Extended Access Control

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by ECEOs (talk | contribs) at 10:53, 19 June 2013 (put explanation on EAC and chip authentication ; add citations and references). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Extended Access Control ("EAC") is a member of the family of security measures introduced by ICAO for machine readable travel documents. EAC is the most advanced of these measures and is currently optional; ICAO has not yet fully specified it. However, a very comprehensive proposal from the German Federal Office for Information Security (BSI) provides most of the detail needed by prospective implementers.[1][2] In short, EAC is a mechanism that allows only authorized Inspection Systems (the systems used to read e-passports) to read sensitive biometric data, such as fingerprints, from an e-passport.[3][4]

There are several different implementations of the mechanism, and all of them must be used together with Basic Access Control (BAC), which is mandatory in the EU. The European Commission (No 290; 28 June 2006) specified that the technology will be used to protect fingerprints in member states' e-passports, and set 28 June 2009 as the deadline for member states to start issuing fingerprint-enabled e-passports. The specification selected for EU e-passports was prepared by the German Federal Office for Information Security (BSI) in its technical report TR-03110.[5] Several other countries implement their own variants of EAC.

EAC as defined by the EU

EAC as defined by the EU consists of two mechanisms that are run in sequence: chip authentication and terminal authentication.[6]

Chip authentication (for strong session encryption)

Chip authentication (CA) has two functions:

  • authenticate the chip and prove that it is genuine. The chip holds a chip-individual key pair whose public key is stored on the chip and vouched for by passive authentication; a key agreement with that key pair can only be completed by a chip that holds the private key, so a cloned chip cannot communicate securely. The authentication is implicit: the chip proves possession of its private key by being able to continue the secured session, not by sending a separate signature;
  • establish a strongly secured communication channel. The session keys derived from the chip-individual key agreement provide strong encryption and integrity protection.

CA is used as an add-on to Basic Access Control (BAC), which on its own only provides protection against skimming and eavesdropping.
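The exchange described above, as an added toy-scale example (not code from the page, from BSI or from any ePassport implementation): a chip with a static key pair, a terminal with an ephemeral key pair, TR-03110's KDF(K, c) = H(K || c) construction for the session keys, and a cloned chip that copied the public key but not the private key. The Diffie-Hellman group, the class and method names, and HMAC-SHA256 as the secure-messaging MAC are assumptions made for illustration; real chips use standardized DH or ECDH domain parameters carried in DG14 and an ISO/IEC 9797-1 MAC or CMAC.

```python
"""Chip Authentication (EAC v1 style, TR-03110) as an added toy-scale example,
not the page's own code. A Diffie-Hellman over a toy 127-bit prime stands in
for the standardized DH/ECDH domain parameters in DG14, HMAC-SHA256 stands in
for the secure-messaging MAC, and class, method and parameter names are the
author's assumptions. The KDF(K, c) = H(K || c) construction is TR-03110's."""
import hashlib
import hmac
import os

P = (1 << 127) - 1   # toy group (assumed): Mersenne prime 2^127-1, generator 3;
G = 3                # far too small for real use, for the message flow only
KEY_BYTES = 16

def keygen():
    """Return (private, public) for the toy DH group."""
    priv = int.from_bytes(os.urandom(KEY_BYTES), "big") % (P - 2) + 2
    return priv, pow(G, priv, P)

def kdf(shared_secret: int, counter: int) -> bytes:
    """TR-03110 KDF(K, c) = H(K || c) with a 32-bit counter:
    c = 1 gives the encryption key, c = 2 the MAC key."""
    k = shared_secret.to_bytes(KEY_BYTES, "big")
    return hashlib.sha256(k + counter.to_bytes(4, "big")).digest()[:16]

def mac(k_mac: bytes, ssc: int, data: bytes) -> bytes:
    """Secure-messaging MAC over send sequence counter || data."""
    return hmac.new(k_mac, ssc.to_bytes(8, "big") + data, hashlib.sha256).digest()[:8]

class Chip:
    """ePassport chip. Its static key pair is chip-individual; the public half
    is what DG14 carries (and passive authentication vouches for)."""
    def __init__(self, priv=None, pub=None):
        if priv is None:
            priv, pub = keygen()
        self._priv, self.pub = priv, pub   # _priv never leaves the chip
        self.k_enc = self.k_mac = None
        self.ssc = 0                        # send sequence counter

    def chip_authentication(self, terminal_ephemeral_pub: int) -> None:
        """Take the terminal's ephemeral public key and switch to new session keys."""
        shared = pow(terminal_ephemeral_pub, self._priv, P)
        self.k_enc, self.k_mac = kdf(shared, 1), kdf(shared, 2)
        self.ssc = 0

    def secure_response(self, data: bytes):
        """Return (data, mac) under the new keys; encryption with k_enc is left
        out so the flow stays readable."""
        self.ssc += 1
        return data, mac(self.k_mac, self.ssc, data)

class Terminal:
    """Inspection system side of the protocol."""
    def run_chip_authentication(self, chip: Chip) -> None:
        pk_picc = chip.pub                  # 1. read DG14 (passive authentication assumed done)
        eph_priv, eph_pub = keygen()        # 2. fresh ephemeral key pair ...
        chip.chip_authentication(eph_pub)   #    ... whose public half goes to the chip
        shared = pow(pk_picc, eph_priv, P)  # 3. same shared secret, same session keys
        self.k_enc, self.k_mac = kdf(shared, 1), kdf(shared, 2)
        self.ssc = 0

    def verify_response(self, data: bytes, tag: bytes) -> bool:
        """Implicit authentication: the MAC checks out only if the chip derived
        the same keys, which requires the private key behind DG14."""
        self.ssc += 1
        return hmac.compare_digest(mac(self.k_mac, self.ssc, data), tag)

def inspect_chip(chip: Chip) -> bool:
    """Run CA, then read one protected data group; True if the chip is accepted."""
    term = Terminal()
    term.run_chip_authentication(chip)
    data, tag = chip.secure_response(b"DG2: facial image (constructed sample)")
    return term.verify_response(data, tag)

def demo():
    """A genuine chip passes; a clone that copied DG14 but not the private key fails."""
    genuine = Chip()
    clone = Chip(priv=keygen()[0], pub=genuine.pub)
    return inspect_chip(genuine), inspect_chip(clone)
```

The clone in demo() has the same public key as the genuine chip, so it would pass any check that only compares DG14 against the signed SOD; it fails here because the terminal's next secure-messaging MAC is computed under keys the clone cannot derive. Passive authentication of DG14 is still required before CA: without it an attacker could swap in a key pair of their own.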

Terminal authentication (access restricted to authorized terminals)

Terminal authentication (TA) is used to determine whether the Inspection System (IS) is allowed to read sensitive data from the e-passport. The mechanism is based on digital certificates in the card verifiable certificate (CVC) format, which is compact enough for the chip itself to parse and verify.

  • Each terminal, or inspection system, is issued a card verifiable certificate (CVC) by a document verifier (DV). The inspection system's certificate is valid only for a short period, typically between 1 day and 1 month.
  • An inspection system may have several CVCs installed at any time, one for each country that allows it to read sensitive data.
  • The CVC states which items of sensitive data the inspection system may request, such as the data for iris or fingerprint recognition.[7]


A document verifier certificate is issued by a country verifying certificate authority (CVCA). These certificates can be for domestic or foreign document verifiers and are typically issued for medium periods, between half a month and 3 months. The CVCA root certificate is generated by each country itself and is typically valid for 6 months to 3 years.[7] The chip accepts a terminal only if the complete chain from the chip's own country's CVCA through the DV to the inspection system verifies; the access rights the terminal finally receives are limited by every certificate in that chain.
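The certificate chain described above, as an added toy-scale example (not code from the page, from BSI or from any inspection system): a CVCA root, a DV certificate and a short-lived IS certificate, validated on the chip side against validity windows and access rights, followed by the challenge-response in which the terminal proves possession of the IS private key. Textbook RSA with 32-bit primes, a dataclass in place of the TLV-encoded CV certificate, and every name, field and bit value are assumptions for illustration; the rule that the effective rights are the AND of all certificates in the chain is TR-03110's.

```python
"""Terminal Authentication over a CVCA -> DV -> IS chain, an added toy-scale
example, not the page's or TR-03110's own code. Textbook RSA with 32-bit primes
and an unpadded hash stands in for the real signature schemes, a dataclass for the
TLV CV certificate; names and fields are assumed. The AND rule is TR-03110's."""
import hashlib
import math
import os
import random
from dataclasses import dataclass
from datetime import date, timedelta

def _is_prime(n: int) -> bool:            # trial division: fine for 32-bit toys
    return n > 1 and all(n % k for k in range(2, math.isqrt(n) + 1))

def rsa_keygen(rnd: random.Random, bits: int = 32):
    """((n, e), d) from two 32-bit primes: an insecure toy, for the chain logic only."""
    e, primes = 65537, []
    while len(primes) < 2:
        c = rnd.getrandbits(bits) | 1 << (bits - 1) | 1       # odd, full length
        if _is_prime(c) and c not in primes and (c - 1) % e:  # e is prime: gcd test
            primes.append(c)
    p, q = primes
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def _h(n: int, msg: bytes) -> int:        # unpadded hash reduced into the modulus
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(d: int, pub: tuple, msg: bytes) -> int:
    return pow(_h(pub[0], msg), d, pub[0])

def verify(pub: tuple, msg: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == _h(pub[0], msg)

DG3_FINGERPRINT, DG4_IRIS = 0b01, 0b10    # this example's own access-rights bits

@dataclass
class CVCert:
    holder: str      # e.g. "DECVCA00001" (CVCA), "FRDV00001" (DV), "FRIS00001" (IS)
    issuer: str
    pub: tuple       # RSA (n, e)
    rights: int      # data groups the holder may read
    effective: date
    expiry: date
    sig: int = 0
    def tbs(self) -> bytes:               # the bytes the signature covers
        return f"{self.holder}|{self.issuer}|{self.pub}|{self.rights}|{self.effective}|{self.expiry}".encode()

def issue(issuer: CVCert, issuer_d: int, holder: str, pub: tuple, rights: int,
          effective: date, days: int) -> CVCert:
    cert = CVCert(holder, issuer.holder, pub, rights, effective, effective + timedelta(days=days))
    cert.sig = sign(issuer_d, issuer.pub, cert.tbs())
    return cert

def effective_rights(anchor: CVCert, chain: list, today: date) -> int:
    """Chip-side walk from the stored CVCA key to the IS: the rights the terminal
    really gets, or -1 on a failed link (issuer mismatch, bad signature, outside the
    validity window). Rights are ANDed down the chain, so a DV cannot hand an IS
    more than the CVCA granted the DV."""
    rights, issuer = anchor.rights, anchor
    for cert in chain:
        if cert.issuer != issuer.holder or not verify(issuer.pub, cert.tbs(), cert.sig):
            return -1
        if not cert.effective <= today <= cert.expiry:
            return -1
        rights, issuer = rights & cert.rights, cert
    return rights

def terminal_authentication(anchor: CVCert, chain: list, is_d: int, today: date,
                            requested: int, chip_id: bytes = b"P<D<<12345678<") -> bool:
    """Both sides of TA. After the chain check the chip sends a nonce and the
    terminal signs ID_PICC || r_PICC || H(PK_PCD) with the IS key (PK_PCD, its CA
    ephemeral key, is a constructed placeholder here); data is released only if
    the signature verifies and the chain covers the requested data groups."""
    rights = effective_rights(anchor, chain, today)
    if rights < 0:
        return False
    r_picc = os.urandom(8)                                     # chip challenge
    message = chip_id + r_picc + hashlib.sha256(b"PK_PCD placeholder").digest()
    signature = sign(is_d, chain[-1].pub, message)             # terminal side
    return verify(chain[-1].pub, message, signature) and requested & ~rights == 0

def demo():
    rnd, today = random.Random(2013), date(2013, 6, 19)
    (cvca_pub, cvca_d), (dv_pub, dv_d), (is_pub, is_d) = (rsa_keygen(rnd) for _ in range(3))
    cvca = CVCert("DECVCA00001", "DECVCA00001", cvca_pub, DG3_FINGERPRINT | DG4_IRIS,
                  today - timedelta(days=100), today + timedelta(days=600))
    cvca.sig = sign(cvca_d, cvca_pub, cvca.tbs())              # self-signed anchor held by the chip
    # German CVCA grants a French DV fingerprints only; the DV tries to add iris for its IS.
    dv = issue(cvca, cvca_d, "FRDV00001", dv_pub, DG3_FINGERPRINT, today - timedelta(days=10), 60)
    is_cert = issue(dv, dv_d, "FRIS00001", is_pub, DG3_FINGERPRINT | DG4_IRIS, today - timedelta(days=1), 7)
    chain = [dv, is_cert]
    return (terminal_authentication(cvca, chain, is_d, today, DG3_FINGERPRINT),
            terminal_authentication(cvca, chain, is_d, today, DG4_IRIS),
            terminal_authentication(cvca, chain, is_d, today + timedelta(days=30), DG3_FINGERPRINT))
```

demo() returns (True, False, False): fingerprints are released, iris is refused because the DV's own certificate never carried that right, and thirty days later the 7-day IS certificate has expired. The `today` parameter is explicit because an ePassport chip has no clock; TR-03110 has the chip approximate the current date from the effective dates of certificates it has already verified, which is why the short validity periods quoted above matter for revocation.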

References

  1. ^ EAC is a member of the family of security measures introduced by ICAO
  2. ^ Temporat Secure Digital Identity. "ePassport Extended Access Control" (white paper, PDF). http://www.securitydocumentworld.com/client_files/eac_white_paper_210706.pdf. Retrieved 19 June 2013.
  3. ^ G. S. Kc and P. A. Karger (1 April 2005). "Security and privacy issues in machine readable travel documents (MRTDs)" (PDF). RC 23575 (W0504-003). IBM. Retrieved 4 January 2012.
  4. ^ Javier López, Pierangela Samarati, and Josep L. Ferrer (2007). Public key infrastructure: 4th European PKI Workshop: theory and practice, EuroPKI 2007. Springer. p. 41. ISBN 978-3-540-73407-9.
  5. ^ Federal Office for Information Security (BSI). "Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC)" (PDF). Retrieved 26 November 2009.
  6. ^ Kügler, Dennis (2006). "Extended Access Control: Infrastructure and Control" (PDF). http://www.interoptest-berlin.de/pdf/Kuegler_-_Extended_Access_Control.pdf. Retrieved 19 June 2013.
  7. ^ a b Kügler, Dennis. "Extended Access Control: Infrastructure and Protocol" (PDF). Retrieved 25 March 2010.