Supplemental access control (SAC) is a set of security features defined by ICAO[1] for protecting data contained in electronic travel documents (e.g. electronic passports). SAC specifies the Password Authenticated Connection Establishment (PACE) protocol, which itself supplements and improves upon the Basic Access Control (BAC) protocol also established by ICAO.[2] PACE, like BAC, prevents two types of attacks:[3]
With the implementation of PACE begins the third generation of electronic passports.[4] [5] [6] EU members must implement PACE in electronic passports by the end of 2014.[7] States, for the sake of global interoperability, must not implement PACE without implementing BAC, and inspection systems should implement PACE and use it if supported by the MRTD chip. Thus, it is important that global interoperability is achieved, to make the enhancement reliable for the document verification process. To achieve interoperability, there are so called Interoperability Tests. The results of the last test focusing on SAC describe the current state of implementation in the field. [8]
Version 1.1 (April 2014) of ICAO's "Supplemental Access Control" Technical Report introduces the Chip Authentication protocol as an alternative to Active Authentication and integrates it with PACE, achieving a new protocol (Chip Authentication Mapping, PACE-CAM [9] ) which allows faster execution than the separate protocols. [10]