Federal Office for Information Security (BSI)

Security mechanisms in electronic ID documents

Passive Authentication (PA)

"Passive Authentication" (PA) is used to check whether the data on the RF chip of the electronic ID document is authentic and unforged.

The data stored on the RF chip is digitally signed during production of an electronic ID document. For this purpose, a document signer certificate is used, which is available only to the officially commissioned document issuer and which is in turn signed with the CSCA (Country Signer Certificate Authority) certificate of the issuing country. The CSCA certificate forms the root of the CSCA-PKI (Country Signer Certificate Authority Public Key Infrastructure), the certificate hierarchy used to prove the authenticity of the data on ID documents.

When an ID document is read, Passive Authentication checks the signature of the data stored on the RF chip and traces it back to the CSCA certificate. This way it can be determined whether the officially commissioned document issuer stored the ID document data on the RF chip and whether this data is authentic.
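The two checks described above, modelled as an added Go example that is not part of the BSI page or of BSI-TR-03110: the document signer certificate is traced back to a trusted CSCA certificate, and the signature over the chip data is verified with the document signer's key. The helper `issue`, the function `PassiveAuthenticate`, the certificate names, the use of Ed25519 and the signature taken directly over one constructed byte string are assumptions of this sketch, not the data format or algorithms of real documents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and a certificate signed by parent (nil parent: self-signed constructed CSCA root).
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // Ed25519 is this sketch's choice
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, parentKey = true, x509.KeyUsageCertSign, t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PassiveAuthenticate traces ds back to the trusted CSCA, then verifies the signature over the chip data.
func PassiveAuthenticate(csca, ds *x509.Certificate, data, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(csca)
	if _, err := ds.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("document signer not traceable to CSCA: %w", err)
	}
	if err := ds.CheckSignature(x509.PureEd25519, data, sig); err != nil {
		return fmt.Errorf("chip data not authentic: %w", err)
	}
	return nil
}

func main() {
	csca, cscaKey := issue("Constructed CSCA", nil, nil)
	ds, dsKey := issue("Constructed Document Signer", csca, cscaKey)
	data := []byte("constructed chip data") // constructed sample input
	sig := ed25519.Sign(dsKey, data)        // done once, at document production
	fmt.Println("genuine chip:", PassiveAuthenticate(csca, ds, data, sig))
	fmt.Println("altered chip:", PassiveAuthenticate(csca, ds, []byte("altered chip data"), sig))
}
```

A document signer certificate issued under any other root fails the first check even when its own signature over the data is valid, which is why the reader's set of trusted CSCA certificates is the anchor of the whole check.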

If you would like to know more about this procedure, please read our technical guideline BSI-TR-03110.