Supplemental access control


Supplemental access control (SAC) is a set of security features defined by ICAO [1] for protecting data contained in electronic travel documents (e.g. electronic passports). SAC specifies the Password Authenticated Connection Establishment (PACE) protocol, which itself supplements and improves upon the Basic Access Control (BAC) protocol also established by ICAO. [2] PACE, like BAC, prevents two types of attacks: [3]

The implementation of PACE marks the start of the third generation of electronic passports. [4] [5] [6] EU member states must implement PACE in electronic passports by the end of 2014. [7] For the sake of global interoperability, states must not implement PACE without also implementing BAC, and inspection systems should implement PACE and use it whenever the MRTD chip supports it. Global interoperability is therefore essential if the enhancement is to make the document verification process reliable, and it is checked in so-called Interoperability Tests; the results of the most recent test focusing on SAC describe the current state of implementation in the field. [8]

Version 1.1 (April 2014) of ICAO's "Supplemental Access Control" Technical Report introduces the Chip Authentication protocol as an alternative to Active Authentication and integrates it with PACE, yielding a new protocol (Chip Authentication Mapping, PACE-CAM [9]) that executes faster than the two protocols run separately. [10]
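The following is an added illustration of the PACE exchange described above, written for this page and not taken from the ICAO Technical Report or from any vendor's implementation. It runs the generic-mapping (Diffie-Hellman) variant end to end between a simulated chip and terminal: the chip encrypts a nonce under a key derived from the MRZ-based password, an ephemeral DH exchange maps the generator, a second DH on the mapped generator produces the session secret, and both sides exchange authentication tokens. Everything below that is not in the page is a stated simplification: a freshly generated 64-bit toy group instead of a standardised one, a SHA-256 keystream instead of the block cipher the specification uses to encrypt the nonce, and HMAC-SHA256 standing in for the specification's MAC and key-derivation function.

```python
"""Simplified PACE generic-mapping run (DH variant). Added illustration, not
ICAO's specification or any project's code; toy group, SHA-256 keystream and
HMAC-SHA256 are simplifications chosen to keep the run self-contained."""
import hashlib
import hmac
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, adequate for generating a toy group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_group(bits: int = 64):
    """Return (p, q, g): safe prime p = 2q+1 and a generator g of order q.
    Constructed toy parameters, far too small for real deployments."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 = 2^2 is a square, hence of order q


P, Q, G = toy_group()


def password_key(mrz_password: str) -> bytes:
    """K_pi from the MRZ-derived password (simplified KDF)."""
    return hashlib.sha256(b"K_pi|" + mrz_password.encode()).digest()


def mask_nonce(k_pi: bytes, nonce_bytes: bytes) -> bytes:
    """Encrypt or decrypt the 32-byte nonce with a SHA-256 keystream (simplification)."""
    stream = hashlib.sha256(b"nonce|" + k_pi).digest()
    return bytes(x ^ y for x, y in zip(nonce_bytes, stream))


def session_keys(shared: int):
    """Derive (K_enc, K_mac) from the shared secret (simplified KDF)."""
    material = shared.to_bytes(32, "big")
    return (hashlib.sha256(b"enc|" + material).digest(),
            hashlib.sha256(b"mac|" + material).digest())


def auth_token(k_mac: bytes, peer_public: int) -> bytes:
    """Authentication token over the peer's second ephemeral public key."""
    return hmac.new(k_mac, peer_public.to_bytes(32, "big"), hashlib.sha256).digest()


def run_pace(chip_password: str, terminal_password: str) -> dict:
    """Run the four PACE steps and report what each side concluded."""
    # Step 1: the chip encrypts a random nonce s under K_pi and sends z; the
    # terminal recovers s using the password it read from the MRZ.
    s = secrets.randbelow(Q - 1) + 1
    z = mask_nonce(password_key(chip_password), s.to_bytes(32, "big"))
    s_term = int.from_bytes(mask_nonce(password_key(terminal_password), z), "big")

    # Step 2 (generic mapping): ephemeral DH gives H, and the mapped generator
    # is g' = g^s * H, so the sides only agree on g' if they agree on s.
    x1, y1 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    pub_t1, pub_c1 = pow(G, x1, P), pow(G, y1, P)
    g_term = (pow(G, s_term, P) * pow(pub_c1, x1, P)) % P
    g_chip = (pow(G, s, P) * pow(pub_t1, y1, P)) % P

    # Step 3: a second DH on the mapped generator yields the shared secret K.
    x2, y2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    pub_t2, pub_c2 = pow(g_term, x2, P), pow(g_chip, y2, P)
    k_term, k_chip = pow(pub_c2, x2, P), pow(pub_t2, y2, P)

    # Step 4: derive session keys and verify each other's authentication token.
    enc_t, mac_t = session_keys(k_term)
    enc_c, mac_c = session_keys(k_chip)
    chip_accepts = hmac.compare_digest(auth_token(mac_t, pub_c2), auth_token(mac_c, pub_c2))
    terminal_accepts = hmac.compare_digest(auth_token(mac_c, pub_t2), auth_token(mac_t, pub_t2))
    return {
        "authenticated": chip_accepts and terminal_accepts,
        "session_keys_match": enc_t == enc_c,
        # Everything an eavesdropper on the contactless link observes:
        "eavesdropper_sees": (z, pub_t1, pub_c1, pub_t2, pub_c2),
    }
```

A run with matching passwords authenticates and both sides hold the same session keys; a run where the terminal holds a different password fails at step 4, because the mismatched nonce produces different mapped generators. The `eavesdropper_sees` tuple makes the contrast with BAC visible: a recorded transcript contains the masked nonce and four public values, so a password guess yields only a candidate nonce and not the DH value H needed to recompute the mapped generator, which is why the session key cannot be checked offline against the MRZ data the way a BAC transcript can.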


References

  1. Supplemental Access Control for Machine Readable Travel Documents (PDF). International Civil Aviation Organization (ICAO). November 2010.
  2. ICAO Doc 9303, Machine Readable Travel Documents, Part 1: Machine Readable Passports, Volume 2: Specifications for Electronically Enabled Passports with Biometric Identification Capability (PDF) (Sixth ed.). International Civil Aviation Organization (ICAO). 2006. Archived from the original (PDF) on 2015-06-05.
  3. Jens Bender, Dennis Kügler (2009). Introducing the PACE solution (PDF). Bundesamt für Sicherheit in der Informationstechnik.
  4. Gemalto (October 2011). Moving to the third generation of electronic passports (PDF).
  5. Verna Heino (Gemalto) (April 2011). Moving to the third generation of electronic passports. Silicon Trust.
  6. Markus Mösenbacher (2013). Preventing fraud in ePassports and eIDs (PDF). NXP.
  7. European Commission (August 2011). Commission Decision C(2011) 5499 amending Commission Decision C(2006) 2909 laying down the technical specifications on the standards for security features and biometrics in passports and travel documents issued by Member States (PDF).
  8. Holger Funke (2014). "Results of Interoperability Tests in Madrid". blog.protocolbench.org.
  9. Holger Funke (2015). "Chip Authentication Mapping". blog.protocolbench.org.
  10. TR - Supplemental Access Control for MRTDs V1.1 (PDF). ICAO. 2014.