
SECURITY

[Figure: hierarchy of digital certificates. Legend: PKI: Public Key Infrastructure; CSCA: Country Signing Certificate Authority; CVCA: Country Verifying Certificate Authority. Captions: "Hierarchy of digital certificates for signing data in electronic identity documents." and "Hierarchy of digital certificates for read authorization of electronic identity documents."]

4.1 Password Authenticated Connection Establishment (PACE)

Password Authenticated Connection Establishment (PACE) ensures that the contactless RF chip in the new identity card cannot be read unless access is explicitly granted by presenting a password, and that data are exchanged with the terminal device in encrypted form [Bender 2008].

Which password may be used for PACE depends on the authorization certificate of the reader (terminal) device. Usually this is the six-digit personal identification number (PIN), which is known only to the holder of the identity card. For reader devices with authorization certificates for sovereign use, e.g. border control, either the Machine Readable Zone (MRZ) printed on the back of the new identity card or the six-digit Card Access Number (CAN) printed on the front is sufficient.
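The exchange described in this section, written out as an added example; this is illustrative code, not the BSI's or any card vendor's implementation. It models PACE with Generic Mapping over a multiplicative Diffie-Hellman group, one of the domain-parameter options in TR-03110 (real cards normally use elliptic curves). The group is the RFC 3526 1536-bit MODP group, assumed to be transcribed correctly. SHA-256 stands in for the specification's key derivation function, a hash-derived XOR keystream for the AES encryption of the nonce, and HMAC-SHA256 for the CMAC authentication tokens; the function and variable names are my own.

```python
"""Simplified PACE with Generic Mapping (Diffie-Hellman variant).
Added illustrative code; not the BSI's or any vendor's implementation."""
import hashlib
import hmac
import secrets

# Domain parameters: RFC 3526 1536-bit MODP group, generator 2 (assumed
# transcribed correctly). 256-bit exponents are enough for a demonstration.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = 192
EXP_BITS = 256


def kdf(secret: bytes, counter: int) -> bytes:
    """Key derivation in the shape of TR-03110's KDF(K, c) = H(K || c);
    SHA-256 stands in for the specification's hash.
    c = 1: encryption key, c = 2: MAC key, c = 3: password key K_pi."""
    return hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(P_BYTES, "big")


def xor_nonce(k_pi: bytes, block: bytes) -> bytes:
    """Stand-in for AES encryption of the 32-byte nonce under K_pi: XOR with
    a keystream derived from K_pi. The same call encrypts and decrypts."""
    stream = hashlib.sha256(k_pi + b"nonce-keystream").digest()
    return bytes(a ^ b for a, b in zip(block, stream))


def pace(chip_password: str, terminal_password: str):
    """Run PACE-GM between a chip (IC) holding chip_password and a terminal
    (PCD) that was given terminal_password (PIN, CAN or MRZ).
    Returns (terminal_accepts, chip_accepts, k_enc_terminal, k_enc_chip)."""
    # Step 0: each side derives K_pi from the password it holds.
    k_pi_ic = kdf(chip_password.encode(), 3)
    k_pi_pcd = kdf(terminal_password.encode(), 3)

    # Step 1: the chip draws a random nonce s and sends z = E(K_pi, s).
    s_ic = secrets.token_bytes(32)
    z = xor_nonce(k_pi_ic, s_ic)
    s_pcd = xor_nonce(k_pi_pcd, z)  # equals s_ic only if the passwords match

    # Step 2 (Generic Mapping): a first ephemeral DH yields h; both sides then
    # compute the mapped generator g' = g^s * h mod p. An eavesdropper who
    # guesses the password learns s but not h, so cannot recover g'.
    x1, y1 = secrets.randbits(EXP_BITS), secrets.randbits(EXP_BITS)
    pk1_pcd, pk1_ic = pow(G, x1, P), pow(G, y1, P)
    g_pcd = pow(G, int.from_bytes(s_pcd, "big"), P) * pow(pk1_ic, x1, P) % P
    g_ic = pow(G, int.from_bytes(s_ic, "big"), P) * pow(pk1_pcd, y1, P) % P

    # Step 3: second ephemeral DH on the mapped generator; its output is a
    # full-size group element no matter how short the password was.
    x2, y2 = secrets.randbits(EXP_BITS), secrets.randbits(EXP_BITS)
    pk2_pcd, pk2_ic = pow(g_pcd, x2, P), pow(g_ic, y2, P)
    k_pcd, k_ic = pow(pk2_ic, x2, P), pow(pk2_pcd, y2, P)

    # Step 4: session keys and mutual authentication tokens over the peer's
    # mapped public key (HMAC-SHA256 stands in for the specification's CMAC).
    k_enc_pcd, k_mac_pcd = kdf(i2b(k_pcd), 1), kdf(i2b(k_pcd), 2)
    k_enc_ic, k_mac_ic = kdf(i2b(k_ic), 1), kdf(i2b(k_ic), 2)
    t_pcd = hmac.new(k_mac_pcd, i2b(pk2_ic), "sha256").digest()  # terminal -> chip
    t_ic = hmac.new(k_mac_ic, i2b(pk2_pcd), "sha256").digest()   # chip -> terminal
    chip_accepts = hmac.compare_digest(
        t_pcd, hmac.new(k_mac_ic, i2b(pk2_ic), "sha256").digest())
    terminal_accepts = hmac.compare_digest(
        t_ic, hmac.new(k_mac_pcd, i2b(pk2_pcd), "sha256").digest())
    return terminal_accepts, chip_accepts, k_enc_pcd, k_enc_ic


if __name__ == "__main__":
    ok_t, ok_c, k_t, k_c = pace("123456", "123456")
    print("correct PIN, both sides accept, keys match:", ok_t and ok_c and k_t == k_c)
    bad_t, bad_c, _, _ = pace("123456", "123457")
    print("wrong PIN, anyone accepts:", bad_t or bad_c)
```

The second run is the case that matters for a six-digit PIN: a terminal holding the wrong PIN decrypts a different nonce, maps to a different generator and derives different keys, so the chip's token check fails. A passive eavesdropper records the encrypted nonce and four public keys but, lacking either party's ephemeral secret, cannot recover the mapped generator even for the correct PIN, so the recording cannot be used for an offline PIN search. The session keys come from the 1536-bit group, not from the PIN.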

4.2 Extended Access Control (EAC), readers and EAC box

Extended Access Control (EAC) comprises a set of protocols that are always executed in a specific order, which depends on the electronic identity document to be read [TR-03110].

The EAC protocols are Chip Authentication (CA) and Terminal Authentication (TA). Both are executed together with Password Authenticated Connection Establishment (PACE) and Passive Authentication (PA).

The purpose of Chip Authentication is to confirm that the chip is genuine (not a forgery or a clone) and to establish a secure connection between the chip and the reader or, in the case of online authentication, between the chip and the service provider.

Chip Authentication is based on a Diffie-Hellman key exchange in which the reader or terminal device uses an ephemeral key pair and the chip a static key pair. The chip's static public key is signed when the document is produced, and that signature is checked by Passive Authentication (see section 4.3). Only a genuine chip holds the private key matching the signed public key, so completing the key agreement with that key verifies the authenticity of the chip; at the same time, a strongly encrypted and authenticated end-to-end channel is established between the chip and the reader or, in the case of online authentication, between the chip and the service provider.
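To make the roles of the two key pairs concrete, an added example of the Diffie-Hellman step in Chip Authentication; this is illustrative code, not the BSI's or a card vendor's implementation. It uses the RFC 3526 1536-bit MODP group (assumed to be transcribed correctly) in place of the elliptic curves real cards use, SHA-256 in place of the specification's key derivation function and HMAC-SHA256 in place of the CMAC token that Chip Authentication version 2 returns over the terminal's ephemeral key (the chip nonce of that version is omitted). Passive Authentication of the chip's static public key is assumed to have succeeded and is not modelled; the class and function names are my own. The clone in the example has copied every readable byte of the card, including the signed public key, and still fails.

```python
"""Simplified Chip Authentication (Diffie-Hellman variant): static chip key,
ephemeral terminal key. Added illustrative code, not the BSI's implementation."""
import hashlib
import hmac
import secrets

# RFC 3526 1536-bit MODP group, generator 2 (assumed transcribed correctly).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = 192
EXP_BITS = 256


def kdf(secret: bytes, counter: int) -> bytes:
    """H(K || c), SHA-256 standing in for the specification's KDF.
    c = 1: encryption key, c = 2: MAC key."""
    return hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()


def i2b(x: int) -> bytes:
    return x.to_bytes(P_BYTES, "big")


class GenuineChip:
    """A real chip: holds the static private key. The matching public key is
    written into the chip's signed data at production, which Passive
    Authentication (section 4.3) checks; that check is assumed to have
    passed and is not modelled here."""

    def __init__(self):
        self._static_sk = secrets.randbits(EXP_BITS)
        self.static_pk = pow(G, self._static_sk, P)  # the signed public key
        self.k_enc = None

    def respond(self, pk_terminal: int) -> bytes:
        """Derive the shared key from the terminal's ephemeral public key and
        return the token MAC(K_MAC, PK_terminal) (HMAC stands in for CMAC)."""
        shared = i2b(pow(pk_terminal, self._static_sk, P))
        self.k_enc = kdf(shared, 1)
        return hmac.new(kdf(shared, 2), i2b(pk_terminal), "sha256").digest()


class ClonedChip(GenuineChip):
    """A clone that copied all readable data, including the signed static
    public key, but could not extract the private key from the original
    chip. Passive Authentication alone would accept the copied data."""

    def __init__(self, copied_static_pk: int):
        super().__init__()                 # generates its own private key ...
        self.static_pk = copied_static_pk  # ... which does not match this key


def chip_authentication(chip) -> tuple:
    """Terminal side. Returns (chip_is_genuine, k_enc_terminal)."""
    x = secrets.randbits(EXP_BITS)               # ephemeral terminal key pair
    pk_terminal = pow(G, x, P)
    shared = i2b(pow(chip.static_pk, x, P))      # uses the *signed* public key
    k_enc, k_mac = kdf(shared, 1), kdf(shared, 2)
    token = chip.respond(pk_terminal)
    expected = hmac.new(k_mac, i2b(pk_terminal), "sha256").digest()
    return hmac.compare_digest(token, expected), k_enc


if __name__ == "__main__":
    real = GenuineChip()
    print("genuine chip accepted:", chip_authentication(real)[0])
    print("clone accepted:", chip_authentication(ClonedChip(real.static_pk))[0])
```

The terminal only ever uses the public key that Passive Authentication vouched for. A party that presents that key without owning the matching private key ends up with a different shared secret, so its token does not verify and the secure channel is never established, which is what distinguishes a clone of the readable data from the original chip.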

The advantage of PACE is that the length of the password has no effect on the security level of the encryption. In other words, even when the CAN or PIN is used, which are short compared to the MRZ, the data on the RF chip of the electronic identity card are strongly protected during transmission.

All data on the new identity card are treated as confidential and must be protected against being read by unauthorized persons. The Terminal Authentication (TA) protocol was developed for this purpose. Sensitive data can only be read when this protocol has been successfully executed by the reader. The RF chip in the identity document is designed so that it enables reading of specific data only when the reader

