Supplemental Access Control
   HOME

TheInfoList



Click Here for Items Related To - Supplemental Access Control
OR:
Supplemental Access Control on:   [Wikipedia]   [Google]   [Amazon]

Supplemental access control (SAC) is a set of security features defined by
ICAO The International Civil Aviation Organization (ICAO, ) is a specialized agency of the United Nations that coordinates the principles and techniques of international air navigation, and fosters the planning and development of international a ...
for protecting data contained in electronic travel documents (e.g. electronic passports). SAC specifies the ''Password Authenticated Connection Establishment'' (PACE) protocol, which itself supplements and improves upon the Basic Access Control (BAC) protocol also established by ICAO. PACE, like BAC, prevents two types of attacks: * Skimming (online attack that consists in reading the
RFID Radio-frequency identification (RFID) uses electromagnetic fields to automatically identify and track tags attached to objects. An RFID system consists of a tiny radio transponder, a radio receiver and transmitter. When triggered by an electromag ...
chip without physical access to the document and without the holder's approval). Prior to reading the chip, the inspection system needs to know some data that is printed on the document (e.g. the
MRZ A machine-readable passport (MRP) is a machine-readable travel document (MRTD) with the data on the identity page encoded in optical character recognition format. Many countries began to issue machine-readable travel documents in the 1980s. Mos ...
) or a key that is known only to the holder (
personal identification number A personal identification number (PIN), or sometimes redundantly a PIN number or PIN code, is a numeric (sometimes alpha-numeric) passcode used in the process of authenticating a user accessing a system. The PIN has been the key to facilitat ...
(PIN)), which means he has willingly handed the document for inspection. While BAC works only with the MRZ, PACE allows using card access numbers (short keys printed on the document) and PINs. * Eavesdropping (offline attack that starts by recording the data exchanged between the reader and the chip, to be analyzed later). The inspection system uses PACE for establishing a secure communication channel with the contactless chip, but using stronger cryptography than BAC. PACE offers an excellent protection against offline attacks, raising the security of documents containing contactless chips to the level of documents using contact chips. With the implementation of PACE begins the third generation of electronic passports. EU members must implement PACE in electronic passports by the end of 2014. States, for the sake of global interoperability, must not implement PACE without implementing BAC, and inspection systems should implement PACE and use it if supported by the MRTD chip. Thus, it is important that global interoperability is achieved, to make the enhancement reliable for the document verification process. To achieve interoperability, there are so called Interoperability Tests. The results of the last test focusing on SAC describe the current state of implementation in the field. Version 1.1 (April 2014) of ICAO's "Supplemental Access Control" Technical Report introduces the Chip Authentication protocol as an alternative to Active Authentication and integrates it with PACE, achieving a new protocol (Chip Authentication Mapping, PACE-CAM ) which allows faster execution than the separate protocols.


References

{{reflist Access control Passports