Information Processing Letters 111 (2010) 2630

Contents lists available at ScienceDirect

Information Processing Letters

www.elsevier.com/locate/ipl

E-passport EAC scheme based on Identity-Based Cryptography

C.H. Li , X.F. Zhang, H. Jin, W. Xiang
School of Computer Science and Technology, Huazhong University of Science and Technology, 1037 LuoYu Road, 430074 Wuhan, China

a r t i c l e i n f o a b s t r a c t

Article history: Extended Access Control (EAC) is a security mechanism specied to allow only autho-
Received 31 July 2010 rized Inspection System (IS) to read sensitive biometric data such as ngerprints from
Received in revised form 29 September e-passports. Although European Union EAC scheme offers more exibility than Singapore
2010
scheme, there is clearly room for improvement. By adopting Identity-Based Cryptography
Accepted 6 October 2010
(IBC) technology, a simple and secure EAC implementation scheme (IBC-EAC) is proposed.
Available online 8 October 2010
Communicated by D. Pointcheval The authorization mechanism based on IBC is more trustable because the access right to
sensitive data is granted directly to the IS through Authorized Smartcard. A new authenti-
Keywords: cation protocol based on IBC is performed between the e-passport chip and the Authorized
E-passport security Smartcard. The protocol also provides an important contribution towards terminal revo-
Extended Access Control cation. By using IBC-EAC scheme, the complexity of deploying and managing PKI can be
Identity-Based Cryptography reduced. And the computational cost for e-passport to verify the certicate chain in EU-
Safety/security in digital systems
EAC scheme can be saved.
2010 Elsevier B.V. All rights reserved.

1. Introduction The EU-EAC v1 [3] consists of two phases, Chip Authen-

Efforts are underway to increase e-passport security,
ensuring the passport holder is the credential owner. This
requires more sensitive information than a photo, such as
ngerprint or iris biometrics, be added to the chip. Access-
ing to the sensitive data should be more restricted. It is
accomplished by EAC mechanism according to ICAO stan-
dard [1]. NTWG of ICAO [2] has been engaging on devel-
oping a global standard for EAC. But until now, it is at the
preparatory stage. Some regions and countries have started
deploying their own EAC schemes, particularly, Singapore
[2] and the European Union [3,4].
Singapore was the rst country to implement an EAC-
based passport, called BioPass, in August 2006 [2]. The ac-
cess to DG3 is protected by a 16-byte triple-DES key (EAC-
KEY) in Singapore EAC scheme. In order to distribute the
EAC-KEY to the intended authorized Inspection System, it
is encrypted using an asymmetric cryptographic algorithm
[2,5]. The EAC-KEY is used in the context of an External
Authenticate command prior to a read operation to DG3.
* Corresponding author.
E-mail address: hustxxs@yahoo.com.cn (C.H. Li).
tication and Terminal Authentication. Terminal Authentica-
tion aims to prove to the chip that the terminal is allowed
to access sensitive biometric data on the chip. It is based
on two-level PKI hierarchy and a challengeresponse cryp-
tographic protocol. Each country sets up a CV (Country
Verifying) CA, which by issuing certicates will determine
who will have access to secondary biometric data. The root
certicate of the CA (C CVCA ) is stored in the e-passport chip
and serves as the initial point of the access control. Coun-
tries, which want to read secondary biometric data, will
have to set up a DV (Document Verier) CA. The DV CA
needs to get certicates (C DV ) from CV CA. DV CA then is-
sues terminal certicates (C IS ) to IS accessing the biometric
data. During the Terminal Authentication phase, the IS is
required to send a certicate chain (C IS , C DV , C CVCA ). After
the certicate chain is validated by the e-passport, it sends
a challenge to the IS.
The Singapore EAC scheme is static with respect to the
terminal being supported by issued e-passports. After the
e-passport is issued, it is hard to append a new authoriza-
tion [2]. A malicious IS can share the plaintext of EAC-KEY
with third party. Singapore EAC scheme was designed for
a national level, while EU-EAC was designed to be used

