Extended Access Control: Difference between revisions
Content deleted Content added
DavidWalker7 (talk | contribs) Added in details about mobile access control |
Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0.9.5 |
||
| (17 intermediate revisions by 15 users not shown) | |||
| Line 1: | Line 1: | ||
'''Extended Access Control''' (EAC) is a set of advanced security features for [[Biometric passport|electronic passports]] that protects and restricts access to sensitive personal data contained in the [[Radio-frequency identification|RFID]] chip. In contrast to common personal data (like the |
'''Extended Access Control''' ('''EAC''') is a set of advanced security features for [[Biometric passport|electronic passports]] that protects and restricts access to sensitive personal data contained in the [[Radio-frequency identification|RFID]] chip. In contrast to common personal data (like the bearer's photograph, names, date of birth, etc.) which can be protected by basic mechanisms, more sensitive data (like [[fingerprint]]s or [[iris images]]) must be protected further for preventing unauthorized access and skimming. A chip protected by EAC will allow that this sensitive data is read (through an encrypted channel) only by an authorized passport inspection system.<ref> |
||
{{cite web |
{{cite web |
||
| title = Security and privacy issues in machine readable travel documents (MRTDs) |
| title = Security and privacy issues in machine readable travel documents (MRTDs) |
||
| url = http://domino.watson.ibm.com/library/CyberDig.nsf/papers/751B6341BFB9015485256FDB005DB216/$File/RC23575.pdf |
| url = http://domino.watson.ibm.com/library/CyberDig.nsf/papers/751B6341BFB9015485256FDB005DB216/$File/RC23575.pdf |
||
| work = RC 23575 (W0504-003) |
| work = RC 23575 (W0504-003) |
||
| |
|author1=G. S. Kc |author2=P. A. Karger | publisher = IBM |
||
| publisher = IBM |
|||
| accessdate = 4 Jan 2012 |
| accessdate = 4 Jan 2012 |
||
| date = 1 April 2005 |
| date = 1 April 2005 |
||
| Line 11: | Line 10: | ||
{{cite book |
{{cite book |
||
| title = Public key infrastructure: 4th European PKI Workshop : theory and practice, EuroPKI 2007 |
| title = Public key infrastructure: 4th European PKI Workshop : theory and practice, EuroPKI 2007 |
||
| |
|author1=Javier López |author2=Pierangela Samarati |author3=Josep L. Ferrer | publisher = Springer |
||
| publisher = Springer |
|||
| year = 2007 |
| year = 2007 |
||
| isbn = 978-3-540-73407-9 |
| isbn = 978-3-540-73407-9 |
||
| page = 41 |
| page = 41 |
||
| url = |
| url = https://books.google.com/books?id=cNanimitjLwC&pg=PA41 |
||
}}</ref> |
}}</ref> |
||
EAC was introduced by [[International Civil Aviation Organization|ICAO]] |
EAC was introduced by [[International Civil Aviation Organization|ICAO]]<ref>{{cite book |
||
| title = ICAO Doc 9303, Machine Readable Travel Documents, Part 1: Machine Readable Passports, Volume 2: Specifications for Electronically Enabled Passports with Biometric Identification Capability |
| title = ICAO Doc 9303, Machine Readable Travel Documents, Part 1: Machine Readable Passports, Volume 2: Specifications for Electronically Enabled Passports with Biometric Identification Capability |
||
| publisher = International Civil Aviation Organization ([[ICAO]]) |
| publisher = International Civil Aviation Organization ([[ICAO]]) |
||
| Line 27: | Line 25: | ||
| section = 5.8 Security for additional biometrics |
| section = 5.8 Security for additional biometrics |
||
| url = http://www.icao.int/Security/mrtd/Pages/Document9303.aspx |
| url = http://www.icao.int/Security/mrtd/Pages/Document9303.aspx |
||
}}</ref><ref>{{cite journal| |
}}</ref><ref>{{cite journal|title=Temporat Secure Digital Identity|journal=EPassport Extended Access Control|volume=White Paper|url=http://www.securitydocumentworld.com/client_files/eac_white_paper_210706.pdf|accessdate=19 June 2013|archive-url=https://web.archive.org/web/20061021005853/http://www.securitydocumentworld.com/client_files/eac_white_paper_210706.pdf|archive-date=21 October 2006|url-status=dead}}</ref> as an optional security feature (additional to [[Basic Access Control]]) for restricting access to sensitive [[Biometrics|biometric]] data in an electronic [[Machine-readable passport|MRTD]]. A general idea is given: the chip must contain chip-individual keys, must have processing capabilities and additional key management will be required. However, ICAO leaves the actual solution open to the implementing States. |
||
