In a previous blog post, we provided an overview of the different security mechanisms for ePassports and similar ICAO 9303 documents. In this blog, we zoom in on the security measures to protect the privacy of the holder.
[updated on 28 July 2022, original post July 2020]
Passports and other identity documents contain privacy-sensitive information, that must be protected against unauthorized access. Even though NFC chips in passports require close proximity between reader and document, several security mechanisms are implemented that mitigate remaining concerns:
- Involuntary reads, where an attacker learns the content of a document by holding a reader close to someone’s wallet.
- Eavesdropping, where an attacker learns the content of a document by capturing the contents of a voluntary read. This would be a challenge since this attacker would have to place something between a reader and a document that can only be centimetres apart, but not impossible.
Basic Access Control (BAC) and Password Authenticated Connection Establishment (PACE) are both protocols implemented by passports and identity documents to prevent these attacks and are discussed in the next sections of this blog. Electronic driver licenses according to the ISO 18013 specification implement basically the same protocols where BAC has been renamed to BAP or Basic Access Protection.
Besides these security mechanisms to protect access to the chip, some countries have added metal shielding to the passport cover. The passport then must be opened to be able to read the chip. The United States passport is an example of a country that has added shielding to its passports.
Some passports and other identity documents contain especially sensitive biometric information such as fingerprints or iris scans. Access to this information is limited to authorized authorities only, and an extra security mechanism, called Extended Access Control (EAC), must be in place that restricts access further.
Basic Access Control
Basic Access Control (BAC) is the simplest and oldest mechanism to protect access to the chip found in ePassports. To access a chip that is protected by BAC, you need to know the document number, the date of birth of the holder and the expiry date of the document. This information is used as a password to encrypt all communication with the passport and can be found in the Machine-Readable Zone of the document. This mechanism prevents unauthorised access to the chip because only entities that know the information that is used as the password can access the chip.
The idea behind it is simple and elegant: you can only get access to the content of the chip if you already have optical access to the document, i.e., you already know what is on the chip. Eavesdropping is prevented as well because an attacker that intercepts the communication between chip and reader cannot decrypt it without knowledge of the password. Before 2020, BAC was used in all ePassports and similar, but the first identity documents without BAC have appeared in 2020. They only support its successor PACE, which we’ll explain below.
There has been some debate on the security of BAC, as the combination of document number, date of birth and expiry date can in some cases be guessed by brute-forcing all possible combinations. The security of the password is especially reduced if some of the fields can somehow be related to each other. For example, if an issuer would increment the document number for each document that was issued, the document number is related to the date the document was issued, and therefore also related to the expiry date of the document.
Relations like this effectively reduce the number of possible variations (entropy) of the password and as such reduce the security. This weakness has a larger impact on eavesdropping than on access control. An attacker can record the communication and try many passwords afterwards, but the number of attempts to get access is typically limited by the passport. For example, it may respond very slowly after a reader tries to get access with an incorrect BAC, thereby making a try-many-different-BAC-combinations attack very unpractical.
Password Authenticated Connection Establishment
Password Authenticated Connection Establishment (PACE) is the successor of BAC that uses more modern cryptography to provide an increased level of security. It is sometimes also referred to as Supplemental Access Control (SAC).
The EU mandates the implementation of PACE by its member states for newly issued travel documents. Passports that have support for PACE also support BAC to remain compatible with the ICAO 9303 standard, which requires documents that support PACE to also support the older BAC. PACE solves the possible security problems of BAC by exchanging strong passwords to prevent eavesdropping immediately after access control.
For getting access to the chip, the same combination of document number, birthdate and expiry date is used as a password. Additionally, the chip can accept one or more Card Access Numbers (CAN) as a password. Typically, a CAN is only 6 digits long and is printed on the document, like the Machine-Readable Zone.
InnoValor, as the only mobile vendor, participated in the PACE interoperability tests that were done at Secure Document World in May 2016 (SDW Interop 2016) and by the EU Joint Reach Centre in 2017 (eMRTD Interop test, ISPRA 2017).
Starting in January 2018, documents that implement PACE are no longer required by the ICAO standard to implement BAC for backwards compatibility. Since 2020, some countries have dropped support for BAC in newly issued documents, requiring PACE to get access to the content on the chip.
Which one to use?
ReadID supports both BAC and PACE on iOS and Android, so it may seem like a trivial decision which mechanism to use: detect if the document supports PACE. If so, we use PACE since it is more secure than BAC. If not, BAC is a fallback. The ICAO 9303 standard also requires this behaviour from readers.
In practice, usability and performance must be considered. The additional level of security that PACE provides comes at the price of computationally more expensive operations that must be performed by the NFC chip. The ReadID SDK intelligently determines the best setting depending on the phone, type of document and the issuing date of the document. It is however possible to override this behaviour by manually specifying a preferred protocol (BAC or PACE).
Extended Access Control
The third privacy-related security mechanism we discuss in this blog is Extended Access Control (EAC). This is used to protect more privacy-sensitive information in the chip, especially fingerprints. EAC must be executed before the fingerprints can be read. The ICAO standard only suggests implementing additional access control mechanisms for protecting more sensitive information but leaves the specification up to its member states. EAC is therefore not an ICAO standard, but in Europe, it has been standardised by the BSI (see here and here). EAC consists of two mechanisms: Chip Authentication (CA) and Terminal Authentication (TA). The first is a cloning detection mechanism that we’ll discuss in another blog post. EAC-TA is about privacy and thus the subject of this blog post.
Contrary to BAC and PACE, the execution of EAC-TA does not involve a password that can be derived from information on the data page. Instead, the terminal (a device that reads the passport) must present a government-issued certificate to the chip, to prove that it is authorised to read such sensitive information.
In practice, only a very few organisations such as national border control, police and local governments receive authorization to read the fingerprints from a passport. Especially in an international context, it is very difficult to arrange. Because of this, EAC-TA seems to be used very little. We have already implemented EAC-TA some years ago, and ReadID can support EAC-TA for customers that have received such authorization. This is however currently not a production feature.
This blog post provided a short overview of privacy-related security mechanisms. In follow-up blog posts, we explain the security features of ePassports that are related to authenticity of the chip and clone detection.