NFC Reading

DOT NFC is a mobile library (both for Android and iOS) that enables the reading of data from the RFID chip contained in the eMRTD with NFC-enabled smartphone.

Electronic Machine Readable Travel Document - eMRTD

The MRTD is the specification of an official travel document. In a standardized format it holds the various identification details of the holder, including a photo (or digital image), with mandatory and optional identity elements. Apart from the photo, the mandatory elements are repeated in a two- or three-line machine readable zone (MRZ).

The eMRTD contains an NFC-readable RFID chip. This chip stores the data from the travel document data page and the holder's mandatory biometric data: the photograph. The data is organized in data groups (DG1, DG2, SOD, etc.).

As the chip contains digitally signed data, a country issuing an eMRTD has to maintain a dedicated public key infrastructure (PKI). The “Root” of this PKI is the Country Signing Certification Authority (CSCA). The document signer (DS) certificate, signed by the CSCA, proves the authenticity and integrity of the data on the chip and the link to the issuer.

Specifications and standards of eMRTD can be found in ICAO Document 9303.

Access Control

In order to read the content of the eMRTD chip, Access Control has to be established. The Access Control mechanism ensures that data from the eMRTD chip cannot be read without the involvement of the ID document holder.

ICAO defines two protocols for Access Control:

  • BAC - Basic Access Control
  • PACE - Password Authenticated Connection Establishment

Both Access Control protocols use access keys generated from the MRZ, the so-called MRZ Key. The MRZ Key is derived from the document number, the date of birth and the date of expiry, all of which are present in the MRZ; see the image below.

(Image: MRZ Key)
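The derivation described above, carried out as an added Go example written for this page (it is not code from the DOT NFC library): it computes the ICAO 9303 check digits, concatenates the document number, date of birth and date of expiry with their check digits into the MRZ information string, hashes it with SHA-1 to obtain the 16-byte key seed, and derives from the seed the 3DES encryption and MAC keys that BAC uses. The input values in main() are the worked example from ICAO Doc 9303 Part 11, Appendix D; the function names are this example's own.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// mrzCharValue maps an MRZ character to its numeric value per ICAO 9303:
// digits map to themselves, letters A-Z to 10-35 and the filler '<' to 0.
func mrzCharValue(c rune) int {
	switch {
	case c >= '0' && c <= '9':
		return int(c - '0')
	case c >= 'A' && c <= 'Z':
		return int(c-'A') + 10
	case c == '<':
		return 0
	}
	return -1
}

// CheckDigit computes the ICAO 9303 check digit of a field: each character
// value is multiplied by the repeating weights 7, 3, 1 and the sum is reduced modulo 10.
func CheckDigit(field string) (int, error) {
	weights := []int{7, 3, 1}
	sum := 0
	for i, c := range field {
		v := mrzCharValue(c)
		if v < 0 {
			return 0, fmt.Errorf("invalid MRZ character %q", c)
		}
		sum += v * weights[i%3]
	}
	return sum % 10, nil
}

// MRZInformation builds the string the key seed is derived from: document number,
// date of birth and date of expiry, each followed by its check digit. The document
// number is padded with '<' to the nine characters it occupies in the MRZ.
func MRZInformation(docNumber, birthYYMMDD, expiryYYMMDD string) (string, error) {
	docNumber = strings.ToUpper(docNumber)
	if len(docNumber) < 9 {
		docNumber += strings.Repeat("<", 9-len(docNumber))
	}
	var b strings.Builder
	for _, f := range []string{docNumber, birthYYMMDD, expiryYYMMDD} {
		cd, err := CheckDigit(f)
		if err != nil {
			return "", err
		}
		fmt.Fprintf(&b, "%s%d", f, cd)
	}
	return b.String(), nil
}

// adjustParity sets the least significant bit of every byte so that each byte
// has odd parity, as DES/3DES key bytes are expected to.
func adjustParity(key []byte) {
	for i, k := range key {
		if bits.OnesCount8(k&0xFE)%2 == 0 {
			key[i] = k | 1
		} else {
			key[i] = k & 0xFE
		}
	}
}

// deriveKey implements the 3DES key derivation of ICAO 9303 Part 11:
// K = SHA-1(Kseed || c) truncated to 16 bytes, parity adjusted.
// c is 1 for the encryption key (KENC) and 2 for the MAC key (KMAC).
func deriveKey(seed []byte, c uint32) []byte {
	h := sha1.New()
	h.Write(seed)
	h.Write([]byte{0, 0, 0, byte(c)})
	k := h.Sum(nil)[:16]
	adjustParity(k)
	return k
}

// MRZKey returns Kseed, KENC and KMAC as upper-case hex for the given MRZ fields.
func MRZKey(docNumber, birth, expiry string) (seed, kenc, kmac string, err error) {
	info, err := MRZInformation(docNumber, birth, expiry)
	if err != nil {
		return "", "", "", err
	}
	sum := sha1.Sum([]byte(info))
	kseed := sum[:16] // Kseed is the first 16 bytes of SHA-1(MRZ information)
	up := func(b []byte) string { return strings.ToUpper(hex.EncodeToString(b)) }
	return up(kseed), up(deriveKey(kseed, 1)), up(deriveKey(kseed, 2)), nil
}

func main() {
	// Worked example from ICAO Doc 9303 Part 11, Appendix D.
	seed, kenc, kmac, err := MRZKey("L898902C<", "690806", "940623")
	if err != nil {
		panic(err)
	}
	fmt.Println("Kseed:", seed)
	fmt.Println("KENC: ", kenc)
	fmt.Println("KMAC: ", kmac)
}
```

The three fields are all a terminal needs from the holder, which is why optical reading of the MRZ (or manual entry) always precedes the NFC session: without them the seed, and therefore the session keys, cannot be computed.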

After Access Control has been established, the chip grants access to the less sensitive data groups.

Data Groups and Elements in eMRTD

The standard Access Control enables reading these data groups:

Data group   Description
DG1          Personal details recorded in the MRZ as text data
DG2          Face photo image
DG7          Signature of the document holder as image
DG11         Additional personal details as text data
DG12         Additional document details as text data
DG13         Optional details as binary data
DG15         Active Authentication Public Key Info
SOD          Document Security Object

The list of all possible data groups is below. Note that DG3 and DG4 cannot be read without an additional certificate.

Authentication of eMRTD Chip

After Access Control has been established, the authenticity of the data stored in the chip can be verified. This is the most reliable method of checking the authenticity of an ID document with a smartphone.

Two ICAO-defined authentication protocols are implemented:

  • Passive Authentication (proves that the data in the document have not been modified)
  • Active Authentication (proves that the data have not been copied to an RFID carrier different from the original ID document)

Passive Authentication

The Passive Authentication protocol verifies that the contents of the Document Security Object (SOD) and of the relevant data groups are authentic and unchanged. It does not prevent copying of the chip content or chip substitution. Relevant data groups are those that can actually be read (e.g. DG3 is not relevant in this context because reading it requires Terminal Authentication).

Passive Authentication has the following steps:

  1. extract the Document Signing Certificate from the chip
  2. validate the Document Signing Certificate against the CSCA certificates provided in the master list
  3. verify that the Document Security Object (SOD) has been correctly signed by the Document Signing Certificate
  4. verify that the contents of the data groups are authentic and unchanged by hashing the contents and comparing the result with the corresponding hash value in the Document Security Object (SOD)
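Steps 2 to 4 of the procedure above, as an added Go example that is not part of the DOT NFC library or of this documentation. It models the Security Object as a table of data-group hashes plus an ECDSA signature by the Document Signer (a real SOD is a CMS SignedData structure; its ASN.1 parsing is left out), builds a constructed CSCA and DS certificate so that it runs offline, and then validates the DS certificate against the master list, checks the SOD signature and re-hashes the data groups. The certificate names, data group contents and function names are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SecurityObject is a simplified model of the LDS Security Object in EF.SOD: a table
// of data-group hashes and the Document Signer's signature over it. A real SOD is a
// CMS SignedData structure; its ASN.1 layer is omitted in this example.
type SecurityObject struct {
	Hashes    map[int][]byte // data group number -> SHA-256 of its content
	Signature []byte         // ECDSA signature over encodeHashTable(Hashes)
}

// encodeHashTable serialises the table in DG order so signer and verifier hash
// identical bytes; it stands in for the DER encoding of the real structure.
func encodeHashTable(h map[int][]byte) []byte {
	out := []byte{}
	for dg := 1; dg <= 16; dg++ {
		if v, ok := h[dg]; ok {
			out = append(append(out, byte(dg)), v...)
		}
	}
	return out
}

// VerifyPassive performs steps 2 to 4 of Passive Authentication.
func VerifyPassive(sod SecurityObject, ds *x509.Certificate, masterList *x509.CertPool, dataGroups map[int][]byte) error {
	// Step 2: the DS certificate must chain to a CSCA contained in the master list.
	opts := x509.VerifyOptions{Roots: masterList, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := ds.Verify(opts); err != nil {
		return fmt.Errorf("DS certificate not trusted: %w", err)
	}
	// Step 3: the SOD signature must verify under the DS public key.
	pub, ok := ds.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected DS key type %T", ds.PublicKey)
	}
	digest := sha256.Sum256(encodeHashTable(sod.Hashes))
	if !ecdsa.VerifyASN1(pub, digest[:], sod.Signature) {
		return fmt.Errorf("SOD signature invalid")
	}
	// Step 4: each data group that was read must hash to the value listed in the SOD.
	for dg, content := range dataGroups {
		want, listed := sod.Hashes[dg]
		if got := sha256.Sum256(content); !listed || string(got[:]) != string(want) {
			return fmt.Errorf("DG%d hash mismatch or not covered by the SOD", dg)
		}
	}
	return nil
}

// certTemplate and issue build a throwaway issuer PKI so the check can run offline;
// in production the CSCA certificates come from the master list, never from code.
func certTemplate(serial int64, cn string, ca bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: ku}
}
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // constructed demo PKI; nothing sensible to do on failure
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// RunScenario issues a DS under a constructed CSCA, signs a SOD over two constructed
// data groups, and returns the verification results for the genuine chip, for a chip
// whose DG2 was replaced after signing, and for a terminal with an empty master list.
func RunScenario() (genuine, modified, untrusted error) {
	cscaKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dsKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cscaTmpl := certTemplate(1, "Constructed CSCA", true, x509.KeyUsageCertSign)
	csca := issue(cscaTmpl, cscaTmpl, &cscaKey.PublicKey, cscaKey)
	ds := issue(certTemplate(2, "Constructed DS", false, x509.KeyUsageDigitalSignature), csca, &dsKey.PublicKey, cscaKey)
	dgs := map[int][]byte{1: []byte("P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<"), 2: []byte("constructed DG2 bytes")}
	sod := SecurityObject{Hashes: map[int][]byte{}}
	for dg, c := range dgs {
		h := sha256.Sum256(c)
		sod.Hashes[dg] = h[:]
	}
	digest := sha256.Sum256(encodeHashTable(sod.Hashes))
	sod.Signature, _ = ecdsa.SignASN1(rand.Reader, dsKey, digest[:])
	trusted := x509.NewCertPool()
	trusted.AddCert(csca)
	genuine = VerifyPassive(sod, ds, trusted, dgs)
	modified = VerifyPassive(sod, ds, trusted, map[int][]byte{1: dgs[1], 2: []byte("swapped photo")})
	untrusted = VerifyPassive(sod, ds, x509.NewCertPool(), dgs)
	return
}

func main() {
	fmt.Println(RunScenario())
}
```

The order of the checks matters: a hash comparison alone (step 4) proves nothing if the SOD itself could have been re-signed with an arbitrary key, which is why the DS certificate is chained to the master list before the signature and the hashes are looked at. The third result also shows the practical consequence of the master list note below: a terminal without the issuing country's CSCA certificate cannot distinguish a genuine document from a forged one and has to report the check as failed rather than skipped.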

Master List

Note: Innovatrics does not provide its customers with certificates for Passive Authentication. It is the responsibility of the integrator to acquire the needed certificates, either from the ICAO organization or from the country's governmental organizations. The benefit is that the integrator then gets notified about new certificate updates.

In order to authenticate the eMRTD chip with Passive Authentication, the library needs a master list containing the CSCA certificate chain that was used to sign the Document Signing Certificate present on the chip. This master list has to be in PEM file format.

Many countries provide their certificates in the ICAO Public Key Directory. It is currently possible to retrieve a suitable master list from there (after accepting the Terms & Conditions); search for “The latest collection of CSCA Master Lists”. However, this master list is in LDIF file format (and about 5 MB in size), so the certificates need to be converted to PEM file format. If support for only some countries is needed, the required certificates can be filtered out of this file to keep the app size smaller.

These resources can help with converting the LDIF file to a PEM file:

Active Authentication

The Active Authentication protocol verifies that the chip data has been read from the genuine chip stored in the genuine eMRTD. It prevents the use of copied chip content or chip substitution.

Active Authentication has the following steps:

  1. generate a random challenge
  2. request a signature for this challenge from the chip
  3. verify the signature using the public key stored in Data Group 15 (DG15)
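The three steps above as an added Go example, not code from the DOT NFC library: a constructed Chip type holds the Active Authentication private key and exposes only the public key as DG15, the terminal side generates an 8-byte random challenge, asks the chip to sign it and verifies the answer with the DG15 key. ECDSA over SHA-256 is assumed here for simplicity (RSA-based Active Authentication uses a different signature scheme), and the scenario function shows why the check defeats a copied chip: a copy carries DG15 and may even replay a signature observed earlier, but without the private key it cannot answer a fresh challenge. All type and function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Chip models a genuine eMRTD chip: the Active Authentication private key is
// generated on the chip and never leaves it; only the public key is exposed in DG15.
type Chip struct{ priv *ecdsa.PrivateKey }

func NewChip() (*Chip, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Chip{priv: k}, err
}

// DG15 returns the AA public key as the terminal reads it (SubjectPublicKeyInfo, DER).
func (c *Chip) DG15() ([]byte, error) { return x509.MarshalPKIXPublicKey(&c.priv.PublicKey) }

// InternalAuthenticate answers the terminal's challenge with a signature (step 2 as
// seen from the chip). ECDSA over SHA-256 is assumed in this example.
func (c *Chip) InternalAuthenticate(challenge []byte) ([]byte, error) {
	d := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, d[:])
}

// NewChallenge is step 1: 8 random bytes the chip has never signed before.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 8)
	_, err := rand.Read(b)
	return b, err
}

// VerifyChallengeSignature is step 3: check the chip's answer with the DG15 key.
func VerifyChallengeSignature(dg15, challenge, signature []byte) error {
	key, err := x509.ParsePKIXPublicKey(dg15)
	if err != nil {
		return fmt.Errorf("DG15 unreadable: %w", err)
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("DG15 does not hold an ECDSA key")
	}
	d := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, d[:], signature) {
		return errors.New("active authentication failed: signature does not match the challenge")
	}
	return nil
}

// ActiveAuthenticate runs steps 1 to 3 against any responder (a real chip or a copy).
func ActiveAuthenticate(dg15 []byte, respond func([]byte) ([]byte, error)) error {
	challenge, err := NewChallenge()
	if err != nil {
		return err
	}
	sig, err := respond(challenge)
	if err != nil {
		return err
	}
	return VerifyChallengeSignature(dg15, challenge, sig)
}

// RunScenario returns the result for the genuine chip and for a copy of its
// content that can only replay a (challenge, signature) pair recorded earlier.
func RunScenario() (genuine, copied error) {
	chip, err := NewChip()
	if err != nil {
		return err, err
	}
	dg15, err := chip.DG15()
	if err != nil {
		return err, err
	}
	genuine = ActiveAuthenticate(dg15, chip.InternalAuthenticate)

	oldChallenge, _ := NewChallenge()
	recorded, _ := chip.InternalAuthenticate(oldChallenge) // observed in an earlier session
	replay := func(_ []byte) ([]byte, error) { return recorded, nil }
	copied = ActiveAuthenticate(dg15, replay)
	return
}

func main() {
	g, c := RunScenario()
	fmt.Println("genuine chip:", g)
	fmt.Println("copied content:", c)
}
```

Active Authentication on its own only proves possession of the private key matching DG15; it is Passive Authentication that proves DG15 itself is the issuer's, which is why the reader runs both and reports them separately.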

DOT NFC

The DOT NFC library provides a simple non-UI component, the NFC Document Reader, which facilitates the NFC reading process. It takes the MRZ Key as input and returns a result object as output. If the Passive Authentication protocol is needed, the master list also has to be provided as an additional input.

The process contains the following steps:

  1. Access Control establishment: in order to access the data groups on the chip, the NFC Document Reader executes PACE first. If PACE fails or is not supported, it falls back to BAC.
  2. After Access Control has been established, the available data groups are read.
  3. Then the NFC Document Reader tries to authenticate the chip using Active Authentication and Passive Authentication.
  4. Lastly, the NFC Document Reader returns the result object, which contains (1) the data from the data groups and (2) entries indicating the success or failure of the authentication protocols.