DocVal Server – eMRTD Security Mechanisms ICAO Doc9303
This document provides a short overview of eMRTDs (electronic machine readable travel documents) and the involved security mechanisms. Please refer to ICAO Doc9303 (Part 10 and 11 in particular) for the full details.
The German Federal Office for Information Security BSI can be an additional resource on machine readable travel documents and on the security mechanisms involved.
Files on the eMRTD Chip
Card Access File
File is optional. The Card Access file must be present and contain public key info for the Access Control protocol PACE, if PACE is supported by the chip.
Document Security Object (SOD)
The SOD is a file on the Chip. The SOD is implemented as a SignedData Type. The content is signed by a document signing certificate which in turn is signed by the issuing country of the eMRTD.
The SOD contains a hash value for each Data Group present on the Chip. The Inspection System knows which Data Groups are present on the Chip after reading the SOD.
Mandatory Data Groups
Data Group 1
Contains the MRZ Info (as printed on the data page of the passport).Data Group 2
Contains one or more Face Info. At least one Face Info with a photo of the face is mandatory.
Note to the Date of Expiry (date_of_expiry
) in the MRZ Info (Data Group 1): The Date of Expiry from the MRZ is often before the Not After-Date of the Document Certificate. Hence, To check if a document is expired, check the Date of Expiry from the MRZ/DG1.
Optional Data Groups
Some other available optional Data Groups are listed below:
Data Group 7
Signature or Usual MarkData Group 11
Additional Personal DetailsData Group 12
Additional Document DetailsData Group 14
Security Options (May include a public key info for Chip Authentication)Data Group 15
Active Authentication Public Key Info
The file emrtd_datagroups.png lists all 16 Data Groups.
Protocols
Access Control
The Inspection System uses an Access Key
to access the Chip. An Access Key
can be derived from MRZ (Machine Readable Zone) or from the CAN (Card Access Number). The CAN is optional and may be printed on the document.
For Access Control two protocols exist:
- Basic Access Control (BAC)
- Password Authenticated Connection Establishment (PACE)
BAC
is deprecated and has been replaced by the newer PACE.
PACE
employs asymmetric cryptography to provide higher session entropy keys and therefore a better encryption of the communication between Chip and Inspection System. The file CardAccess with public key info for PACE must be present on the chip.
After Access Control
the communication between Inspection System and Chip is secured with a symmetric encryption.
Passive Authentication
With Passive Authentication the integrity and authenticity of the data (like MRZ info, photo of face) is verified based on a list of trusted country certificates.
The Document Validation Server implements the steps as they are described by ICAO in Doc9303
:
The Inspection System performs the following steps:
- The Inspection System SHALL read the Document Security Object (SOD) (which MUST contain the Document Signer Certificate (CDS), see also Doc 9303-10) from the contactless IC.
- The Inspection System SHALL build and validate a certification path from a Trust Anchor to the Document Signer Certificate used to sign the Document Security Object (SOD) according to Doc 9303-12.
- The Inspection System SHALL use the verified Document Signer Public Key to verify the signature of the Document Security Object (SOD).
- The Inspection System MAY read relevant Data Groups from the contactless IC.
- The Inspection System SHALL ensure that the contents of the Data Group are authentic and unchanged by hashing the contents and comparing the result with the corresponding hash value in the Document Security Object (SOD).
— ICAO Doc9303 Part 11, Chapter 5.1.1 Passive Authentication – Inspection Process (accessed on the 12.10.2021)
Active Authentication (AA)
Verifies that the Chip is not cloned. The Active Authentication protocol is optional and may therefore not be supported by all eMRTDs.
Basic/Simplified Process of Active Authentication protocol:
- (Conditional) Inspection System reads the AA-Info from Data Group 14 (DG14).
- Inspection System reads the public key for AA from Data Group 15 (DG15)
- Inspection System generates a random challenge and sends the challenge to the Chip.
- The challenge is signed by the Chip with a secret private key associated with the public key for AA from DG15.
- The Inspection System is able to verify that the Chip is indeed in possession of the private key.
The chip will sign the challenge using either the RSA or the ECDSA algorithm. If the ECDSA is used, the Hash algorithm is mentioned by an Active-Authentication-Info (AA-Info) from DG14.
A cloned Chip can not know the private key as the private key can not be extracted from the Chip.
The authenticity of the public key in DG15 can be verified with Passive Authentication. The authenticity of the AA-Info (conditional) in DG14 can be verified with Passive Authentication. The result of AA is only meaningful in combination with a successful Passive Authentication.
Chip Authentication (CA)
Verifies that the Chip is not cloned and establishes new encryption keys (encryption-key, message-authentication-key) for the encrypted communication between Inspection System and Chip. CA has a similar purpose than AA but is the newer protocol that additionally strengthens the encryption for the communication between Inspection System and Chip.
The Chip Authentication protocol is optional and may therefore not be supported by all eMRTDs.
Basic/Simplified Process of Chip Authentication protocol:
- The Inspection System reads the public key for CA from Data Group 14 (DG14).
- The Inspection System generates a public-/private-key pair.
- The Inspection System sends his public key to the Chip.
- Both parties use their secret private key and the other’s public key to derive a shared secret.
- Both parties derive new keys (encryption-key, message-authentication-key) from the shared secret for the encrypted communication.
A cloned Chip can not know the private key matching the public key for CA from DG14, as the private key can not be extracted from the Chip. A cloned Chip is not able to continue the communication with the Inspection System.
The authenticity of the public key in DG14 can be verified with Passive Authentication. The result of CA is only meaningful in combination with a successful Passive Authentication.
Simplified eMRTD Verification Procedure
To summarize this a simplified rundown of an eMRTD verification:
- Read File Card Access (if present)
- Perform Access Control (either BAC or PACE)
- Read SOD File
- Read Data Group 14 (if present) & Perform Chip Authentication (if available)
- Read Data Group 15 (if present) & Perform Active Authentication (if available)
- Read Data Groups 1, 2 and other Data Groups (if present)
- Verify Integrity and Authenticity of the read Data-Groups with the steps described in Passive Authentication