
Security Mechanisms in German Electronic Identity Documents

Basic Access Control (BAC)

Basic Access Control (BAC) protects the contactless RF chips in German electronic ID cards from being read without direct access and ensures that the data exchanged with card readers is transmitted in an encrypted form. BAC is used in German electronic passports.

If an ID card is protected by BAC, it cannot be scanned from the holder's jacket pocket (for example). In order to access the data stored on a passport card's contactless chip, the machine-readable zone (MRZ) located on the bottom edge of the card must first be read.

Inside of an electronic passport with descriptions of what is located where, such as the surname, birth name, nationality and serial number.
Where is what in the electronic passport? The infographic shows, among other things, the machine-readable zone, the serial number and the chip. Source: Bundesministerium des Innern

This data is either scanned optically or typed in manually. It is then used to calculate a passport-specific access key, which the card reader at hand must use to authenticate itself to the passport card's chip. In other words, the card reader proves to the chip that it has had optical access to the passport card. For this purpose, the RF chip transmits a random number to the card reader, which the card reader encrypts using the access key before sending it back to the RF chip. The RF chip then checks whether the random number was encrypted using the correct key. If it was, the RF chip grants the card reader access to the data that is also displayed on the passport card itself -- the person's name, date of birth, facial image, and so on.

The access key is also used to encrypt the data that is exchanged between the card reader and the RF chip.
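The passport-specific access key described above is derived from three MRZ fields (document number, date of birth, date of expiry), each followed by its check digit, as specified in ICAO Doc 9303 for BAC. The following is an added example, not code from this page or from the BSI, showing the check-digit rule and the derivation of the encryption key K_ENC and the MAC key K_MAC; the MRZ values are the ones used in the Doc 9303 worked example and belong to no real document, and the 3DES challenge-response itself is not shown.

```python
import hashlib

# Constructed sample MRZ fields (the ICAO Doc 9303 BAC worked example;
# assumption: they do not belong to any real passport).
DOC_NUMBER = "L898902C<"
DATE_OF_BIRTH = "690806"   # YYMMDD
DATE_OF_EXPIRY = "940623"  # YYMMDD


def mrz_check_digit(field: str) -> str:
    """ICAO 9303 check digit: digits count as themselves, letters A-Z as
    10-35, the filler '<' as 0, weights 7,3,1 repeating, sum mod 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch.upper()) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)


def mrz_information(doc_number: str, dob: str, expiry: str) -> str:
    """The three MRZ fields, each followed by its check digit. This string is
    all a reader learns from optically reading the data page."""
    doc_number = doc_number.ljust(9, "<")
    return "".join(f + mrz_check_digit(f) for f in (doc_number, dob, expiry))


def adjust_des_parity(key: bytes) -> bytes:
    """DES keys carry odd parity in the least significant bit of each byte."""
    return bytes(b if bin(b).count("1") % 2 else b ^ 1 for b in key)


def derive_bac_keys(mrz_info: str) -> tuple[bytes, bytes]:
    """K_seed = first 16 bytes of SHA-1(MRZ information). Each key is
    SHA-1(K_seed || 32-bit counter) truncated to 16 bytes (two-key 3DES):
    counter 1 gives K_ENC, counter 2 gives K_MAC."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    keys = []
    for counter in (1, 2):
        h = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16]
        keys.append(adjust_des_parity(h))
    return keys[0], keys[1]


if __name__ == "__main__":
    info = mrz_information(DOC_NUMBER, DATE_OF_BIRTH, DATE_OF_EXPIRY)
    k_enc, k_mac = derive_bac_keys(info)
    print(info, k_enc.hex(), k_mac.hex())
```

Because the whole key space is fixed by these printed fields, the strength of BAC depends on how unpredictable the document number and dates are, which is why later mechanisms such as PACE in TR-03110 replace it.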

If you are interested in further details of this procedure, please refer to Technical Guideline BSI-TR-03110.