The authenticity of electronically stored data in MRTDs is protected by a signature (passive authentication). Access to particularly sensitive data is only granted after authentication (terminal authentication).
In order to perform passive authentication, a terminal requires a trust anchor (a CSCA root certificate) in order to check the signature. After reading the security data (EF.SOD), the terminal can identify the document signer which signed the data of the MRTD. In most cases, the certificate of the document signer is also on the chip of the MRTD, in other words, all that is needed is access to the CSCA root certificate. The certificate of the document signer can then be verified and the signature of the data checked using the public key contained in the certificate.
It is absolutely necessary that the certificates be passed on to the terminal in authentic form. If an attacker manages to introduce a forged trust anchor into the background system or to alter the trust anchor during communication, false documents could then be feigned to be authentic. This would corrupt the entire system.
Within the scope of terminal authentication, the terminal must sign a challenge of the MRTD. To do this, the terminal must have access to a key pair and must convince the document of the authenticity of the public key. This is carried out by transmitting a certificate chain which extends to and includes the trust anchor introduced into the document during personalisation (encoded in EF.CVCA).
In order to enable authorised terminals only to access the key material, the authorisation of the terminal must be checked. Otherwise, an attacker can have the signature calculated and thereby obtain access to the sensitive data stored on the MRTD.
A background system must hence fulfil the following preconditions: