LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does Basic Access Control (BAC) derive its key, and why is it cryptographically weak?

BAC derives symmetric keys from MRZ fields (passport number, birth date, expiry) — but these have low entropy (birth date ~30,000 values, expiry a few years, sex 2 values), so the short key is brute-forceable in hours.

Optically read MRZ fields (~low entropy) feed SHA-1 to derive keys, brute-forceable in hours.

* BAC derives its keys from low-entropy MRZ fields, so the result is brute-forceable in hours. *

Principle: BAC requires the reader to possess a key generated from the machine-readable zone (MRZ) data, intended to prevent unauthorised reading. Key derivation uses: issuing country (3 chars), document type (1 char, e.g. "P"), passport number (up to 9 chars), nationality (3 chars), date of birth (YYMMDD, 6 chars), sex (1 char), expiry date (YYMMDD, 6 chars), check digits (3 chars).

Security problems:

  • Weak entropy: the data are easy to guess — passport numbers often follow predictable patterns; date of birth has only ~30,000 possible values; expiry is limited to a few years; sex has only 2 values.
  • Short key: the resulting key length is too short for modern requirements.
  • Brute-force feasible: researchers showed BAC can be broken in hours with off-the-shelf hardware; knowing parts of the MRZ (country, birth year) shrinks the search space dramatically.

BAC offers basic protection against casual scanning, but not against targeted attacks with adequate resources.

Tip: The flaw is that the "key" is built from semi-public, low-entropy facts about you. Your birth date and a guessable passport number aren't a secret — so a key made from them isn't really secret either.

Go deeper:

From Quiz: PRIVACY / Device Tracking: Biometrics, RFID/NFC & E-Passports | Updated: Jul 05, 2026