year Later, U.S. E-Passport’s Architect Says System Is a Success

By Mary Catherine O'Connor

Frank Moss, the U.S. State Department's former deputy assistant secretary for passport services, says the electronic passport is not a panacea, but does provide a number of real and potential benefits.

image_pdfimage_print

One year ago this month, the U.S. State Department began issuing passports carrying 13.56 MHz, ISO 14443-compliant RFID inlays (see RFID News Roundup: U.S. Department of State to Begin Issuing e-Passports to the General Public). Between Aug. 1, 2006, to Aug. 15, 2007, the department issued 6,422,677 electronic passports (e-passports). Based on technical specifications set by the International Civil Aviation Organization (ICAO), these RFID-enabled documents are designed to deter passport counterfeiting and help inspectors verify the authenticity of the passports that travelers present.

To prevent unauthorized parties from reading personal data stored on its RFID chip, the e-passport includes basic access control, consisting of a personal identification number (PIN) printed on the passport. Before an RFID interrogator can read this data, this PIN must first be optically read. To further deter unauthorized access to the chip, the e-passport’s cover contains a metallic liner that blocks the inlay from receiving or transmitting RF signals whenever the cover is closed.


Frank Moss

Frank Moss spent 32 years working for the State Department before retiring in March of this year. He spent his last four years overseeing the U.S Passport program and the development of the electronic passport in this country. During his time as deputy assistant secretary of state for passport services at the State Department, Moss defended the e-passport’s design and security features before Congressional committees, privacy and travel groups, and private sector representatives. He also worked on the proposed PASS card, a passport alternative designed to satisfy border security requirements set forth by the Western Hemisphere Travel Initiative.

After leaving the State Department, Moss founded Identity Matters, a consultancy, and is presently working with a range of vendors that contribute to e-passports and other security documents. These include RFID chip maker Texas Instruments and security products and services provider L-1 Identity Solutions. Recently, RFID Journal interviewed Moss about the e-passport program.

Q: Has the electronic passport program improved border security?

A: The way I’ve often described the [RFID] chip in the passport is to say that it is another arrow in the quiver of our border security system. It’s not a panacea; it doesn’t solve all problems. When the U.S. introduced our e-passport, we did it as part of introducing a new book, which has other new security features, as well as changes to our underlying process to adjudicate [verify the authenticity of] passports. It’s a whole-systems approach.

The e-passport, in particular, was intended to establish an electronic link between you, the traveler; your photograph, which is in the book; and the biometric data that is written to the chip. It helps the inspector ensure that the person carrying the passport is the one to whom it was legitimately issued. That is a major border security enhancement. It also makes it more difficult for someone other than the person to whom the passport was issued to use it.

Q: E-passports have been identified as a means for improving the flow of people through checkpoints. Has the U.S. e-passport done that?

A: Actually, the e-passport was looked upon more as a security enhancement. It really was not seen, in the post-9/11 perspective, as a recipe to facilitate movement of people through ports of entry. I think, though, that it has a secondary benefit worth noting, and that is that you present your e-passport to the inspector, he puts it on his reader and your image pops up and he can make certain that, yes, you match the photo saved to the chip and the photo printed on the passport…that lets him focus much more quickly on other indicators—behavioral indications—that might be important, and helps move people through airports a little more quickly. But I have no data on that.

Q: While the State Department is using high-frequency 13.56 MHz technology with a short read range and data encryption for electronic passports, the U.S. Department of Homeland Security is moving forward with ultra-high frequency 918 MHz EPC Gen 2 technology, to enhance the security on PASS cards and licenses meant to satisfy increased security requirements at borders, post 9-11. EPC Gen 2 has a long read range and no data encryption [see RFID Vendors Brief Congress on PASS Card Security]. Why didn’t the DHS follow the lead of the State Department and use the more secure approach?

A: The different technologies being used are driven by the fact that in the two instances, you are transmitting very different types of information. A passport needs to be globally interoperable. Not only does the United States need to be able to read your passport, so does Australia, China, Japan, etc. Therefore, your biometric data—the facial image—and all your personal data has to be written to the chip [otherwise, various countries would not be able to access the data]. So you need to keep that data more secure. For that reason, the ISO 14443 chip architecture, with its very short read range, is used [for the passport]. You also have techniques such as basic access control and anti-skimming control [metal-mesh passport cover] to keep that data secure.

In the case of a PASS card, you are dealing with another issue. This is a document intended to be read by the United States [Customs and Border Protection] for land travel to Canada or Mexico, or on some maritime cruises. And in that case, all you are transmitting is a pointer back to a secure database that the U.S. controls. All you need that pointer to do is tell the system “pull out file such-and-such and make it available to the inspector.”

I also think that it is noteworthy to mention that even in the PASS card, the vendors proposing a solution must provide a [metallic] sleeve to keep that card from being read until it is removed from the sleeve.

Q: How do you see the e-passport program changing in the future?

A: The e-passport marks the beginning of the migration of the passport away from being a paper-based document, toward one that has an integrated chip. I feel that embedding a chip into the passport opens the door—over time, perhaps over the next five to seven years—toward additional functionality being assigned to that chip. For example, right now when you travel abroad, you get a rubber stamp that says you were here or there. Perhaps over time, as the chips become faster, have more memory, and we add the ability to write data to them, we may be able to do entry and exit stamps on the passport, electronically, saving them to the chip, rather than stamping them in the book.

There would be several advantages to this. For one, it would give border inspectors access to an instantaneous history of where the person has been, so they won’t have to look through the pages of the passport book. It also has the advantage of making the passport a more modern document, and perhaps, one that is even less susceptible to fraud, even in terms of entry caches and things like that, because they would be electronic, as opposed to a stamp.

As e-passports become more common around the world, and as more countries buy more readers [required to read the data on the embedded chips], you’ll also see evolutions in the border inspection process. What happens now is that you hand the passport to the inspector, the machine-readable part is read, the chip is unlocked and the data pops up on the inspector’s computer screen. Because it is [an] ISO 14443-compliant tag, you’re never going to be able to read it from a distance—but what if, rather than having the chip read at the time you hand the passport to the inspector, there was a reader prepositioned in line [to which you’d open and present your passport while waiting in line], so that the inspector would see your data on his or her computer screen when you arrive at the checkpoint? I don’t believe this is happening yet, but it certainly is in the realm of possibilities.

I’m not saying we’d take the inspector out of the process. He or she is still going to be there, but to the extent that the inspector can get the data from the chip pulled up on the screen faster, that would let them concentrate more on the passport book and the person presenting it. The behavior of the traveler can be very useful in detecting people who may be a security concern to the United States or other governments.

Q: Some security experts say the data protections used in e-passports—not just those issued by the U.S., but those issued by other countries following the ICAO specifications—have been poorly vetted and are vulnerable to hacking. Just last week, a German hacker named Lukas Grunwald, who last year cloned a passport chip, announced he had crashed two different passport interrogators by bombarding them with data. What is your take on these alleged shortcomings?

A: Cloning the chip is possible—it’s essentially taking a digital photocopy of a chip. But cloning a chip doesn’t mean you’ve made a fake passport that will get you into a country. [U.S.] passports also use watermarks, ultraviolet and infrared security features. And at the end of the day, you have the inspector doing checks on the passport and on you. If a reader were to crash because of the passport you were carrying, it would mean you’d be inspected more carefully.