Wednesday, September 17, 2014

Comparing EAC 2.10 to the previous 1.11

EAC 2.10 CV certificates are supported as of EJBCA Enterprise 6.1.0. This is an upgrade from the previously supported EAC 1.11. So, what's new in EAC 2.10 and why would you even need EAC certificates at all?

About Extended Access Control

Extended Access Control (EAC) is the technology used to protect fingerprints (or irises) in EU member states' e-passports; in some eIDs other information is protected as well. As used in the EU, EAC is defined in the BSI technical guideline TR-03110. Based on public key infrastructure (PKI), EAC works as an authentication mechanism between the terminal and the ePassport/eID chip. The specification includes several steps, among them both chip authentication and terminal authentication, but only terminal authentication involves the PKI.

In an EAC process, each inspection system or terminal is given a CV Certificate (CVC) which grants the inspection system privileges to perform specific actions, or to read certain data from the e-passport or eID chip. If the inspection system cannot authenticate itself to the e-passport or eID chip, the chip denies access to the data or function.

The news in EAC 2.10

So what are the differences in EAC 2.10 compared to EAC 1.11? As mentioned, 1.11 was designed for ePassports only. With EAC 2.10 the use cases have been extended to other security documents, such as eIDs. In the context of EJBCA, we are primarily interested in terminal authentication (the part where the PKI implements something). Here, the main difference in EAC 2.10 is the additional access control templates, which specify new types of terminals for eIDs and digital signatures. There is also room for extensions, but since none have been specified at this stage and no sample certificates use extensions, this is mostly a placeholder for future additions.

The CVC Terminal Type options illustrated
The news in EAC 2.10 may most easily be illustrated by a few screenshots of the Admin GUI in EJBCA Enterprise 6.2.0.
In EAC 1.11 the only CVC terminal type available was Inspection System (allowing you to select DG3 and/or DG4). This option still provides an inspection system able to read fingerprints and/or iris data from e-passports. In the first image, however, you can see the EAC 2.10 CVC terminal type (upper left corner) with two new options next to Inspection System: Authentication Terminal and Signature Terminal.

EAC 2.10 CVC terminal type options in EJBCA Enterprise 6.2.0.

So, what hides behind the new Authentication Terminal and the Signature Terminal options?

The Authentication Terminal can be given fine-grained (read and write) control over any data group on an eID, as well as control over additional eID functions such as PIN Management and Age Verification.

Pic 1: CVC access rights of the Authentication Terminal in EAC 2.10, EJBCA Enterprise 6.2.0.

Pic 2: CVC access rights of the Authentication Terminal in EAC 2.10, EJBCA Enterprise 6.2.0.

The Signature Terminal, on the other hand, can be given the role of either an Accreditation Body or a Certification Service Provider, and each can be allowed to generate signatures and/or qualified signatures.

Pic 1: Accreditation Body or Certification Service Provider options in the Signature Terminal in EAC 2.10, EJBCA Enterprise 6.2.0.

Pic 2: Accreditation Body or Certification Service Provider options in the Signature Terminal in EAC 2.10, EJBCA Enterprise 6.2.0.
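The terminal type and its access rights are carried in the certificate as a Certificate Holder Authorization Template (CHAT): an OID naming the terminal type plus a short bit string of rights, and the chip grants only the bitwise AND of the CHATs along the CVCA, DV and terminal chain. The following is an added example, written for this page and not code from the post or from EJBCA, that encodes and decodes CHATs for all three EAC 2.10 terminal types and computes that effective authorization, flagging any certificate that asks for rights its issuer does not hold. The OIDs, tags and bit positions are taken from BSI TR-03110 Part 3 as I read it and should be verified against the specification version you implement; the function and constant names are my own.

```python
"""Added example (not from the post or from EJBCA): encode, decode and combine
EAC 2.10 Certificate Holder Authorization Templates (CHATs).  Tags, OIDs and
bit positions follow BSI TR-03110 Part 3 as I read it; verify them against
the spec version you implement."""
from dataclasses import dataclass

OID_IS = "0.4.0.127.0.7.3.1.2.1"  # id-IS: Inspection System (ePassport DG3/DG4)
OID_AT = "0.4.0.127.0.7.3.1.2.2"  # id-AT: Authentication Terminal (eID)
OID_ST = "0.4.0.127.0.7.3.1.2.3"  # id-ST: Signature Terminal
CHAT_WIDTH = {OID_IS: 1, OID_AT: 5, OID_ST: 1}  # discretionary-data length in bytes

# Role lives in the two most significant bits: 11 CVCA, 10 / 01 the two DV
# flavours (domestic/foreign for IS, Accreditation Body/CSP for ST), 00 terminal.
ROLE_CVCA, ROLE_DV_A, ROLE_DV_B, ROLE_TERMINAL = 0b11, 0b10, 0b01, 0b00

# Named access-right bits (bit 0 = LSB of the last byte); unlisted bits are RFU.
RIGHT_BITS = {
    OID_IS: {"read_dg3_fingerprint": 0, "read_dg4_iris": 1},
    OID_ST: {"generate_signature": 0, "generate_qualified_signature": 1},
    OID_AT: {
        "age_verification": 0, "community_id_verification": 1,
        "restricted_identification": 2, "privileged_terminal": 3,
        "can_allowed": 4, "pin_management": 5,
        "install_certificate": 6, "install_qualified_certificate": 7,
        **{f"read_dg{n}": 7 + n for n in range(1, 22)},     # read DG1..DG21 -> bits 8..28
        **{f"write_dg{n}": 53 - n for n in range(17, 22)},  # write DG21..DG17 -> bits 32..36
    },
}


def _der_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _parse_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _tlv(tag, value):
    assert len(value) < 128, "CHATs are short; long-form lengths not handled"
    return tag + bytes([len(value)]) + value


@dataclass(frozen=True)
class Chat:
    terminal_type: str   # one of OID_IS / OID_AT / OID_ST
    role: int            # the two role bits
    rights: frozenset    # names from RIGHT_BITS[terminal_type]

    def to_bits(self):
        width = CHAT_WIDTH[self.terminal_type]
        bits = self.role << (8 * width - 2)
        for name in self.rights:
            bits |= 1 << RIGHT_BITS[self.terminal_type][name]
        return bits

    @classmethod
    def from_bits(cls, terminal_type, bits):
        role = bits >> (8 * CHAT_WIDTH[terminal_type] - 2)
        rights = frozenset(n for n, b in RIGHT_BITS[terminal_type].items() if bits >> b & 1)
        return cls(terminal_type, role, rights)

    def to_der(self):
        """CHAT = 7F4C { 06 terminal-type OID, 53 discretionary data (rights bit string) }."""
        disc = self.to_bits().to_bytes(CHAT_WIDTH[self.terminal_type], "big")
        return _tlv(b"\x7f\x4c", _tlv(b"\x06", _der_oid(self.terminal_type)) + _tlv(b"\x53", disc))


def chat_from_der(der):
    if der[:2] != b"\x7f\x4c" or der[2] != len(der) - 3 or der[3] != 0x06:
        raise ValueError("not a CHAT: expected 7F4C { 06 ... }")
    oid_end = 5 + der[4]
    oid = _parse_oid(der[5:oid_end])
    disc = der[oid_end + 2:]
    if der[oid_end] != 0x53 or der[oid_end + 1] != len(disc):
        raise ValueError("expected discretionary data (tag 53) after the OID")
    if CHAT_WIDTH.get(oid) != len(disc):
        raise ValueError(f"unknown terminal type {oid} or wrong bit-string length")
    return Chat.from_bits(oid, int.from_bytes(disc, "big"))


def effective_authorization(chain):
    """Rights the chip actually grants for a CVCA -> DV -> terminal chain: the
    bitwise AND of all CHATs (TR-03110-3), so no certificate can hold more than
    its issuer.  Also returns the rights each link asked for beyond its issuer's,
    which is what a registration officer should reject at enrollment time."""
    ttype = chain[0].terminal_type
    if any(c.terminal_type != ttype for c in chain):
        raise ValueError("terminal type must be the same along the chain")
    escalations = []
    for issuer, subject in zip(chain, chain[1:]):
        escalations.extend(sorted(subject.rights - issuer.rights))
    combined = (1 << 8 * CHAT_WIDTH[ttype]) - 1
    for c in chain:
        combined &= c.to_bits()
    return Chat.from_bits(ttype, combined), escalations


if __name__ == "__main__":
    # Constructed sample chain for an eID Authentication Terminal: the DV holds
    # read DG1/DG2 and PIN management; the terminal also asks for age verification.
    cvca = Chat(OID_AT, ROLE_CVCA, frozenset(RIGHT_BITS[OID_AT]))
    dv = Chat(OID_AT, ROLE_DV_A, frozenset({"read_dg1", "read_dg2", "pin_management"}))
    term = Chat(OID_AT, ROLE_TERMINAL, frozenset({"read_dg1", "read_dg2", "age_verification"}))
    eff, over_asked = effective_authorization([cvca, dv, term])
    print("terminal CHAT:", term.to_der().hex())
    print("effective rights:", sorted(eff.rights), "- over-asked:", over_asked)
```

Run as a script, it prints the terminal's DER-encoded CHAT and shows that age verification is dropped from the effective rights because the DV never held it; the same `effective_authorization` call works unchanged for Inspection System and Signature Terminal chains, since only the OID and bit layout differ.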

Summary
To sum up the additional features in EAC 2.10:
  • New terminal types for using eIDs.
  • New access controls for those terminal types.
  • Possibility for extensions.

More information

Basic information on EJBCA Enterprise PKI is available here.
EJBCA is a registered trademark of PrimeKey Solutions AB in the EU, the United States, Japan and certain other countries.

About the author
Tomas Gustavsson, CEO/CTO of PrimeKey, founder of EJBCA
Contact me at tomas(at)primekey.se.
Follow me on Twitter.
Follow PrimeKey on Twitter.