Federal Office for Information Security (BSI)

Security mechanisms in electronic ID documents

The security mechanisms in electronic ID documents have the following security objectives:

  • Data protection: first, the personal data of the card bearer should be protected against unauthorized access.
  • Authenticity and protection against forgery: second, it has to be ensured that the ID document has been issued by a governmental institution and that any forgery of the data content is detected.

The protocols and other measures used to support these security objectives are presented below:

| Abbr | Title | Scope |
|------|-------|-------|
| BAC | Basic Access Control | Basic access control, protects the RF chip against skimming (reading contents from a distance) |
| PACE | Password Authenticated Connection Establishment | Access control, protects the RF chip against skimming |
| EAC | Extended Access Control | Extended access control consisting of different protocols |
| | CA: Chip Authentication | Establishing a secure communication channel and detection of "cloned" RF chips, Chip Authentication belongs to the EAC protocol |
| | TA: Terminal Authentication | Reading device authentication for sensitive data access on the RF chip, Terminal Authentication belongs to the EAC protocol |
| PA | Passive Authentication | Authenticity and integrity verification of the data on the RF chip |
| PKI | Public Key Infrastructure | Hierarchy of digital certificates |
| | CSCA: Country Signing Certification Authority | Hierarchy of digital certificates for data signing in electronic ID documents |
| | CVCA: Country Verifying Certification Authority | Hierarchy of digital certificates for reading permission of electronic ID documents |