Supplemental access control
Supplemental access control is a set of security features defined by ICAO
for protecting data contained in electronic travel documents. SAC specifies the Password Authenticated Connection Establishment protocol, which itself supplements and improves upon the Basic Access Control protocol also established by ICAO.
PACE, like BAC, prevents two types of attacks:Skimming. Prior to reading the chip, the inspection system needs to know some data that is printed on the document or a key that is known only to the holder, which means he has willingly handed the document for inspection. While BAC works only with the MRZ, PACE allows using card access numbers and PINs.Eavesdropping. The inspection system uses PACE for establishing a secure communication channel with the contactless chip, but using stronger cryptography than BAC. PACE offers an excellent protection against offline attacks, raising the security of documents containing contactless chips to the level of documents using contact chips.
With the implementation of PACE begins the third generation of electronic passports.
EU members must implement PACE in electronic passports by the end of 2014.
States, for the sake of global interoperability, must not implement PACE without implementing BAC, and inspection systems should implement PACE and use it if supported by the MRTD chip. Thus, it is important that global interoperability is achieved, to make the enhancement reliable for the document verification process. To achieve interoperability, there are so called Interoperability Tests. The results of the last test focusing on SAC describe the current state of implementation in the field.
Version 1.1 of ICAO's "Supplemental Access Control" Technical Report introduces the Chip Authentication protocol as an alternative to Active Authentication and integrates it with PACE, achieving a new protocol which allows faster execution than the separate protocols.