0020-0190/$ see front matter 2010 Elsevier B.V. All rights reserved.
doi:10.1016/j.ipl.2010.10.006
 C.H. Li et al. / Information Processing Letters 111 (2010) 2630
Fig. 1. IBC-EAC framework.
unilaterally by the EU Member States. Although EU-EAC of-
fers more exibility than Singapore scheme, there is clearly
room for improvement. The vulnerabilities of EU-EAC v1
were exposed in [6]. Pasupathinathan et al. [7] argued that
EU-EAC proposal made extensive use of PKI. Lschner and
Rha [8] concluded that the process of certication should
be simplied. All the researchers [69] pointed out one
common problem is that its hard to check whether a cer-
ticate has expired or not. This also makes it practically
impossible to revoke a certicate. Chaabouni and Vaude-
nay [10] pointed out that the revocation of terminals was
not fully solved in EU-EAC v2.
Identity-Based Cryptography is a type of public-key
cryptography in which the public key is some unique in-
formation about the identity of the user (e.g. a users email
address). IBC has many merits over Certicate-Based Public
Key Cryptography, such as no Certicate and CA, no Pub-
lic Key Directory, no CRL, etc. IBC was proposed by Shamir
[11] in 1984. The rst practical Identity-Based Encryption
scheme using Weil pairing on elliptic curve was proposed
by Boneh and Franklin [12] in 2001. After that, many cryp-
tographic primitives (such as encryption, signature, etc.)
based on IBC were proposed.
In this paper, we introduce IBC into EAC implemen-
tation scheme. A new authorization mechanism and its
authentication protocol based on IBC are proposed. The se-
curity of authorized mechanism is based on the security of
Authorized Smartcard. The security of authentication pro-
tocol is based on ECDLP and BDH problems. The bilinear
pairing cryptography algorithm should be supported by e-
passport chip and Authorized Smartcard.
2. The IBC-EAC scheme
The following proposed scheme enables the chip to
verify whether the IS is entitled to access sensitive data,
which only performs the same function as Terminal Au-
thentication in EU-EAC scheme.
2.1. IBC-EAC framework and system setup
Each issuing country has a unique Country Signing (CS)
as Trusted Authority. The CS sets up IBC Server system to
27
provide cryptographic services for Document Signer (DS)
and IS. Each DS and each IS takes his unique Ocial Name
as its identity (denoted by ID_Issuer and ID_IS respectively).
The IS who wants to read the sensitive data must submit
his application to the CS. For the domestic IS, the Doc-
ument Verier (DV) judges the legitimacy of the IS and
then submits the applications to the CS. For the foreign
IS, it is the responsibility of the Embassy of Issuing State.
The access right is granted directly through Identity Cer-
ticates (ID-Cert) stored in Authorized Smartcard. The au-
thorization information is stored in Authorized Smartcard;
while the information used for authentication is stored in
e-passport chip. Authentication protocol based on IBC is
performed between e-passport chip and Authorized Smart-
card. The authentication protocol enables the chip to verify
whether the IS is entitled to access sensitive data. Fig. 1 il-
lustrates the framework of the IBC-EAC scheme.
System setup. The CS chooses a security parameter k
(k Z , k > 2) and runs the BDH parameter generator.
(1) Get two cyclic groups G 1 and G 2 . G 1 is an addi-
tive group generated by P , ord( P ) = q. G 2 is a multi-
plicative group with the same order q. A bilinear pair-
ing is a map e : G 1 G 1 G 2 ; (2) Choose a crypto-
graphic hash functions: H : {0, 1} G 1 ; (3) Pick a random
s Z q as a master-key and compute P pub = s P . Keep
s only to the CS; (4) Public system parameters PARA =
G 1 , G 2 , e , P , q, P pub , H . This phase is executed only once.
2.2. Authorized smartcard
In IBC, the public key is the Identity of the user. Trusted
Authority can deliver a type of ID-Cert to the user. The
ID-Cert takes the private key of the user as authentication
parameter which be only controlled by the Trusted Author-
ity. By using the ID-Cert, a trustable relationship between
the user and the Trusted Authority can be setup.
(1) Private key generation
The Ocial Name of the immigration check point is
used as his Identity. For example, ID_IS = Beijing Inter-
national Capital Airport. The users public key ID_Receiver
is structured as: ID_Receiver = ID_ISISSUEREXP. here 
is string concatenate operator; ISSUER is the Identity
28 C.H. Li et al. / Information Processing Letters 111 (2010) 2630

