Functional Documentation for "NFC CSP Light" Version 1.0

Similar documents
User Documentation for "NFC CSP Light" Version 1.0

SecureDoc Disk Encryption Cryptographic Engine

Forensics Challenges. Windows Encrypted Content John Howie CISA CISM CISSP Director, Security Community, Microsoft Corporation

Interface. Circuit. CryptoMate

Troubleshooting smart card logon authentication on active directory

This version of the IDGo 800 middleware contains the following components: IDGo 800 Credential Provider build 01

Extending Security Functions for Windows NT/2000/XP

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

This Security Policy describes how this module complies with the eleven sections of the Standard:

XenApp 5 Security Standards and Deployment Scenarios

FIPS Security Policy. for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module

User Authentication. Modified By: Dr. Ramzi Saifan

WatchKey USB Token Cryptographic Module Model Number: K6 Smart Card Chip: Z32L256D32U PCB: K003010A Firmware Version: 360C6702

ACOS5-64. Functional Specifications V1.04. Subject to change without prior notice.

NCP Secure Client Juniper Edition (Win32/64) Release Notes

User Authentication. Modified By: Dr. Ramzi Saifan

FIPS Security Policy UGS Teamcenter Cryptographic Module

CERN Certification Authority

Pass Microsoft Exam

Barron McCann Technology X-Kryptor

NCP Secure Client Juniper Edition Release Notes

econet smart grid gateways: econet SL and econet MSA FIPS Security Policy

TPM v.s. Embedded Board. James Y

Dashlane Security Whitepaper

PKCS #15: Conformance Profile Specification

Aventail Connect Client with Smart Tunneling

SafeSign Identity Client Standard

CoSign Hardware version 7.0 Firmware version 5.2

FIPS Non-Proprietary Security Policy

BitLocker Group Policy Settings

Security Policy Document Version 3.3. Tropos Networks

CSC 474 Network Security. Authentication. Identification

1. Product Overview 2. Product Features 3. Product Value 4. Comparison Chart 5. Product Applications 6. Q & A

ivest Client 4.0 Release User Guide

Security Policy for. DAL C3 2 Applet Suite on Axalto Cyberflex Access 64Kv1 Smart Card Chip. FIPS Level 2. Version 1.03 January 31, 2005

1. A broadband connection. 2. Windows Vista (for these instructions; other operating systems have other instructions).

WatchKey ProX USB Token Cryptographic Module Hardware Version: K023314A Firmware Version:

Copyright 2017 Softerra, Ltd. All rights reserved

User guide. procertum CardManager Version Asseco Data Systems S.A.-

In this article I will show you how to enable Outlook Web Access with forms based authentication in Exchange Server 2007 Beta 2.

Secret-in.me. A pentester design of password secret manager

A Multi-Application Smart-Card ID System for George Mason University. - Suraj Ravichandran.

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Application Note. Configuring SSH on Vocality units. Software From V07_04_01. Revision v1.5

Fujitsu mpollux DigiSign Client Technical References

1. Product Overview 2. Product Features 3. Comparison Chart 5. Q & A

Set Up with Microsoft Outlook 2013 using POP3

RSA Ready Implementation Guide for. GlobalSCAPE EFT Server 7.3

Generating a request for a subsequent certificate User Guide for browser Opera

Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4

CLOUD MAIL End User Guide. (Version 1.0)

Certification Authority

AIT 682: Network and Systems Security

Authentication. Identification. AIT 682: Network and Systems Security

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

Nigori: Storing Secrets in the Cloud. Ben Laurie

Security Requirements for Crypto Devices

Junos Pulse Access Control Service Release Notes

Barracuda Networks SSL VPN

SecuRemote for Windows 32-bit/64-bit

PRACTICAL PASSWORD AUTHENTICATION ACCORDING TO NIST DRAFT B

Owner of the content within this article is Written by Marc Grote

Juniper Network Connect Cryptographic Module Version 2.0 Security Policy Document Version 1.0. Juniper Networks, Inc.

Security in NFC Readers

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

VMware Identity Manager vidm 2.7

3 CERTIFICATION AUTHORITY KEY PROTECTION (HSMS)

AT&T Global Network Client Domain Logon Guide. Version 9.7

TFS WorkstationControl White Paper

Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) Evaluation Vendor Questionnaire Version 2.

User Authentication and Passwords

Online Banking Security

STS Secure for Windows XP, Embedded XP Security Policy Document Version 1.4

Lecture 3 - Passwords and Authentication

Configuring your BlackBerry Internet Service from the BlackBerry device

Xceedium Xsuite. Secured by RSA Implementation Guide for 3rd Party PKI Applications. Partner Information. Last Modified: February 10 th, 2014

QUICK SET-UP VERIFICATION...3

Bluefly Processor. Security Policy. Bluefly Processor MSW4000. Darren Krahn. Security Policy. Secure Storage Products. 4.0 (Part # R)

BCM58100B0 Series: BCM58101B0, BCM58102B0, BCM58103B0 Cryptographic Module VC0 Non-Proprietary Security Policy Document Version 0.

DIGIPASS CertiID. Installation Guide 3.1.0

Symantec Corporation

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

AMD RAID Installation Guide

Salesforce1 Mobile Security White Paper. Revised: April 2014

NFC Equipped Smartphones

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

Ciphermail Webmail Messenger Administration Guide

Gemalto Bluetooth Device Manager

How to Configure Authentication and Access Control (AAA)

SSL VPN - IPv6 Support

SSL VPN - IPv6 Support

FIPS SECURITY POLICY FOR

Cryptography and Network Security

IBM Client Security Solutions. Client Security Software Version 1.0 Administrator's Guide

Power LogOn s Features - Check List

Sagem Orga Strong, Global, Innovative.

