Extended Access Control


Extended Access Control (EAC) is a set of advanced security features for electronic passports that protects and restricts access to sensitive personal data contained in the RFID chip. In contrast to common personal data (such as the bearer's photograph, names and date of birth), which can be protected by basic mechanisms, more sensitive data (such as fingerprints or iris images) must be protected further to prevent unauthorized access and skimming. A chip protected by EAC allows this sensitive data to be read (over an encrypted channel) only by an authorized passport inspection system. [1] [2]


EAC was introduced by ICAO [3] [4] as an optional security feature (additional to Basic Access Control) for restricting access to sensitive biometric data in an electronic MRTD. Only a general outline is given: the chip must contain chip-individual keys, must have processing capabilities, and additional key management will be required. However, ICAO leaves the actual solution open to the implementing States.

There are several different proposed implementations of the mechanism, all of which must retain backward compatibility with the legacy Basic Access Control (BAC), which is mandatory in all EU countries. The European Commission stated that the technology will be used to protect fingerprints in member states' e-passports. The deadline for member states to start issuing fingerprint-enabled e-passports was set to 28 June 2009. The specification selected for EU e-passports was prepared by the German Federal Office for Information Security (BSI) in its technical report TR-03110. [5] Several other countries implement their own EAC.

EAC as defined by the EU

EAC as defined by the EU has two requirements: chip and terminal authentication. [6]

Chip authentication (for strong session encryption)

The chip authentication specification defines a handheld device (CAP reader) with a smart card slot, a decimal keypad, and a display capable of displaying at least 12 characters. Chip authentication (CA) has two functions:

Chip authentication is an add-on to Basic Access Control (BAC) that provides protection against skimming and eavesdropping.

Terminal authentication (access restricted to authorized terminals)

Terminal authentication (TA) is used to determine whether the inspection system (IS) is allowed to read sensitive data from the e-passport. The mechanism is based on digital certificates, which use the card verifiable certificate format.

A document verifier certificate is issued by the country verifying certificate authority (CVCA). These certificates can be for domestic or foreign document verifiers. The certificates are typically issued for medium amounts of time, between half a month and 3 months. The CVCA certificate is generated by each country and is typically valid for 6 months to 3 years. [7]
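As an added example (not code from the page, from BSI or from TR-03110), the following Go program models the chip-side check that terminal authentication performs on the certificate chain described above: the chip trusts its own country's CVCA certificate, the CVCA signs the document verifier (DV) certificate, and the DV signs the inspection system (IS) certificate; each link must be issued by the previous holder, carry a valid signature and lie inside its validity window. The struct fields, the holder names and the use of ed25519 (in place of the signature algorithms TR-03110 actually specifies) are assumptions; the validity periods follow the durations given in the text.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// CVC is a simplified card verifiable certificate (assumption: real CVCs are TLV-encoded per TR-03110).
type CVC struct {
	Holder, Issuer    string
	PubKey            ed25519.PublicKey
	Effective, Expiry time.Time
	Sig               []byte // issuer's signature over tbs()
}
// tbs returns the to-be-signed bytes: identities, validity window and holder public key.
func (c *CVC) tbs() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%x", c.Holder, c.Issuer, c.Effective.Format("060102"), c.Expiry.Format("060102"), c.PubKey))
}
// Issue signs a certificate for holder with the issuer's key, valid from "from" for the given number of days.
func Issue(key ed25519.PrivateKey, issuer, holder string, pub ed25519.PublicKey, from time.Time, days int) *CVC {
	c := &CVC{Holder: holder, Issuer: issuer, PubKey: pub, Effective: from, Expiry: from.AddDate(0, 0, days)}
	c.Sig = ed25519.Sign(key, c.tbs())
	return c
}
// VerifyChain is the chip-side terminal authentication check: issuer linkage, signature and validity window per certificate.
func VerifyChain(cvca *CVC, chain []*CVC, now time.Time) error {
	parent := cvca // the CVCA certificate is the trust anchor stored on the chip
	for _, c := range chain {
		switch {
		case c.Issuer != parent.Holder:
			return fmt.Errorf("%s: issuer %q is not %q", c.Holder, c.Issuer, parent.Holder)
		case !ed25519.Verify(parent.PubKey, c.tbs(), c.Sig):
			return fmt.Errorf("%s: signature does not verify under %s", c.Holder, parent.Holder)
		case now.Before(c.Effective) || now.After(c.Expiry):
			return fmt.Errorf("%s: outside validity window", c.Holder)
		}
		parent = c
	}
	return nil
}

// DemoChain builds a constructed chain: self-signed CVCA (1 year) -> domestic DV (2 months) -> IS (2 weeks).
func DemoChain(start time.Time) (*CVC, []*CVC) {
	caPub, ca, _ := ed25519.GenerateKey(nil)
	dvPub, dv, _ := ed25519.GenerateKey(nil)
	isPub, _, _ := ed25519.GenerateKey(nil)
	dvc, isc := Issue(ca, "DECVCA", "DEDV", dvPub, start, 60), Issue(dv, "DEDV", "DEIS", isPub, start, 14)
	return Issue(ca, "DECVCA", "DECVCA", caPub, start, 365), []*CVC{dvc, isc}
}
```

Because the IS certificate is the shortest-lived link, a chain that verified last week can fail today even though the DV and CVCA certificates are still valid, which is the behaviour the short DV and IS lifetimes are designed to produce.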

  1. G. S. Kc; P. A. Karger (1 April 2005). "Security and privacy issues in machine readable travel documents (MRTDs)" (PDF). RC 23575 (W0504-003). IBM. Retrieved 4 January 2012.
  2. Javier López; Pierangela Samarati; Josep L. Ferrer (2007). Public Key Infrastructure: 4th European PKI Workshop: Theory and Practice, EuroPKI 2007. Springer. p. 41. ISBN 978-3-540-73407-9.
  3. "5.8 Security for additional biometrics". ICAO Doc 9303, Machine Readable Travel Documents, Part 1: Machine Readable Passports, Volume 2: Specifications for Electronically Enabled Passports with Biometric Identification Capability (Sixth ed.). International Civil Aviation Organization (ICAO). 2006. p. 84.
  4. "Temporat Secure Digital Identity" (PDF). EPassport Extended Access Control. White Paper. Archived from the original (PDF) on 21 October 2006. Retrieved 19 June 2013.
  5. "Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC)" (PDF). BSI. Retrieved 26 November 2009.
  6. Kügler, Dennis (1 June 2006). "Extended Access Control: Infrastructure and Control" (PDF). Retrieved 19 June 2013.
  7. Kügler, Dennis. "Extended Access Control: Infrastructure and Protocol" (PDF). Retrieved 3 May 2016.
