E-passports go down under

The Australian government has awarded a contract to a Herndon, Va.-based company to help develop a secure electronic passport for its citizens.

Cybertrust is developing a public-key infrastructure (PKI) technology component, which involves unique and secure electronic identities or credentials, in a 10-month pilot test that will look at 6,000 e-passports for the Department of Foreign Affairs and Trade (DFAT), which is the Australian equivalent of the State Department.

Kerry Bailey, Cybertrust's senior vice president of global services, said he believes that Australia is the first country to implement the e-passport initiative. The pilot test is already under way, he said.

The United States has set an October 2005 deadline for requiring citizens from Australia and 26 other Visa Waiver Program nations to develop machine-readable passports carrying biometric information on an electronic chip. The International Civil Aviation Organization (ICAO) established facial mapping as the global biometric standard for the e-passports.

In Australia's program, when a citizen applies for a passport, his or her biometric and biographic data, such as name and date of birth, are encoded and sent to DFAT, which hosts the Cybertrust Security Server. The server gets its authentication or signing keys from Cybertrust's UniCERT Certificate Authority, which is hosted at a company-owned secure data center.

The server provides the data encoding, signing and verification functions — in essence, combining personal data with the authentication keys — and loads the information on a radio frequency identification chip prior to issuance of the passport.

"This provides DFAT with nonrepudiation for the overall solution and ensures that the passports have been issued by a genuine DFAT-authorized registration point and the data has not been tampered with since issuance," Jennie McLaughlin, Cybertrust's general manager of marketing for the company's Asia Pacific sector, wrote in an e-mail.

The DFAT public keys are published in the ICAO global directory for real-time validation at verification points around the world, she added.

Tom Greco, general manager of the company's federal business unit, said other countries likely would also use PKI technology to ensure the authenticity of the machine-readable passports. Company officials said they knew Thailand has an e-passport program was under way, but they didn't know whether it was using PKI technology.

When it emerged several years ago, PKI was characterized as a technology looking for a solution. In other words, it was too complex. There weren't many applications justifying its use and other simpler technologies could do almost as good a job.

The technology probably got ahead of the business use, Bailey said. But with a focus now on securing and verifying identities, PKI has become the way to ensure the integrity of issued credentials, he added.

Cost was another factor, but Greco said leveraging across an organization lowers the price.

"Running the secure infrastructure has its cost and there's also a cost from creating what I'll call PKI-aware applications," he said. "But if done correctly and done in an outsourced environment, the actual cost of use to the agency can be driven down very low."

Both company officials said PKI technology could be used in other e-passport programs.

Cybertrust was formed this fall following the merger of Betrusted Holdings and TruSecure and is now considered the largest privately held information security company. The Australian pilot was actually awarded to Betrusted prior to the merger. Terms of the contract were not disclosed.