The world is beleaguered by the Covid-19 pandemic and MCS is developing a Health Passport solution. In its latest venture, MCS is building a Cloud service that combines leading-edge technologies to enable users, organisations and governments to minimise the risk of infections from physical interactions. The secured Travel / Work Health Passport Service uses Covid-19 detection tools, real-time Covid-19 testing, a self-assessment mobile application, vaccination status, and on-site indoor and outdoor mobile laboratories.
Parties at designated checkpoints throughout the system are obligated to upload user interactions, test reports, and vaccination records. All updates must be added by authorised personnel who are registered with the Health Passport Service. Persons under quarantine and those under surveillance would check in through their mobile application so that authorities can track their whereabouts.
Records which may be subject to future scrutiny or inspection for the purpose of work or travel are further secured by adding their metadata to our distributed ledger. Also, the Health Passport Service will generate a QR Code that contains a URL (uniform resource locator). The URL links to a webpage that holds a public version of the user's record and the document hash that was placed on the blockchain network for security, verification, and, most importantly, end-user validation.
Inspection of the secured QR code can be done with any QR code scanner app on a smartphone, and does not require any other special device. When the code is scanned, the inspector will be able to retrieve the personal particulars and a photograph of the User from the HPS web server. Details of the blockchain transaction ID are available for verification as well.
The distributed ledger is a private blockchain based on the Proof of Authority algorithm, custom-designed by the solution provider. Proof of Authority (PoA) is a reputation-based consensus algorithm that introduces a practical and efficient solution for blockchain networks (especially the private ones). It is more efficient than the algorithms used by cryptocurrencies because it is able to perform many more transactions per second.
MCS had developed versions of the e-passport on-chip application and inspection system software module before the International Civil Aviation Organisation (ICAO) standardised the e-Passport specifications in 2006. We continued our development to this date based on ICAO requirements, and partnered with a terminal manufacturer to create an e-passport system.
The MCS ICAO Applet, an up-to-date implementation of the e-passport, was available on JavaCard and SMOS platforms. Since 2004, our e-passport prototypes have been submitted to the LDS, BAC, EAC and now SAC interoperability test sessions organised by ICAO and other parties. They have been validated by third-party test tools as compliant with ICAO Application Layers 6 and 7 test cases.
ICAO SOD Codec
On the host end, we developed the SOD Codec, which generates and decodes the e-passport Document Security Object (SOD) - its digital signature. It takes the data groups as input and outputs the digital signature, and in reverse, verifies the digital signature itself and the data groups against the digital signature. This software library employed cryptographic hash, encoding/decoding, encryption/decryption and signing/verification functions, such as SHA, TDES, RSA and PKCS. It was implemented in J2SE for the Java platform and supports the Microsoft platform via Java Native Interface (JNI).
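The data-group half of the verification described above, as an added example (not MCS code). The digest table stands in for the per-data-group hashes carried in the SOD; decoding the SOD and verifying its signature are assumed to have been done already, and the function names, the SHA-256 choice and the sample data are assumptions.

```python
import hashlib
import hmac

# Constructed sample data groups (placeholder bytes, not real LDS encodings).
SAMPLE_DATA_GROUPS = {
    1: b"constructed DG1: machine readable zone",
    2: b"constructed DG2: encoded face image",
    14: b"constructed DG14: security options",
}


def build_dg_hashes(data_groups, algorithm="sha256"):
    """Issuer side: map each data group number to the digest of its content.

    In a real SOD this table is what the issuer's signature covers.
    """
    return {
        number: hashlib.new(algorithm, content).digest()
        for number, content in data_groups.items()
    }


def check_data_groups(dg_hashes, read_groups, algorithm="sha256"):
    """Inspection side: return (mismatched, unlisted) data group numbers.

    mismatched: groups whose recomputed digest differs from the signed table.
    unlisted:   groups read from the chip that the table does not cover,
                so nothing vouches for their content.
    """
    mismatched, unlisted = [], []
    for number, content in sorted(read_groups.items()):
        expected = dg_hashes.get(number)
        if expected is None:
            unlisted.append(number)
            continue
        actual = hashlib.new(algorithm, content).digest()
        # Constant-time comparison of the two digests.
        if not hmac.compare_digest(expected, actual):
            mismatched.append(number)
    return mismatched, unlisted
```

An inspection system should accept the document only when both lists are empty and the signature over the digest table has verified.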
Card Management Systems
In 2001, after the successful launches of our card operating systems, MCS undertook the development of a card lifecycle management system named IdenSafe. It was a web-based server application, built on ASP technology and meant for national identification projects. IdenSafe managed card inventory, generated the personalisation scripts, kept track of card issuance and handled card deactivation and termination. Hardware interfaces for card reader-terminal, biometric scanner and personalisation interfaces were implemented. In addition, a Key Management System (KMS) was developed to handle key generation, derivation and distribution, and digital signature generation and verification, with the support of a hardware security module (HSM).
An open card system, like the one supporting our next-generation COS, will require a card management system to serve and safeguard it: one that manages card inventory and distribution, generates the personalisation scripts, keeps track of the health and status of cards in circulation, and handles de/reactivation and termination. User interaction will take place over the internet, whereas urgent alerts and announcements may be delivered via email and phone messages.
The card management system will coordinate the actions of the stakeholders:
- Service providers, e.g. government, bank, transport authority, retailer
- Card issuer
Its operation shall meet industry security levels, including ISO/IEC 27001 information security management system (ISMS), Payment Card Industry Data Security Standard (PCI-DSS), privacy and data protection laws and national Trustmark.
Card application provisioning and personalisation
Expanding on the next-generation COS project, we see card owners/holders sourcing their applications from the internet and installing them on-the-fly. The authenticity of the applications can be verified through PKI technology. Subsequently, the installed application may be activated and personalised by the relevant application provider. For example, the cardholder signs up for an ATM card with a bank, downloads and installs the ATM application into the card, and finally has it activated and personalised by the bank, where the entire procedure is performed over the network. Subsequently, the card may be used at all ATMs like a regular, single-purpose ATM card.
The above card application provisioning and personalisation system should be a familiar concept - think Google Play Store for card applications. Application providers will comprise conventional smart card vendors, retail businesses, financial institutions, governmental agencies, hobbyists and other groups who wish to serve the greater public. Downloads may take place through the existing infrastructure, i.e. payment terminals, ATMs, NFC-enabled mobile devices, public kiosks and home PCs with smart card readers.
The mobile device has become an important computing and communication tool that is gradually gaining traction in the data security space, with the implementation of secure elements and near-field communication interfaces. We envision the mobile device playing an important role in facilitating the use of our next-generation smart cards by connecting smart cards to the internet via its built-in NFC interface. Furthermore, security standards and application specifications developed to accommodate the secure element (SE) can be applied to our new smart cards.