Fig. 2. ID-Cert structure of Authorized Smartcard.

of Country Signing. EXP is the expiration date. The

CS generates a pair of the users Identity-Based keys Fig. 3. File system structure of IBC-EAC e-passport.
( Q ID_Receiver , S ID_Receiver ) as follows:
(1) The IS sends a requirement to read the sensitive bio-
Q ID_Receiver = H (ID_Receiver)
metric data. The e-passport chip generates a random
S ID_Receiver = s Q ID_Receiver number r, and then sends r and ID_Issuer back to the
IS.
(2) Format ID-Cert and issue Authorized Smartcard
(2) The IS transmits r and ID_Issuer to his own Authorized
The CS formats the ID-Cert as Fig. 2 described, and pro-
Smartcard.
duces the Authorized Smartcard and then issues it to the
(3) Authorized Smartcard computes K and generates a
IS via a secure channel. There are two type data items in
signature with his private key S ID_Receiver using an
ID-Cert. Basic Information are opened to the terminal.
Identity-Based Signature algorithm:
The users private key S ID_Receiver generated by the CS is
the most condential information. It is stored in the secure
K Receiver = e (r Q ID_Issuer , P pub + S ID_Receiver )
memory of Authorized Smartcard and only used inside the
Smartcard. = Sign( K Receiver , S ID_Receiver )
and ID_Receiver are sent back to e-passport chip.
2.3. IBC-EAC e-passport
(4) The e-passport checks if the Authorized Smartcard
is still valid. Compare the EXP from ID_Receiver to
Some authentication information will be written into
the EXPnew from RevocationList according to ID_IS. If
e-passport chip. The DS takes his Ocial Name as its
EXP is before EXPnew , it indicates that the Autho-
identity. For example, ID_Issuer = Beijing Public Security
rized Smartcard has been revoked. And then the e-
OrganChina. The DS submits his ID_Issuer to the CS.
passport chip terminates the verication process. Oth-
The CS generates a pair of Identity-Based keys ( Q ID_Issuer ,
erwise go to the next step. Here, the validity and
S ID_Issuer ):
authenticity of DG13 is checked by Passive Authen-
Q ID_Issuer = H (ID_Issuer ) tication mechanism prior to the EAC protocol is pro-
cessed [1].
S ID_Issuer = s Q ID_Issuer (5) The e-passport chip computes K Issuer which is to be
veried.
The CS sends the private key S ID_Issuer to the DS via
a secure channel. It is written into the secure memory
K Issuer = e ( S ID_Issuer , r P + r Q ID_Receiver )
of e-passport chip by the DS during e-passport chip per-
sonalized phase. The ID_Issuer, PARA and RevocationList are (6) The e-passport chip runs the verify algorithm. If the
formatted as DG13 [5]. Fig. 3 shows the le system struc- following equation holds, e-passport grants access to
ture of IBC-EAC e-passport chip. the stored sensitive data, according to an effective au-
To diminish the potential risk of lost or stolen the thorization level determined by the DS. Otherwise e-
Authorized Smartcard, we design a simple and effectual passport rejects it.
method to revoke the authorization for the terminal by
making use of the merits of IBC. Because the chip has Verify(, Q ID_Receiver , K Issuer ) = True
no internal clock, we introduce the RevocationList which
includes the list of the IS whose access right will be re- Our proposed protocol is summarized as Fig. 4.
voked. The RevocationList is structured as RevocationList =
list (ID_ISEXP new ). EXPnew is the newly expiration data. 3. Discussion
The updating of RevocationList is processed only by the do-
mestic IS when the e-passport is checked successfully. 3.1. The correctness of authentication protocol

2.4. Authentication protocol The protocol authenticates the same message, which is
K Receiver = K Issuer . Because K Receiver = e (r Q ID_Issuer , P pub +
The authentication protocol is performed as follow. S ID_Receiver ) = e (r Q ID_Issuer , s P + s Q ID_Receiver ) = e (s
 C.H. Li et al. / Information Processing Letters 111 (2010) 2630 29

Fig. 4. Authentication protocol.

