ePassport Security: A Deep Dive into BAC, PACE, and SAC
ePassports leverage advanced cryptographic protocols like Basic Access Control (BAC), Password Authenticated Connection Establishment (PACE), and Supplemental Access Control (SAC) to secure sensitive biometric data.

Advanced Cryptography in ePassports
ePassports utilize sophisticated security protocols such as Basic Access Control (BAC), Password Authenticated Connection Establishment (PACE), and Supplemental Access Control (SAC) to protect the data stored on their embedded chips. These protocols are fundamental to preventing unauthorized access and data manipulation.
The Role of Access Control Mechanisms
BAC, PACE, and SAC each provide distinct layers of security, controlling how and when the ePassport chip's data can be accessed. BAC relies on the Machine Readable Zone (MRZ) for initial authentication, while PACE and SAC offer stronger, more modern cryptographic protections against eavesdropping and cloning.
Importance of Cryptographic Validation
Verifying the cryptographic signatures and integrity of ePassport data directly from government issuers is paramount. This ensures that the document is authentic and has not been tampered with, providing the highest level of assurance in identity verification.
Didit's NFC Verification for Enhanced Security
Didit's NFC Verification technology leverages these ePassport security features to deliver the highest level of ID verification. By reading the secure chip and performing cryptographic validation, Didit ensures tamper-proof checks and extracts comprehensive data, making it a leader in secure identity solutions.
Understanding ePassport Security: The Foundation
ePassports, or electronic passports, are critical tools in modern border control and identity verification, designed to be highly secure and resistant to fraud. Unlike traditional passports, ePassports contain a contactless microchip that stores biometric and biographical data, mirroring the information printed on the data page. The integrity and confidentiality of this data are protected by a series of sophisticated cryptographic protocols, primarily Basic Access Control (BAC), Password Authenticated Connection Establishment (PACE), and Supplemental Access Control (SAC).
These protocols are not merely technical jargon; they are the bedrock upon which the trust in digital identity is built. They dictate how a passport reader (e.g., at an airport or a financial institution performing KYC) can access the chip's contents, ensuring that only authorized entities can retrieve and verify the sensitive information. Without these mechanisms, the ePassport would be vulnerable to cloning, data alteration, and unauthorized access, undermining its purpose as a secure travel document.
The evolution from BAC to PACE and SAC reflects a continuous effort to enhance security against increasingly sophisticated threats. Each protocol addresses specific vulnerabilities and introduces stronger cryptographic primitives, making ePassports progressively harder to compromise. For any organization involved in identity verification, understanding these layers of protection is not just beneficial but essential for implementing robust and compliant verification processes.
Basic Access Control (BAC): The First Line of Defense
Basic Access Control (BAC) was the initial security mechanism introduced for ePassports. Its primary function is to establish a secure, encrypted communication channel between the ePassport chip and the reader. This prevents unauthorized eavesdropping and skimming of the chip's data during transmission. The key to initiating a BAC session is derived from the Machine Readable Zone (MRZ) data printed on the passport's identity page. Specifically, the document number, date of birth, and date of expiry are used to generate a session key.
While BAC was a significant step forward, it has known limitations. Its security rests entirely on the secrecy of the MRZ data: anyone who can read the MRZ (for example, by simply looking at the passport's data page) can potentially initiate a BAC session. This weakness, which leaves BAC open to passive attacks, means BAC alone isn't sufficient for the highest security applications. However, it still provides a crucial layer of protection by encrypting the communication channel and preventing casual access to the chip's contents.
For systems like Didit's ID Verification, which relies on accurate OCR of the MRZ, BAC plays a foundational role in the initial secure handshake with the ePassport chip. Even with its limitations, BAC remains a part of the ePassport security architecture, often serving as a fallback or an initial step before more advanced protocols are engaged.
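The key derivation described above, as an added example that is not part of the original article or Didit's code: it follows the BAC procedure of ICAO Doc 9303 Part 11 (check digits, MRZ_information, SHA-1 seed, 3DES key derivation with DES parity adjustment) and uses the standard's own worked-example MRZ values, not a real passport. Reading it also makes the entropy caveat concrete: every input to the seed is printed on the data page.

```python
import hashlib

# Added example (ICAO 9303 Part 11 BAC key derivation); the MRZ values below
# are the standard's published test vector, not a real document.

def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating, digit sum mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10   # A=10 ... Z=35
        elif ch == "<":
            value = 0                         # filler character
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10

def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """MRZ_information = docno+cd || birthdate(YYMMDD)+cd || expiry(YYMMDD)+cd."""
    doc_number = doc_number.ljust(9, "<")     # document number is padded to 9 chars
    return "".join(f"{f}{mrz_check_digit(f)}"
                   for f in (doc_number, birth_date, expiry_date))

def bac_seed(mrz_info: str) -> bytes:
    """K_seed: first 16 bytes of SHA-1(MRZ_information). Note that every
    input byte is printed on the data page, so K_seed has no secret entropy
    beyond what an observer of the MRZ lacks."""
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

def adjust_des_parity(key: bytes) -> bytes:
    """Set the LSB of each byte so that the byte has odd parity (DES key format)."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)

def derive_bac_keys(mrz_info: str) -> tuple[bytes, bytes]:
    """Return (K_enc, K_mac): two-key 3DES keys derived as
    SHA-1(K_seed || counter)[:16] with counter 1 (enc) and 2 (mac)."""
    k_seed = bac_seed(mrz_info)
    keys = []
    for counter in (1, 2):
        h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        keys.append(adjust_des_parity(h[:16]))
    return keys[0], keys[1]

if __name__ == "__main__":
    info = mrz_information("L898902C<", "690806", "940623")
    k_enc, k_mac = derive_bac_keys(info)
    print(info, k_enc.hex().upper(), k_mac.hex().upper())
```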
Password Authenticated Connection Establishment (PACE) and Supplemental Access Control (SAC): Enhanced Security
Recognizing the limitations of BAC, newer generations of ePassports have adopted more robust protocols: Password Authenticated Connection Establishment (PACE) and Supplemental Access Control (SAC). PACE offers a significantly stronger cryptographic mechanism for establishing a secure channel. Instead of relying solely on the MRZ, PACE can use various authentication mechanisms, including a shared secret derived from the MRZ, a CAN (Card Access Number) printed on the document, or even a biometric template. This flexibility allows for stronger key derivation and mutual authentication between the chip and the reader, making it much more resistant to passive attacks and eavesdropping.
Supplemental Access Control (SAC) is a comprehensive framework that integrates PACE with other security features like Extended Access Control (EAC). SAC mandates the use of PACE for secure messaging and then layers on additional protections. It ensures that critical data, especially sensitive biometric information like fingerprints, can only be accessed by authorized readers holding the correct cryptographic certificates. This prevents unauthorized entities from reading or cloning the most sensitive data elements on the chip, even if they manage to initiate a PACE session.
The combination of PACE and SAC provides a formidable defense against advanced attacks, including sophisticated cloning attempts and data manipulation. They move beyond simply encrypting the communication to ensuring the authenticity of both the document and the reader, creating a highly trusted environment for data exchange. Didit's NFC Verification leverages these advanced protocols to perform cryptographic validation, ensuring that the data extracted is not only secure but also genuinely from the issuing authority.
The Data Elements Within the ePassport Chip
Beyond the security protocols, it's essential to understand what data elements are actually stored on the ePassport chip. These typically include:
- Biographical Data: Name, date of birth, nationality, passport number, issuing authority, and expiry date (mirroring the MRZ).
- Facial Image: A high-resolution digital image of the passport holder's face, usually in JPEG2000 format. This is critical for 1:1 Face Match and Liveness Detection during identity verification.
- Fingerprint Data (Optional): Some ePassports store fingerprint templates, providing an additional biometric identifier.
- Digital Signatures: Cryptographic signatures from the issuing state and the International Civil Aviation Organization (ICAO) to verify the authenticity and integrity of the chip's data. These signatures are crucial for detecting tampering.
The security implications of these data elements are profound. The facial image, for instance, is used in conjunction with Liveness Detection to confirm that the person presenting the document is its legitimate owner and not a deepfake or imposter. The digital signatures are the ultimate proof of authenticity, allowing a reader to cryptographically confirm that the data on the chip has not been altered since it was issued by the government.
When an identity verification solution like Didit's NFC Verification reads an ePassport chip, it doesn't just extract data; it performs a series of cryptographic checks to ensure that each data element is valid and untampered. This goes far beyond what can be achieved with mere OCR of the printed document, offering an unparalleled level of assurance in identity verification.
How Didit Helps
Didit provides an AI-native, developer-first identity platform that excels in leveraging the advanced security features of ePassports. Our NFC Verification product is specifically designed to interact with ePassport chips, providing the highest level of security available for ID Verification. By reading the secure chip embedded in modern passports and IDs using a mobile phone's NFC capabilities, Didit performs cryptographic validation directly from government issuers.
Our solution offers tamper-proof checks, detecting document manipulation invisible to the human eye. It extracts comprehensive data, including the facial image and biographical details, which are then used in conjunction with our 1:1 Face Match and Passive & Active Liveness detection to ensure the person presenting the document is the rightful owner. Didit's modular architecture allows businesses to easily integrate this high-security verification into their existing workflows, ensuring compliance and preventing fraud.
With Didit, you benefit from Free Core KYC, no setup fees, and a pay-per-successful-check model, making enterprise-grade identity verification accessible to businesses of all sizes. Our platform is ISO 27001 certified, GDPR compliant, and iBeta Level 1 certified for biometric presentation attack detection, affirming our commitment to security and accuracy. By providing a truly global and scalable solution, Didit empowers businesses to automate trust with confidence.
Ready to Get Started?
Ready to see Didit in action? Get a free demo today.
Start verifying identities for free with Didit's free tier.