Validating an EPassport
Overview of data stored in an EPassport
All Data Groups in the passport are in the form of data templates and have individual ASN.1 Tags.
The minimum mandatory items of data stored in the LDS are DG1 (a duplicate of the MRZ) and DG2 (the holder's facial image).
In addition, the IC contains the Security Object (EF.SOD), which is needed to validate the integrity of data created by the issuer. It is stored in Dedicated File No 1.
MF, DF and EF
Master File, Dedicated File and Elementary File.
Master Files are optional files at the root of the file system.
DFs contain EFs or other DFs.
Document Security Object (SOD) is stored on the chip of the passport.
It is named EF.SOD and consists of the hashes of the Data Groups in use and has the Normative Tag 77 (hex).
| Data Group | EF Name | Short File Identifier | FID | Tag |
|---|---|---|---|---|
| Document Security Object | EF.SOD | 1D | 01 1D | 77 |
It is a signed data structure, signed by the Document Signer (DSC).
It is stored in the MRTD’s chip.
The SOD data is stored as a hex array of different fields.
Country Signing Certification Authority.
DSC (CDS) and KPuDS
Document Signer Certificate (DSC) contains the information required to verify the digital signature of an e-passport.
KPuDS – verified Document Signer Public Key. It is used to verify the signature of the SOD.
Public Key Infrastructure.
Logical Data Structure.
Data Elements Encoding Rules
Each data object has an identification Tag that is specified in hexadecimal coding, e.g. 0x5A.
Validating an EPassport – Passive Authentication
Passive authentication is the process of validating the authenticity and integrity of the content on the chip of an EPassport.
This is done by verifying the digital signature of the document using the public keys of the issuing state.
Passive authentication proves that the contents of the SOD and the LDS are authentic and not changed. It does not prevent exact copying of the contactless integrated circuit's (IC) content or chip substitution.
- Read the SOD which contains the Document Signer Certificate.
- A certification path from the Trust Anchor to the Document Signer Certificate used to sign the SOD is built and validated.
- The verified Document Signer Public Key is used to verify the signature of the SOD.
- The contents of the Data Group are hashed (computed hash) and compared with the result of the hash value in the SOD (stored hash) to ensure that the data is authentic and unchanged.
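The last step above, as an added example that is not part of the original page: it parses the stored hashes out of a DER-encoded LDS Security Object and compares them with hashes computed over the data groups read from the chip. It assumes the SOD signature and certification path have already been verified, that the object follows the ICAO Doc 9303 layout (version, hashAlgorithm, dataGroupHashValues), and SHA-256; the function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac

SHA256_OID = bytes.fromhex("0609608648016503040201")  # DER-encoded OID for SHA-256

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        k = length & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def stored_hashes(lds_so):
    """Parse {data group number: stored hash} from an LDS Security Object."""
    _, body, _ = read_tlv(lds_so, 0)           # outer SEQUENCE
    _, _, p = read_tlv(body, 0)                # version
    _, alg, p = read_tlv(body, p)              # hashAlgorithm
    if not alg.startswith(SHA256_OID):
        raise ValueError("only SHA-256 is handled here")
    _, entries, _ = read_tlv(body, p)          # dataGroupHashValues
    out, p = {}, 0
    while p < len(entries):
        _, entry, p = read_tlv(entries, p)     # one DataGroupHash
        _, number, q = read_tlv(entry, 0)      # dataGroupNumber
        _, digest, _ = read_tlv(entry, q)      # dataGroupHashValue
        out[int.from_bytes(number, "big")] = digest
    return out

def failed_data_groups(lds_so, data_groups):
    """Return data group numbers whose computed hash has no matching stored hash."""
    stored = stored_hashes(lds_so)
    return sorted(n for n, content in data_groups.items()
                  if not hmac.compare_digest(hashlib.sha256(content).digest(),
                                             stored.get(n, b"")))

def tlv(tag, value):
    """Encode a short-form DER TLV (enough for the constructed sample)."""
    return bytes([tag, len(value)]) + value

# Constructed sample data, not read from a real document.
DG1, DG2 = b"constructed DG1 (MRZ copy)", b"constructed DG2 (face image)"
LDS_SO = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, SHA256_OID + tlv(0x05, b""))
             + tlv(0x30, b"".join(tlv(0x30, tlv(0x02, bytes([n])) + tlv(0x04, hashlib.sha256(c).digest()))
                                  for n, c in ((1, DG1), (2, DG2)))))
```

A data group that was read from the chip but has no entry in the SOD is reported as failed, the same as one whose content was altered.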