Federal Office for Information Security (BSI)

Security mechanisms in electronic ID documents

Basic Access Control (BAC)

"Basic Access Control" (BAC) protects the contactless RF chip from being read without direct access and ensures the information exchanged with the reading device is encrypted. BAC is used in the electronic passport.

If the ID document is protected by BAC, then it cannot be read from out of the jacket pocket, for example. In order to access the data stored on the contactless chip of the ID document, first the machine readable zone (MRZ) of the passport has to be read. The MRZ is located on the bottom of the data card.

This data is either read optically or typewritten. Based on this data, an individual access key for each passport is computed, which must be used by the reading device to authenticate itself to the chip. This means the reading device proves to the chip it has optical access to the passport. The RF chip transmits a random number to the reading device for this purpose. The reading device encrypts this number using the access key and then transmits it back to the RF chip. The RF chip checks if the random number has been encrypted with the right access key. If this is the case, the RF chip allows the reading device to access the data, which is also printed in optical form in the passport, e.g. facial image, name, date of birth etc.

The access key is also used to encrypt the data exchanged between reading device and RF chip.

If you would like to know more about this procedure, please read our technical guideline BSI-TR-03110.