27 Oct 2020 Eurosmart advocates for a new paradigm of security certification of chip-based identity documents
It is time to change paradigm. This is what Eurosmart concludes in its newly published guidance document on chip certification. This expert publication describes in a very concrete and illustrative way the ground-breaking developments currently happening in the world of chip-based identity documents. Cyber-threats on chips are evolving at a fast pace in an identity document market where security -by essence- is crucial. How to ensure that these long-lasting documents (the validity period of a passport is ten years) remain secure throughout their lifetime?
Currently, certification of chips under the SOG-IS Mutual Recognition Agreement only demonstrates security of the embedded software at the time of certification. The agreement does not require monitoring of the effective security after certification, for instance when identity documents are already in use. This is problematic given the long validity period of a chip-based identity document and the evolving nature of cyber-attacks on chips. This problem should be solved with the transposition of the SOG-IS into a European certification scheme (EUCC scheme), where national authorities will have to guarantee continuous security surveillance.
However, if a flaw on a chip is discovered, how should national governments react? Should they recall the identity documents? Can the chip be upgraded to correct the flaw? All these questions will need urgent answers. Eurosmart’s guidance document argues that these questions should be answered when launching the identity document project. In other words, national governments need to get familiar with the notion of risk management. They should acknowledge that risks exist and will continue existing. The objective is to manage them in a way that ensures the best possible balance between security, costs and user convenience.
Full guidance document below.
Eurosmart_guidance_chip_security_27102020