Extended Access Control
title: "Extended Access Control" type: doc version: 1 created: 2026-02-28 author: "Wikipedia contributors" status: active scope: public tags: ["international-travel-documents", "passports", "biometrics", "data-security", "information-sensitivity"] topic_path: "sports" source: "https://en.wikipedia.org/wiki/Extended_Access_Control" license: "CC BY-SA 4.0" wikipedia_page_id: 0 wikipedia_revision_id: 0
Extended Access Control (EAC) is a set of advanced security features for electronic passports that protects and restricts access to sensitive personal data stored on the RFID chip. Common personal data (the bearer's photograph, name, date of birth, and so on) can be protected by basic mechanisms, but more sensitive data (such as fingerprints or iris images) must be protected further to prevent unauthorized access and skimming. A chip protected by EAC allows this sensitive data to be read, over an encrypted channel, only by an authorized passport inspection system (G. S. Kc and P. A. Karger, "Security and privacy issues in machine readable travel documents (MRTDs)", IBM Research Report RC 23575 (W0504-003), 1 April 2005, http://domino.watson.ibm.com/library/CyberDig.nsf/papers/751B6341BFB9015485256FDB005DB216/$File/RC23575.pdf; Javier López, Pierangela Samarati and Josep L. Ferrer (eds.), "Public key infrastructure: 4th European PKI Workshop: theory and practice, EuroPKI 2007", Springer, 2007, ISBN 978-3-540-73407-9, p. 41, https://books.google.com/books?id=cNanimitjLwC&pg=PA41).
EAC was introduced by ICAO (ICAO Doc 9303, Machine Readable Travel Documents, Part 1: Machine Readable Passports, Volume 2: Specifications for Electronically Enabled Passports with Biometric Identification Capability, sixth edition, 2006, section 5.8 "Security for additional biometrics", p. 84, http://www.icao.int/Security/mrtd/Pages/Document9303.aspx).
There are several proposed implementations of the mechanism, all of which must remain backward-compatible with the legacy Basic Access Control (BAC), which is mandatory in all EU countries. The European Commission stated that the technology would be used to protect fingerprints in member states' e-passports. The deadline for member states to start issuing fingerprint-enabled e-passports was 28 June 2009. The specification selected for EU e-passports was prepared by the German Federal Office for Information Security (BSI) in its technical report TR-03110 (BSI, "Advanced Security Mechanisms for Machine Readable Travel Documents – Extended Access Control (EAC)", PDF, https://www.bsi.bund.de/cae/servlet/contentblob/532066/publicationFile/44792/TR-03110_v202_pdf, accessed 2009-11-26). Several other countries implement their own EAC.
EAC as defined by the EU
EAC as defined by the EU has two requirements: chip authentication and terminal authentication.
Chip authentication (for strong session encryption)
The chip authentication specification defines a handheld device (CAP reader) with a smart card slot, a decimal keypad, and a display capable of displaying at least 12 characters. Chip authentication (CA) has two functions:
- To authenticate the chip and prove that it is genuine. Only a genuine chip can carry out the secured communication.
- To establish a strongly secured communication channel, using a chip-specific key pair with strong encryption and integrity protection. Chip authentication is an add-on to Basic Access Control (BAC) that protects against skimming and eavesdropping.
Terminal authentication (access restricted to authorized terminals)
Terminal authentication (TA) is used to determine whether the inspection system (IS) is allowed to read sensitive data from the e-passport. The mechanism is based on digital certificates in the card verifiable certificate format.
- Each inspection system is granted a card verifiable certificate (CVC) from a document verifier (DV). The inspection system's certificate is valid only for a short time period, typically between 1 day and 1 month.
- An inspection system may have several CVCs installed at any time, one for each country that allows it to read sensitive data.
- The CVC allows the inspection system to request one or more items of sensitive data, such as data for iris or fingerprint recognition (Dennis Kügler, "Extended Access Control: Infrastructure and Protocol", http://parallels.googlecode.com/svn/trunk/msifakis/WIRELESS/Kuegler_-_Extended_Access_Control.pdf, accessed 2016-05-03).
A document verifier certificate is granted by the country verifying certificate authority (CVCA). These certificates can be issued to domestic or foreign document verifiers, and they are typically valid for a medium period, between half a month and 3 months. Each country generates its own CVCA, whose certificate is typically valid for 6 months to 3 years.
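The CVCA → DV → IS chain and the validity and access-rights checks described above, as an added example that is not from the article or from TR-03110. It is a constructed toy model: the certificate layout, the rights flags and the HMAC-SHA256 "signature" standing in for the real asymmetric signature are all assumptions; the chain, date and rights checks are the part worth studying.

```python
import hashlib, hmac
from dataclasses import dataclass
from datetime import date

# Rights a CV certificate can grant (constructed flags; TR-03110 encodes them differently)
READ_FINGERPRINT = 0b01
READ_IRIS = 0b10

@dataclass
class CVCert:
    holder: str
    issuer: str
    rights: int
    valid_from: date
    valid_until: date
    signature: bytes = b""
    def tbs(self) -> bytes:  # fields covered by the signature (constructed layout)
        return f"{self.holder}|{self.issuer}|{self.rights}|{self.valid_from}|{self.valid_until}".encode()

def sign(cert: CVCert, issuer_key: bytes) -> CVCert:
    # HMAC-SHA256 stands in for the issuer's asymmetric signature in this toy model
    cert.signature = hmac.new(issuer_key, cert.tbs(), hashlib.sha256).digest()
    return cert

def verify_chain(chain, keys, anchor: str, today: date, requested: int) -> bool:
    """chain = [CVCA, DV, IS]; keys maps an issuer name to its verification key."""
    if not chain or chain[0].holder != anchor or chain[0].issuer != anchor:
        return False                      # chain must start at the chip's trusted CVCA
    parent = None
    for cert in chain:
        if parent is not None and cert.issuer != parent.holder:
            return False                  # broken linkage
        expected = hmac.new(keys[cert.issuer], cert.tbs(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cert.signature):
            return False                  # forged or altered certificate
        if not cert.valid_from <= today <= cert.valid_until:
            return False                  # expired or not yet valid
        if parent is not None and cert.rights & ~parent.rights:
            return False                  # cannot grant rights the issuer lacks
        parent = cert
    return (requested & ~chain[-1].rights) == 0   # IS may only read what its CVC grants

def demo(day: int = 5, requested: int = READ_FINGERPRINT) -> bool:
    # Constructed chain: CVCA (1 year) -> domestic DV (2 months) -> inspection system (1 week)
    keys = {"CVCA-DE": b"cvca-key", "DV-DE-1": b"dv-key"}
    both = READ_FINGERPRINT | READ_IRIS
    cvca = sign(CVCert("CVCA-DE", "CVCA-DE", both, date(2026, 1, 1), date(2027, 1, 1)), keys["CVCA-DE"])
    dv = sign(CVCert("DV-DE-1", "CVCA-DE", both, date(2026, 2, 1), date(2026, 4, 1)), keys["CVCA-DE"])
    is_ = sign(CVCert("IS-DE-1", "DV-DE-1", READ_FINGERPRINT, date(2026, 3, 1), date(2026, 3, 8)), keys["DV-DE-1"])
    return verify_chain([cvca, dv, is_], keys, "CVCA-DE", date(2026, 3, day), requested)
```

`demo()` returns True for a fingerprint read inside the one-week IS validity window; a request for iris data, or the same request after the IS certificate expires, is refused even though the CVCA and DV certificates are still valid.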
References
- "Temporal Secure Digital Identity". ePassport Extended Access Control.
- Kügler, Dennis (1 June 2006). "Extended Access Control: Infrastructure and Protocol".
::callout[type=info title="Wikipedia Source"] This article was imported from Wikipedia and is available under the Creative Commons Attribution-ShareAlike 4.0 License. Content has been adapted to SurfDoc format. Original contributors can be found on the article history page. ::