Currently I’m preparing a project where an ePassport has to be tested. These tests start with the booklet and end with the chip. During the preparation the need for a test specification overview popped up. This need was the root of a new service here on this blog: an overview of all current specifications in the domains of this blog starting with eMRTDs and their corresponding inspection systems. To list all current specifications I’ve added a new page called ‘test specifications‘ in menu above. I will keep this list up-to-date in the future. Finally with every new version of a test specification I will update this list. Currently the list contains test specification released by ICAO and BSI. Both organisations are in the front of implementing tests in context of eMRTD and the corresponding back-end-systems. These certification schemes of BSI and ANSSI also base on these test specification.
Test specifications are “living documents”, which causes several modifications over the time. You need the test specifications, listed here, to prove conformity and finally certify your passport or inspection system.
With every new protocol you need some more or some modified test cases in the specifications. And also maintenance is an important fact to keep the test cases up-to-date. Additionally, I will list also test specifications of other domains like IoT in the closer future.
So have a look at this page next time when you’re back on this blog.
Simultaneously with Part 3, the ICAO released also version 2.10 of the test specification ‘RF and Protocol Testing Part 4‘ to test the interoperability of inspection systems (IS) in context of eMRTD. While the Technical Advisory Group (TAG) of ICAO endorsed the update on the ICAO website, from now on the test specification can be referenced officially. Finally in version 2.10 of the test specification there are some significant modifications compared with the previous version 1.01 released in 2013:
Additionally, there are some clarifications and minor editorial changes.
Furthermore you can find a more detailed list of changes and modifications in version 2.10 to test interoperability of inspection systems.
New test cases in Version 2.10 Update
Basically the new test cases are testing the protocol PACE-CAM or make use of the new LDS 1.8 data structure where the LDS version number is stored in EF.SOD (additionally to EF.COM).
ISO7816_C_29: PACE-CAM with missing tag 8Ah but correct ECAD
ISO7816_C_30: PACE-CAM with incorrectly encoded ECAD (no octet string)
ISO7816_C_31: PACE-CAM with wrong ECAD
ISO7816_C_32: PACE-CAM with wrong tag 8Ah (use 8Bh) but correct ECAD
ISO7816_C_33: PACE-CAM with correct tag 8Ah but missing ECAD
ISO7816_C_34: PACE-CAM with Passive Authentication
ISO7816_C_35: Return additional tag 8Ah during PACE-GM
ISO7816_C_36: Use DG14 without SecurityInfo during PACE-CAM
ISO7816_C_37: Use EF.CardSecurity with wrong ChipAuthenticationPublicKey during PACE-CAM
ISO7816_C_38: Use EF.CardSecurity without ChipAuthenticationPublicKeyInfo during PACE-CAM
ISO7816_C_39: Check supported standardized Domain Parameters with Chip Authentication Mapping
ISO7816_G_01: Chip Authentication with DH
ISO7816_G_02: Chip Authentication with ECDH
ISO7816_G_03: DG14 with one key reference
ISO7816_G_04: DG14 with two key references
ISO7816_G_05: DG14 with three key references
ISO7816_G_06: DG14 with invalid key reference
ISO7816_G_07: DG14 with corrupted DH public key
ISO7816_G_08: DG14 with corrupted ECDH public key
ISO7816_G_09: Use old session keys after Chip Authentication
ISO7816_G_10: Verify lifetime of ephemeral keys
ISO7816_G_11: DG14 with invalid DH public key specification
ISO7816_G_12: DG14 with invalid ECDH public key specification
ISO7816_G_13: ChipAuthenticationPublicKeyInfo: key reference does not match key reference in ChipAuthenticationInfo
ISO7816_G_14: Chip Authentication with Extended Length
ISO7816_G_15: Use various status words for invalid key reference
LDS_A_10: EF.COM with LDS version 1.8
LDS_D_35: EF.SOD with LDS Version 1.8
LDS_D_36: Security Object with LDS Version 1.8 but Version wrong number
LDS_D_37: Security Object with LDS Version 1.7 but Version number 1
LDS_D_38: EF.SOD with future LDS Version 1.9
Modified test cases in Version 2.10 Update
Due to the new document structure of version 2.10, it’s difficult to detect all modifications. Therefore please be aware that the list of modified test cases may not be complete and there might be more changes compared to previous version 1.01.
ISO7816_C_04: Added new OID for PACE-CAM in table corresponding to test case
ISO7816_D_07: Test case deleted
With the release of this test specification, version 2.10 is relevant for certification. So from now on, your inspection system must fulfill these conformity tests to achieve a certificate.
There is an update of ICAO’s test specification ‘RF and Protocol Testing Part 3‘ available. The specification is focusing on conformity testing and protocol testing for eMRTDs implementing protocols like BAC and PACE.