There are several different proposed implementations of the mechanism, all of which must retain [[Backward compatibility|backward-compatibility]] with the [[Legacy system|legacy]] [[Basic Access Control]] (BAC), which is mandatory in all [[European Union|EU]] countries. The European Commission described that the technology will be used to protect fingerprints in member states' e-passports. The deadline for member states to start issuing fingerprint-enabled e-passports was set to be 28 June 2009. The specification selected for EU e-passports was prepared by the German [[Federal Office for Information Security]] (BSI) in their technical report TR-03110.<ref name="tr-03110"> |
There are several different proposed implementations of the mechanism, all of which must retain [[Backward compatibility|backward-compatibility]] with the [[Legacy system|legacy]] [[Basic Access Control]] (BAC), which is mandatory in all [[European Union|EU]] countries. The European Commission described that the technology will be used to protect fingerprints in member states' e-passports. The deadline for member states to start issuing fingerprint-enabled e-passports was set to be 28 June 2009. The specification selected for EU e-passports was prepared by the German [[Federal Office for Information Security]] (BSI) in their technical report TR-03110.<ref name="tr-03110"> |
||
{{cite web |
{{cite web |
||
| |
| website = BSI |
||
| title = Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC) |
| title = Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC) |
||
| url=https://www.bsi.bund.de/cae/servlet/contentblob/532066/publicationFile/44792/TR-03110_v202_pdf |
| url=https://www.bsi.bund.de/cae/servlet/contentblob/532066/publicationFile/44792/TR-03110_v202_pdf |
||
| Line 39: | Line 37: | ||
==EAC as defined by the EU== |
==EAC as defined by the EU== |
||
EAC as defined by the EU has two requirements: chip and terminal authentication.<ref>{{cite |
EAC as defined by the [[European Union|EU]] has two requirements: chip and terminal authentication.<ref>{{cite web|first=Dennis |last=Kugler|title=Extended Access Control; Infrastructure and control|date=1 June 2006|volume=|url=http://www.interoptest-berlin.de/pdf/Kuegler_-_Extended_Access_Control.pdf|accessdate=19 June 2013}}</ref> |
||
===Chip authentication (for strong session encryption)=== |
===Chip authentication (for strong session encryption)=== |
||
The chip authentication specification defines a handheld device (CAP reader) with a smart card slot, a decimal keypad, and a display capable of displaying at least 12 characters. ''Chip authentication'' (CA) has two functions: |
The chip authentication specification defines a handheld device (CAP reader) with a smart card slot, a decimal keypad, and a display capable of displaying at least 12 characters. ''[[Chip Authentication Program|Chip authentication]]'' (CA) has two functions: |
||
* To authenticate the chip and prove that the chip is genuine. Only a genuine chip can implement communication securely. |
* To authenticate the chip and prove that the chip is genuine. Only a genuine chip can implement communication securely. |
||
* To establish a strongly secured communication channel, using a chip-specific key pair with strong encryption and integrity protection. |
* To establish a strongly secured communication channel, using a chip-specific key pair with strong encryption and integrity protection. |
||
Chip authentication has an add-on Basic Access Control (BAC) with protection against skimming and eavesdropping. |
Chip authentication has an add-on [[Basic access control|Basic Access Control]] (BAC) with protection against skimming and eavesdropping. |
||
===Terminal authentication (access restricted to authorized terminals)=== |
===Terminal authentication (access restricted to authorized terminals)=== |
||
''Terminal authentication'' (TA) is used to determine whether the ''inspection system'' (IS) is allowed to read sensitive data from the e-passport. The mechanism is based on digital certificates which come in the format of ''card verifiable'' certificates. |
''Terminal authentication'' (TA) is used to determine whether the ''inspection system'' (IS) is allowed to read sensitive data from the e-passport. The mechanism is based on [[digital certificates]] which come in the format of ''card verifiable'' certificates. |
||
* Each inspection system is granted a ''card verifiable certificate'' (CVC) from a ''document verifier'' (DV). The inspection system's certificate is valid only for a short time period, typically between 1 day and 1 month. |
* Each inspection system is granted a ''[[Card Verifiable Certificate|card verifiable certificate]]'' (CVC) from a ''document verifier'' (DV). The inspection system's certificate is valid only for a short time period, typically between 1 day and 1 month. |
||
