Access control checks whether an entity (a person or a computer) requesting access to a resource has the necessary rights to do so. Access control can govern access to physical resources (e.g. a building, a room, a country) or logical ones (e.g. an operating system or a specific computer application). Access control generally includes three components:
a mechanism for authentication of the entity (e.g. a password, a card, a key, a biometric). This mechanism is not useful in itself, but it is essential to the functioning of the two that follow;
an authorization mechanism (the entity can be authenticated but not have the right to access this resource at this time);
a traceability mechanism: sometimes the authorization mechanism alone is insufficient to ensure that the entity has the right to access this resource (compliance with a procedure, working hours). Today, companies are increasingly obliged to trace their computer access using Access Rights Reporting.
An access control system is a set of devices that interact with each other in order to:
Restrict the opening of doors or access points by some mechanical means.
Identify the user according to established parameters to determine whether access is allowed or denied.
Record and audit access events by user and by door.
Program the approval or denial of access for each user.
Allow additional security features and functionality.
Basic Access Control
Basic Access Control is the authentication method used between an inspection system and a machine readable passport to permit encrypted data exchange. The authentication method used is challenge-response authentication. The procedure requires that the document holder submit the travel document (e.g. passport) for inspection. This ensures that sensitive data cannot be read without the consent of the passenger.
Key generation
The document holder submits the passport for inspection.
An optical reader reads the machine readable zone (MRZ) printed on the document. Alternatively, the data can also be entered manually.
From this data, the document number, date of birth and expiration date, including the check digit, are extracted.
From the extracted data, two keys, K_ENC and K_MAC, are generated, which are used to encrypt the following commands and to compute their checksums.
Authentication and establishment of the session key
The document chip generates a random number, RND_ICC, and sends it to the inspection system.
The inspection system generates two random numbers, RND_IFD and K_IFD.
The concatenation of the random numbers is encrypted with the key K_ENC, and the result is given a MAC checksum based on the key K_MAC.
The data is sent together with an authentication command to the document chip.
The chip verifies and decrypts the data and compares the random number it contains with the one the chip previously sent.
The chip generates a further random number, K_ICC, and forms the XOR of K_ICC and K_IFD as the basis for generating the session keys KS_ENC and KS_MAC.
The concatenation of the random numbers RND_ICC, RND_IFD and K_ICC is encrypted with the key K_ENC, the result is given a MAC checksum based on the key K_MAC, and it is returned to the inspection system. For later communication, an eight-byte counter is generated from the four low-order bytes of the random numbers RND_ICC and RND_IFD.
Start of secure communication.
The inspection system verifies the validity of the chip's response and decrypts the result.
From the result support is now provided the session key and the eight-byte count is ...