Security Mechanisms for Electronic Documents

• Abbreviations
• Logical Data Structure of RFID chips
• Access Keys to Protected Data
• Data Security Mechanisms
  • Passive Authentication
  • Active Authentication
  • Access Control
• Advanced Security Mechanisms
  • Password Authenticated Connection Establishment
  • Chip Authentication
  • Terminal Authentication
• Procedures of Document Authentication
  • Standard Inspection Procedure
  • Advanced Inspection Procedure
  • General Inspection Procedure
• Master Lists
• References

Abbreviations

AA - Active Authentication—a procedure of additional verification of document authenticity (compliance of the read SO with the original chip).

BAC/BAP - Basic Access Control/Protection—data access control security mechanism.

CA - Chip Authentication—a stage of an advanced security mechanism of data access control (EAC).

CAN - Card Access Number—a short password printed on the document; it is used as a key to control access to protected data.

EAC/EAP - Extended Access Control/Protection—advanced security mechanism of data access control.

MRZ—document Machine Readable Zone used as a key to control access to protected data.

OCR—Optical Character Recognition.

PA - Passive Authentication—a security mechanism of RFID-chip data integrity verification.

PACE - Password Authenticated Connection Establishment—data access control security mechanism.

RFID—Radio Frequency Identification.

RFID chip—Radio Frequency Identification chip.

SM - Security Messaging—a mechanism of protected data exchanging.

SO - Security Object—an object of electronic document data protection.

TA - Terminal Authentication—a stage of an advanced security mechanism of data access control (EAC).

SOD - Document Security Object.

LDS - Logical Data Structure.

eMRTD - Electronic machine readable travel documents.

MRTD - Machine readable travel documents.

eDL - Electronic driver's license.

EF. - Elementary files.

eSign - Electronic signature.

AT – Authentication Terminal (terminal type).

IS - Inspection System (terminal type).

ST – Signature Terminal (terminal type).

Logical Data Structure of RFID chips

From a software standpoint, the data contained in the memory of the RFID chip are organized in a form of separate files. Each file has its own unique identifier that is used to provide access to the file. The logical designation of files (of their contained data) is defined by the application, which includes the file. Each application also has a unique identifier that is used to select the application. A separate application can provide a range of informational and (or) functional capabilities.

The file that is not included in any of the applications is considered to belong to the root Master File.

Access Keys to Protected Data

To establish a secure communication channel between the reader and the RFID chip when implementing the SM mechanism several types of keys (passwords) can be used. Each of them can be used by the terminal of a certain type.

The set of functional and informational capabilities ensured by the chip also depends on the type of the used password:

• MRZ—data access password is derived from MRZ printed on the document and available for OCR operation
• CAN—a short password, usually printed on the document, and available for OCR operation. It can be used to organize the SM communication channel using PACE as a basic mechanism only.

Data Security Mechanisms

To protect the data of electronic documents several basic security mechanisms are provided:

• passive authentication (PA);
• active authentication (AA);
• access control.

Passive Authentication

Passive Authentication (PA) proves that the contents of the SOD and the LDS are authentic and not changed.

Passive Authentication uses the mechanism of digital signature to confirm the authenticity of data that are stored in RFID-chip memory. It allows detecting the presence of any changes in signed data read from the RFID-chip memory but does not protect against their full copying (cloning of RFID-chip).

To use the digital signature mechanism requires a pair of cryptographic keys. The private key is used to compute the digital signature and is available only for the signer; the public key – to verify the signature value and is distributed as a certificate (a special data object, which is protected by the digital signature mechanism as well).

Thus, the procedure of passive authentication consists of two basic stages to control:

• the authenticity of document security object;
• integrity of document data informational groups.

