What is OpenPACE?

OpenPACE is a cryptographic library which provides support for the main protocols of the Extended Access Control (EAC) version 2.0 specified in BSI TR-03110 and is used to establish a Secure Channel with the new German identity card. OpenPACE comprises support for the following protocols:

  • The Password Authenticated Connection Establishment (PACE) protocol. This protocol is used to establish a secure channel between two parties that only share a weak secret. In the context of the new German identity card PACE is used to secure the wireless communication between the ID card and the point of PIN entry (either the RFID reader or the PC).
  • The Terminal Authentication (TA) protocol. This protocol is used to authenticate the terminal which wants to use the identity card and to establish the access rights of this terminal.
  • The Chip Authentication (CA) protocol. This protocol is used to authenticate the identity card and to establish a secure end-to-end channel between the card and the terminal.

Furthermore, OpenPACE also supports Card Verifiable Certificates (CV Certificates) as specified in BSI TR-03110.

Please note that OpenPACE only implements the cryptographic protocols of the EAC. If you actually want to exchange data with an RFID card, you need to take care of formatting and sending the data in the form of APDUs. If this is what you're trying to do, you should have a look at the pace-tool program in the ccid sub-directory contained in the Virtual Smartcard Architecture.

How to install and use OpenPACE

OpenPACE is based on the OpenSSL library. It consists of a series of patches for OpenSSL:

  1. BP.patch: Adds the elliptic curves defined in RFC 5639 to OpenSSL. It was originally written by Annie Yousar from Humboldt University Berlin.
  2. openpace.patch: Adds support for PACE and handling of CV Certificates.

These patches need to be applied to OpenSSL 1.0.1c in the above order.

In order to compile and install OpenPACE you need to use the following commands:

  • ./config shared experimental-pace -g --prefix=/opt/openpace
  • make
  • make install

You can also fetch the required patches from the SVN, which also includes a Makefile which helps you with downloading and patching OpenSSL. In order to build OpenPACE from the SVN just issue the following commands:

  • svn co https://openpace.svn.sourceforge.net/svnroot/openpace openpace
  • cd openpace
  • make

After the make command finishes you should have a working copy of OpenPACE in the openpace/openpace directory.
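As an added example (not part of the OpenPACE project or its SVN Makefile), here is a small POSIX shell helper that carries out the patch-and-build steps above with the checks a practitioner would want: it refuses to patch anything other than an OpenSSL 1.0.1c source tree, applies BP.patch and openpace.patch in the required order with a dry run first, and then configures and builds with the flags given. The strip level (-p1), the directory names and the use of GNU patch's --dry-run option are assumptions.

```shell
#!/bin/sh
# Added example, not OpenPACE's own build script. Assumptions: the OpenSSL
# 1.0.1c sources are unpacked in $OPENSSL_SRC, both patches sit in $PATCH_DIR,
# they apply with -p1, and GNU patch (for --dry-run) is available.
set -e

PREFIX=${PREFIX:-/opt/openpace}
OPENSSL_SRC=${OPENSSL_SRC:-./openssl-1.0.1c}
PATCH_DIR=${PATCH_DIR:-.}

# The patches target exactly OpenSSL 1.0.1c. Return 0 only if the version
# string in crypto/opensslv.h of the tree given as $1 says so.
check_openssl_version() {
    grep -Eq '^#[[:space:]]*define[[:space:]]+OPENSSL_VERSION_TEXT[[:space:]]+"OpenSSL 1\.0\.1c ' \
        "$1/crypto/opensslv.h"
}

# Order matters: BP.patch adds the RFC 5639 (Brainpool) curves that
# openpace.patch builds on, so it must be applied first.
openpace_patches() {
    printf '%s\n' BP.patch openpace.patch
}

# Apply each patch to the tree $1 from directory $2, dry-running first so a
# failing patch never leaves a half-patched source tree behind.
apply_patches() {
    src=$1; dir=$2
    for p in $(openpace_patches); do
        patch -d "$src" -p1 -s --dry-run < "$dir/$p"
        patch -d "$src" -p1 -s < "$dir/$p"
    done
}

# Verify, patch, then configure/build/install with the flags from the text.
build_openpace() {
    check_openssl_version "$OPENSSL_SRC" || {
        echo "error: $OPENSSL_SRC is not an OpenSSL 1.0.1c source tree" >&2
        return 1
    }
    apply_patches "$OPENSSL_SRC" "$PATCH_DIR"
    ( cd "$OPENSSL_SRC" \
        && ./config shared experimental-pace -g --prefix="$PREFIX" \
        && make && make install )
}

# Only build when invoked as "./build-openpace.sh build", so the helper
# functions can also be sourced and checked on their own.
if [ "${1:-}" = build ]; then
    build_openpace
fi
```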

To use OpenPACE with your application you need to link it against the patched libcrypto and pass the include and library paths to the compiler. Here's an example of how a gcc call for a program using OpenPACE might look:

env LD_LIBRARY_PATH=/opt/openpace/lib gcc -o foo foo.c -I /opt/openpace/include -L /opt/openpace/lib -lcrypto

Where to get help

You can find the OpenPACE API here.

If you find a bug or want to add a feature to OpenPACE, feel free to contact the authors via E-Mail:

Supported Platforms

  • Linux
  • Mac OS X
  • Windows

Related Projects

Humboldt Universität zu Berlin