Implementing Chip Authentication #44
Comments
Looks like CA is just another name for AA.
From the official ICAO Doc 9303 Part 11. Even if they seem to be similar, they are actually different.
Yes, I'd like to implement Chip Authentication and additionally PACE, but it's not straightforward and testing is also an issue (I currently don't have any passports that support this). Pull requests welcomed though if you are able to help!
Just some information for those who would like to implement the PACE protocol. By default NFCISO7816Tag requires a list of ISO/IEC 7816 applets (AIDs). Upon discovery of an NFC tag, the first applet found from this list is automatically selected (and you have no way of changing this). Now, the ICAO 9303 standard does specify command for selecting master file by sending After a bit of researching standard ISO/IEC 7816 I found there is an alternative
https://stackoverflow.com/questions/56515747/cannot-read-the-nfc-chip-of-the-epassport-using-ios13/56516232#56516232
@rgex, unfortunately it doesn't work. At least it doesn't work with my European passport. Btw, I haven't found any explanation of why Apple chose to go this way, so that you have to provide an AID in advance in order to detect an ISO/IEC 7816 tag, and why there is no option to detect a general ISO 14443 tag.
@smlu What kind of passport do you have?
@rgex I've tested on several European passports pre-2018 and issued in 2018 (after 2018, PACE is mandatory). I had no problem connecting to those passports using the BAC protocol. But yeah, I haven't tested any newly issued passport (2019-2020). FYI, I worked on some private passport-related projects using Android/iOS native frameworks and Flutter. Unfortunately, I hadn't developed the PACE protocol on any of those projects so I can't help you there. I'd share the PACE protocol implementation here. Btw, thank you for sharing this information here. Side note:
@smlu JMRTD seems quite buggy. I made someone try another open source app that uses it and they got an error (have you used it?). OpenPACE looks interesting. I have currently started writing my own C/C++ PACE implementation.
@rgex Do you maybe know what error they got? In my experience I haven't had any serious issues with JMRTD. I don't remember though if I used the PACE protocol or only BAC to establish the SM session.
Will there be support for reading the Spanish eid?
Hi man, I am having a similar problem. My problem is that DG15 is present but the terminal cannot read the data. What might be the reason? It seems Active Authentication is not supported because of this, I guess.
@smlu I got it working on Android using JMRTD, although it seems quite slow.
@rgex Have you tried to run the Android app compiled in release mode? Sometimes reading and writing operations via NFC are faster in release builds due to optimizations (and not logging so much in the background). Though, the speed of the transceive operation usually also depends on the eMRTD's chip itself. As for Ethereum, it's a bit out of my league so I really can't comment on it.
Is CA development still blocking because of no testing documents?
I have one document that supports CA, and have been looking into how JMRTD does it. But not started on implementing it yet (every time I think about it I have a desire to do something easier :)!
Yes, parsing the infos in DG14 seems quite complicated :(
I've got Chip Authentication working for DESede based ciphers and it should work for both DH and ECDH keys (DH keys are untested as I haven't got a passport that has them).
Does anyone have a Passport that uses AES based keys for Chip Authentication? I've managed to do the implementation BUT have no idea if it works as no way of testing. If you do - please let me know!
Release 1.1.1 implements Chip Authentication - both DES and AES based keys are now supported
Hey,
are you thinking of implementing Chip Authentication (CA) besides the Active Authentication (AA)?
Even if CA mostly aims to provide the same verification features as AA, CA seems to be more commonly supported in current passports.
Just for some context, a short summary of CA can be found here.