LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does Passive Authentication (PA) work in detail, and what does it explicitly NOT protect against?

All data groups (DG1–DG16) are hashed into a Document Security Object (SOD), signed by the issuer's Document Signer cert, verifiable up to the Country Signing CA — but PA does NOT prevent cloning, since it only proves the data are genuine, not that they sit in the original chip.

DG hashes form the SOD, signed by a Document Signer, verified up to the country CSCA; proves genuine, not anti-clone.

* PA's signature chain proves the data are genuine but does not stop cloning. *

How it works: to prevent changes to stored passport data:

  1. All data groups (DG1–DG16) are hashed.
  2. The hashes are stored in the SOD (Document Security Object).
  3. The SOD is signed by the issuing country's Document Signer (DS) certificate.
  4. Authenticity is verifiable with the Country Signing Certificate (CSCA).

Weaknesses in practice:

  • Patchy implementation: validation of DS certificates is often skipped at airports/borders, massively weakening security.
  • No protection against cloning: PA explicitly does not prevent copying a passport — it only proves the data are authentic, not that they reside in the original chip.
  • Trust chain: security depends on the integrity of the entire CA infrastructure; compromised CSCA keys endanger all passports built on them.

Tip: This is the PA/AA division of labour: PA proves the data are genuine; only Active Authentication proves the chip is the original. A perfect bit-for-bit clone passes PA but fails AA.

Go deeper:

From Quiz: PRIVACY / Device Tracking: Biometrics, RFID/NFC & E-Passports | Updated: Jul 05, 2026