SmartCards as electronic signature devices Progress of standardization. Helmut Scherzer, CEN TC224/WG16 (Editor) IBM Germany

Similar documents
ISO/ CEN Standardization Status European Citizen Card Lorenzo Gaston

EU Passport Specification

eidas Standardisation What are the Issues and Concerns? Overview from CEN TC 224 WG 16 ESIGN Gisela Meister

Protection Profiles for Signing Devices

CEN TC 224 WG15. European Citizen Card. Brussels May 10th CEN/TC 224 WG15 European Citizen Card

European Citizen Card Going ahead

MACHINE READABLE TRAVEL DOCUMENTS

Technical report. Signature creation and administration for eidas token Part 1: Functional Specification

Biometric Passport from a Security Perspective

ISO/IEC INTERNATIONAL STANDARD. Identification cards Integrated circuit card programming interfaces Part 2: Generic card interface

Status update. ISO/IEC 24727: Identification Cards Integrated Circuit Cards Programming Interface. 18 April 2006 Bill MacGregor U.S.

ETSI TS V7.1.0 ( )

Irish Standard I.S. EN :2014

TECHNICAL ADVISORY GROUP ON MACHINE READABLE TRAVEL DOCUMENTS (TAG/MRTD)

Can eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010

ISO/IEC INTERNATIONAL STANDARD

CREDENTSYS CARD FAMILY

This document is a preview generated by EVS

ISO/IEC JTC 1 N Replaces: JTC 1 N ISO/IEC JTC 1 Information Technology

The Open Protocol for Access Control Identification and Ticketing with PrivacY

ETSI Electronic Signatures and Infrastructures (ESI) TC

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

TECHNICAL SPECIFICATION

Security Mechanism of Electronic Passports. Petr ŠTURC Coesys Research and Development

UPDATE ON CEN & ETSI STANDARDISATION ON SIGNATURES

Legal Regulations and Vulnerability Analysis

Technical report. Signature creation and administration for eidas token. Version 1.0 Release Candidate 6. Version 1.0 Release Candidate 6

SLE66CX322P or SLE66CX642P / CardOS V4.3B Re_Cert with Application for Digital Signature

This document is a preview generated by EVS

ACOS5-64. Functional Specifications V1.04. Subject to change without prior notice.

Interoperability Specification for ICCs and Personal Computer Systems

FINEID - S1 v2.1 Electronic ID Application

MACHINE READABLE TRAVEL DOCUMENTS

2 Electronic Passports and Identity Cards

PayPass M/Chip 4. Card Technical Specification

Utimaco eidas Update. June Thorsten Groetker CTO. Utimaco HSM Business Unit Aachen, Germany 2017 Utimaco eidas Update, June 2017 Page 1

ISO/TS TECHNICAL SPECIFICATION. Automatic vehicle and equipment identification Intermodal goods transport Numbering and data structures

ISO/IEC Identification cards Integrated circuit cards Part 12: Cards with contacts USB electrical interface and operating procedures

ISO/IEC INTERNATIONAL STANDARD. Identification cards Integrated circuit cards Part 4: Organization, security and commands for interchange

ISO/TS TECHNICAL SPECIFICATION

ISO INTERNATIONAL STANDARD. Road vehicles Extended data link security. Véhicules routiers Sécurité étendue de liaison de données

Past & Future Issues in Smartcard Industry

ETSI TS V7.0.0 ( ) Technical Specification. Smart Cards; Extensible Authentication Protocol support in the UICC (Release 7)

I N F O R M A T I O N S E C U R I T Y

ISO/IEC JTC 1/SC 27 N7769

Confirmation concerning Products for Qualified Electronic Signatures

This document is a preview generated by EVS

Electronic fee collection Information exchange between service provision and toll charging

ETSI ESI and Signature Validation Services

ISO/IEC INTERNATIONAL STANDARD. Information technology Trusted Platform Module Part 2: Design principles

eidas compliant Trust Services with Utimaco HSMs

Card Specification Amendment A March 2004

Expert Embedded Security

August, Actividentity CTO Office

Java Card Approach to Emulate The Indonesian National Electronic ID Smart Cards

Information technology Security techniques Authentication context for biometrics

ETSI TS V8.0.0 ( ) Technical Specification

ISO/TS TECHNICAL SPECIFICATION

ISO/IEC INTERNATIONAL STANDARD

Functional Specification of the OpenPGP application on ISO Smart Card Operating Systems

ETSI TS V6.0.0 ( )

ISO/IEC INTERNATIONAL STANDARD

ETSI TS V6.1.0 ( )

ETSI European CA DAY TRUST SERVICE PROVIDER (TSP) CONFORMITY ASSESSMENT FRAMEWORK. Presented by Nick Pope, ETSI STF 427 Leader

ISO INTERNATIONAL STANDARD. Road transport and traffic telematics Automatic vehicle and equipment identification Numbering and data structure

ISO/IEC Identification cards Integrated circuit cards Part 11: Personal verification through biometric methods

Revision of ISO ISO TC69 Ballot CD1 Major revisions agreed by TC69/WG9 Proposed changes not accepted Next steps

The main objective is to respond to an increasing need for coordination since there is a close relationship among multiple ISO security standards proj

Security Standardization

Security Policy for Schlumberger Cyberflex Access 32K Smart Card with ActivCard Applets

ETSI TS V7.1.0 ( )

PUBLIC USER SPECIFICATION BELPIC APPLICATION V2.0

SG-CG/SGIS SG-CG/SGIS. ETSI Cyber Security Workshop Sophia Antipolis, France, January the 16th, 2013 Jean-Pierre Mennella, Alstom Grid

Introduction to Electronic Identity Documents

FINEID - S1 Electronic ID Application

Key Management Interoperability Protocol Crypto Profile Version 1.0

Information technology - Security techniques - Message Authentication Codes (MACs) - Part 1: Mechanisms using a block cipher

Technological foundation

ISO INTERNATIONAL STANDARD. Electronic fee collection Systems architecture for vehicle-related tolling

I N F O R M A T I O N S E C U R I T Y

ISO INTERNATIONAL STANDARD

Expert 3.2

ISO/IEC INTERNATIONAL STANDARD. Information technology Biometric data interchange formats Part 2: Finger minutiae data

Paul A. Karger

Expert 3.2

ISO/IEC Information technology Common Biometric Exchange Formats Framework Security block format specifications

This document is a preview generated by EVS

ID-One Cosmo V7-a Smart Card Cryptographic Module

CBEFF. Common Biometric Exchange Formats Framework. Catherine Tilton. 6 March W3C Workshop on SIV

ISO/IEC INTERNATIONAL STANDARD

MultiApp ID V2.1 Platform FIPS Cryptographic Module Security Policy

Jaap Hogeling Chair CEN TC 371 Program Committee on EPBD (Energy Performance Buildings Directive)

SETECS OneCARD PIV II Java Card Applet. on Gemalto GemCombi'Xpresso R4 E72K PK card

Guidance for Requirements for qualified trust service providers: trustworthy systems and products

Information technology Security techniques Blind digital signatures. Part 1: General

ISO/IEC INTERNATIONAL STANDARD

BSI TR Part 1.1 A framework for Official Electronic ID Document conformity tests

ISO/IEC JTC 1 N 13538

ISO/IEC INTERNATIONAL STANDARD. Information technology Biometric data interchange formats Part 9: Vascular image data

Transcription:

SmartCards as electronic signature devices Progress of standardization Helmut Scherzer, CEN TC224/WG16 (Editor) IBM Germany scherzer@de.ibm.com

Active CEN working groups(today) TC224 : "Machine readable cards, related device interfaces and operations" Chair: René Beltrando (FRANCE) Secretary: Catherine Protic (AFNOR)

Active CEN working groups(today) WG6 : "Man Machine Interface" Chair: René Beltrando (FRANCE) Secretary: Catherine Protic (AFNOR) WG 11: "Surface transport applications" Chair: Jürgen Wehnert (Germany)

Active CEN working groups(today) WG15 : "European Citizen Card" Chair: Lorenzo Gaston (France) WG 16: "Application Interface for SmartCards used as Secure Signature Creation Devices" Chair: Gisela Meister (Germany) WG 17: "Protection Profiles in the context of electronic signature Chair: Massimo Actis Dato (Italy)

ISO related standardization groups SC17/WG4 : "Organization, security and commands for interchange" Chair: René Beltrando (France)... responsible for the creation of the 7816-x smart card standards

History of pren 14890 Initial documents EU directive for electronic signatures ESIGN Workshop G1 Security requirements for signature creation applications" ESIGN G2 Procedures for Electronic Signature Verification ESIGN Workshop F Secure Signature creation devices (Protection Profile) Foundation of ESIGN-K group (12.7.2001) Chair: Gisela Meister (G&D), Editor: Helmut Scherzer (IBM) Technical specification ESIGN-K (CWA 14890, Part 1 and 2) approx. 250 pages final delivery: March 2004 CEN BT159 to decide future development CEN TC224 WG16 established in response to the resolution number 693 approved by the 41th CEN TC224 Plenary meeting (18.4.2005)

Mission of TC224/WG16 The task... Development & maintenance of CWA 14890 Smart Card shall be able to produce a 'qualified electronic signature'. Additional services to be supported (covered in Part 2) responsible for technical compatibility of standards developed under its authority. (Example ECC-2) Physical, electrical and transport protocol characteristics are out of the scope of this standard

Road Map of TC224/WG16 As the first objective the CEN TC224 WG16 shall prepare a working draft for the new European Standard EN Application Interface for smart card used as Secure Signature Creation Device based on the CWA 14890 parts 1 and 2. This new standard is intended to support the concrete implementation of the European legal framework for electronic signatures This standard is specially expected to be the base standard by card personalized with Identification, Authentication and Digital Signature (IAS) services. The standard will enable the development of interoperable cards issued by any card industry sector. The standard will describe an application interface and behavior of the SSCD i.e. it should be possible to implement on e.g. native and interpreter based cards. The standard shall be compliant with other European standards developed in the framework of the European Directive 1999/93.

Road Map of TC224/WG16 According to the previous division of the CWA 14890-1 and 2 the WG16 will produce two separate working drafts. Both working drafts shall be sent to the CEN TC224 Secretariat for circulation and ballot not later than June 2006.

Documents referring CWA 14890 ICAO : Advanced Security Mechanisms for Machine Readable Travel Documents Identification card systems European Citizen Card Part 2: Logical data structures and card services Electronic Health Card Specification (Germany) - Part 2: Basic Applications and Functions Global Platform Internet search engine: "CWA 14890" approx. 160 hits

Additions and modifications Chapter 3: Normative references Update all documents to last available versions Removed some references (e.g. DIN 66291) Chapter 4: Terms and abbreviations minimum changes required (e.g. AES added) Chapter 5: Application selection AID.ESIGN = A0 00 00 01 67 ESIGN Note: SELECT needs to be in clear when in JAVA cards Chapter 6: User verification added the notion of sensor-on/off card

Additions and modifications Chapter 7: Signature creation Refined the description of hashing Added functionality to modify hash template of current SE Chapter 8: Device authentication Off-card sensor mandates device authentication Added privacy-constrained protocol Corrected 7F21 retrieval problem (according to ISO7816-4) Session key computation available with AES Post authentication chapter describes conditions that end the secure session.

Additions and modifications Chapter 9: Secure messaging Odd/Even instruction codes are supported now Improved figures, taken from TC224/WG15 documents

Command APDU creation (CG) Header Lc Data Le Cla, Ins, P1, P2 Lc Incoming Data Le Header Cla, Ins, P1, P2 8 bytes DATA 8 bytes data DATA x bytes Padding '80 [00...]' Le Le last block ICV = '00 00... 00' SK ENC Triple DES EDE SK ENC Triple DES EDE SK ENC Triple DES EDE '87' Tag L Len '01' Constant 8 bytes 8 bytes Data data 8 bytes Data Encrypted Data Formated Block (EDFB)

Command APDU creation (CC)

Command APDU creation

Response APDU creation (ENC)

Final response APDU creation Data Status word Outgoing Data SW 12 Data Tag Len Status word Padding EDFB '99' '02' SW12 '80' [00...]' SSC Data subject to cryptographic checksum (retail MAC calculation) DES last block E[Ka](SSC) SK MAC left Encrypt SK MAC left Encrypt SK MAC left Encrypt SK MAC left Encrypt SK MAC right Decrypt '8E' '08' Cryptographic Checksum SK MAC left Encrypt Tag Len Value Cryptographic Checksum Formatted Block (CCFB)

Additions and modifications Chapter 10: Key generation Created an overview on the relevant chapters, related to alternative key generation schemes Chapter 11: Key identifiers and parameters minor changes Chapter 12: APDU data structures Added CRTs for key selection during device authentication Chapter 13: AlgIDs, Hash- and DSI Formats SHA-224/256/384/512 and the appropriate object identifier

Additions and modifications Chapter 14: Certificate Formats Card verifiable certificates chapters added Improved description of certificate fields New tables for role ID New Certificate fields CED (Certificate Effective Date) and CXD (Certificate expiration date) Certificate signature described according to WG15 Chapter 15: Files EF.ELC added for the privacy constrained device authentication Chapter16: Cryptographic Information Application To be replaced or removed - under discussion. Annex 1: Added the cryptographic description of the privacy constrained device authentication protocol.

Some extra features PDF is cross referenceable throughout Part1 / Part 2 Separation of execution flow and data content

pren 14890 - Part 2 Under construction First round, February 9 th, 2006.

Next meetings CEN TC224/WG16 9 th February 2005 in Madrid 21 22 th March in France (Gemplus) 26 th 27 th April in Berlin 7 th 8 th June in Munich (G&D)

European Citizen Card (ECC) (WG15) Information provided by Gisela Meister (G&D) The European Citizen Card (ECC) provides An MRTD (Machine Readable Travel Document) functionality according to the ICAO specifications and/or IAS (Identification, Authentication and electronic signature) services based on CWA 14890 (E-Sign K specification) The ECC standard is prepared by the technical committee CEN/TC224 Machine readable cards, related device interfaces and operations (WG15) consists of the following parts: Part1: ECC Physical, Electrical and Transport Protocol Characteristics (CD) Part2: Logical data structures and security services (CD) Part 3: NWI (Personalisation) & Part 4:Planned (Middleware) is a technical standard, i.e. not mandated for national ID cards is compliant with ISO/IEC 7816 and suitable for native & Global Platform (Java ) cards

ECC Part 2: Scope Scope Interoperability for the citizen in the usage phase Specification of security services for the MRTD application based on requirements/definitions of national authorities Specification of the IAS Services (not applications!) Specification of the card edge interface Definitions for extended length fields, logical channels Specification of the card capability description Out of scope Card and application management Loading of applications (ISO/IEC 7816-13 not yet finalized) Administrative tasks in the usage phase Initialization / Personalization

Relation to other Standards and national ecard Projects contactless ecard Card- Interface contact oriented PKI Technical Reports / Supplements (ICAO) European Citizen Card/ CEN TC 224 WG 15 SSCD (CEN TC224 WG 16) French ecard (GIXEL) German ID card dpa (DIF) CWA 14890 (ESIGN K ) CSP/ PKCS #11 PIV Card (DoD / NIST) ISO /IEC 24727-3 ICC-API / Middleware

ICAO Security Mechanisms for MRTD Applications Passive Authentication (mandatory) Data of MRTD application are signed proves data authenticity Basic Access Control (optional) Retrieve key from MRZ (Machine readable zone) for symmetric device authentication with session key establishment prevents skimming and eavesdropping Active Authentication (optional) proves authenticity of ICC ICC signs IFD s random number with ICC specific private key Problem: Tracing of citizen possible if random number has a semantic (e.g. contains information about place and time)

ECC Part 2: Roadmap Preparation of Working Draft Public Review Inquiry Update of CD Voting Period Technical Standard Q2/2005 Q3/2005 Q4/2005 Q1/2006 Q2/2006

Summary ECC-2 ECC-2 is a technical standard, compatible to ICAO Technical report in case of use as MRTD CEN CWA 14890 (CEN TC 224 WG 16), in case of use for IAS Services building the base for national ID card specifications as e.g. the German ID card (dpa), its specification to be provided by the German Industry Association DIF French Government Cards, their specification to be provided by the French Industry Association GIXEL ECC-2 is planned to be used together with Part 3 (Middleware API) of the International Standard Draft series ISO/IEC 24727 to provide interoperable Card Services for egovernment applications

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback