Quiz Entry - updated: 2026.07.05
What are the four cryptographic protection mechanisms of an e-passport, and which is mandatory?
Passive Authentication (PA, mandatory — verifies data authenticity), Basic Access Control (BAC, optional — prevents unauthorised reads), Active Authentication (AA, optional — anti-cloning), and Extended Access Control (EAC, optional — protects fingerprints/iris).
* The four e-passport crypto mechanisms — only Passive Authentication is mandatory. *
The e-passport uses staggered, layered security:
- Passive Authentication (PA): digital signature of the issuing country over all data; ensures data is authentic and unaltered. Mandatory. Important: PA authenticates only the data, not the container (the passport itself).
- Basic Access Control (BAC): optional but widespread. Symmetric keys (KENC, KMAC) derived from MRZ data; protects against unauthorised reading, but the keys are relatively short.
- Active Authentication (AA): optional. Challenge-response to authenticate the chip's content; public key in signed data, private key in the chip. An anti-cloning feature.
- Extended Access Control (EAC): optional. Extra protection for highly sensitive data (fingerprints); RSA-based authentication with certificates; the reader must authenticate with a private key (terminal certificate required).
Tip: Map each to its job: PA = "are the data genuine?", AA = "is this the original chip (not a clone)?", BAC = "can this reader read at all?", EAC = "is this reader authorised for fingerprints?"
Go deeper:
Biometric passport (Wikipedia) — PA, BAC, AA and EAC/SAC explained together.