NFC Introduction

An ePassport, also known as a biometric passport, is a passport with an embedded RFID chip. This chip contains the same information that is printed on the passport: identity details such as passport number, name, surname, nationality and date of birth, as well as the passport holder's facial image. The information on the chip can be securely read using an NFC-capable device such as an ePassport reader or an NFC-enabled Android or iOS device.

Using NFC to securely read an ePassport provides a secure, accurate and convenient method of establishing Identity as part of Onboarding.

For integration and setup information, see the guides listed below.

ePassport Security

Access Control

To ensure data on the passport holder's ePassport chip remains private, ePassports provide access controls which control how the data on the chip is read. Primarily there are two types of access controls: Basic Access Control (BAC) and Password Authenticated Connection Establishment (PACE).

Basic Access Control (BAC)

Basic Access Control is established by creating a 3DES key based on data contained within the passport's MRZ (Machine Readable Zone). When using BAC to read the ePassport chip, the MRZ must be read first. Using details from the MRZ (document number, date of birth, and expiration date), a 3DES key is created. This key is used to establish secure communications with the ePassport chip.

Password Authenticated Connection Establishment (PACE)

Password Authenticated Connection Establishment (PACE) is considered to be more advanced than BAC as it provides an increased level of security. PACE also establishes secure access control by reading data from the printed document data page: either the document number, date of birth, and expiration date from the MRZ (Machine Readable Zone), or the CAN (Card Access Number) if available.

In addition, the PACE protocol combines a password created from the document details with a Diffie-Hellman key agreement protocol to provide a strong session key.

Authentication

The data written to an ePassport is signed using digital signatures. By verifying the trust chain used to sign the data present on an ePassport, the document can be verified as being authentic.

The chain of trust relies on the fact that at the root of the trust chain, the country issuing the ePassport (Country Signing Certificate Authority - CSCA) issues one or more Country Signing Certificates.

The Country Signing Certificate (CSA) is used in turn to sign the Document Signing Certificates, which in turn are used to sign the contents of the ePassport.

Using this chain of trust to verify the data on the document's chip has not been tampered with is known as Passive Authentication.

Clone Protection

Passive Authentication can be used to establish that the document's chip data has not been tampered with. However, Passive Authentication cannot ensure that the document has not been cloned; that is, it cannot determine whether the information was read from a copy of a document.

Active Authentication

Active Authentication relies on asymmetric cryptography to ensure the document has not been cloned. As part of Active Authentication, a challenge is sent to the document's chip to be signed using the document's private key (securely stored on the document). The document signs the challenge and the public key is made available so that the signed challenge can be validated.

Since the private key is kept in protected memory on the document, it cannot be copied to another document, ensuring that only the original document signed the random challenge.
