In this blog, I explain the numerous ways to identify sensitive data. The main point in this posting is to articulate the complex nature of identifying sensitive data to comply with regulation, compliance, data governance, and data hygiene practices. In scenarios such as these, the advantages of using automated tools such as "Spirion.com" to augment manual approaches is obvious.
Passports and passport cards have numerous technologies built into the process of validating a subject such as myself "Cory Retherford". Passports use numerous codes, which will discuss in the following paragraphs, watermarks, steganography, RFID technologies similar to that of certificate authorities when validating website TLS certificates "HTTPS" and other approaches ill address.
This information is not at all intended to help you create fake identities but is intended to explain the nature of how identities are secured and to inform you as a Cyber Security Expert "White Hat". For those others use TOR where the DOJ can track your bad habits.
Contexual Validation
The first two numbers indicate which passport office issued your passport or where you applied for the passport.
Pre-Fix | Passport Office |
40 | New Orleans |
1 | Washington |
15, 20, 21 | New Hampshire |
60 | Military |
90 | Diplomatic |
Z or 70 | Temporary |
The format of the first row
Positions | Length | Characters | Meaning |
1 | 1 | alpha | P indicates a passport, C indicates a Passcard |
2 | 1 | alpha+< | Type (for countries that distinguish between different types of passports) |
3–5 | 3 | alpha+< | Issuing country or organization. |
6–44 | 39 | alpha+< | Surname, followed by two random characters, followed by given names. |
In the name field, spaces, hyphens and other punctuation are represented by <, except apostrophes, which are skipped. If the names are too long, names are abbreviated to their most significant parts. In that case, the last position must contain an alphabetic character to indicate possible truncation, and if there is a given name, the two fillers and at least one character of it must be included.
The format of the second row is:
Positions | Length | Characters | Meaning |
1–9 | 9 | alpha+num+< | Passport number |
10 | 1 | numeric | Check digit over digits 1–9 |
11–13 | 3 | alpha+< | Nationality (ISO 3166-1 alpha-3 code with modifications) |
14–19 | 6 | numeric | Date of birth (YYMMDD) |
20 | 1 | numeric | Check digit over digits 14–19 |
21 | 1 | alpha+< | Sex (M, F or < for male, female or unspecified) |
22–27 | 6 | numeric | Expiration date of passport (YYMMDD) |
28 | 1 | numeric | Check digit over digits 22–27 |
29–42 | 14 | alpha+num+< | Personal number (may be used by the issuing country as it desires) |
43 | 1 | numeric+< | Check digit over digits 29–42 (may be < if all characters are <) |
44 | 1 | numeric | Check digit over digits 1–10, 14–20, and 22–43 |
U.S. Passport numbers must be between six and nine alphanumeric characters (letters and numbers).
The "C" that precedes a U.S. Passport Card number is no longer case sensitive.
RFID Verification process.
If you have ever been to the airport or through customs, TSA first visually and/or scans the MRZ of the passport. This printed info contains the basic access control keys needed to "unlock" the embedded chip.
- The scanning device then sends this info to the chip via RFID.
- The chip responds with all pertinent data verification which includes a cryptographic signature.
- The verification process verifies the public keys belonging to the US State Department maintained by ICAO.
- This process also includes checking the revocation list, also maintained by ICAO.
- The passport is then verified as it would be when verifying any secure website (HTTPS) using a TLS certificate by a CA.
Other nations such as India and the Maldives for example first digit is alphabetic and the remaining seven digits are numbers.
Many organizations can verify Passports using services such as - https://protect.hooyu.com/document/verify/passport