To verify the authenticity of electronic documents with the help of the PA it is required to:

• read SOD data from the memory of RFID-chip;
• receive DS-certificate with a public key to verify a digital signature of SOD;
• receive CSCA-certificate (Country Signing Certificate Authority) with a public key to verify a digital signature of DS-certificate;
• verify the authenticity of the CSCA-certificate by verification of its digital signature (since it is self-signed, the signature verification may be performed using the public key contained in the certificate itself);
• verify the authenticity of the DS-certificate by verification of its digital signature;
• verify the authenticity of the SOD by verification of its digital signature;
• verify the authenticity of the read informational data groups by comparing the computed hash values and the corresponding values contained in the SOD.

Since Master Lists (ML) can be used as a storage for CSCA-certificates for SOD verification, a validation of the digital signature of the master list's security object (SOML) is a part of passive authentication. This digital signature is generated at the stage of master list issuance on the basis of its contents by the issuer (so called "Master List Signer", MLS).

To verify the authenticity of the master list it is required to:

• receive MLS-certificate with a public key to verify a digital signature of SOML;
• receive CSCA-certificate with a public key to verify a digital signature of MLS-certificate;
• verify the authenticity of the CSCA-certificate by verification of its digital signature (since it is self-signed, the signature verification may be performed using the public key contained in the certificate itself);
• verify the authenticity of the MLS-certificate by verification of its digital signature;
• verify the authenticity of the SOML by verification of its digital signature.

Search for a public key to verify a digital signature can be performed by one of two available criteria:

• a combination of the identifier of the source (organization), which has issued the respective certificate (Issuer), and the certificate serial number (serialNumber);
• identifier of the signature subject (the organization that performed document personalization) (subjectKeyIdentifier).

Access to the CSCA-, DS- and MLS- certificates must be provided within the context of the policy of providing the terminal functioning. As a rule, local or centralized certificate storage – Public Key Directory (PKD) – is used for these purposes. In most cases the DS-certificate is included directly in the data structure of SOD; MLS- and corresponding CSCA-certificate can be present in SOML data structure.

Active Authentication

Active Authentication (AA) uses a mechanism of "challenge – response" to determine the authenticity of RFID-chip.

A pair of cryptographic keys is required for its operation:

• the private key – is stored in protected memory of the RFID-chip and is inaccessible for reading;
• the public key – is stored in a special informational data group DG15 of ePassport application (for other applications AA is not provided).

In a process of active authentication, the terminal sends a randomly selected data fragment ("challenge") to the RFID-chip. The chip generates a digital signature of the data using the private key and returns its value ("response") to the terminal. The terminal verifies the validity of the digital signature using the public key, determining thereby the authenticity of the private key used by the chip, and hence the one of the chip itself.

Active Authentication prevents copying the SOD and proves that it has been read from the authentic contactless integrated circuit (IC) and proves that the contactless IC has not been substituted. Support for Active Authentication is indicated by the presence of DG15.

Access Control

RFID-chip protects the data from unauthorized access by the respective access control mechanisms.

The basis of any access control mechanism is the establishing of a secure communication channel between the reader and the chip (Security Messaging, SM). At the same time, the data to be sent are subject to preliminary encryption and subsequent decryption when received.

In addition to data protection, the access control mechanism allows restricting the use of one or another informational or functional chip capabilities by the terminal depending on the specified effective terminal type and delegated access rights.

The data, which are relatively easy to obtain from sources other than the document itself (for example, MRZ, photo, etc.), are protected by Basic Access Control/Protection (BAC/BAP).

BAC/BAP only checks that the terminal has physical access to the document by requiring the printed data (MRZ, barcodes, text fields) to be read optically.

More sensitive personal data (fingerprints, iris) are additionally protected by the extended access control mechanism (Extended Access Control/Protection, EAC/EAP). Their use is permitted only to authorized terminals, which confirmed their right by successful TA procedure. Extended Access Control (EAC) prevents unauthorized access to additional biometrics and prevents skimming of additional biometrics.

Advanced Security Mechanisms

There are several variants of advanced security mechanisms for electronic document data protection, that are an alternative or supplement of the basic mechanisms:

• Password Authenticated Connection Establishment (PACE);
• Chip Authentication (CA);
• Terminal Authentication (TA).

