Extended access control
Encyclopedia
Extended Access Control (EAC) is a mechanism specified to allow only an authorized Inspection System (the system used to read an e-passport) to read sensitive biometric data, such as fingerprints, from e-passports. EAC is mentioned in ICAO Doc 9303, but the description there is not very clear.

There are several different implementations of the mechanism, which must be implemented along with Basic Access Control (BAC), which is mandatory in the EU. The European Commission, in its decision No 2909 of 28 June 2006, described what technology will be used to protect fingerprints in the Member States' e-passports. The deadline for the member states to start issuing fingerprint-enabled e-passports was set to 28 June 2009. The specification selected for the EU e-passports was prepared by the German Federal Office for Information Security (BSI) in its technical report TR-03110. Several other countries implement their own EAC.

EAC - Chip Authentication

Chip Authentication (CA) has two functionalities:
  • authenticate the chip and prove that the chip is genuine (not cloned);
  • establish a strongly secured communication channel (stronger than the one established by the BAC mechanism).

EAC - Terminal Authentication

Terminal Authentication (TA) is used to determine whether the Inspection System (IS) is allowed to read the sensitive data from the e-passport. The mechanism is based on digital certificates. The certificates are not X.509 certificates but card verifiable certificates.

Each terminal, or Inspection System, is granted a Card Verifiable Certificate (CVC) by a Document Verifier (DV). The Inspection System's certificate is valid only for a short period, typically between 1 day and 1 month. An Inspection System may have several CVCs installed at any time, one for each country that allows it to read sensitive data. The CVC allows the Inspection System to request one or more items of sensitive data, such as data for iris recognition or fingerprint recognition.

The Document Verifier certificate is granted by the Country Verification Certificate Authority (CVCA). These certificates can be for domestic or foreign Document Verifiers. The certificates are typically issued for medium periods, between half a month and 3 months. The CVCA certificate is generated by each country and is typically valid for 6 months to 3 years.

External links

  • OpenSCDP.org - Open Source EAC-PKI for development and testing
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.