LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are the four cryptographic protection mechanisms of an e-passport, and which is mandatory?

Passive Authentication (PA, mandatory — verifies data authenticity), Basic Access Control (BAC, optional — prevents unauthorised reads), Active Authentication (AA, optional — anti-cloning), and Extended Access Control (EAC, optional — protects fingerprints/iris).

PA (mandatory, data authentic), BAC (weak keys), AA (anti-clone), EAC (fingerprints).

* The four e-passport crypto mechanisms — only Passive Authentication is mandatory. *

The e-passport uses staggered, layered security:

  • Passive Authentication (PA): digital signature of the issuing country over all data; ensures data is authentic and unaltered. Mandatory. Important: PA authenticates only the data, not the container (the passport itself).
  • Basic Access Control (BAC): optional but widespread. Symmetric keys (KENC, KMAC) derived from MRZ data; protects against unauthorised reading, but the keys are relatively short.
  • Active Authentication (AA): optional. Challenge-response to authenticate the chip's content; public key in signed data, private key in the chip. An anti-cloning feature.
  • Extended Access Control (EAC): optional. Extra protection for highly sensitive data (fingerprints); RSA-based authentication with certificates; the reader must authenticate with a private key (terminal certificate required).

Tip: Map each to its job: PA = "are the data genuine?", AA = "is this the original chip (not a clone)?", BAC = "can this reader read at all?", EAC = "is this reader authorised for fingerprints?"

Go deeper:

From Quiz: PRIVACY / Device Tracking: Biometrics, RFID/NFC & E-Passports | Updated: Jul 05, 2026