If PACE and CA may be used as independent protocols for replacement of BAC and AA respectively, then TA may be used only in combination with CA.

Password Authenticated Connection Establishment

Password Authenticated Connection Establishment (PACE) prevents skimming and misuse and prevents eavesdropping on the communications between eMRTD and the inspection system (when used to set up encrypted session channel). Support is indicated by the presence of a corresponding PACEInfo structure in CardAccess. If PACE is supported by the MRTD and the inspection system, PACE is used. PACE offers better protection against eavesdropping than BAC.

Chip Authentication

Chip Authentication procedure is one of the components of EAC/EAP. Like BAC/BAP and PACE, it serves to organize a secure communication channel, which is more reliable compared to the basic procedures. In addition, CA is an alternative to AA, as it confirms the chip authenticity as well.

CA is based on the use of a static pair of cryptographic keys, which are stored in chip memory.

Support of Chip Authentication is indicated by the presence of corresponding SecurityInfos in DG14.

Successful CA procedure ensures that the public key and the private key stored in the protected chip memory comply with each other. And this in turn confirms that the chip has not been cloned.

Terminal Authentication

Sensitive data on the electronic passport are that kind of data which are not printed on it; all data on the electronic ID card is treated as sensitive.

Sensitive data can only be read when the protocol "Terminal Authentication" (TA) was successfully executed on the reader.

The RFID chip of the ID card is designed so that it allows certain data to be read only when the reader can prove an explicit read permission for exactly these data (e.g. only the date of birth). In order to allow the RFID chip to verify this permission, the CVCA certificate (Country Verifier Certification Authority certificate) is stored on it. This certificate is the root of the CV PKI (Country Verifier Public Key Infrastructure), a hierarchy for the authorization certificates for the reading of sensitive data on ID documents.

During "Terminal Authentication", the reader transmits its access permission to the RFID chip in the form of a terminal certificate (reading device certificate). In addition, the reader also transmits the CVCA certificate and all certificates that are between these two certificates in the certificate hierarchy. This way the RFID chip can verify the authenticity and integrity of the terminal certificate. For a positive result, all of the certificates which follow in the hierarchy have to be signed with the secret key of their predecessor, starting with the CVCA certificate. This is trustworthy for the RFID chip, since the key is additionally saved on the RFID chip during production.

If the authenticity and integrity of the terminal certificate sent by the reader has been proved, then the RFID chip yet has to ensure that this certificate has really been issued for this reader. Therefore, the RFID chip sends a random number to the reader, which the device signs with the secret key that corresponds to the terminal certificate. Then the reader sends the signed random number back to the RFID chip. With the public key of the reader, which is included in the terminal certificate, the RFID chip can verify the signature of the random number and thus determine if the reader possesses the right certificate private key.

Terminal authentication is a part of the EAC protocol.

Procedures of Document Authentication

The procedure of document authentication allows:

• performing the effective terminal authorization, by determining the effective type of terminal and its corresponding available set of functionalities for organization of data exchange with the RFID-chip;
• on the basis of the data from the RFID-chip to verify the authenticity of the document;
• using the provided functionality for additional verifications (reference intervals, auxiliary data verification) or service operations (password management, digital signature generation, etc.).

Standard Inspection Procedure

This procedure of document authentication (Standard Inspection Procedure) is used to confirm the effective type of inspection system (IS) terminal.

It provides access to all data groups of ePassport and eDL applications, except the sensitive biometric data of fingerprints and iris.

The order for carrying out this procedure is the following:

1. for ePassport application, by the presence of EF.CardAccess and its contents the support of PACE by the RFID-chip as a basic mechanism of SM is determined. In case of such support the secure data access channel is initialized;
2. the application is selected;
3. in case if PACE is not supported, the secure data access channel with BAC/BAP as a basic mechanism is initialized during this step;
4. the first PA phase is performed: EF.SOD is read, verification of its digital signature is performed.

In case of a successful step 4, further reading of informational data groups with their integrity verification as part of PA is possible.

