IC Access

The BACHandler class acts as a handler for Basic Access Control (BAC), which allows access to the contactless Integrated Circuit (IC) of an eMRTD by implementing a Chip Access Control mechanism.

BAC is a cryptographic protocol that enables the inspection system to prove its authorization to access the contactless IC using information derived from the physical document, such as the Machine Readable Zone (MRZ) information.

The BAC mechanism is purely based on symmetric cryptography and provides protection against skimming, misuse and eavesdropping during communication between the eMRTD and the inspection system.

Protocol Specification

Authentication and Key Establishment is provided by a three-pass challenge-response protocol according to ISO/IEC 11770-2 Key Establishment Mechanism 6 using 3DES [FIPS 46-3] as block cipher. A cryptographic checksum according to ISO/IEC 9797-1 MAC Algorithm 3 is calculated over and appended to the ciphertexts. Exchanged nonces MUST be of size 8 bytes, exchanged keying material MUST be of size 16 bytes. The IFD (i.e. the inspection system) and the contactless IC MUST NOT use distinguishing identifiers as nonces.

Cryptographic Specifications

• Encryption of Challenge and Response: Two-key 3DES in CBC mode with zero IV is used for computation of EIFD and EIC. Padding for the input data must not be used when performing the EXTERNAL AUTHENTICATE command.

• Authentication of Challenge and Response: Cryptographic checksums MIFD and MIC are calculated using ISO/IEC 9797-1 MAC Algorithm 3 with block cipher DES and zero IV, following ISO/IEC 9797-1 padding method 2. The MAC length is 8 bytes.

See more

internal final class BACHandler

The DocumentBasicAccessKeys class represents the Document Basic Access Keys derived from the Machine Readable Zone (MRZ) key.

These keys are used for encryption (Kenc) and message authentication (Kmac) in Basic Access Control (BAC). The MRZ key is hashed using SHA-1, and the key seed is generated from the hash. The final keys Kenc and Kmac are derived using a key derivation mechanism with the key seed.

See more

internal final class DocumentBasicAccessKeys

PACEHndler is responsible for performing PACE access control protocol to allow the access to the IC.

PACE is a password authenticated Diffie-Hellman key agreement protocol that provides secure communication and password-based authentication of the eMRTD chip and the inspection system, i.e. eMRTD chip and inspection system share the same password.

See more

internal final class PACEHandler

The PACEInfo class represents security information related to the Password Authenticated Connection Establishment (PACE) protocol used for access the IC and secure communication with an eMRTD chip.

PACE is used to protect sensitive data exchanges in electronic passports. This class provides details about the specific PACE protocol used, including version and domain parameters.

The ASN.1 data structure PACEInfo is defined as follows:

 PACEInfo ::= SEQUENCE {
    protocol OBJECT IDENTIFIER(
        id-PACE-DH-GM-3DES-CBC-CBC |
        id-PACE-DH-GM-AES-CBC-CMAC-128 |
        id-PACE-DH-GM-AES-CBC-CMAC-192 |
        id-PACE-DH-GM-AES-CBC-CMAC-256 |
        id-PACE-ECDH-GM-3DES-CBC-CBC |
        id-PACE-ECDH-GM-AES-CBC-CMAC-128 |
        id-PACE-ECDH-GM-AES-CBC-CMAC-192 |
        id-PACE-ECDH-GM-AES-CBC-CMAC-256 |
        id-PACE-DH-IM-3DES-CBC-CBC |
        id-PACE-DH-IM-AES-CBC-CMAC-128 |
        id-PACE-DH-IM-AES-CBC-CMAC-192 |
        id-PACE-DH-IM-AES-CBC-CMAC-256 |
        id-PACE-ECDH-IM-3DES-CBC-CBC |
        id-PACE-ECDH-IM-AES-CBC-CMAC-128 |
        id-PACE-ECDH-IM-AES-CBC-CMAC-192 |
        id-PACE-ECDH-IM-AES-CBC-CMAC-256 |
        id-PACE-ECDH-CAM-AES-CBC-CMAC-128 |
        id-PACE-ECDH-CAM-AES-CBC-CMAC-192 |
        id-PACE-ECDH-CAM-AES-CBC-CMAC-256),
    version INTEGER, -- MUST be 2,
    parameterId INTEGER OPTIONAL
 }

This data structure provides detailed information on an implementation of PACE and its components represent:

• protocol: An object identifier that identifies the algorithms to be used (i.e. key agreement, symmetric cipher and MAC).

• version: An integer that identifies the version of the protocol. Currently, only version 2 is supported by this specification.

• parameterId: An integer that is used to indicate the domain parameter identifier (optional).

See more

internal final class PACEInfo : SecurityInfo

PACEMapping manages the possible algorithm-specific mapping functions used during the PACE security protocol for accessing the contactless IC.

In PACE, a nonce s is encrypted using a chosen block cipher E() and a derived key Kπ. This nonce is then mapped to a random generator using an algorithm-specific mapping function Map.

PACE supports three mapping functions:

1. Generic Mapping (GM): This mapping uses either DH or ECDH. The function Map:g → ĝ is defined differently for DH and ECDH:

   • Using DH: ĝ = g^s * h, where h is calculated by anonymous Diffie-Hellman Key Agreement.
   • Using ECDH: Ĝ = s × G + H, where H is calculated by anonymous EC Diffie-Hellman Key Agreement.

2. Integrated Mapping (IM): IM uses either DH or ECDH. It utilizes a pseudo-random function Rp(s,t) and a function f_g(x) to map nonces to group elements.

3. Chip Authentication Mapping (CAM): The mapping phase of PACE-CAM is identical to PACE-GM.

See more

internal enum PACEMapping

The PACEParametersDecoder class is responsible for decoding StandardizedDomainParameters used during PACE based on their identifiers.

See more

internal final class PACEParametersDecoder

The PACESecurityProtocol enum represents various security protocols used in PACE for electronic Machine Readable Travel Documents (eMRTD).

These protocols are identified by a unique ObjectIdentifier (OID) and specific EncryptionAlgorithm, KeyAgreementAlgorithm and PACEMapping function.

See more

internal enum PACESecurityProtocol : UInt8, SecurityProtocol