Security Mechanisms in German Electronic Identity Documents
The security mechanisms in German electronic identity documents are designed to achieve the following objectives:
- Data protection: The personal data of the holder of an ID card must be protected against unauthorised access.
- Authenticity and protection against forgery: It must be possible to ensure that a given identity document was issued by a government institution and that any attempt to falsify the data it contains will be recognised.
The following list presents protocols and other measures that help safeguard these two aspects of security.
| Abbreviation | Title | Purpose |
|---|---|---|
| BAC | Basic Access Control | Protects the RF chip against attempts to access it from a distance |
| PACE | Password Authenticated Connection Establishment | Access control; also protects the RF chip against attempts to access it from a distance |
| EAC | Extended Access Control | Consists of various protocols |
| CA | Chip Authentication | Part of EAC; establishes a secure connection and detects cloned RF chips |
| TA | Terminal Authentication | Part of EAC; authenticates readers to obtain sensitive data from an RF chip |
| PA | Passive Authentication | Verifies the authenticity and integrity of the data on an RF chip |
| PKI | Public Key Infrastructure | A hierarchy of digital certificates |
| CSCA | Country Signing Certificate Authority | A hierarchy of digital certificates for signing data in electronic identity documents |
| CVCA | Country Verifying Certificate Authority | A hierarchy of digital certificates for granting authorisation to read electronic identity documents |
