LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

Comparing the four e-passport mechanisms, what is each one's protection level and status — and what is PACE?

PA: mandatory (data authenticity). BAC: optional/widespread (limited confidentiality). AA: optional, growing (anti-cloning). EAC: optional, strong (sensitive data). PACE is BAC's successor — it replaces the weak SHA-1-based MRZ keys with a stronger password-authenticated key exchange.

Mechanism Protection Status
PA data authenticity Mandatory
BAC confidentiality (limited) Optional (widespread)
AA anti-cloning Optional (increasing)
EAC sensitive data (strong) Optional (for biometrics)
PA + BAC medium Common combination
PA + BAC + AA medium Recommended

PACE (Password Authenticated Connection Establishment): the successor to BAC. It replaces the weak SHA-1-based MRZ-derived keys with a stronger password-authenticated key agreement, fixing BAC's low-entropy brute-force weakness. Implemented in Germany, Austria, and France since ~2010.

Tip: PACE is the fix for the BAC entropy problem: same idea (use MRZ as a shared secret) but a cryptographically sound key-exchange on top, so the low-entropy input no longer yields an easily brute-forced key.

Go deeper:

From Quiz: PRIVACY / Device Tracking: Biometrics, RFID/NFC & E-Passports | Updated: Jul 14, 2026