Basic Access Control and Extended Access Control
Transcript of Basic Access Control and Extended Access Control
![Page 1: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/1.jpg)
Basic Access Controland
Extended Access Controlin ePassports
Basic Access Controland
Extended Access Controlin ePassports
Tom Kinneging ISO/IEC JTC1 SC17 WG3/TF5
New Technology Working Group (NTWG)TAG/MRTD 18
��������������� �������������������������������������� ��������������
![Page 2: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/2.jpg)
History History
����������������
![Page 3: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/3.jpg)
�Document as proof of identity– Protected against
• Counterfeit• Manipulation• Copying and cloning
– Physically– Electronically
History History
![Page 4: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/4.jpg)
Physical security Physical security
�Materials�Security printing�Optical variable elements�Personalization
![Page 5: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/5.jpg)
�Against counterfeit and manipulation– Passive Authentication
�Against copying and cloning– Active Authentication
Electronic security Electronic security
![Page 6: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/6.jpg)
�Electronic signature– Chip data is authentic– Chip data has not been changed
�Cryptographic key pair– Private key for signing– Public key for verification
Passive Authentication Passive Authentication
�
�
Against counterfeiting and manipulationAgainst counterfeiting and manipulation
![Page 7: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/7.jpg)
DS
CSCA
Passive AuthenticationPassive AuthenticationState A
Inspection System
PKDPKD
State B
Key distributionKey distribution
![Page 8: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/8.jpg)
�Challenge response mechanism– Genuine combination chip and data
�Cryptographic key pair– Private key in chip’s secure memory– Public key in Data Group 15
Active Authentication Active Authentication
�
�
Against copying and cloningAgainst copying and cloning
![Page 9: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/9.jpg)
�No problem for conventional passport– You cannot read a closed book
�Introduction RF chip– Skimming
• Reading data from the RF chip
– Eavesdropping• Reading along the chip-reader communications
PrivacyPrivacy
?
![Page 10: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/10.jpg)
Basic Access ControlBasic Access Control
Inspection System
![Page 11: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/11.jpg)
Inspection System
10011101111001
Basic Access ControlBasic Access Control
![Page 12: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/12.jpg)
�Strong or weak?– Skimming no problem– Eavesdropping risks can be diminished
• Random document number
�Lifetime– Computer power increases– Planned evaluation, investigate successor
Basic Access ControlBasic Access Control
?
![Page 13: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/13.jpg)
�Doc 9303 recommends a more strict protection of sensitive data– Finger print– Iris
�To be realized– At a national or bilateral level– Through Encryption or Extended Access Control
Extended Access ControlExtended Access Control
?
![Page 14: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/14.jpg)
�Two protocols– Chip Authentication– Terminal Authentication
Extended Access ControlExtended Access Control
?
![Page 15: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/15.jpg)
�Strong secure communications– First BAC– Replace BAC keys
�Implicit verification of genuine chip– Like Active Authentication
�Can be used on its own
Chip AuthenticationChip Authentication
?
![Page 16: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/16.jpg)
�After Chip Authentication�MRTD chip verifies access rights
– Verify certificates present in I.S.– Grant access to sensitive data
�Certificate issued by MRTD issuer
Terminal AuthenticationTerminal Authentication
?
![Page 17: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/17.jpg)
CVCA
Terminal AuthenticationTerminal AuthenticationState A
IS ISIS
DV
CVCA
State B
IS ISIS
DV
CVCA
State C
IS ISIS
DV
Certificate distributionCertificate distribution
![Page 18: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/18.jpg)
�Opens up other possibilities– Access rights verification for
• Updating chip contents• Writing visa information• Writing travel records
Terminal AuthenticationTerminal Authentication
?
![Page 19: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/19.jpg)
�Passive authentication– Enables the inspection system to verify that
• The chip contents is authentic• The chip contents has not been altered
�Active authentication– Enables the inspection system to verify that
• The chip contents is not a copy• The authentic chip is in the document
SummarySummary
![Page 20: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/20.jpg)
�Basic Access Control– Enables the chip system to verify that
• The passport is opened for inspection
�Extended Access Control– Enables the chip to verify that
• The inspection system is authorized to read sensitive data
SummarySummary
![Page 21: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/21.jpg)
�Chip Authentication– Can be used on its own for
• Strong secure communications• Alternative to Active Authentication
�Terminal Authentication– Authorized access
• Acces to sensitive data• Writing and updating chip contents
SummarySummary
![Page 22: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/22.jpg)
�Action by the TAG– Investigate BAC successor– Continue study to global standard for EAC
• based on implementation experiences in Europe
– Recognize Chip Authentication• as stand-alone protocol
– Recognize Terminal Authentication• as general authentication mechanism
Working Paper 6Working Paper 6
![Page 23: Basic Access Control and Extended Access Control](https://reader037.fdocuments.net/reader037/viewer/2022102802/58491b321a28ab002f8b765f/html5/thumbnails/23.jpg)
Thank youfor your attention
Thank youfor your attention
Tom Kinneging ISO/IEC JTC1 SC17 WG3/TF5
New Technology Working Group (NTWG)TAG/MRTD 18
��������������� �������������������������������������� ��������������