|Password Authenticated Connection Establishment (PACE):|
|Establish a secure channel with a strong key between two parties that only share a weak secret.|
|Terminal Authentication (TA):|
|Verify/prove the terminal’s certificate (or rather certificate chain) and secret key.|
|Chip Authentication (CA):|
|Establish a secure channel based on the chip’s static key pair proving its authenticy.|
Furthermore, OpenPACE also supports Card Verifiable Certificates (CV Certificates) as well as easy to use wrappers for using the established secure channels.
The handlers for looking up trust anchors during TA and CA (i.e. the CSCA and the CSCA certificates) can be customized. By default, the appropriate certificates will be looked up in the file system.
OpenPACE supports all variants of PACE (DH/ECDH, GM/IM), TA (RSASSA-PKCS1-v1_5/RSASSA-PSS/ECDSA), CA (DH/ECDH) and all standardized domain parameters (GFP/ECP).
OpenPACE is implemented as C-library and comes with native language wrappers for:
OpenPACE only implements the cryptographic protocols of the EAC. If you actually want to exchange data with a smart card, you need to take care of formatting and sending the data in the form of APDUs. If this is what you’re trying to do, you should have a look at the npa-tool of the nPA Smart Card Library .