DOT NFC is a mobile library (both for Android and iOS) enabling the reading of data from the RFID chip contained in the eMRTD with NFC-enabled smartphone.
Electronic Machine Readable Travel Document - eMRTD
The MRTD is an official travel document issued by a State or organization, used by its holder for international travel. It contains in a standardized format, various identification details of the holder, including a photo (or digital image) with mandatory and optional identity elements. The mandatory elements, apart from the photo, are reflected in a two- or three-line machine readable zone (MRZ).
The eMRTD must contain a NFC-readable RFID chip. This chip stores data from the travel document data page and the mandatory biometric data of the holder: the photograph. The data is organized in data groups (DG1, DG2, SOD, etc.).
As the chip contains digitally signed data, a country issuing an eMRTD has to maintain a dedicated public key infrastructure (PKI). The “Root” of this PKI is the Country Signing Certification Authority (CSCA). The document signer (DS) certificate, signed by the CSCA, proves the authenticity and integrity of the data on the chip and the link to the issuer.
Specifications and standards of eMRTD can be found in ICAO Document 9303.
In order to read the content of the eMRTD chip, Access Control must be established. Access Control mechanism in effect requires the knowledge of the bearer of the eMRTD that the data stored in the chip is being read securely.
ICAO defines two protocols for Access Control:
- BAC - Basic Access Control
- PACE - Password Authenticated Connection Establishment
Both Access Control protocols use access keys generated from MRZ - MRZ Key. The MRZ Key is created from document number, date of birth and date of expiry which are present in the MRZ, see image below.
After the Access Control has been established, chip will provide access to less sensitive data - DG1, DG2, DG14, DG15 and SOD.
Authentication of eMRTD chip
After the Access Control has been established, authenticity of the data stored in the chip can be verified.
We implement two ICAO defined authentication protocols:
- Passive Authentication
- Active Authentication
The Passive Authentication protocol verifies that the contents of the Document Security Object (SOD) and data groups are authentic and not changed. It does not prevent copying of the chip content or chip substitution.
Passive Authentication has following steps:
- extract Document Signing Certificate from the chip
- validate Document Signing Certificate with CSCA Certificates provided in the master list
- verify that Document Security Object (SOD) has been correctly signed by Document Signing Certificate
- verify that the contents of the data groups are authentic and unchanged by hashing the contents and comparing the result with the corresponding hash value in the Document Security Object (SOD).
In order to authenticate the eMRTD chip with Passive Authentication, you need to provide master list containing CSCA certificate chain which was used to sign the Document Signing Certificate present on the chip. This master list has to be in PEM file format.
Many countries participate in the ICAO Public Key Directory. You may be able to retrieve suitable master list from there. However, this master list will be in LDIF file format, so you need to convert the certificates to PEM file format.
These resources can help you converting LDIF file to PEM file:
The Active Authentication protocol verifies that the chip data has been read from the genuine chip, stored in the genuine eMRTD. It prevents exact copying of the chip content or chip substitution.
Active Authentication has following steps:
- generate random challenge
- request signature for this challenge from the chip
- verify signature using public key stored in Data Group 15 (DG15)
DOT NFC library provides simple non-UI component - NFC Document Reader which facilitates the NFC reading process. It takes MRZ Key as an input and returns the result object as an output. If you want to execute Passive Authentication protocol, you also need to provide master list as an additional input.
The process contains the following steps:
- Access Control establishment - In order to access data groups on the chip, NFC Document Reader will execute PACE first. If it fails or is not supported, NFC Document Reader will execute BAC.
- After the Access Control has been established, the following data groups will be read: DG1, DG2, DG14, DG15 and SOD.
- Then, NFC Document Reader will try to authenticate the chip using Active Authentication and Passive Authentication.
- Lastly, NFC Document Reader will return the result object containing: (1) the data from DG1 and DG2, (2) entries indicating success or failure of authentication protocols.