ISO/IEC 18013-3:2009/Amd 2:2014

INTERNATIONAL ISO/IEC
STANDARD 18013-3
First edition
2009-03-01
AMENDMENT 2
2014-12-01
Information technology — Personal
identification — ISO-compliant driving
licence —
Part 3:
Access control, authentication and
integrity validation
AMENDMENT 2: Extended Access
Control v1
Technologies de l’information — Identification des personnes —
Permis de conduire conforme à l’ISO —
Partie 3: Contrôle d’accès, authentification et validation d’intégrité
AMENDEMENT 2: Extended Access Control v1
Reference number
ISO/IEC 18013-3:2009/Amd.2:2014(E)
©
ISO/IEC 2014

---------------------- Page: 1 ----------------------
ISO/IEC 18013-3:2009/Amd.2:2014(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2014 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 18013-3:2009/Amd.2:2014(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Amendment 2 to ISO/IEC 18013-3:2009 was prepared by Joint Technical Committee ISO/IEC JTC 1,
Information technology, Subcommittee SC 17, Cards and personal identification.
It describes the optional Extended Access Control (EAC) v1 mechanism as an alternative and further
option in addition to Extended Access Protection (EAP), enabling access control to sensitive biometric
data stored on an integrated circuit.
© ISO/IEC 2014 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 18013-3:2009/Amd.2:2014(E)
Information technology — Personal identification — ISO-
compliant driving licence —
Part 3:
Access control, authentication and integrity validation
AMENDMENT 2: Extended Access Control v1
Page 1, Normative references
Insert the following referenced documents:
BSI Technical Guideline TR-03110-1: Advanced Security Mechanisms for Machine Readable Travel Documents
— Part 1 — eMRTDs with BAC/PACEv2 and EACv1 — Version 2.10 — 2012-03-20.
BSI Technical Guideline TR-03110-3: Advanced Security Mechanisms for Machine Readable Travel Documents
— Part 3 — Common Specifications — Version 2.10 — 2012-03-20.
Page 6, Terms and Definitions
Insert the following definition after 4.26:
4.27
Extended Access Control v1
EACv1
alternative protocol to EAP used to limit access to optional signature and biometric data groups
Note 1 to entry: See 8.7 and Annex G.
Page 6, Abbreviated terms
Insert the following abbreviations:
EACv1 extended access control v1
IFD interface device
RFU reserved for future use
Page 11, Table 1
Replace “EAP” by “EAP or EACv1”
Page 30
Insert the following clause after 8.6.3:
8.7 Extended Access Control v1
8.7.1 Purpose
EACv1 is an alternative to EAP and consists of:
a) Chip authentication, which provides for authentication of the SIC and strong secure messaging.
© ISO 2014 – All rights reserved 1

---------------------- Page: 4 ----------------------
ISO/IEC 18013-3:2009/Amd.2:2014(E)

b) Terminal authentication, which provides for conditional authenticated access to data groups.
8.7.2 Applicability
This mechanism is applicable only to SICs.
8.7.3 Description and mechanism
EACv1 is specified in Annex G. The following rules shall be used in the application of EACv1 for an IDL:
a) The SIC’s key agreement public key(s) shall be stored in DG14, formatted in accordance with
BSI/TR 03110-3.
b) When EACv1 is used in combination with BAP, the input string shall be used as the SIC identifier.
c) Strong secure messaging (established using chip authentication as described in BSI/TR 03110) shall
be active before terminal authentication can take place.
d) DG14 shall be accessible without terminal authentication.
e) Only BAP-1 is allowed as possible preceding authentication for EACv1.
f) EAP and EACv1 shall not be supported simultaneously.
Page 32, Table 9
Replace “Extended access protection” by “Extended access protection or EACv1”
Page 32, Figure 15
Replace “Extended access protection” by “Extended access protection or EACv1”
Page 33
Replace 10.4 with the following:
10.4 EF.DG14 Extended access protection or EACv1 (short EF identifier = ‘0E’, Tag = ‘6E’)
DG14 is defined in C.3.4 for EAP and in Annex G for EACv1.
Annex G
(normative)

Extended Access Control v1
G.1 Introduction
This annex describes an additional protocol for conditional access to an application that stores data in
data groups according to a LDS.
EACv1 is specified by the BSI in the Technical Guidelines TR-03110-1 v2.10 and in TR-03110-3 v2.10.
The support of EACv1 requires a BAP-1 configuration for the IDL.
G.2 Changes to TR-03110-1 v2.10
This section describes the changes that apply to TR-03110-1 v2.10 to support the IDL.
G.2.1 General
For BAC, read BAP.
For DG2, read DG6.
For DG3, read DG7.
2 © ISO 2014 – All rights reserved

---------------------- Page: 5 ----------------------
ISO/IEC 18013-3:2009/Amd.2:2014(E)

For DG4, read DG8.
For DG15, read DG13.
For ePassport, read Driving Licence.
For ePassport Application, read Driving Licence Application.
For ICAO compliant ePassport Application, read Driving Licence Application.
For ICAO/EAC1-compliant ePassport Application, read Dr
...