Security mechanisms in electronic ID documents
The security mechanisms in electronic ID documents have the following security objectives:
- Data protection: first, the personal data of the card bearer should be protected against unauthorized access,
- Authenticity and protection against forgery: second, it has to be ensured that the ID document has been issued by a governmental institution and a possible forgery of the data content is detected.
There now follows a presentation of the protocols and other measures, which are used to support the security aspects referred to above:
| Abbr | Title | Scope |
|---|---|---|
| BAC | Basic Access Control | Basic access control, protects the RF chip against skimming (reading contents from a distance) |
| PACE | Password Authenticated Connection Establishment | Access control, protects the RF chip against skimming |
EAC | Extended Access Control | Extended access control consisting of different protocols |
| CA: Chip Authentication | Establishing a secure communication channel and detection of "cloned" RF chips, Chip Authentication belongs to the EAC protocol | |
| TA: Terminal Authentication | Reading device authentication for sensitive data access on the RF chip, Terminal Authentication belongs to the EAC protocol | |
| PA | Passive Authentication | Authenticity and integrity verification of the data on the RF chip |
PKI | Public Key Infrastructure | Hierarchy of digital certificates |
| CSCA: Country Signing Certification Authority | Hierarchy of digital certificates for data signing in electronic ID documents | |
| CVCA: Country Verifying Certification Authority | Hierarchy of digital certificates for reading permission of electronic ID documents |