Basic Access Control

Basic Access Control (BAC) is a mechanism specified to ensure that only authorized parties can wirelessly read personal information from passports with an RFID chip. It uses data such as the passport number, date of birth and expiration date to negotiate a session key, which is then used to encrypt the communication between the passport's chip and a reading device. The mechanism is intended to ensure that the owner of a passport can decide who may read its electronic contents. It was first introduced in the German passport on 1 November 2005 and is now also used in many other countries (e.g., United States passports since August 2007 [http://travel.state.gov/passport/eppt/eppt_2788.html#Eleven] ).

Inner workings

The data from which the BAC keys are derived can be read optically from the bottom of the passport's data page, the machine readable zone (MRZ). Because physical access to the passport is assumed to be necessary to learn this data, it is assumed that the owner of the passport has given permission for it to be read. Equipment for optically scanning this part of the passport is already widely used; it uses an OCR system to read the text, which is printed in a standardized format.
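The key derivation that BAC performs from the three MRZ fields, as an added example (not code from the original article) following the ICAO 9303 procedure: each field gets a 7-3-1 weighted check digit, the concatenation is hashed with SHA-1 to a 16-byte seed, and separate encryption and MAC keys are derived from the seed with a counter. The sample MRZ values are test input only; `doc_number` is assumed to be the 9-character, `<`-padded document number as printed in the MRZ.

```python
import hashlib

# ICAO 9303 character values: digits 0-9, letters A-Z = 10-35, filler '<' = 0.
def mrz_char_value(ch: str) -> int:
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character: {ch!r}")

def mrz_check_digit(field: str) -> int:
    """Weighted sum with weights 7, 3, 1 repeating, reduced mod 10."""
    weights = (7, 3, 1)
    total = sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return total % 10

def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """Document number, birth date and expiry date, each followed by its check digit.
    This string is the only secret input to the BAC key derivation."""
    return "".join(f"{f}{mrz_check_digit(f)}"
                   for f in (doc_number, birth_yymmdd, expiry_yymmdd))

def adjust_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as (3)DES keys require."""
    return bytes(b if bin(b).count("1") % 2 == 1 else b ^ 1 for b in key)

def derive_bac_keys(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str):
    """K_seed = SHA-1(MRZ_information)[:16];
    K_enc / K_mac = SHA-1(K_seed || counter)[:16] with counter 1 / 2, parity adjusted."""
    info = mrz_information(doc_number, birth_yymmdd, expiry_yymmdd).encode("ascii")
    seed = hashlib.sha1(info).digest()[:16]
    keys = {}
    for name, counter in (("enc", 1), ("mac", 2)):
        digest = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()[:16]
        keys[name] = adjust_parity(digest)
    return seed, keys["enc"], keys["mac"]

if __name__ == "__main__":
    # Sample values (test input, not a real passport).
    seed, k_enc, k_mac = derive_bac_keys("L898902C<", "690806", "940623")
    print("MRZ_information:", mrz_information("L898902C<", "690806", "940623"))
    print("K_seed:", seed.hex(), "K_enc:", k_enc.hex(), "K_mac:", k_mac.hex())
```

Note that nothing beyond these three printed fields enters the derivation, which is why the key space is bounded by how many plausible field combinations exist.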

Security

The Basic Access Control mechanism has been criticized as offering too little protection against unauthorized interception. Researchers claim that, because only a limited number of passports are issued, many of the theoretically possible passport numbers are not in use in practice. Likewise, some theoretically possible ages are held by no passport carrier in practice: children typically do not request passports, and some ages are beyond a normal human lifespan.

In other words, the data used as an encryption key has a low entropy.

It is claimed that this brings intercepted, encrypted data within reach of a modest brute-force attack.

This effect is amplified when passport numbers are issued sequentially or contain a redundant checksum; both have been shown to be the case in passports issued by the Netherlands. Other factors can potentially speed up a brute-force attack. Dates of birth are not distributed uniformly in a population, and may be distributed even less uniformly in the segment of the population that passes, for example, a check-in desk at an airport. Passports are also often not issued on all days of the week or during all weeks of the year, so not all theoretically possible expiration dates are actually used.

The German passport serial-number format (previously 10-digit, all-numeric, sequentially assigned) was modified on 1 November 2007, in response to concerns about the low entropy of BAC session keys. The new 10-character serial number is alphanumeric and generated with the help of a specially-designed block cipher, to avoid a recognizable relationship with the expiry date and increase entropy. In addition, a public-key based Extended Access Control mechanism is now used to protect any information in the RFID chip that goes beyond the minimum ICAO requirements, in particular fingerprint images.

Sources

* [http://eprint.iacr.org/2005/095.pdf "Security and Privacy Issues in E-passports"] by Ari Juels, David Molnar, and David Wagner, retrieved March 15, 2006
* [http://www.cs.ru.nl/~bart/TALKS/jacobs-vvss05.pdf "A Security Review of the Biometric Passport"] by Bart Jacobs, retrieved March 15, 2006 (presentation slides)
* [http://www.spc-conf.org/2005/slides/SPC_Passport.pdf "Security Mechanisms of the Biometrically Enhanced (EU) Passport"] by Dennis Kügler, Federal Office for Information Security, Germany (presentation slides from the 2nd International Conference on Security in Pervasive Computing, 2005-04-07)

External links

* [http://www.msnbc.msn.com/id/23736254 2 fired over Obama passport breach] NBC March 20 2008
