Security Mechanisms in German Electronic Identity Documents

Password Authenticated Connection Establishment (PACE)

Password Authenticated Connection Establishment (PACE) helps ensure that the contactless RF (radio frequency) chips in German electronic ID cards cannot be read without direct access and that the data they exchange with readers is transmitted in an encrypted form.

This protocol is used with German electronic ID cards.

The passwords that can be used for PACE depend on the authorisation certificate of the reader in use. Generally speaking, the six-digit personal identification number (PIN) that is known only to the holder of the ID card in question is used.

In cases involving readers with authorisation certificates used for sovereign purposes (e.g. border control), the machine-readable zone (MRZ) printed on the back of German electronic ID cards or the six-digit card access number (CAN) printed on the front is sufficient.

Further details on these various 'passwords' are available under German Electronic ID Cards.

One of the advantages of PACE is that the length of a given password does not affect the security level of the corresponding encryption. In other words, the data on a German electronic ID card's RF chip has strong protection during transmission even when using a CAN or PIN, which are short compared to an MRZ.
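The following simplified Python sketch of one PACE run with generic mapping is an added example, not code from this page or from the Technical Guideline. It shows why a six-digit password still yields full-length session keys: the password only decrypts a nonce, while the keys come from a fresh Diffie-Hellman exchange. The toy group, the XOR pad in place of the block cipher, HMAC in place of the guideline's MAC, and all function names are assumptions made for brevity.

```python
import hashlib, hmac, secrets

# Toy group chosen for brevity (assumption); real cards use standardized
# DH or elliptic-curve domain parameters.
P, G = 2**255 - 19, 2

def kdf(secret: bytes, counter: int) -> bytes:
    # Counter 1 = encryption key, 2 = MAC key, 3 = key derived from the password.
    return hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keypair(base: int):
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(base, sk, P)

def token(mac_key: bytes, public_key: int) -> bytes:
    return hmac.new(mac_key, public_key.to_bytes(32, "big"), "sha256").digest()

def session_keys(shared: int):
    k = shared.to_bytes(32, "big")
    return kdf(k, 1), kdf(k, 2)

def pace_run(chip_password: str, reader_password: str):
    """Run one exchange; return (chip_keys, reader_keys, tokens_verified)."""
    # 1. Chip sends a random nonce encrypted under its password-derived key.
    s_chip = secrets.token_bytes(16)
    z = xor(s_chip, kdf(chip_password.encode(), 3))  # XOR pad stands in for AES
    # 2. Reader decrypts with the password it was given.
    s_reader = xor(z, kdf(reader_password.encode(), 3))
    # 3. Mapping: an anonymous DH value blinds the nonce into a new generator.
    c1, c1_pub = keypair(G)
    r1, r1_pub = keypair(G)
    g_chip = pow(G, int.from_bytes(s_chip, "big"), P) * pow(r1_pub, c1, P) % P
    g_reader = pow(G, int.from_bytes(s_reader, "big"), P) * pow(c1_pub, r1, P) % P
    # 4. Ephemeral DH over the mapped generator yields the session keys.
    c2, c2_pub = keypair(g_chip)
    r2, r2_pub = keypair(g_reader)
    chip_keys = session_keys(pow(r2_pub, c2, P))
    reader_keys = session_keys(pow(c2_pub, r2, P))
    # 5. Each side MACs the peer's public key; the other side recomputes it.
    ok = (hmac.compare_digest(token(reader_keys[1], c2_pub), token(chip_keys[1], c2_pub))
          and hmac.compare_digest(token(chip_keys[1], r2_pub), token(reader_keys[1], r2_pub)))
    return chip_keys, reader_keys, ok

if __name__ == "__main__":
    print(pace_run("123456", "123456")[2], pace_run("123456", "654321")[2])
```

Because the session keys depend on fresh random exponents, two runs with the same password produce unrelated keys, and a run with the wrong password fails at the token check.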

If you are interested in further details of this procedure, please refer to Technical Guideline BSI-TR-03110.