EAC as defined by the EU has two requirements: chip and terminal authentication.
==Chip authentication (for strong session encryption)==
The chip authentication specification defines a handheld device (CAP reader) with a smart card slot, a decimal keypad, and a display capable of displaying at least 12 characters.

Chip authentication (CA) has two functions:
• To authenticate the chip and prove that the chip is genuine. Only a genuine chip can implement communication securely.
• To establish a strongly secured communication channel, using a chip-specific key pair with strong encryption and integrity protection.

Chip authentication has an add-on Basic Access Control (BAC) with protection against skimming and eavesdropping.
==Terminal authentication (access restricted to authorized terminals)==
Terminal authentication (TA) is used to determine whether the inspection system (IS) is allowed to read sensitive data from the e-passport. The mechanism is based on digital certificates which come in the format of card verifiable certificates.
• Each inspection system is granted a card verifiable certificate (CVC) from a document verifier (DV). The inspection system's certificate is valid only for a short time period, typically between 1 day and 1 month.
• An inspection system may have several CVCs installed at any time, one for each country that allows it to read sensitive data.
• The CVC allows the inspection system to request one or more items of sensitive data, such as data for iris or fingerprint recognition.

A document verifier certificate is granted from the country verification certificate authority (CVCA). These certificates can be for domestic or foreign document verifiers. The certificates are typically issued for medium amounts of time, between half a month and 3 months. The CVCA is generated by each country and is typically valid for 6 months to 3 years.
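An added example, not part of the original page: a minimal Python model of the CVCA → DV → IS chain described above, checking issuer linkage and validity periods on a given date. The certificate names, the dates and the rule that rights are intersected along the chain are assumptions of this sketch, and signature verification is left out.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CVC:
    holder: str          # certificate holder name (constructed)
    issuer: str          # holder name of the issuing authority
    valid_from: date
    valid_to: date
    rights: frozenset    # sensitive data items the holder may request


class ChainError(Exception):
    """Raised when the chain does not authorize the terminal."""


def effective_rights(trust_anchor, chain, today):
    """Walk CVCA -> DV -> IS and return the rights the terminal ends up with.

    Only issuer linkage, validity periods and access rights are modelled;
    a real check would also verify each certificate's signature.
    """
    if not (trust_anchor.valid_from <= today <= trust_anchor.valid_to):
        raise ChainError(f"{trust_anchor.holder}: outside validity period")
    parent, rights = trust_anchor, trust_anchor.rights
    for cert in chain:
        if cert.issuer != parent.holder:
            raise ChainError(f"{cert.holder}: not issued by {parent.holder}")
        if not (cert.valid_from <= today <= cert.valid_to):
            raise ChainError(f"{cert.holder}: outside validity period")
        rights = rights & cert.rights   # assumption: a child never gains rights
        parent = cert
    return rights


# Constructed sample chain: long-lived CVCA, 3-month DV, 2-week IS certificate.
CVCA = CVC("XX-CVCA", "XX-CVCA", date(2024, 1, 1), date(2026, 12, 31),
           frozenset({"fingerprint", "iris"}))
DV = CVC("YY-DV", "XX-CVCA", date(2024, 6, 1), date(2024, 8, 31),
         frozenset({"fingerprint", "iris"}))
IS = CVC("YY-IS-0001", "YY-DV", date(2024, 6, 10), date(2024, 6, 24),
         frozenset({"fingerprint"}))
```

With the sample chain, the inspection system can request fingerprint data on 15 June 2024 but is rejected a week after its certificate expires, even though the DV and CVCA certificates are still valid.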