Extended Access Control: Difference between revisions

From Wikipedia, the free encyclopedia
Revision as of 03:48, 5 January 2012

Extended Access Control (EAC) is a set of mechanisms that restricts the reading of sensitive biometric data stored on an e-passport, such as fingerprints, to authorized Inspection Systems (the readers used to inspect e-passports). EAC is mentioned in ICAO Doc 9303, but the description there is not detailed.

There are several different implementations of the mechanism; in the EU, EAC must be implemented in addition to Basic Access Control (BAC), which is mandatory. The European Commission, in its decision No 2909 of 28 June 2006, specified the technology to be used to protect fingerprints in member states' e-passports and set 28 June 2009 as the deadline for member states to start issuing fingerprint-enabled e-passports. The specification selected for EU e-passports was prepared by the German Federal Office for Information Security (BSI) in its technical guideline TR-03110.[1] Several other countries implement their own EAC.

EAC as defined by the EU

Chip authentication

Chip authentication (CA) has two functions:

  • authenticate the chip and prove that it is genuine (not cloned);
  • establish a strongly secured communication channel (stronger than the one established by the BAC mechanism).
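As an added illustration (not code from the original article, from BSI or from any EAC implementation it cites), the Go program below models the chip authentication exchange as TR-03110 specifies it: the chip holds a static key pair whose public half is published in data group 14 (DG14), the inspection system generates an ephemeral key pair, both sides run an elliptic-curve Diffie-Hellman agreement, and the session keys for the stronger channel are derived from the shared secret with the TR-03110 key derivation function (SHA-1 over the secret and a 32-bit counter, counter 1 for the encryption key and 2 for the MAC key, truncated to 16 bytes for AES-128). The curve (P-256) and all names (`Chip`, `TerminalStart`, `RunChipAuthentication`) are this example's choices, and the DG14 key is assumed to have been validated by Passive Authentication beforehand. A cloned chip can copy DG14 but not the private key, so it derives different session keys and the secure channel fails at the first MAC check; that implicit proof of key possession is how CA establishes genuineness.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// SessionKeys are the keys for the secure messaging channel set up by CA.
type SessionKeys struct {
	KEnc, KMac []byte
}

// kdf follows the TR-03110 key derivation for AES-128 session keys:
// SHA-1(sharedSecret || 32-bit big-endian counter), truncated to 16 bytes.
// Counter 1 yields the encryption key, counter 2 the MAC key.
func kdf(shared []byte, counter uint32) []byte {
	h := sha1.New()
	h.Write(shared)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	return h.Sum(nil)[:16]
}

func deriveSessionKeys(shared []byte) SessionKeys {
	return SessionKeys{KEnc: kdf(shared, 1), KMac: kdf(shared, 2)}
}

// Chip holds the static CA key pair. The public half is what DG14 publishes;
// the private half never leaves the chip, which is exactly what a clone lacks.
type Chip struct {
	static *ecdh.PrivateKey
}

func NewChip() (*Chip, error) {
	k, err := ecdh.P256().GenerateKey(rand.Reader) // curve choice is this example's
	if err != nil {
		return nil, err
	}
	return &Chip{static: k}, nil
}

// DG14PublicKey returns the chip's static public key as DG14 would carry it.
func (c *Chip) DG14PublicKey() []byte { return c.static.PublicKey().Bytes() }

// Respond is the chip side of CA: agree on a shared secret with the
// terminal's ephemeral public key and derive the session keys.
func (c *Chip) Respond(terminalEphemeral []byte) (SessionKeys, error) {
	pub, err := ecdh.P256().NewPublicKey(terminalEphemeral)
	if err != nil {
		return SessionKeys{}, err
	}
	shared, err := c.static.ECDH(pub)
	if err != nil {
		return SessionKeys{}, err
	}
	return deriveSessionKeys(shared), nil
}

// TerminalStart is the inspection-system side: generate an ephemeral key pair,
// agree on a secret with the static key read from DG14 (assumed already checked
// by Passive Authentication) and derive the same session keys. It returns the
// ephemeral public key that is sent to the chip.
func TerminalStart(dg14PublicKey []byte) ([]byte, SessionKeys, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, SessionKeys{}, err
	}
	chipPub, err := ecdh.P256().NewPublicKey(dg14PublicKey)
	if err != nil {
		return nil, SessionKeys{}, err
	}
	shared, err := eph.ECDH(chipPub)
	if err != nil {
		return nil, SessionKeys{}, err
	}
	return eph.PublicKey().Bytes(), deriveSessionKeys(shared), nil
}

// RunChipAuthentication runs the exchange against a chip that presents
// dg14PublicKey and reports whether both ends derived the same keys. A real
// terminal never sees this directly: a mismatch shows up as the first
// secure-messaging command failing its MAC check.
func RunChipAuthentication(chip *Chip, dg14PublicKey []byte) (bool, error) {
	ephemeral, terminalKeys, err := TerminalStart(dg14PublicKey)
	if err != nil {
		return false, err
	}
	chipKeys, err := chip.Respond(ephemeral)
	if err != nil {
		return false, err
	}
	return bytes.Equal(terminalKeys.KEnc, chipKeys.KEnc) &&
		bytes.Equal(terminalKeys.KMac, chipKeys.KMac), nil
}

func main() {
	genuine, _ := NewChip()
	clone, _ := NewChip() // copied DG14 contents, but its own private key
	ok, _ := RunChipAuthentication(genuine, genuine.DG14PublicKey())
	fmt.Println("genuine chip derives matching session keys:", ok)
	ok, _ = RunChipAuthentication(clone, genuine.DG14PublicKey())
	fmt.Println("clone derives matching session keys:", ok)
}
```

The program needs Go 1.20 or later for `crypto/ecdh`. Run it with `go run`: the genuine chip agrees with the terminal on the session keys, the clone does not.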

Terminal authentication

Terminal authentication (TA) is used to determine whether the Inspection System (IS) is allowed to read sensitive data from the e-passport. The mechanism is based on digital certificates. The certificate format is not X.509 but card verifiable certificates (CVCs), a compact format that the chip itself can parse and verify.

Each terminal, or inspection system, is granted a card verifiable certificate (CVC) by a document verifier (DV). The inspection system's certificate is valid only for a short period, typically between one day and one month. An inspection system may have several CVCs installed at any time, one for each country that allows it to read sensitive data. The CVC authorizes the inspection system to request one or more items of sensitive data, such as data for iris or fingerprint recognition.[2]

The document verifier's certificate is issued by the country verifying certificate authority (CVCA). These certificates can be issued to domestic or foreign document verifiers, and are typically valid for a medium period, between half a month and 3 months. Each country operates its own CVCA, whose certificate is typically valid for 6 months to 3 years.[2]
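As an added example (not code from the article or from any EAC-PKI it links to), the Go program below models the chip's side of terminal authentication over the three-level chain described above: a CVCA certificate the chip trusts, a DV certificate issued under it, and the IS certificate issued by the DV. It checks issuer references, signatures and validity periods link by link, and computes the rights the IS ends up with as the intersection of the rights along the chain, so an IS cannot read iris data if its DV was never allowed to grant that. The certificate structure, the holder references (`DECVCA00001` and the like, constructed for this example), the rights bits and the ECDSA/P-256 choice are simplifications; real CVCs are compact TLV structures with their own rights encoding. One caveat the article does not mention: the chip has no clock, so the `now` it compares against is an estimate it maintains from the newest effective date of certificates it has verified, which is one reason IS certificates are kept so short-lived.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Read rights as a bit mask, in the spirit of the access-rights field of an
// EAC CVC. Illustrative bit assignment, not the TR-03110 layout.
const (
	ReadFingerprint uint8 = 1 << 0 // DG3
	ReadIris        uint8 = 1 << 1 // DG4
)

// CVC is a simplified card-verifiable certificate; real ones are TLV-encoded.
type CVC struct {
	Holder     string // certificate holder reference
	Authority  string // certification authority reference (issuer's Holder)
	PublicKey  *ecdsa.PublicKey
	Effective  time.Time
	Expiration time.Time
	Rights     uint8
	Signature  []byte
}

// digest hashes every field the issuer's signature covers.
func (c *CVC) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%s|", c.Holder, c.Authority)
	h.Write(c.PublicKey.X.Bytes())
	h.Write(c.PublicKey.Y.Bytes())
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(c.Effective.Unix()))
	h.Write(t[:])
	binary.BigEndian.PutUint64(t[:], uint64(c.Expiration.Unix()))
	h.Write(t[:])
	h.Write([]byte{c.Rights})
	return h.Sum(nil)
}

func GenKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Issue signs a certificate for holder with the issuer's key. authority is the
// issuer's own holder reference; for a self-signed CVCA it equals holder.
func Issue(issuer *ecdsa.PrivateKey, authority, holder string, pub *ecdsa.PublicKey,
	from time.Time, validFor time.Duration, rights uint8) (*CVC, error) {
	c := &CVC{Holder: holder, Authority: authority, PublicKey: pub,
		Effective: from, Expiration: from.Add(validFor), Rights: rights}
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, c.digest())
	if err != nil {
		return nil, err
	}
	c.Signature = sig
	return c, nil
}

// VerifyChain is the chip's side of TA: starting from the CVCA certificate it
// trusts, it checks each DV and IS certificate (issuer reference, signature,
// validity at now) and returns the rights the IS ends up with, the AND over the
// chain. now is supplied by the caller; a real chip has no clock and estimates
// it from the newest effective date it has seen.
func VerifyChain(trusted *CVC, chain []*CVC, now time.Time) (uint8, error) {
	issuer, rights := trusted, trusted.Rights
	for _, c := range chain {
		if c.Authority != issuer.Holder {
			return 0, fmt.Errorf("%s: issued by %q, expected %q", c.Holder, c.Authority, issuer.Holder)
		}
		if !ecdsa.VerifyASN1(issuer.PublicKey, c.digest(), c.Signature) {
			return 0, fmt.Errorf("%s: signature does not verify under %s", c.Holder, issuer.Holder)
		}
		if now.Before(c.Effective) || now.After(c.Expiration) {
			return 0, fmt.Errorf("%s: not valid on %s", c.Holder, now.Format("2006-01-02"))
		}
		rights &= c.Rights
		issuer = c
	}
	return rights, nil
}

func main() {
	now := time.Date(2012, 1, 5, 0, 0, 0, 0, time.UTC) // constructed inspection date
	cvcaKey, _ := GenKey()
	dvKey, _ := GenKey()
	isKey, _ := GenKey()
	// Validity periods in line with the text: years for the CVCA, weeks for the DV, days for the IS.
	cvca, _ := Issue(cvcaKey, "DECVCA00001", "DECVCA00001", &cvcaKey.PublicKey, now.AddDate(-1, 0, 0), 3*365*24*time.Hour, ReadFingerprint|ReadIris)
	dv, _ := Issue(cvcaKey, "DECVCA00001", "DEDV00001", &dvKey.PublicKey, now.AddDate(0, 0, -10), 60*24*time.Hour, ReadFingerprint)
	is, _ := Issue(dvKey, "DEDV00001", "DEIS00001", &isKey.PublicKey, now, 7*24*time.Hour, ReadFingerprint|ReadIris)
	rights, err := VerifyChain(cvca, []*CVC{dv, is}, now)
	fmt.Printf("rights=%02b err=%v (IS asked for iris, DV could not grant it)\n", rights, err)
	_, err = VerifyChain(cvca, []*CVC{dv, is}, now.AddDate(0, 0, 30))
	fmt.Println("30 days later:", err)
}
```

Note that the IS certificate requests both fingerprint and iris access, but because its DV only holds fingerprint rights the chip grants fingerprint only; the DV cannot delegate more than the CVCA gave it, and the IS cannot obtain more than its DV holds.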

External references

  1. Bundesamt für Sicherheit in der Informationstechnik (BSI). "Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC)", Technical Guideline TR-03110 (PDF). Retrieved 2009-11-26.
  2. Kügler, Dennis. "Extended Access Control: Infrastructure and Protocol" (PDF). Retrieved 2010-03-25.

External links

  • OpenSCDP.org – Open Source EAC-PKI for development and testing