The NFC chips in ePassports and similar documents contain personal information such as name, birthdate, nationality and face image.
In this blogpost we’ll provide an overview of the different security mechanisms that these RFID chips implement to protect this information. We also explain how ReadID uses these mechanisms. We try to keep this not too technical, and will provide more details in follow-up blog posts.
The main standard for these security mechanisms is the ICAO Doc 9303 specification. ICAO stands for International Civil Aviation Organization and is part of the United Nations. ReadID also supports the comparable ISO-18013 standard for electronic driving licences, but for brevity we ignore this in this blogpost.
The security mechanisms are there to:
- Privacy – protect the privacy of the document holder by implementing access control and preventing eavesdropping
- Authenticity – ensure that the chip is not a forgery and that it is not manipulated
- Clone detection – detect if the chip is a copy
Privacy is very important for the passport holder, since the chip contains privacy-sensitive information, such as personal numbers. In addition, this information can be used for identity theft. Someone has to be pretty close to the NFC chip to be able to read the content, but access control is needed nevertheless. For example, you do not want someone in line behind you in the supermarket to hold their smartphone close to your wallet and read the content. In addition, for example at an airport, secure messaging is needed to prevent someone from eavesdropping on the communication between your passport and the Automatic Border Control gate that is reading the chip in your passport.
The best known and most used access control security mechanism is Basic Access Control (BAC). The combination of document number, date of expiry and date of birth forms an access key, or password if you will, to access the chip. The idea behind this is that you need access to the holder page of the passport to be allowed to read the chip. Since the chip basically contains the same personal information as the holder page, there is no privacy loss when reading the chip: this information was already known. BAC also establishes an encrypted communication channel that prevents eavesdropping.
Since it is quite annoying to type the document number, date of expiry and date of birth, we use the smartphone camera to scan this information from the so-called Machine Readable Zone (MRZ, the bottom two or three lines in a passport / identity card). We use our own Optical Character Recognition technology for this.
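The following is an added example (not ReadID's code) showing how the three MRZ fields become the BAC key material according to ICAO Doc 9303 Part 11: each field gets its MRZ check digit, the concatenation is hashed with SHA-1 to form K_seed, and the encryption and MAC keys are derived from it with parity adjustment for 3DES. The sample values are the specification's own worked example, not a real document.

```python
import hashlib

# Added example, not ReadID's code: BAC key derivation from the MRZ fields
# as described in ICAO Doc 9303 Part 11 (SHA-1 based, 3DES parity adjusted).

def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1 repeat over the characters;
    digits count as their value, A-Z as 10-35 and the filler '<' as 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def adjust_parity(key: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key:
        ones_in_upper_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_upper_bits % 2 else 1))
    return bytes(out)

def bac_keys(document_number: str, date_of_birth: str, date_of_expiry: str):
    """Return (K_seed, K_enc, K_mac). Dates are YYMMDD as printed in the MRZ;
    a document number shorter than 9 characters is padded with '<' as in the MRZ."""
    doc = document_number.ljust(9, "<")
    mrz_information = (doc + mrz_check_digit(doc)
                       + date_of_birth + mrz_check_digit(date_of_birth)
                       + date_of_expiry + mrz_check_digit(date_of_expiry))
    k_seed = hashlib.sha1(mrz_information.encode("ascii")).digest()[:16]

    def derive(counter: int) -> bytes:   # counter 1 -> K_enc, counter 2 -> K_mac
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return adjust_parity(digest[:16])  # two 8-byte DES keys Ka || Kb
    return k_seed, derive(1), derive(2)

if __name__ == "__main__":
    seed, k_enc, k_mac = bac_keys("L898902C", "690806", "940623")
    print("K_seed:", seed.hex().upper())
    print("K_enc: ", k_enc.hex().upper())
    print("K_mac: ", k_mac.hex().upper())
```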
BAC does, however, have a successor called PACE. Many passports implement both BAC and PACE, but since 2020 there are documents that no longer support BAC, so PACE is an important security mechanism to have.
Using BAC or PACE you can access almost all information in the chip with one important exception: the fingerprints. Access to these is not possible without authorization from the issuing country. We explain this, and details on BAC and PACE, in this blog post.
From a security perspective, this is the most important of the three goals: we want to make sure the RFID chip content is actually issued by the government and is not manipulated. The underlying principle for verifying integrity is digital signatures. This is a common principle in computer security: data is signed by the issuer (e.g., the US government) using a so-called private key, and the receiver of this information (e.g., a French police officer) can verify that this data is actually from the US government, using the so-called public key of the US government. This makes it possible to check that a passport is indeed issued by, in this case, the US government and that the content of the chip is not altered. You may not be aware of this, but e.g. your banking card and https in your browser are based on this principle.
This security mechanism to check the integrity is called Passive Authentication, and the certificate with the public key is called the Country Certificate. This security mechanism is called passive because ReadID does not need to interact with the chip during verification. ReadID thus reads the content of the chip, and then checks the digital signatures on the content. This can be done on the smartphone (ReadID’s client-only deployment model), but in most cases doing this on the server is more secure (client-server or SaaS deployment model).
In this blogpost we explain Passive Authentication in more detail, including the challenge of having the correct Country Certificate.
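As an added illustration (not ReadID's code), the block below models the data-group hash check that is part of Passive Authentication: the chip's Document Security Object (SOD) carries a hash of every data group written at issuance, and the verifier recomputes the hashes of the groups it actually read. The SOD is represented as a plain dict and the data groups are constructed samples; the signature over the SOD, which on a real chip is checked against the Country Certificate, is not implemented here.

```python
import hashlib
import hmac

# Added example, not ReadID's code. The SOD is modelled as {dg_number: digest};
# on a real chip it is a signed structure whose signature is verified separately.

def check_data_group_hashes(sod_hashes: dict, hash_name: str, data_groups: dict) -> dict:
    """Per-data-group verdict: 'ok', 'tampered', 'unsigned' (present on the chip
    but not covered by the SOD) or 'not-read' (listed in the SOD but not read)."""
    verdicts = {}
    for dg, content in data_groups.items():
        if dg not in sod_hashes:
            verdicts[dg] = "unsigned"        # nothing vouches for this group
            continue
        actual = hashlib.new(hash_name, content).digest()
        verdicts[dg] = "ok" if hmac.compare_digest(actual, sod_hashes[dg]) else "tampered"
    for dg in sod_hashes:
        verdicts.setdefault(dg, "not-read")  # signed but not read: no claim made
    return verdicts

def passive_authentication_ok(verdicts: dict) -> bool:
    """Integrity holds only if every group that was read matches its signed hash."""
    return all(v in ("ok", "not-read") for v in verdicts.values())

# Constructed sample content: DG1 holds the MRZ, DG2 the face image (stand-in bytes).
ISSUED = {
    1: b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<",
    2: b"\xff\xd8 constructed face image bytes",
}
SOD = {dg: hashlib.sha256(content).digest() for dg, content in ISSUED.items()}

def demo():
    """Return verdicts for a genuine read and for a read where DG2 was replaced."""
    genuine = check_data_group_hashes(SOD, "sha256", ISSUED)
    altered = {**ISSUED, 2: b"\xff\xd8 swapped face image"}
    tampered = check_data_group_hashes(SOD, "sha256", altered)
    return genuine, tampered

if __name__ == "__main__":
    for label, verdicts in zip(("genuine", "tampered"), demo()):
        print(label, verdicts, "->", passive_authentication_ok(verdicts))
```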
The authenticity checks discussed above confirm that the chip content is authentic, but the chip itself could be cloned. Put differently, Passive Authentication proves that a person with certain personal details exists, but does not prove that the information was read from the original passport. Depending on the use case, knowing that the holder is in possession of the original passport is desirable or even absolutely necessary. Where support for Basic Access Control (or PACE) and Passive Authentication is basically universal in ICAO 9303 documents, for clone detection there is more variation. Some, mostly older, passports do not support it at all. There are two security mechanisms for clone detection: Active Authentication and Chip Authentication. ReadID implements both in our client-only and SaaS versions. For details, see our blog post on this topic.