Supplemental access control

Supplemental access control (SAC) is a set of security features defined by ICAO for protecting data contained in electronic travel documents (e.g. electronic passports). SAC specifies the Password Authenticated Connection Establishment (PACE) protocol, which itself supplements and improves upon the Basic Access Control (BAC) protocol also established by ICAO. PACE, like BAC, prevents two types of attacks:


 * Skimming (online attack that consists in reading the RFID chip without physical access to the document and without the holder's approval). Prior to reading the chip, the inspection system needs to know some data that is printed on the document (e.g. the MRZ) or a key that is known only to the holder (personal identification number (PIN)), which means he has willingly handed the document for inspection. While BAC works only with the MRZ, PACE allows using card access numbers (short keys printed on the document) and PINs.
 * Eavesdropping (offline attack that starts by recording the data exchanged between the reader and the chip, to be analyzed later). The inspection system uses PACE for establishing a secure communication channel with the contactless chip, but using stronger cryptography than BAC. PACE offers an excellent protection against offline attacks, raising the security of documents containing contactless chips to the level of documents using contact chips.

With the implementation of PACE begins the third generation of electronic passports. EU members must implement PACE in electronic passports by the end of 2014. States, for the sake of global interoperability, must not implement PACE without implementing BAC, and inspection systems should implement PACE and use it if supported by the MRTD chip. Thus, it is important that global interoperability is achieved, to make the enhancement reliable for the document verification process. To achieve interoperability, there are so called Interoperability Tests. The results of the last test focusing on SAC describe the current state of implementation in the field.

Version 1.1 (April 2014) of ICAO's "Supplemental Access Control" Technical Report introduces the Chip Authentication protocol as an alternative to Active Authentication and integrates it with PACE, achieving a new protocol (Chip Authentication Mapping, PACE-CAM ) which allows faster execution than the separate protocols.