Comparing the four e-passport mechanisms, what is each one's protection level and status — and what is PACE?
PA: mandatory (data authenticity). BAC: optional/widespread (limited confidentiality). AA: optional, growing (anti-cloning). EAC: optional, strong (sensitive data). PACE is BAC's successor — it replaces the weak SHA-1-based MRZ keys with a stronger password-authenticated key exchange.
| Mechanism | Protection | Status |
|---|---|---|
| PA | data authenticity | Mandatory |
| BAC | confidentiality (limited) | Optional (widespread) |
| AA | anti-cloning | Optional (increasing) |
| EAC | sensitive data (strong) | Optional (for biometrics) |
| PA + BAC | medium | Common combination |
| PA + BAC + AA | medium | Recommended |
PACE (Password Authenticated Connection Establishment): the successor to BAC. It replaces the weak SHA-1-based MRZ-derived keys with a stronger password-authenticated key agreement, fixing BAC's low-entropy brute-force weakness. Implemented in Germany, Austria, and France since ~2010.
Tip: PACE is the fix for the BAC entropy problem: same idea (use MRZ as a shared secret) but a cryptographically sound key-exchange on top, so the low-entropy input no longer yields an easily brute-forced key.
Go deeper:
Biometric passport (Wikipedia) — the mechanism comparison and PACE (Supplemental Access Control).