MCS had developed versions of the e-passport on-chip application and inspection system software module before the International Civil Aviation Organisation (ICAO) standardised the e-Passport specifications in 2006. We continued our development to this date based on ICAO requirements, and partnered with a terminal manufacturer to create an e-passport system.
The MCS ICAO Applet, an up-to-date implementation of the e-passport, was available on JavaCard and SMOS platforms. Since 2004, our e-passport prototypes have been submitted to the LDS, BAC, EAC and now SAC interoperability test sessions organised by ICAO and other parties. They have been validated by third-party test tools as compliant to ICAO Application Layers 6 and 7 test cases.
ICAO SOD Codec
On the host end, we developed the SOD Codec which generates and decodes the e-passport Document Security Object (SOD) - its digital signature. It takes as input the data groups and outputs the digital signature, and in reverse, verifies the digital signature itself and the data groups against the digital signature. This software library employed cryptographic hash, encoding/decoding, encryption/decryption and signing/verification functions, such as SHA, TDES, RSA and PKCS. It was implemented in J2SE for Java platform and supports Microsoft platform via Java Native Interface (JNI).
Card Management Systems
In 2001, after the successful launches of our card operating systems, MCS undertook the development a card lifecycle management system named IdenSafe. It was a web-based server application that was built on ASP technology meant for national identification projects. IdenSafe managed card inventory, generated the personalisation scripts, kept track of card issuance and handled card deactivation and termination. Hardware interfaces for card reader-terminal, biometric scanner and personalisation interfaces were implemented. In addition, a Key Management System (KMS) was developed to handle the key generation, derivation and distribution, and digital signature generation and verification, with the support of hardware security module (HSM).
A card management system will be required to serve and safeguard an open card system like the one supporting our next-generation COS, that manages card inventory and distribution, generates the personalisation scripts, keeps track of the health and status of cards in circulation, and handles de/reactivation and termination. User interface will take place over the internet, whereas urgent alerts and announcements may be delivered via email and phone messages.
The card management system will coordinate the actions of the stakeholders:
- Service providers, e.g. government, bank, transport authority, retailer
- Card issuer
Its operation shall meet industry security levels, including ISO/IEC 27001 information security management system (ISMS), Payment Card Industry Data Security Standard (PCI-DSS), privacy and data protection laws and national Trustmark.
Card application provisioning and personalisation
Expanding on the next-generation COS project, we see card owners/holders sourcing their applications from the internet and installing them on-the-fly. The authenticity of the applications can be verified through PKI technology. Subsequently, the installed application may be activated and personalised by the relevant application provider. For example, the cardholder signs up for an ATM card with a bank, downloads and installs the ATM application into the card, and finally have it activated and personalised by the bank, where the entire procedure is performed over the network. Subsequently, the card may be used at all ATMs like a regular, single-purpose ATM card.
The above card application provisioning and personalisation system should be a familiar concept - think Google Play Store for card applications. Application providers will comprise conventional smart card vendors, retail businesses, financial institutions, governmental agencies, hobbyists and other groups who wish to serve the greater public. Downloads may take place through the existing infrastructure, i.e. payment terminals, ATMs, NFC-enabled mobile devices, public kiosks and home PCs with smart card readers.
The mobile device has become an important computing and communication tool that is gradually gaining traction in the data security space, what with the implementation of secure elements and near-field communication interface. We envision the mobile device playing an important role in facilitating the use of our next-generation smart cards through connecting smart cards to the internet via its built-in NFC interface. Furthermore, security standards and application specifications developed to accommodate the secure element (SE) can be applied to our new smart cards.