Table 1
Comparison with other EAC scheme.

Scheme Carrier of authorization Authorization mechanism Authentication algorithm

Singapore EAC DG13 on e-passport chip Encryption on the EAC-KEY Symmetric cryptographic algorithm (3DES)
EU-EAC CA certicate Indirectly authorization: the certicate chain Asymmetric cryptographic algorithm (RSA)
IBC-EAC ID-Cert on Authorized Smartcard Directly Authorization (ID-Cert) Identity-Based Authentication protocol

Q ID_Issuer , r P + r Q ID_Receiver ) = e ( S ID_Issuer , r P + r 

Q ID_Receiver ) = K Issuer , is Authorized Smartcards signa-
ture for K Receiver . Hence, the e-passport is sure to share
the same Message K Receiver = K Issuer with the Authorized
Smartcard.
3.2. Security analysis of authentication protocol
(1) Forge an Authorized Smartcard
The S ID_Receiver is the most condential information that
the Issuing country stored on Authorized Smartcard. The
security of S ID_Receiver is based on the security of the Au-
thorized Smartcard. The security mechanism of Smartcard
hardware and software can ensure the condential infor-
mation to be used only inside the Smartcard. As we all
known, Smartcards have been used for identication and
authentication purpose in many application scenarios, e.g.
SIM card and EMV card. In case of an intruder gets the
message of S ID_Receiver , he cant get the master key s be-
cause it is as dicult as solving the ECDLP problem.
(2) Forge a message for verication
Without the help of Authorized Smartcard, it is hard
to compute the correct message K Receiver corresponding
to K Issuer , because it is hard to obtain the message of
S ID_Receiver . If an intruder forges a S ID _Receiver to compute
K Receiver , the probability of a successful verication is 1/q.
3.3. Comparison
Some differences between our proposed IBC-EAC scheme
and Singapore and EU-EAC scheme is described in Table 1.
(1) The infrastructure. For the EU-EAC proposal, the Ter-
minal Authentication protocol requires verication of cer-
ticates that involve the entire certication hierarchy. It
creates a huge management overhead. And on the other
hand, the e-passport chip has to verify the certicate chain
before it can grant the access to the IS. It will put quite a
burden on the processing capabilities of the chip. Recently,
a special device EAC-Box is adopted by EU-EAC scheme
for achieving an adequate security level. If taken the PKI
for Passive Authentication security mechanism [1] into ac-
count all together, it will be awful.
By using the IBC-EAC scheme, it is no need to con-
struction a complex PKI and saves much computation that
e-passport has to perform for verifying the certicate chain
in the EU-EAC scheme. The structure of Singapore EAC
scheme is simple too, but the necessity arises that Inspec-
tion Systems must be known at personalization phase.
30 C.H. Li et al. / Information Processing Letters 111 (2010) 2630
(2) Authorization mechanism. In EU-EAC scheme, the
authorization of the access is based on certicate chain.
There are some security leaks in the chain of trust. For
certicate chain, if A=B, and B=C, we can get A=C. But in
the chain of trust, the DV is trusted by the CV. But how
can the CV trust the IS? That is to say, it is possible that
the DV can authorize the access right to malicious IS.
The trust model of IBC-EAC is very similar to the autho-
rization process of real world. It is the Issuing Authority
that grants the access right to IS directly through Autho-
rized Smartcard. It is more reliable and practical than indi-
rectly authorization approach of EU-EAC scheme.
For Singapore EAC scheme, it is also a direct access
authorization. But once the IS got the EAC-KEY using his
