Password Authenticated Connection Establishment

from Wikipedia, the free encyclopedia

Password Authenticated Connection Establishment (PACE) is a password-based authentication and key agreement protocol. The protocol was developed by the Federal Office for Information Security (BSI) for use in, among other things, the new ID card, and is described in technical guideline TR-03110. PACE is standardized as the successor to Basic Access Control for use in machine-readable travel documents.

The protocol accepts a password (possibly of low entropy) as input, verifies the password and derives high-entropy session keys to protect subsequent communication.

PACE belongs to the family of Password Authenticated Key Exchange (PAKE) protocols. In contrast to other protocols in this group, such as Encrypted Key Exchange (EKE), Simple Password Exponential Key Exchange (SPEKE) or the Secure Remote Password Protocol (SRP), the PACE protocol itself is patent-free and can be implemented both with elliptic curves and with standard cryptography.

Procedure

The PACE protocol consists of four steps:

  1. The chip selects a random number (nonce), encrypts it with the password as a key and sends the encrypted random number to the terminal, which decrypts the random number again.
  2. The chip and the terminal map the random number to a generator of the mathematical group in use, with the help of a (possibly interactive) mapping function.
  3. The chip and the terminal perform a Diffie-Hellman key exchange using the generator from step 2 as a basis.
  4. The chip and the terminal derive session keys from the shared secret and use them for mutual authentication and then to secure further communication.

Mapping functions

One of the core components of PACE is a so-called mapping function. This function is used to map a random number into the mathematical group used for the asymmetric cryptosystem. Two types of mapping are currently defined:

Generic mapping
This mapping is based on generic group operations, is easy to implement and can be used with all Diffie-Hellman variants.
Integrated mapping
This mapping integrates the random number directly into the group used. When used with elliptic curves, however, patented algorithms are required.
Chip authentication mapping
This mapping combines generic mapping with chip authentication, so that both protocols can be executed together and the performance is increased as a result.
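
The four steps of the procedure, run with the generic mapping, as an added example that is not taken from the article or from TR-03110. Assumptions: an XOR pad and SHA-256/HMAC stand in for the cipher, KDF and MAC of the real protocol, the group is the 768-bit Oakley Group 1 prime from RFC 2409, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# 768-bit Oakley Group 1 safe prime (RFC 2409) with generator 2: an assumption
# made to keep the listing short; too small for production use.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
G = 2

def kdf(label: bytes, data: bytes) -> bytes:
    """SHA-256 with a label; stand-in for the KDF of the real protocol."""
    return hashlib.sha256(label + b"|" + data).digest()

def encode(n: int) -> bytes:
    """Fixed-length big-endian encoding of a group element."""
    return n.to_bytes(96, "big")

def nonce_cipher(password: str, block: bytes) -> bytes:
    """Stand-in for the password-keyed cipher of step 1 (XOR pad, self-inverse)."""
    return bytes(a ^ b for a, b in zip(block, kdf(b"K_pi", password.encode())))

def generic_map(s: bytes, h: int) -> int:
    """Step 2, generic mapping: new generator G' = G^s * H mod P."""
    return pow(G, int.from_bytes(s, "big"), P) * h % P

def token(k: int, public_key: int) -> bytes:
    """Step 4: MAC over a public key, keyed with the derived MAC key."""
    return hmac.new(kdf(b"mac", encode(k)), encode(public_key), "sha256").digest()

def run_pace(chip_pw: str, terminal_pw: str) -> dict:
    """Simulate both sides; *_c values are held by the chip, *_t by the terminal."""
    rand = lambda: secrets.randbelow(P - 3) + 2
    # Step 1: the chip encrypts a random nonce; the terminal decrypts it.
    s_c = secrets.token_bytes(16)
    s_t = nonce_cipher(terminal_pw, nonce_cipher(chip_pw, s_c))
    # Step 2: an anonymous DH run yields H, then each side maps its nonce.
    a_c, a_t = rand(), rand()
    h_c, h_t = pow(pow(G, a_t, P), a_c, P), pow(pow(G, a_c, P), a_t, P)
    g_c, g_t = generic_map(s_c, h_c), generic_map(s_t, h_t)
    # Step 3: Diffie-Hellman with the mapped generator as the base.
    x_c, x_t = rand(), rand()
    pub_c, pub_t = pow(g_c, x_c, P), pow(g_t, x_t, P)
    k_c, k_t = pow(pub_t, x_c, P), pow(pub_c, x_t, P)
    # Step 4: each side checks the peer's token over its own public key.
    chip_accepts = hmac.compare_digest(token(k_t, pub_c), token(k_c, pub_c))
    term_accepts = hmac.compare_digest(token(k_c, pub_t), token(k_t, pub_t))
    key_c, key_t = kdf(b"enc", encode(k_c)), kdf(b"enc", encode(k_t))
    return {"authenticated": chip_accepts and term_accepts,
            "same_key": key_c == key_t, "key_bits": 8 * len(key_c)}
```

With matching passwords both sides end up with the same 256-bit session key; with a wrong password the terminal decrypts a different nonce, maps to a different generator, and the token check in step 4 fails.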

Security

The security of PACE has been mathematically proven. The cryptographic strength of the session keys generated by PACE does not depend on the password used. Therefore, very short passwords can be used with PACE. As with all password-based authentication protocols, PACE cannot protect against brute-force attacks on the password itself. Possible countermeasures include slowing down the protocol or blocking the password after a specified number of wrong entries.

Use with machine-readable travel documents

PACE is currently being standardized as the successor to Basic Access Control for use in machine-readable travel documents. Because the integrated mapping for elliptic curves is patented, this variant was declared optional in the current version of the specification and is therefore not mandatory for reading devices.

In a transition phase, PACE is initially to be implemented in parallel with Basic Access Control and is therefore temporarily also referred to as Supplemental Access Control. It is recommended that PACE be implemented in machine-readable travel documents and reading devices by 2015.

Use with the new ID card

With the new ID card, PACE is used in conjunction with Extended Access Control instead of Basic Access Control. Basic Access Control is no longer supported.

PACE can be executed with four different passwords. The printed six-digit Card Access Number (CAN) and, analogous to Basic Access Control, the machine-readable zone are only permitted with certain readers (usually those of government agencies). A secret PIN and a corresponding PUK, which are known only to the rightful owner, can be used with any reader. As the name suggests, the PUK is only used to unblock the PIN after a certain number of failed authentication attempts.

References

  1. BSI Technical Guideline TR-03110, Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token, Version 2.20, 2015
  2. 19th meeting of the Technical Advisory Group on Machine Readable Travel Documents, 2009 (PDF; 92 kB)
  3. Chip Authentication Mapping, 2015
  4. Security Analysis of the PACE Key-Agreement Protocol, 2009
  5. BSI Technical Guideline TR-03116-2, eCard projects of the Federal Government, Part 2 - Official identification documents (PDF; 332 kB)