Supplemental Access Control (SAC) is a set of security protocols published by ICAO to protect personal data stored in electronic travel documents like ePassports and ID cards. One protocol of SAC is the well known Password Authenticated Connection Establishment (PACE) protocol, which supplements and enhances Basic Access Control (BAC). PACE was developed originally by the German Federal Office for Information Security (BSI) to provide a cryptographic protocol for the German ID card (Personalausweis).
Currently PACE supports three different kinds of mapping as part of the security protocol execution:
- Generic Mapping (GM) based on a Diffie-Hellman Key Agreement,
- Integrated Mapping (IM) based on a direct mapping of a field element to the cryptographic group,
- Chip Authentication Mapping (CAM) extends Generic Mapping and integrates Chip Authentication.
Since Version 1.1 of ICAO technical report TR – Supplemental Access Control for MRTDs there is a specification of a third mapping procedure for PACE, the Chip Authentication Mapping (CAM), which extends established Generic Mapping. This third mapping protocol combines PACE and Chip Authentication into only one protocol PACE-CAM. On this way it is possible to perform Chip Authentication Mapping faster than both separate protocols.
The chip indicates the support of Chip Authentication Mapping by the presence of a corresponding PACEInfo structure in the file EF.CardAccess. The Object Identifier (OID) defines the cryptographic parameters that must be used during the mapping. CAM supports AES with key length of 128, 192 and 256. But in contrast to GM and IM there is no support of 3DES (for security reasons) and only support of ECDH.
The mapping phase of the CAM itself is 100% identical to the mapping phase of GM. The ephemeral public keys are encoded as elliptic curve points.
To perform PACE a chain of GENERAL AUTHENTICATE commands is used. For CAM there is a deviation in step 4 when Mutual Authentication is performed. In this step the terminal sends the authentication token of the terminal (tag 0x85) and expects the authentication token of the chip (tag 0x86). Additionally, in CAM the chip sends also encrypted chip authentication data with tag 0x8A to the terminal.
If GENERAL AUTHENTICATION procedure was performed successfully, the terminal must perform the following two steps to authenticate the chip:
- Read and verify EF.CardSecurity,
- Use the public key of EF.CardSecurity in combination with the mapping data and the encrypted chip authentication data received during CAM to authenticate the chip.
It is necessary to perform Passive Authentication in combination with Chip Authentication Mapping to consider that the chip is genuine.
The benefit of Chip Authentication Mapping is the combination of PACE and Chip Authentication. The combination of both protocols saves time and allows a faster performance than the execution of both protocol separately.
You can find interesting information concerning CAM in the patent of Dr. Dennis Kügler and Dr. Jens Bender in the corresponding document of the German Patent and Trademark Office.
Pingback: Update of ICAO Doc 9303 Edition - protocolbench
Currently we implementing PACE-CAM, but I found out some issue about the modular inversion, is it required to do modular inversion for the Chip Key.
Pingback: Update of BSI TR-03105 Part 5.1 available (V1.4) - protocolbench
Pingback: First results of eMRTD Interoperability Test 2016 - protocolbench
Pingback: Update of RF and Protocol Testing Part 3 V2.10 online - protocolbench
Pingback: Update of RF and Protocol Testing Part 4 V2.10 online - protocolbench
Pingback: Apple adds NFC support to iOS 11 - protocolbench
Pingback: Call for Participation: Interoperability Test 2017 in Ispra - protocolbench