* An inspection system may have several CVCs installed at any time, one for each country that allows it to read sensitive data. |
* An inspection system may have several CVCs installed at any time, one for each country that allows it to read sensitive data. |
||
* The CVC allows the inspection system to request one or more items of sensitive data, such as data for [[iris recognition|iris]] or [[fingerprint recognition]].<ref name="eac-protocol"> |
* The CVC allows the inspection system to request one or more items of sensitive data, such as data for [[iris recognition|iris]] or [[fingerprint recognition]].<ref name="eac-protocol">{{cite web |
||
{{cite web |
|||
| first = Dennis |
| first = Dennis |
||
| last = Kügler |
| last = Kügler |
||
| title = Extended Access Control: Infrastructure and Protocol |
| title = Extended Access Control: Infrastructure and Protocol |
||
| url=http:// |
| url = http://parallels.googlecode.com/svn/trunk/msifakis/WIRELESS/Kuegler_-_Extended_Access_Control.pdf |
||
| accessdate = 2016-05-03 |
|||
}}{{Dead link|date=August 2019 |bot=InternetArchiveBot |fix-attempted=yes }}</ref> |
|||
</ref> |
|||
A document verifier certificate is granted from the ''country verification certificate authority'' (CVCA). These certificates can be for domestic or foreign document verifiers. The certificates are typically issued for medium amounts of time, between half a month and 3 months. The CVCA is generated by each country and is typically valid for 6 months to 3 years.<ref name="eac-protocol" /> |
A document verifier certificate is granted from the ''country verification certificate authority'' (CVCA). These certificates can be for domestic or foreign document verifiers. The certificates are typically issued for medium amounts of time, between half a month and 3 months. The CVCA is generated by each country and is typically valid for 6 months to 3 years.<ref name="eac-protocol" /> |
||
== '''Mobile Access Control (for remote locations)''' == |
|||
[http://www.smi-global.net/mobile-access-control/ Mobile extended access control systems] are used to provide security to remote locations where there is no physical boundary. |
|||
Access is gained with the scan of a personal identity card against the mobile device. |
|||
* The devices have to be certified by the leading security original equipment manufacturers (OEM’s). |
|||
* These devices are used for checking workers onto oil, gad and gold sites, checking card validity, checking cardholder details, attendance and mustering. |
|||
* Mobile readers operate online via Wifi or Cellular communications. |
|||
==External links== |
==External links== |
||
| Line 78: | Line 67: | ||
* [http://www.openscdp.org/scripts/icao/eacpki.html OpenSCDP.org] – Open Source EAC-PKI for development and testing |
* [http://www.openscdp.org/scripts/icao/eacpki.html OpenSCDP.org] – Open Source EAC-PKI for development and testing |
||
* [http://www.ejbca.org/ EJBCA.org] – Open Source PKI (BAC and EAC) |
* [http://www.ejbca.org/ EJBCA.org] – Open Source PKI (BAC and EAC) |
||
* [https://www.bsi.bund.de/ |
* [https://www.bsi.bund.de/EN/Service-Navi/Publications/TechnicalGuidelines/TR03110/BSITR03110.html EAC specifications from BSI] {{Webarchive|url=https://web.archive.org/web/20211227120500/https://www.bsi.bund.de/EN/Service-Navi/Publications/TechnicalGuidelines/TR03110/BSITR03110.html |date=2021-12-27 }} |
||
{{DEFAULTSORT:Extended Access Control}} |
{{DEFAULTSORT:Extended Access Control}} |
||
[[Category:Contactless smart cards]] |
|||
[[Category:International travel documents]] |
[[Category:International travel documents]] |
||
[[Category:Passports]] |
[[Category:Passports]] |
||
Latest revision as of 02:31, 24 March 2024
Extended Access Control (EAC) is a set of advanced security features for electronic passports that protects and restricts access to sensitive personal data contained in the RFID chip. In contrast to common personal data (like the bearer's photograph, names, date of birth, etc.) which can be protected by basic mechanisms, more sensitive data (like fingerprints or iris images) must be protected further for preventing unauthorized access and skimming. A chip protected by EAC will allow that this sensitive data is read (through an encrypted channel) only by an authorized passport inspection system.[1][2]
EAC was introduced by ICAO[3][4] as an optional security feature (additional to Basic Access Control) for restricting access to sensitive biometric data in an electronic MRTD. A general idea is given: the chip must contain chip-individual keys, must have processing capabilities and additional key management will be required. However, ICAO leaves the actual solution open to the implementing States.