Advanced Inspection Procedure

This procedure of document authentication (Advanced Inspection Procedure) is used to confirm the effective type of IS (inspection system) terminal.

It provides access to all data groups of ePassport and eDL applications, including the sensitive biometric data of fingerprints and iris.

The order for carrying out this procedure is the following:

1. for ePassport application, by the presence of EF.CardAccess and its contents the support of PACE by the RFID-chip as a basic mechanism of SM is determined. In case of such support the secure data access channel is initialized;
2. the application is selected;
3. in case if PACE is not supported, the secure data access channel with BAC/BAP as a basic mechanism is initialized during this step;
4. CA procedure is performed that opens a new SM communication channel;
5. the first PA phase is performed: EF.SOD is read, verification of its digital signature is performed;
6. TA procedure is performed that opens access to informational groups of sensitive biometric data

In case of a successful step 5, further reading of informational data groups with their integrity verification as part of PA is possible.

In case of a successful step 6, further reading of information data groups of sensitive biometric data with their integrity verification as part of PA is possible.

General Inspection Procedure

This procedure of document authentication (General Authentication Procedure) is used to confirm the effective type of any terminal (depending on the information given by the terminal during the step of procedure initialization).

It provides access to:

• all data groups of ePassport, eDL and eID applications for IS terminal;
• reading (and if provided – updating) of all data groups of the eID application for the AT terminal;
• functions of initialization of the eSign application (creating of eSign-PIN and of a new pair of cryptographic keys for digital signature generation) for AT terminal;
• functions of the eSign application of generating data digital signature for ST terminal;
• functions of password management for all types of terminal (depending on the used password when initializing the SM communication channel).

The general authentication procedure means exclusive use of PACE as a basic SM mechanism and is available only for RFID-chips that support EAC.

The order for carrying out this procedure is the following:

1. by the presence of EF.CardAccess and its contents the support of PACE by the RFID-chip as a basic mechanism of SM is determined. In case of such support, the secure data access channel is initialized. Otherwise, the procedure is unavailable.
2. TA procedure is performed.
3. The first PA phase is performed: EF.CardSecurity and EF.ChipSecurity (if necessary) are read, verification of their digital signature is performed.
4. CA procedure is performed, which opens a new SM communication channel.

In case of a successful step 4, further selection of required applications to read informational data groups with their integrity verification as part of PA procedure, as well as using of various functionality of the electronic document is possible.

Master Lists

A Master List is a list of CSCA certificates that has itself been produced and digitally signed by an issuing State. In simple terms, a PKD participant may bilaterally exchange CSCA certificates with a number of other States, authenticate the certificates, then assemble a list and sign it with its national Master List signing certificate. This list containing all the CSCAs that the State trusts is called a Master List and can be uploaded to the ICAO PKD. This Master List can then be downloaded from the ICAO PKD by others who trust the country that has issued the Master List and wish to obtain those CSCA certificates.

The publication of a Master List enables other receiving States to obtain a set of CSCA certificates from a single source (the Master List issuer) rather than undertake direct bilateral exchange with each of the Issuing Authorities or organizations represented on that list.

Source: https://www.icao.int/Security/FAL/PKD/BVRT/Pages/Master-List.aspx

Where can a Master List be downloaded?

ICAO:

• https://download.pkd.icao.int
• https://www.icao.int/Security/FAL/PKD/Pages/ICAO-Master-List.aspx

BSI:

• https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/ElekAusweise/CSCA/GermanMasterList.html

References

1. Radio Frequency Identification Chip Reader. Programmers' Guide
2. Doc 9303, Machine Readable Travel Documents. Part 10 — Logical Data Structure (LDS) for Storage of Biometrics and Other Data in the Contactless Integrated Circuit (IC)
3. Doc 9303, Machine Readable Travel Documents. Part 11 — Security Mechanisms for MRTDs
4. BSI. Elec­tron­ic ID doc­u­ments
5. BSI. Security mechanisms in electronic ID documents
6. The ICAO Master List

Next Steps

• Mobile
• Web Service
• Web Components
• Desktop