LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What information does a biometric passport (E-Pass) store, and which four crypto protocols protect it?

The chip stores personal data, a digital photo, optional biometrics (fingerprints, iris), and a digital signature. Four crypto sub-protocols protect different aspects: BAC, PA, AA, EAC.

Data on the RFID chip:

  • Personal data: name, birthdate, citizenship, document number, …
  • Digital passport photo
  • Optional biometrics: fingerprints, iris scans
  • Digital signature over all of the above

The four crypto sub-protocols:

Name Goal Method
BAC (Basic Access Control) Prevent unauthorised reading from a distance Symmetric crypto (3DES / AES) — the key is derived from data printed on the MRZ, which a reader can only access if they have physical sight of the open passport
PA (Passive Authentication) Verify the chip data is authentic and unmodified Asymmetric crypto — the issuing country signs the data with their private key; a reader verifies with the public key in a country-signing CA
AA (Active Authentication) Prove the chip is genuine (not cloned) Asymmetric challenge-response — the chip has a private key and signs a fresh challenge from the reader, proving possession of the private key without revealing it
EAC (Extended Access Control) Protect biometrics (fingerprints, iris) from any reader PKI + asymmetric session keys — only readers with their own valid certificate authorised by the issuing country can decrypt the biometric data

Two phases of pass life:

  • Phase 1 — Issuance: the passport authority generates the chip's private key, signs the data, embeds in the chip.
  • Phase 2 — Use: every border control reader runs through BAC → PA → AA → (optionally EAC).

Why so many sub-protocols? Each addresses a different threat:

  • Skimming (silent reading from a backpack) — defeated by BAC.
  • Forgery (modifying data on a cloned chip) — defeated by PA.
  • Cloning (copying the chip) — defeated by AA.
  • Mass biometric harvesting (an attacker scanning fingerprints from many passes) — defeated by EAC.

Tip: ICAO Doc 9303 is the international standard that specifies all four — every UN-recognised passport since ~2006 implements the same protocol family. Civil-liberties debates about biometric passes are not about the crypto (which is reasonable) but about who keeps and queries the data.

From Quiz: ISF / Cryptographic Protocols & Requirements | Updated: Jul 14, 2026