The Technical Advisory Group (TAG) of ICAO endorsed the updated release on the ICAO website, so from now on the test specification can be referenced officially. In version 2.10 of the test specification there are some major modifications:
Additional test cases for PACE-CAM (this includes modifications of existing test cases and also new test cases especially for PACE-CAM).
New test suite 7816_S to verify access rights (read and select) of EF.CardSecurity.
New test suite LDS_K to test presence and coding of SecurityInfo structures in EF.CardSecurity
The referenced documents are updated to Doc 9303 Edition 7 and old specifications including supplements are replaced.
With 7th edition of Doc 9303 the wording is changed from ‘PACEv2’ and ‘SAC’ to ‘PACE’.
And of course there are some minor editorial corrections.
The interim version 2.08 of this test specification was used during the interoperability test in London 2016 (first results of this event can be found in a previous post). This version was prepared at the meeting of ISO WG3 TF4R in Berlin to establish a valid version for the test event. Version 2.10 includes all the updates and some minor changes. In the following the update of version 2.10 is listed more detailed.
New test cases in layer 6
ISO7816_O_55: Accessing the EF.CardSecurity file with explicit file selection.
ISO7816_O_56: Accessing the EF.CardSecurity file with implicit file selection (ReadBinary with SFI).
ISO7816_O_57: Accessing the EF.CardSecurity file with ReadBinary. The test verifies the enforcement of SM after the PACE-CAM protocol has been performed successfully.
ISO7816_O_58: Accessing the EF.CardSecurity file with ReadBinary. The test verifies the enforcement of SM after a PACE protocol different from PACE-CAM has been performed successfully.
ISO7816_P_78: Positive test with a complete sequence of PACE without Chip Authentication Mapping commands and with MRZ password. The tag 0x8A during PACE-GM and PACE-IM MUST NOT be returned.
ISO7816_S_01: Accessing EF.CardSecurity with explicit file selection and Read Binary.
ISO7816_S_02: Accessing EF.CardSecurity with implicit file selection (ReadBinary with SFI).
ISO7816_S_03: Accessing EF.CardSecurity with explicit file selection and Read Binary OddIns.
ISO7816_S_04: Accessing EF.CardSecurity with implicit file selection (ReadBinary OddIns with SFI).
Modified test cases in layer 6
ISO7816_P_01: New step 6 and step 7 added for PACE-CAM, Step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_02: New step 6 and step 7 added for PACE-CAM, Step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_03: Step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_14: Step 6 return new data object 0x8A used in PACE-CAM.
ISO7816_P_25: Step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_26: Step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_27: Step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_28: Step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_41: Adopted profile to handle PACE-CAM.
ISO7816_P_42: Adopted profile to handle PACE-CAM.
ISO7816_P_43: Adopted profile, step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_44: Adopted profile, Step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_45: Adopted profile, step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_46: Adopted profile, step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_49: Adopted profile to handle PACE-CAM.
ISO7816_P_50: Adopted profile to handle PACE-CAM.
ISO7816_P_68: Adopted purpose.
ISO7816_P_73: Step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_P_74: Step 5 return new data object 0x8A used in PACE-CAM.
ISO7816_R_05: Correction in referenced RFC.
ISO7816_R_06: Correction in referenced RFC.
New test cases in layer 7
LDS_E_09: Test that EF.DG14 contains at least one valid set of SecurityInfos for Chip Authentication. A chip supporting PACE-CAM must also support CA.
LDS_I_05: Verify that EF.CardAccess contains at least one valid PACEInfo for PACE-GM or PACE-IM as an additional mapping procedure if PACE-CAM is supported.
LDS_K_01: Test the ASN.1 encoding of the SecurityInfos.
LDS_K_02: Verify the ASN.1 encoding of the ChipAuthenticationPublicKey.
LDS_K_03: Test the coherency between the EF.CardSecurity and EF.CardAccess.
LDS_K_04: Verify that the parameterID also denotes the ID of the Chip Authentication key used, i.e. the chip MUST provide a ChipAuthenticationPublicKeyInfo with keyID equal to parameterID.
Modified test cases in layer 7
LDS_I_02: Added OIDs for PACE-CAM and new step 3 (to check that a valid OID is present for each declared configuration).
LDS_I_03: Added OID for PACE-CAM.
LDS_J_04: Correction in referenced RFC.
Previous ideas to migrate this test specification to an ISO document are canceled due to political reasons. Part 3 (eMRTD) and Part 4 (inspection systems) will be ICAO documents furthermore whereas Part 1 (durability of ePassports) and Part 2 (contactless interface) are still migrated to ISO documents (ISO 18745-1 and ISO 18745-2).