private key, he possesses the plaintext of EAC-KEY per-
manently. It leaves the opportunity to do harm to the e-
passport holders privacy.
(3) Revocation method. The EU-EAC scheme offers the
possibility for authorization revocation. Because the e-
passport has no internal clock, this makes it vulnerable to
attack using expired certicates. In Singapore EAC scheme,
this is not technically supported.
In EU-EAC scheme, the message of date is not in-
volved in cryptography operations. It simply compares the
expiration date to the current date. In our protocol, the ex-
piration data EXP is computed in the authentication pro-
tocol. The message ID_Receiver = ID_ISEXP sent to the e-
passport chip should be in conformity with which used to
compute S ID_Receiver , because S ID_Receiver = s Q ID_Receiver =
s H (ID_Receiver). If the IS submits a modied ID_Receiver
to the e-passport chip, the verication will be failed in-
evitably.
4. Conclusions
By introducing IBC, our scheme has many merits over
EU-EAC scheme, such as no need to construct the complex
PKI, and less computer and labor force for it, and not nec-
essary to verify the certicate chain. It also provides two
main enhanced security features: a more trustable autho-
rization mechanism, and a better terminal revocation solu-
tion than relying on an approximation of the current date.
It provides an alternative approach for the global specica-
tion of EAC implemention scheme.
References
[1] ICAO, PKI for machine readable travel documents offering ICC read-
only access, Technical Report, Version 1.1, 2004.
[2] ICAO, Technical advisory group on machine readable travel docu-
ments, TAG-MRTD/17-WP/11, March 2007.
[3] Federal Oce for Information Security, Advanced Security Mech-
anisms for Machine Readable Travel Documents, Extended Access
Control (EAC), version 1.01, Technical Guideline TR-03110, BSI, Bonn,
Germany, 2006.
[4] Federal Oce for Information Security, Advanced Security Mech-
anisms for Machine Readable Travel Documents, Extended Access
Control (EAC), version 2.01, Technical Guideline TR-03110, BSI, Bonn,
Germany, 2009.
[5] ICAO, Machine Readable Travel Documents: Development of a Logical
Data Structure LDS, Technical Report, version 1.7, 2004.
[6] V. Pasupathinathan, J. Pieprzyk, H. Wang, An on-line secure e-
passport protocol, in: Information Security Practice and Experience,
4th International Conference, in: Lecture Notes in Comput. Sci.,
vol. 4991, Springer-Verlag, Berlin, 2008, pp. 1428.
[7] V. Pasupathinathan, J. Pieprzyk, H. Wang, Security analysis of Aus-
tralian and E.U. e-passport implementation, Journal of Research and
Practice in Information Technology 40 (3) (2008) 187205.
[8] J. Lschner, Z. Rha, How to achieve and enhance interoperability
of e-passports, in: Identity Fraud & Theft: The Logistics for Organ-
ised Crime, www.idfraudconferencept2007.org/cms/les/programa/
PFL47344673e580d.pdf.
[9] S. Vaudenay, E. Polytechnique, F. Lausanne, E-passport threats, IEEE
Security & Privacy 5 (6) (2007) 7275.
[10] R. Chaabouni, S. Vaudenay, The extended access control for machine
readable travel documents, in: BIOSIG 2009, Biometrics and Elec-
tronic Signatures, in: LNI, vol. 155, Gesellschaft fr Informatik (GI),
Bonn, Germany, 2009, pp. 93103.
[11] A. Shamir, Identity-Based Cryptosystems and signature schemes, in:
Proceedings of CRYPTO 84, in: Lecture Notes in Comput. Sci., vol. 196,
Springer-Verlag, Berlin, 1984, pp. 4753.
[12] D. Boneh, M. Franklin, Identity based encryption from the Weil pair-
ing, in: Cryptology CRYPTO2001, in: Lecture Notes in Comput. Sci.,
vol. 2139, Springer-Verlag, Berlin, 2001, pp. 213229.