Access control mechanisms in ID document chips are crucial for maintaining the confidentiality, integrity, and authenticity of the data stored on the chips. These chips, commonly found in passports, identity cards, and other secure documents, employ a variety of technologies to ensure that sensitive personal information is safeguarded against unauthorized access.
This article explores the primary access control methods used in these contexts, including the use of a password (MRZ or CAN), Basic Access Control (BAC), Password Authenticated Connection Establishment (PACE), and the establishment of Secure Messaging.
Password: MRZ or CAN
Access to the chip on an ID document typically begins with a password-based authentication process. The two main types of passwords used are the Machine Readable Zone (MRZ) and the Card Access Number (CAN):
Machine Readable Zone (MRZ)
This is a standardized format used mainly in travel documents. It includes personal data such as the document holder’s name, passport number, nationality, date of birth, sex, and document expiration date. This data, printed on the identity document, can be read visually and scanned electronically. For electronic reading, the lines at the bottom of the document encode this information; the document number, date of birth and date of expiry taken from these lines serve as the key that unlocks the chip.
Card Access Number (CAN)
This is a shorter numerical code, often used in identity cards or other non-passport travel documents. It serves a similar purpose to the MRZ but is used primarily where an MRZ is not available. The CAN is typically a six-digit number printed on the card that must be entered manually to gain initial access to the chip.
Basic Access Control (BAC)
BAC is implemented to protect the communication channel between the chip in the ID document and the reader. Once the MRZ or CAN is correctly entered, BAC uses this information to generate the cryptographic keys that secure subsequent data transmissions. BAC is deprecated and has been replaced by the newer Password Authenticated Connection Establishment (PACE) protocol. Here’s how BAC works:
Key Derivation
Based on the MRZ or CAN, along with additional data such as the document expiration date and the document holder’s date of birth, a symmetric key is derived.
Authentication and Encryption
This key is then used both to authenticate the data communication and to encrypt the data transmitted between the chip and the reader, ensuring that intercepted communications remain confidential and tamper-proof.
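The key derivation described above, carried out in Python as an added example (not code from the original article): the three MRZ fields are each followed by their ICAO check digit, the concatenation is hashed with SHA-1 to give K_seed, and the 3DES encryption and MAC keys are derived from K_seed with the counters 1 and 2 and parity-adjusted, following ICAO Doc 9303. The sample field values are the worked-example values published in that standard; because the whole key is determined by the document number, date of birth and date of expiry, its entropy is far below that of a random 112-bit key, which is one reason BAC has given way to PACE.

```python
import hashlib

# Sample MRZ fields taken from the worked example in ICAO Doc 9303 (not a real document).
DOC_NUMBER = "L898902C<"   # 9 characters; '<' pads shorter document numbers
DATE_OF_BIRTH = "690806"   # YYMMDD
DATE_OF_EXPIRY = "940623"  # YYMMDD

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1 repeating; digits count as-is,
    letters A-Z as 10-35 and the filler '<' as 0; result is the sum mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch.upper()) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def mrz_information(doc_number: str, dob: str, doe: str) -> str:
    """The BAC password: document number, date of birth and date of expiry,
    each immediately followed by its check digit."""
    return (doc_number + check_digit(doc_number)
            + dob + check_digit(dob)
            + doe + check_digit(doe))

def adjust_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte by flipping its least significant bit
    when the byte currently has an even number of one bits (DES key convention)."""
    return bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in key)

def derive_bac_keys(mrz_info: str) -> tuple[bytes, bytes]:
    """ICAO 9303 3DES key derivation:
    K_seed = SHA-1(MRZ_information)[:16]
    K_enc  = SHA-1(K_seed || 00000001)[:16], K_mac = SHA-1(K_seed || 00000002)[:16],
    both parity-adjusted. Returns (K_enc, K_mac)."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    k_enc = hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16]
    k_mac = hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16]
    return adjust_des_parity(k_enc), adjust_des_parity(k_mac)

if __name__ == "__main__":
    info = mrz_information(DOC_NUMBER, DATE_OF_BIRTH, DATE_OF_EXPIRY)
    k_enc, k_mac = derive_bac_keys(info)
    print("MRZ_information:", info)
    print("K_enc:", k_enc.hex().upper())
    print("K_mac:", k_mac.hex().upper())
```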
Password Authenticated Connection Establishment (PACE)
An advancement over BAC, PACE provides a more robust security framework for the authentication process between the chip and the reader. PACE can use a PIN (like CAN), a password, or biometric data as the authentication token. The process enhances security in several ways:
Improved Key Agreement
PACE employs a Diffie-Hellman key agreement protocol, which allows the chip and the reader to establish a mutual cryptographic key without the key being transmitted over the air.
Mutual Authentication
Both the chip and the reader authenticate each other, ensuring that each party is legitimate.
Resistance to Eavesdropping and Skimming
The encryption and authentication mechanisms in PACE are designed to be resistant to eavesdropping and skimming attacks, making it significantly harder for unauthorized entities to access the data.
Establishing Secure Messaging
Once BAC or PACE has been successfully completed, the communication channel between the ID document chip and the reader is considered secure. At this stage, Secure Messaging (SM) is established, which ensures that all subsequent data transmissions are encrypted and integrity-protected. Secure Messaging involves:
Encryption
Data exchanged between the chip and the reader is encrypted using the keys agreed upon during the BAC or PACE process, ensuring that it cannot be read by a third party observing the interface.
Integrity Protection
Each message includes a cryptographic checksum or MAC (Message Authentication Code), which allows the recipient to verify that the message has not been altered during transmission.
Access Control for Accessing the Chip of an ID Document – Conclusion
The security protocols implemented in ID document chips, including the use of MRZ or CAN, BAC, PACE, and Secure Messaging, play a critical role in protecting personal data against unauthorized access and misuse. These technologies not only secure the data but also ensure that the privacy of the individuals is maintained, bolstering trust in the security of international travel and identity verification processes.