Administering Windows Server 2012

Elaine Barker and Allen Roginsky NIST June 29, 2010

Transcription:

Functional Documentation for "NFC CSP Light" Version 1.0 Prepared by: "Vincent Le Toux" Date: 03/02/2014 1

Table of Contents Table of Contents Revision History Description... 4 System Specifications... 4 Hardware... 4 External System Dependencies... 4 Architecture overview... 4 Files... 5 Virtual smart card... 6 Data storage... 6 Cryptography... 6 PIN attempts check... 7 Limitations... 7 PIN Caching... 7 Quality tests... 8 csptestsuite... 8 2

Revision History This section records the change history of this document. Name Date Reason For Changes Version Vincent Le Toux 03/02/2014 Creation 1.0 3

Description NFC CSP is a software used to emulate the cryptographic functions of smart card using a NFC tag connected to a PCSC reader. It has been designed allow a quick and secure login, independently of the password, like in a hospital. This software is not suitable to provide a very high level of security. The software provide added cryptographic capabilities to be used on Windows. The software was design to support all the common smart card scenarios like : - Smart card logon using Active Directory - Smart card logon using EIDAuthenticate - SSL Authentication using Internet Explorer (or any CAPI compliant browser) - Digital Signature of emails using Outlook - Digital Signature of documents using Word - Encryption of documents using EFS or Bitlocker System Specifications Operating system supported are : - Windows XP, Vista, Seven, 8 - Windows Server 2003, 2008, 2012 Hardware The smart card reader must be a PCSC compliant NFC reader and support the pseudo APDU for reading the NFC ID (FFCA000000). External System Dependencies This software depends on certain external systems to complete some or all of its tasks. This section lists those dependencies explicitly: External System Windows Installer 3.0 Dependencies on that System None Architecture overview There are two ways possible to emulate a smart card in Windows. The first one is to write a full CSP (Cryptographic Service Provider), and the second one is to implement only a subset, named minidriver, by using the existing CSP named "Base Smart card CSP". Implementing a virtual smart card with the minidriver model requires to compute raw RSA operations and to emulate a file system. Implementing a CSP requires only to wrap the calls to the 4

classic RSA provider and to protect the cryptographic material which is easier than building a minidriver. The implementation of a virtual smart card reader is not needed as using a PCSC reader is a requirement. However this solution requires that the files are signed every time the CSP is built, like a kernel mode driver. Files NFC CSP is made of the following files : - NFCCSPLight[32 64].dll which is a Crytographic Service Provider, a dll run by the CAPI library. - NFCCSPSmartManager.exe which is a program design to manage the certificates and the cryptographic container - NFCCSPLogManager.exe which is a utility used to get diagnostic traces 5

Virtual smart card Data storage The data is stored in the Common Application Folder, located on Windows 7 on c:\programdata. The folder used by the application is NFC_CSP. There are inside this folder a directory per smart card emulated. The name of the directory is computed with a hash of the characteristics of the smart card. Inside the virtual smart card, there are a directory per container and a master key file. The masterkey file is encrypted using the characteristics of the smart card along with the PIN if it is defined. Each container can contains up to two public key pair (signature key and key exchange key) as specified by the CAPI interface. For each key, the public key and the private key is written in two different files with different cryptographic key, allowing to read the public key without having being authenticated. A certificate can be optionally stored encrypted. Cryptography There are two keys derived from the NFC tag. The first one is used to access public material. It is based on the characteristics of the tag like its ATR or its UID. The second one is used to access the private material. It is based on the same basic characteristics than the public key with the PIN as an added secret. Several PKDF2 iterations to provide brute force attempts. One derivation takes approximately one half of a second. 6

These key are then used as entropy to the CryptProtectData function which computes a key unique to the local machine. As a consequence, the data cannot be transferred to another computer. Here is an assessment to access the private key. With an UID of 5 bytes, the time needed to test all the combination is 256^5/2 = 549755813888 s = 17 432 years. With an UID of only 3 bytes, the time drops to 0,5 year. To increase this time, a PIN can be set. Each digit set multiplies the time per 10 and each letter/digit set multiplies the time per 36. The PIN is used as a mitigation to the risk of a lost NFC tag. Here is an estimation of the time required to brute force offline the PIN, having access to the computer where is stored the data : Password strength Time 4 number digits 1 hour 8 number digits 19 months 4 letters/numbers digits 3 months 4 digits with symbols 1 year, 4 months 8 digits with symbols 124 millions years PIN attempts check The PIN attempts cannot be stored in the secure container because the container could be saved before the attempt and erased after the login attempt or simply write protected. As a consequence, the PIN attempts are not monitored. Limitations The following table lists the limitations enforced in the product Limitation Maximum container length Minimum PIN size Maxmimum PIN size Comment 100 characters 0 characters 255 characters Digits forbidden in the container name < > : \ " / \? * Digits forbidden in the PIN None PIN Caching The PIN is cached on a process level as advised by Microsoft. Each time the PIN needs to be accessed, it is securely erased from the memory. The PIN is stored in the cache encrypted. 7

Quality tests csptestsuite NFC CSP Light passes successfully the Microsoft test suite designed for CSP. The tests return two warnings. The first warning are caused by the underlying Microsoft CSP. This is known problem and documented as such by Microsoft (file readme.doc). The second warning is triggered when all containers are removed from the smart card : there is no more container to open. 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback