Basic access control (BAC) is a mechanism specified to ensure only authorized parties[1] can wirelessly read personal information from passports with an RFID chip.
In addition, because only real calendar dates are used, the number of possible combinations is further limited: the month makes up two of the digits used for generating the key.
The German passport serial-number format (previously 10-digit, all-numeric, sequentially assigned) was modified on 1 November 2007, in response to concerns about the low entropy of BAC session keys.
The new 10-character serial number is alphanumeric and generated with the help of a specially designed block cipher, to avoid a recognizable relationship with the expiry date and to increase entropy.
In addition, a public-key-based extended access control mechanism is now used to protect any information in the RFID chip that goes beyond the minimum ICAO requirements, in particular fingerprint images.
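The entropy argument above can be made concrete with a short calculation. The following is an added example, not part of the original text: it derives the BAC key seed from the machine-readable zone fields as ICAO Doc 9303 specifies (SHA-1 over document number, date of birth and expiry date, each with its check digit) and estimates the key space for the old and new serial formats. The 100-year birth window, the 10-year validity window and all function names are assumptions made for illustration.

```python
import hashlib
from datetime import date
from math import log2


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7, 3, 1 repeating; '<' = 0, A..Z = 10..35."""
    values = (0 if c == "<" else int(c, 36) for c in field)
    return sum(v * (7, 3, 1)[i % 3] for i, v in enumerate(values)) % 10


def bac_key_seed(doc_no: str, birth: str, expiry: str) -> bytes:
    """K_seed: first 16 bytes of SHA-1 over the three MRZ fields plus check digits."""
    info = "".join(f + str(check_digit(f)) for f in (doc_no, birth, expiry))
    return hashlib.sha1(info.encode("ascii")).digest()[:16]


def days_spanned(first_year: int, years: int) -> int:
    """Number of real calendar dates in a run of whole years."""
    return (date(first_year + years, 1, 1) - date(first_year, 1, 1)).days


def key_space_bits(symbols: int, length: int, birth_dates: int, expiry_dates: int) -> float:
    """Upper bound on key entropy, treating the three fields as independent and uniform."""
    return length * log2(symbols) + log2(birth_dates) + log2(expiry_dates)


def estimates() -> dict:
    births = days_spanned(1920, 100)   # assumption: holder birth years 1920-2019
    expiries = days_spanned(2007, 10)  # assumption: 10-year validity window
    return {
        "all digits free": key_space_bits(10, 10, 10**6, 10**6),
        "numeric serial, real dates": key_space_bits(10, 10, births, expiries),
        "alphanumeric serial, real dates": key_space_bits(36, 10, births, expiries),
    }


if __name__ == "__main__":
    # Specimen MRZ fields from the ICAO Doc 9303 worked example, not a real document.
    print(bac_key_seed("L898902C<", "690806", "940623").hex())
    for label, bits in estimates().items():
        print(f"{label}: {bits:.1f} bits")
```

The figure for the numeric serial is an upper bound: a sequentially assigned number is correlated with the issue date and therefore with the expiry date, so the fields are not independent and the real entropy is lower.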