
The AKiS GEZGiN e-passport application complies with the ICAO 9303 standard. With Basic Access Control (BAC) and Supplemental Access Control (SAC), the data in the contactless chip can only be read over a secure-messaging channel established by a terminal that has physical access to the document. Active Authentication prevents cloning of the chip. Biometric data in the chip is additionally protected by Extended Access Control (EAC) and card-verifiable certificates (CVCs): only terminals of countries authorized by the issuing country can read it. AKiS GEZGiN supports Logical Data Structure (LDS) 1.7 and can hold up to 11 data groups (DG1 to DG11), of which DG1 (the data group containing the MRZ) is mandatory and the others are optional.

▪ ICAO LDS 1.7
▪ Basic Access Control (BAC)
▪ Active Authentication (AA)
    - RSA (up to 2048 bits): SHA-1, SHA-256, SHA-384, SHA-512
    - ECC (up to 521 bits): SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
▪ Supplemental Access Control (SAC)
    - PACE v2
    - Passwords: MRZ and CAN
    - Generic Mapping and Integrated Mapping
    - ECDH (Brainpool curves up to 512 bits)
    - DH (1024 bits, 2048 bits)
▪ Extended Access Control (EAC)
    - EAC v1
    - RSA (up to 3072 bits): SHA-1, SHA-256, SHA-512
    - ECC (up to 521 bits): SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
▪ Contactless Communication
    - ISO/IEC 14443-3, 4 Type A
    - Bit rate: 424/848 kbit/s
▪ Secure Messaging
    - 3DES (Triple DES)
    - AES-128, AES-192, AES-256
▪ Common Criteria (CC) security evaluation
    - CC EAL 4+ (ALC_DVS.2) for BAC
    - CC EAL 5+ (ALC_DVS.2, AVA_VAN.5) for SAC & EAC
▪ Support for multiple chips (1)
    - Infineon SLE78CLFX3000P (88K EEPROM)
    - Infineon SLE78CLFX4000P (192K EEPROM)
    - NXP P71D320P (80K EEPROM)
▪ Compliance with standards
    - ICAO 9303
    - ISO/IEC 14443-3, 4
    - ISO/IEC 7816-4, 8, 9
    - ICAO Technical Report "Supplemental Access Control for MRTDs" (for SAC only)
    - BSI TR-03110 (for EAC only)
    - BSI TR-03111

Basic Access Control (BAC) is the ICAO 9303 mechanism that protects e-passports against chip skimming and against eavesdropping on the chip-to-terminal communication. Before any data group can be read, the terminal must prove that it has physical access to the document: it derives the document access keys K_ENC and K_MAC from three fields of the Machine Readable Zone (document number, date of birth and date of expiry, each with its check digit), runs a challenge-response mutual authentication with the chip under those keys, and both sides then derive 3DES session keys under which all further traffic is encrypted and MAC-protected (secure messaging). Because the keys depend only on data printed on the data page, an attacker who has not seen the document cannot decrypt a captured session; the key entropy, however, is bounded by those MRZ fields, which is why SAC provides stronger session keys.
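The key derivation described above, as an added example (this is not AKiS GEZGiN code, and the helper names are my own): the functions compute the MRZ check digits, build the MRZ information string, derive K_ENC and K_MAC with the ICAO 9303 Part 11 key derivation function (SHA-1 over the seed and a 32-bit counter, truncated to 16 bytes, DES parity adjusted), and show the XOR step that turns the two random values exchanged during mutual authentication into the session-key seed. The input values are the published worked example from ICAO 9303 Part 11 Appendix D.

```python
"""BAC document-key derivation per ICAO 9303 Part 11 (added example, not vendor code)."""
import hashlib


def _char_value(c: str) -> int:
    """Character values of the ICAO check-digit algorithm: 0-9, A-Z = 10-35, '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weights 7,3,1 repeating over the field, sum mod 10."""
    weights = (7, 3, 1)
    total = sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return str(total % 10)


def mrz_information(doc_number: str, birth_date: str, expiry_date: str) -> str:
    """MRZ_information = document number + CD + birth date (YYMMDD) + CD + expiry (YYMMDD) + CD."""
    doc_number = doc_number.ljust(9, "<")[:9]  # TD3 document number field is 9 chars, '<'-padded
    return (doc_number + check_digit(doc_number)
            + birth_date + check_digit(birth_date)
            + expiry_date + check_digit(expiry_date))


def adjust_des_parity(key: bytes) -> bytes:
    """Set the least-significant bit of every byte so that each byte has odd parity (DES convention)."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def derive_3des_keys(k_seed: bytes) -> tuple[bytes, bytes]:
    """ICAO KDF: K_ENC uses counter 1, K_MAC uses counter 2; 16 bytes each (two-key 3DES)."""
    keys = []
    for counter in (1, 2):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        keys.append(adjust_des_parity(digest[:16]))
    return keys[0], keys[1]


def bac_document_keys(doc_number: str, birth_date: str, expiry_date: str) -> tuple[bytes, bytes]:
    """Document access keys: K_seed is the first 16 bytes of SHA-1(MRZ_information)."""
    info = mrz_information(doc_number, birth_date, expiry_date)
    k_seed = hashlib.sha1(info.encode("ascii")).digest()[:16]
    return derive_3des_keys(k_seed)


def session_seed(k_ifd: bytes, k_icc: bytes) -> bytes:
    """After mutual authentication the 16-byte random values of terminal (IFD) and chip (ICC)
    are XORed; the result is fed to derive_3des_keys() to obtain the session keys."""
    return bytes(a ^ b for a, b in zip(k_ifd, k_icc))


if __name__ == "__main__":
    # Test vector from ICAO 9303 Part 11 Appendix D (document L898902C, born 1969-08-06, expires 1994-06-23).
    k_enc, k_mac = bac_document_keys("L898902C<", "690806", "940623")
    print("MRZ_information:", mrz_information("L898902C<", "690806", "940623"))
    print("K_ENC:", k_enc.hex().upper())
    print("K_MAC:", k_mac.hex().upper())
    # Values exchanged in the worked example's mutual authentication, XORed into the session seed.
    seed = session_seed(bytes.fromhex("0B795240CB7049B01C19B33E32804F0B"),
                        bytes.fromhex("0B4F80323EB3191CB04970CB4052790B"))
    print("session K_seed:", seed.hex().upper())
```

Note that everything the chip needs to verify the terminal is derivable from three printed fields, so a copy of the data page (or a good guess of document number, birth date and expiry) is enough to reproduce K_ENC and K_MAC; the encryption and MAC steps of the mutual authentication themselves are left out here because they need 3DES, which the Python standard library does not provide.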

Extended Access Control (EAC) adds two protocols that check the authenticity of both sides. Chip Authentication (CA) is a Diffie-Hellman key agreement with a static chip key pair whose public key is stored in the LDS (DG14) and covered by the signed Document Security Object; it proves that the chip is genuine and yields stronger session keys than BAC. Terminal Authentication (TA) is a challenge-response in which the terminal proves possession of the private key belonging to its Inspection System certificate; the chip verifies the certificate chain (Country Verifying CA, Document Verifier, Inspection System) back to the CVCA of the issuing country and grants access only to the data groups permitted by the certificate's access rights. Only terminals that pass TA can read the biometric data (fingerprints in DG3, iris images in DG4).

Active Authentication (AA) prevents cloning of the chip: the terminal sends a random challenge, the chip signs it with a private key that never leaves the chip, and the terminal verifies the signature with the public key stored in DG15, which is itself covered by the signed Document Security Object. A copy of the data groups alone is therefore not enough to pass inspection.

Supplemental Access Control (SAC) uses the PACE v2 protocol (Password Authenticated Connection Establishment) in place of BAC. Terminal and chip agree on fresh session keys by a Diffie-Hellman key exchange (DH or ECDH) that is authenticated with a password read from the document, either the MRZ or the printed Card Access Number (CAN); a nonce supplied by the chip is turned into ephemeral domain parameters by Generic Mapping or Integrated Mapping. The resulting session keys are therefore not derived from the low-entropy MRZ data themselves and are stronger than BAC session keys.

(1) The listed chips are certified to CC EAL 6+.