Abstract
In this paper we present modifications to the protocols PACE (Password Authenticated Connection Establishment) and PACE CAM (PACE with Chip Authentication Mapping) from International Civil Aviation Organization (ICAO) specification. We show that with slight changes it is possible to convert PACE (which is limited to password authentication) and PACE CAM (where only the chip is strongly authenticated) to a full-fledged authentication where apart from password authentication both the terminal and the chip are authenticated in a strong cryptographic way.
The new protocols provide better privacy protection and resilience against key leakage than the previous protocols and are implementation friendly. The idea is not to reveal an exponent (as in case of PACE CAM) – instead, we reuse the Diffie-Hellman key exchange for static Diffie-Hellman authentication in the PACE protected channel.
The proposed fine tuning of the schemes adopted by ICAO for biometric passports may contribute to the future European eID practice, since the ICAO standards have been chosen by the EU as an obligatory basic platform for official personal identity documents issued since August 2021 in all EU countries.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Such a delay is necessary to make brute force attacks harder and to convince the user that some computation is really taking place.
References
Bender, J., Dagdelen, Ö., Fischlin, M., Kügler, D.: The PACE\(\vert \)AA protocol for machine readable travel documents, and its security. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 344–358. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32946-3_25
Bender, J., Fischlin, M., Kügler, D.: Security analysis of the PACE key-agreement protocol. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 33–48. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04474-8_3
Bender, J., Fischlin, M., Kügler, D.: The PACE\(\vert \)CA protocol for machine readable travel documents. In: Bloem, R., Lipp, P. (eds.) INTRUST 2013. LNCS, vol. 8292, pp. 17–35. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-03491-1_2
BSI: Technical guideline TR-03110 v2.21 - advanced security mechanisms for machine readable travel documents and eidas token (2016). https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/TR03110/BSITR03110.html
Dennis Kügler, J.B.: Method for authentication, RF chip document, RF chip reader and computer program products. Patent US20140157385A1 (2014)
Hanzlik, L., Krzywiecki, Ł, Kutyłowski, M.: Simplified PACE\(\vert \)AA protocol. In: Deng, R.H., Feng, T. (eds.) ISPEC 2013. LNCS, vol. 7863, pp. 218–232. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38033-4_16
Hanzlik, L., Kutyłowski, M.: Chip authentication for E-passports: PACE with chip authentication mapping v2. In: Bishop, M., Nascimento, A.C.A. (eds.) ISC 2016. LNCS, vol. 9866, pp. 115–129. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45871-7_8
ICAO: Machine Readable Travel Documents - Part 11: Security Mechanism for MRTDs. Doc 9303 (2015)
Kutyłowski, M., Kubiak, P.: Privacy and security analysis of PACE GM protocol. In: 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering, TrustCom/BigDataSE 2019, Rotorua, New Zealand, 5–8 August 2019, pp. 763–768. IEEE (2019). https://doi.org/10.1109/TrustCom/BigDataSE.2019.00110
Kutyłowski, M., Kubiak, P., Kozieł, P., Cao, Y.: Poster: eID in Europe - password authentication revisited. In: Yan, Z., Tyson, G., Koutsonikolas, D. (eds.) IFIP Networking Conference, IFIP Networking 2021, Espoo and Helsinki, Finland, 21–24 June 2021, pp. 1–3. IEEE (2021). https://doi.org/10.23919/IFIPNetworking52078.2021.9472856
Shenets, N.N., Trukhina, E.E.: X-PACE: modified password authenticated connection establishment protocol. Autom. Control Comput. Sci. 51(8), 972–977 (2017)
The European Parliament and the Council of the European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Off. J. Eur. Union 119(1) (2016)
The European Parliament and the Council of the European Union: Regulation (EU) 2019/1157—strengthening the security of identity cards and of residence documents issued to eu citizens and their family members exercising their right of free movement. Off. J. Eur. Union 188(67) (2019)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Kozieł, P., Kubiak, P., Kutyłowski, M. (2021). PACE with Mutual Authentication – Towards an Upgraded eID in Europe. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_25
Download citation
DOI: https://doi.org/10.1007/978-3-030-88428-4_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88427-7
Online ISBN: 978-3-030-88428-4
eBook Packages: Computer ScienceComputer Science (R0)