There are several different proposed implementations of the mechanism, all of which must retain backward-compatibility with the legacy Basic Access Control (BAC), which is mandatory in all EU countries. The European Commission described that the technology will be used to protect fingerprints in member states' e-passports. The deadline for member states to start issuing fingerprint-enabled e-passports was set to be 28 June 2009. The specification selected for EU e-passports was prepared by the German Federal Office for Information Security (BSI) in their technical report TR-03110.[5] Several other countries implement their own EAC.
EAC as defined by the EU[edit]
EAC as defined by the EU has two requirements: chip and terminal authentication.[6]
Chip authentication (for strong session encryption)[edit]
The chip authentication specification defines a handheld device (CAP reader) with a smart card slot, a decimal keypad, and a display capable of displaying at least 12 characters. Chip authentication (CA) has two functions:
- To authenticate the chip and prove that the chip is genuine. Only a genuine chip can implement communication securely.
- To establish a strongly secured communication channel, using a chip-specific key pair with strong encryption and integrity protection.
Chip authentication has an add-on Basic Access Control (BAC) with protection against skimming and eavesdropping.
Terminal authentication (access restricted to authorized terminals)[edit]
Terminal authentication (TA) is used to determine whether the inspection system (IS) is allowed to read sensitive data from the e-passport. The mechanism is based on digital certificates which come in the format of card verifiable certificates.
- Each inspection system is granted a card verifiable certificate (CVC) from a document verifier (DV). The inspection system's certificate is valid only for a short time period, typically between 1 day and 1 month.
- An inspection system may have several CVCs installed at any time, one for each country that allows it to read sensitive data.
- The CVC allows the inspection system to request one or more items of sensitive data, such as data for iris or fingerprint recognition.[7]
A document verifier certificate is granted from the country verification certificate authority (CVCA). These certificates can be for domestic or foreign document verifiers. The certificates are typically issued for medium amounts of time, between half a month and 3 months. The CVCA is generated by each country and is typically valid for 6 months to 3 years.[7]
External links[edit]
- ^ G. S. Kc; P. A. Karger (1 April 2005). "Security and privacy issues in machine readable travel documents (MRTDs)" (PDF). RC 23575 (W0504-003). IBM. Retrieved 4 Jan 2012.
- ^ Javier López; Pierangela Samarati; Josep L. Ferrer (2007). Public key infrastructure: 4th European PKI Workshop : theory and practice, EuroPKI 2007. Springer. p. 41. ISBN 978-3-540-73407-9.
- ^ "5.8 Security for additional biometrics". ICAO Doc 9303, Machine Readable Travel Documents, Part 1: Machine Readable Passports, Volume 2: Specifications for Electronically Enabled Passports with Biometric Identification Capability (Sixth ed.). International Civil Aviation Organization (ICAO). 2006. p. 84.
- ^ "Temporat Secure Digital Identity" (PDF). EPassport Extended Access Control. White Paper. Archived from the original (PDF) on 21 October 2006. Retrieved 19 June 2013.
- ^ "Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC)" (PDF). BSI. Retrieved 2009-11-26.
- ^ Kugler, Dennis (1 June 2006). "Extended Access Control; Infrastructure and control" (PDF). Retrieved 19 June 2013.
- ^ a b Kügler, Dennis. "Extended Access Control: Infrastructure and Protocol" (PDF). Retrieved 2016-05-03.[permanent dead link]
External links[edit]
- OpenSCDP.org – Open Source EAC-PKI for development and testing
- EJBCA.org – Open Source PKI (BAC and EAC)
- EAC specifications from BSI Archived 2021-12-27 at the Wayback Machine