The European Commission (EC) and the International Civil Aviation Organization (ICAO) organized a SAC interoperability test in Madrid at the end of June 2014. The objective of this interoperability test was to ensure that European countries are ready to launch Supplemental Access Control (SAC), respectively PACEv2, at the end of this year. The following countries participated in the test (in alphabetical order):
- Bosnia Herzegovina
- Czech Republic
The SAC interoperability test was also open for industry. The following vendors participated with their ePassport solutions (in alphabetical order):
- De La Rue
- Giesecke & Devrient
- Safran Morpho
Every participant had the chance to submit up to two different sets of ePassports with different implementations. Altogether there were 52 samples available during the test session. All ePassports were tested in two different test procedures: Crossover Test and Conformity Test. This post focuses on the Conformity Test, because protocols are in the foreground in this kind of test. Three test labs (Keolabs, TÜViT + HJP Consulting and UL) took part in the interoperability test with their test tools to perform a subset of “ICAO TR RF Protocol and Application Test Standard for e-Passports, Part 3”. The subset includes the following test suites:
- ISO7816_O: Security conditions for PACE protected eMRTDs
- ISO7816_P: Password Authenticated Connection Establishment (PACEv2)
- ISO7816_Q: Command READ and SELECT for file EF.CardAccess
- LDS_E: Matching between EF.DG14 and EF.CardAccess
- LDS_I: Structure of EF.CardAccess
During the conformity test, all three test labs performed 21.282 test cases altogether. Nearly 3% of these test cases failed during the conformity test.
The following diagram shows the results of the conformity test as part of the SAC interoperability test. There were five samples with zero failure, seven samples with 1 failure, twenty-seven samples with 2, 3 or 4 failures, five samples with 5 up to 20 failures and eight samples with more than twenty failures:
The following diagram shows the failures per sample:
All documents supported either Integrated Mapping (IM), Generic Mapping (GM) or both. The following diagram shows the distribution of the mapping protocols:
Within a mapping protocol, either ECDH, DH or both can be chosen. The samples of the SAC interoperability test mostly supported ECDH, as shown in the following diagram:
The observations of the conformity test (part of SAC interoperability test) are:
- the document quality varies from “close to release state” to “experimental state”
- there are different interpretations of padding in EF.CardAccess and EF.DG14, encoding of TerminalAuthenticationInfo in EF.DG14, the use of DO84 in PACE and the use of parameter ID when proprietary or standardized domain parameters are used
- certificates for EAC protocol (e.g. test case 7816_O_41) were missing or not usable
- the test labs used different versions of the test specification (Version 2.01 vs. Version 2.06)
Update 1: You can find a discussion concerning the test results on LinkedIn here.
Update 2: You can find the slides of the presentation we held at the end of the SAC Interoperability Test here.
I like your summary very much and enjoyed reading the results. I am curious to see how the stakeholder will address the observations.