Revision as of 19:15, 4 January 2012 edit Dohn joe (talk \| contribs) Autopatrolled, Extended confirmed users 7,439 edits m moved Basic access control (ePassports) to Basic access control: no need to disambiguate ← Previous edit		Revision as of 10:59, 15 January 2012 edit undo Lotje (talk \| contribs) Extended confirmed users, File movers, Pending changes reviewers, Rollbackers 142,825 edits {{linkrot}}, punctuation Next edit →
Line 1: '''Basic access control''' (BAC) is a mechanism specified to ensure only authorized parties <ref>[http://hasbrouck.org/documents/ICAO9303-pt1-vol2.pdf ICAO Document 9303, Part 1, Volume 2 (e-passports)]</ref> can wirelessly read personal information from [[passport]]s with an [[RFID]] chip. It uses data such as the passport number, date of birth and expiration date to negotiate a session key. This key can then be used to encrypt the communication between the passports chip and a reading device. This mechanism is intended to ensure that the owner of a passport can decide who can read the electronic contents of the passport. This mechanism was first introduced into the German passport on 1 November 2005 and is now also used in many other countries (e.g., [[United States passport]]s since August 2007 [).<ref>http://travel.state.gov/passport/eppt/eppt_2788.html#Eleven~~]).~~</ref> == Inner workings == Line 7: == Security == There is a replay attack against the basic access control protocol that allows an individual passport to be traced,.<ref>[http://www.theregister.co.uk/2010/01/26/epassport_rfid_weakness/ Defects in e-passports allow real-time tracking, The Register, Dan Goodin, 26th Jan 2010]</ref><ref>[http://www.cs.bham.ac.uk/~tpc/Papers/PassportTrace.pdf A Traceability Attack Against e-Passports, Tom Chothia and Vitaliy Smirnov, 14th International Conference on Financial Cryptography and Data Security 2010]</ref> The attack is based on being able to distinguish a failed nonce check from a failed MAC check and works against passports with randomized unique identifiers and hard to guess keys. The basic access control mechanism has been criticized as offering too little protection from unauthorized interception. Researchers claim {{Citation needed\|date=February 2010}} that because there are only limited numbers of passport issued, many theoretically possible passport numbers will not be in use in practice. The limited range of human age ranges further reduce the space of possibilities. Line 16: The [[German passport]] serial-number format (previously 10-digit, all-numeric, sequentially assigned) was modified on 1 November 2007, in response to concerns about the low entropy of BAC session keys. The new 10-character serial number is alphanumeric and generated with the help of a specially-designed [[block cipher]], to avoid a recognizable relationship with the expiry date and increase entropy. In addition, a public-key based [[extended access control]] mechanism is now used to protect any information in the RFID chip that goes beyond the minimum ICAO requirements, in particular fingerprint images. ==References==▼ {{linkrot}} {{reflist}}▼ == Sources == Line 24 ⟶ 28: ==External links== *[http://www.msnbc.msn.com/id/23736254 2 fired over Obama passport breach] [[NBC]] March 20, 2008 ▲==References== ▲{{reflist}} [[Category:Contactless smart cards]]

Basic access control: Difference between revisions