NFC Reading

DOT NFC is a mobile library (both for Android and iOS) that enables the reading of data from the RFID chip contained in the eMRTD with NFC-enabled smartphone.

Electronic Machine Readable Travel Document - eMRTD

The MRTD is a specification of an official travel document. It contains in standardized format the various identification details of the holder, including a photo (or digital image) with mandatory and optional identity elements. The mandatory elements, apart from the photo, are reflected in a two- or three-line machine readable zone (MRZ).

The eMRTD contains a NFC-readable RFID chip. This chip stores data from the travel document data page and the mandatory biometric data of the holder: the photograph. The data is organized in data groups (DG1, DG2, SOD, etc.).

As the chip contains digitally signed data, a country issuing an eMRTD has to maintain a dedicated public key infrastructure (PKI). The “Root” of this PKI is the Country Signing Certification Authority (CSCA). The document signer (DS) certificate, signed by the CSCA, proves the authenticity and integrity of the data on the chip and the link to the issuer.

Specifications and standards of eMRTD can be found in ICAO document series Doc 9303 Machine Readable Travel Documents.

DOT NFC Library

DOT NFC Library provides simple non-UI component - NFC Travel Document Reader (Android, iOS) which facilitates the NFC reading process.

The process contains the following steps:

  1. Access control
  2. Authentication of chip
  3. Reading and parsing data into structures
  4. Authentication of data

Access Control

In order to read the content of the eMRTD chip, Access Control has to be established. The Access Control mechanism ensures that data from the eMRTD chip is not read without the attention of the travel document holder.

ICAO defines two protocols for Access Control:

  • BAC - Basic Access Control (this protocol is used if supported by the chip)
  • PACE - Password Authenticated Connection Establishment (this protocol is used if BAC protocol fails or BAC is not supported by the chip)

Both Access Control protocols use an access key generated from Machine Readable Zone - NFC Key. The NFC Key is created from the document number, date of birth and date of expiry, which are present in the MRZ, see image below.


After Access Control has been established, the chip will provide access to less sensitive data groups.

Authentication of Data and Chip

Authentication of Data

Authentication of data proves that the contents are authentic and not changed. It does not prevent copying of the chip content or chip substitution. Passive Authentication protocol is used for this purpose. Library consumer must supply a list of Country Signing Certificate Authority certificates in order to authenticate the data. The list has to be in PEM file format.

Country Signing Certificate Authority certificates

Innovatrics does not provide its customers with certificates for data authentication. It is the responsibility of the integrator to acquire the certificates needed, either from the ICAO organization or from the country’s governmental organizations. The benefit is that the integrator then gets notified about new certificate updates.

Many countries provide their certificates in the ICAO Public Key Directory. It is currently possible to retrieve a suitable certificates list from there (after accepting the Terms & Conditions). Search for “The latest collection of CSCA Master Lists”. However, this master list is in LDIF file format (and 5 MB), so the certificates need to be converted to PEM file format. If support for only some countries is needed, the required certificates can be filtered from this file to keep the app size smaller.

These resources can help converting LDIF file to PEM file:

Authentication of Chip

Authentication of chip prevents copying the data and proves that it has been read from the authentic chip and the chip has not been substituted. First supported protocol of these three protocols is used:

  1. PACE access control protocol with Chip Authentication Mapping
  2. Chip Authentication
  3. Active Authentication

If the Active Authentication challenge is explicitly set, the Active Authentication Protocol is used first. If none of these protocols is supported, the chip is not authenticated. The flow of the chip authentication process is illustrated in the flowchart below:

Chip Authentication flow

Reading and parsing data

DOT NFC Library supports reading these Data Groups. Part of them are also parsed into structures.

Data GroupDescriptionStructure
COMHeader and Data Group Presence Information (Mandatory)
SODDocument Security Object (Mandatory)
DG1Machine Readable Zone Information (Mandatory)MachineReadableZoneInformation
DG2Encoded Identification Features - Face (Mandatory)EncodedIdentificationFeaturesFace
DG3Additional Identification Feature - Finger(s) (Optional)
DG4Additional Identification Feature - Iris(es) (Optional)
DG5Displayed Portrait (Optional)
DG7Displayed Signature or Usual Mark (Optional)DisplayedSignatureOrUsualMark
DG8Data Feature(s) (Optional)
DG9Structure Feature(s) (Optional)
DG10Substance Feature(s) (Optional)
DG11Additional Personal Detail(s) (Optional)AdditionalPersonalDetails
DG12Additional Document Detail(s) (Optional)AdditionalDocumentDetails
DG13Optional Details(s) (Optional)OptionalDetails
DG14Security Options (Conditional)
DG15Active Authentication Public Key Info (Conditional)
DG16Person(s) to Notify (Optional)

The list of all possible data groups is below. Note that data groups DG3 and DG4 cannot be read without an additional certificate.

Data Groups