Three letters to ease electronic document inspection: PKI

In this interview, German identity security expert Heiko Bihr, Principal at secunet, tells Security Document World about secunet's innovative approach to PKI.

Why should we talk about PKI – doesn't it work like a charm already?

PKI might be considered "old hat", as certificates have been around for a long time. Secure certificates can be issued without problems. The new aspect is that PKI instances are located in different authorities and these instances have to communicate with each other. Many countries still have to do some homework with regard to their infrastructure: while systems for document issuance do exist, the background infrastructure for comprehensive document checks at the border is lacking – in many countries the checks are therefore confined to the optical level. However, in order to secure international borders, it is not sufficient to only issue electronic ID documents; they also have to be reliably and comprehensively checked at the border.

What are the specific challenges in establishing a comprehensive security infrastructure to issue and check electronic eIDs based on PKI?

Firstly, managing trust anchors is important. CSCA certificates issued by a nation's certificate authority are the trust anchor to ensure the authenticity and integrity of the electronic data stored in the eID document. During electronic document verification, the electronic signature used to protect the data stored on the chip is verified against the Document Signer (DS) certificate of the issuing authority in the country of origin (Passive Authentication). These certificates must be accessible and trustworthy in order to establish a chain of trust.

Secondly, establishing communication interfaces between countries to enable/support verification of fingerprints is crucial. In order to access fingerprints stored on an electronic ID document at border control, an Extended Access Control (EAC) authorisation certificate is needed. The issuance and exchange of prerequisites for EAC requires communication via designated, aligned interfaces to handle incoming and outgoing certificate requests (SPOC).

Last but not least, the high availability of central systems is essential: to assure an efficient border control process, the above-mentioned tasks are performed by central systems. Their availability is mandatory during the border control check.

How does an authority decide whether or not a certificate is trustworthy?

Since CSCA certificates are the trust anchor to prove the authenticity of electronic travel documents, quality assurance is key in order to determine their trustworthiness. One of the means used here is the concept of Masterlists, which are exchanged internationally via the ICAO PKD. However, this concept provided by ICAO is not complete, as not all nations are participating in it and countries may want to assign individual trust levels to certificates. The solution is a national Public Key Directory (N-PKD) as a counterpart to the ICAO PKD. The N-PKD exchanges certificates and Masterlists with the ICAO PKD and allows countries to merge this data with certificates from other sources. The N-PKD manages individual trust levels for each certificate, allowing distinct control of which certificate to trust at border control. Masterlists are used by the N-PKD to communicate this information. [secunet offers an integrated solution for checking the quality of certificates and ensuring that only trustworthy certificates are stored in Masterlists.]

Which difficulties do you still see with the communication interface, although there already is an existing specification (SPOC) for it?

The problem lies in the detail of interoperability. It is comparable to two people with different dialects trying to understand each other. These problems can occur when setting up the encrypted communication (where TLS is used) as well as during data transmission via this communication channel. The SPOC therefore has to be highly flexible in understanding and speaking all the different possible dialects – not so many solutions available on the market offer this capability.

What are the reasons why not many countries have established a PKI infrastructure for border control?

The effort to equip each border control system (with certificate exchange capabilities) would be enormous and is not very efficient. A central system is needed to provide the respective functionality. This type of system must be highly available and reliable, since access to certificates is essential to perform electronic document authentication at border control. Such a centralised document verification infrastructure that allows the connection of various distributed terminals is called a Terminal Control Center (or TCC). A secure centralised certificate and key storage is part of the solution, allowing the TCC to take over the authentication procedure for authorised document readers. In Europe, Germany, Czechia and Norway, for example, use a TCC for their border control and benefit from the fully comprehensive document check, as the security level rises significantly.

This sounds very complex. Do you see more countries heading this way in the near future?

While the challenges as outlined above exist, they can be tackled using high-performance, easy-to-operate PKI components. Countries, or respectively issuance and border control authorities, simply need to embrace this technology and make use of it. Many still seem to fear interconnected PKIs for border control as extremely complex and unfathomable. However, it truly is not that difficult, as our current projects have proven.

To find out more, visit secunet's lecture during SDW in London: "Challenges and best practice examples for complex PKI infrastructures for the issuance and verification of eIDs". The lecture will be held on Wednesday 27 June 2018 at 2:25 pm (Knowledge Theatre).
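Added example (Go, written for this page; not secunet's, ICAO's or any border-control product's code) modelling the Passive Authentication check and the N-PKD trust decision the interview describes: the SOD signature is verified against the DS certificate, the DS certificate is chained to a CSCA from the Masterlist pool, and the national PKD's verdict on that CSCA is applied last. The certificates, keys and SOD bytes are constructed in memory; a real SOD is CMS SignedData over the data-group hashes, and the two-valued verdict stands in for the individual trust levels mentioned above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NPKD models the national PKD's per-certificate verdict: CSCA fingerprint -> trusted at the border?
type NPKD map[[32]byte]bool

func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

// NewCert issues a self-signed CSCA when parent is nil, otherwise a Document Signer (DS) certificate
// signed by that parent CSCA; it returns the certificate and its private key (all constructed here).
func NewCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: parent == nil, KeyUsage: x509.KeyUsageDigitalSignature}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { // CSCA: the self-signed trust anchor
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// PassiveAuth verifies the SOD signature with the DS certificate, chains the DS certificate to a
// CSCA in cscas (what the Masterlists deliver) and only then applies the N-PKD verdict on that CSCA.
func PassiveAuth(sod, sig []byte, ds *x509.Certificate, cscas *x509.CertPool, pkd NPKD) error {
	d := sha256.Sum256(sod)
	if pub, ok := ds.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("SOD signature does not verify against the DS certificate")
	}
	chains, err := ds.Verify(x509.VerifyOptions{Roots: cscas, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return err // the DS certificate does not chain to any known CSCA
	}
	if csca := chains[0][len(chains[0])-1]; !pkd[Fingerprint(csca)] {
		return errors.New("CSCA " + csca.Subject.CommonName + " is not trusted by the national PKD")
	}
	return nil
}
```

Callers build the CSCA pool from the Masterlist contents with x509.NewCertPool and AddCert; a CSCA that is present in the pool but carries no positive N-PKD verdict still causes the document check to fail.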