Federal Office for Information Security (BSI)

Security mechanisms in electronic ID documents

Password Authenticated Connection Establishment (PACE)

"Password Authenticated Connection Establishment" (PACE) ensures that the contactless RF chip in the electronic ID card cannot be read without direct access and the data exchanged with the reading device is transmitted encrypted.

This protocol is used for the electronic ID card.

Which password can be used for PACE depends on the digital certificate of the reading device. Usually this is the six digits secret "Personal Identification Number" (PIN), which is known only to the ID card bearer.

For reading devices with digital certificates for official use, such as boarder control, either the machine readable zone (MRZ) printed on the back of the electronic ID card or the six digits "Card Access Number" (CAN) printed on the front side is sufficient.

More about the different "passwords“ can be found under electronic ID card.

PACE has the advantage that the password length has no influence on the security level of the encryption. This means even with the short - in contrast to the MRZ - PIN or CAN the data is strongly protected on the RF chip of the electronic ID card and during transmission.

If you wish to know more about this procedure, please read our technical guideline BSI-TR-03110.