PKCS #15: Conformance Profile Specification

Similar documents
PKCS #15 v1.0: Cryptographic Token Information Format Standard

PKCS #11: Conformance Profile Specification

Provisioning Smartcard

This document is a preview generated by EVS

PKCS #10 v1.7: Certification Request Syntax Standard (Final draft)

PUBLIC USER SPECIFICATION BELPIC APPLICATION V2.0

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Technical report. Signature creation and administration for eidas token Part 1: Functional Specification

ISO INTERNATIONAL STANDARD. Road vehicles Extended data link security. Véhicules routiers Sécurité étendue de liaison de données

Technical report. Signature creation and administration for eidas token. Version 1.0 Release Candidate 6. Version 1.0 Release Candidate 6

OMA Device Management Bootstrap

ETSI TS V1.2.2 ( )

FINEID - S4-1 Implementation Profile 1

ETSI TS V7.1.0 ( )

FINEID - S4-2 Implementation Profile 2

ISO/IEC INTERNATIONAL STANDARD

Security Policy for Schlumberger Cyberflex Access 32K Smart Card with ActivCard Applets

ETSI ES V1.1.3 ( )

ETSI TS V1.3.1 ( )

Request for Comments: 5208 Category: Informational May 2008

SSL Certificates Certificate Policy (CP)

PKCS #3: Diffie-Hellman Key- Agreement Standard

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Wireless Identity Module

ISO/IEC INTERNATIONAL STANDARD

Wireless Identity Module

Functional Specification of the OpenPGP application on ISO Smart Card Operating Systems

Information technology Open Systems Interconnection The Directory Part 8: Public-key and attribute certificate frameworks

ISO/IEC INTERNATIONAL STANDARD

FINEID - S1 Electronic ID Application

Biometrics. Overview of Authentication

ETSI TS V1.5.1 ( )

ISO/IEC INTERNATIONAL STANDARD

Personal Security Environment (PSE) Token properties. Realisation of PSEs : Tokens. How to store private keys? Chapter 6.

FINEID - S4-1 Implementation Profile 1

ACOS5-64. Functional Specifications V1.04. Subject to change without prior notice.

ISO/IEC INTERNATIONAL STANDARD. Identification cards Integrated circuit cards Part 4: Organization, security and commands for interchange

Information technology Security techniques Telebiometric authentication framework using biometric hardware security module

Public Key Infrastructures

PKCS #3: Diffie-Hellman Key-Agreement

The Information Technology (Certifying Authority) Regulations, 2001

INTERNATIONAL STANDARD

Public Key Infrastructures

Public Key Infrastructures

Digital Certificates Demystified

EMV Contactless Specifications for Payment Systems

Functional Specification of the OpenPGP application on ISO Smart Card Operating Systems

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

TS V1.3.2 ( )

EMV 96 Integrated Circuit Card Application Specification for Payment Systems

draft-ietf-smime-cert-06.txt December 14, 1998 Expires in six months S/MIME Version 3 Certificate Handling Status of this memo

SSH Communications Tectia SSH

MISPC Minimum Interoperability Specification for PKI Components, Version 1

ETSI TS V1.2.1 ( ) Technical Specification

PKCS #5 v2.0: Password-Based Cryptography Standard

1) Revision history Revision 0 (Oct 29, 2008) First revision (r0)

Telemetry Data Sharing Using S/MIME

ISO/IEC INTERNATIONAL STANDARD. Information technology Trusted Platform Module Part 2: Design principles

The Mobile Finnish Identity Certificate

WatchKey USB Token Cryptographic Module Model Number: K6 Smart Card Chip: Z32L256D32U PCB: K003010A Firmware Version: 360C6702

Public Key Infrastructures Chapter 06 Private Keys

PKCS #7: Cryptographic Message Syntax Standard

Updating OCSP. David Cooper

PayPass M/Chip 4. Card Technical Specification

TELIA MOBILE ID CERTIFICATE

ETSI TS V7.1.0 ( )

CEN TC 224 WG15. European Citizen Card. Brussels May 10th CEN/TC 224 WG15 European Citizen Card

I N F O R M A T I O N S E C U R I T Y

Category: Standards Track W. Ford VeriSign D. Solo Citigroup April 2002

EU Passport Specification

Owner of the content within this article is Written by Marc Grote

Draft ETSI EN V ( )

ISO/IEC Information technology Common Biometric Exchange Formats Framework Security block format specifications

Technical Guideline TR eid-client Part 2: Conformance Test Specification. Version 1.3

ID-One PIV (Type A) FIPS Security Policy. (PIV Applet Suite on ID-One Cosmo V7-n) Public Version

ETSI TR V1.1.1 ( )

CORRIGENDA ISIS-MTT SPECIFICATION 1.1 COMMON ISIS-MTT SPECIFICATIONS VERSION JANUARY 2008 FOR INTEROPERABLE PKI APPLICATIONS

AUTACK. Secure authentication and acknowledgement message. Edition 2016

I N F O R M A T I O N S E C U R I T Y

SWG-F D6 MESSAGE IMPLEMENTATION GUIDELINE OF THE UN/EDIFACT SECURE AUTHENTICATION & ACKNOWLEDGEMENT MESSAGE AUTACK. DRAFT 0.6m

Card Specification Amendment A March 2004

ISO/IEC INTERNATIONAL STANDARD

Sharing Secrets using Encryption Facility - Handson

Request for Comments: TIS Labs March Storing Certificates in the Domain Name System (DNS)

ENTITY AUTHENTICATION USING PUBLIC KEY CRYPTOGRAPHY DRAFT

SONERA MOBILE ID CERTIFICATE

AUTACK. Secure authentication and acknowledgement message. Edition 2012

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

An Overview of the PKCS Standards

Security Requirements for Crypto Devices

Internet Engineering Task Force (IETF) Request for Comments: 6403 Category: Informational ISSN: M. Peck November 2011

ETSI TS V1.8.3 ( ) Technical Specification. Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)

Network Security Essentials

Web Services Security: XCBF Token Profile

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

DCCKI Interface Design Specification. and. DCCKI Repository Interface Design Specification

EXBO e-signing Automated for scanned invoices

Web Services Security XCBF Token Profile

Certification Report

Machine Readable Travel Documents

Transcription:

Table of Contents PKCS #15: Conformance Profile Specification RSA Laboratories August 1, 2000 1 INTRODUCTION... 2 1 REFERENCES AND RELATED DOCUMENTS... 2 2 DEFINITIONS... 2 3 SYMBOLS AND ABBREVIATIONS... 3 4 GENERAL OVERVIEW... 4 4.1 PROFILE MODEL...4 5 ELECTRONIC IDENTIFICATION PROFILE I... 5 5.1 SCOPE... 5 5.2 DIRECTORY STRUCTURE... 5 5.3 FILE ACCESS CONDITIONS... 6 5.4 PKCS #15 OBJECT REQUIREMENTS... 7 Copyright 1991-2000 RSA Laboratories, a division of RSA Data Security, Inc., a Security Dynamics Company. License to copy this document is granted provided that it is identified as RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS) in all material mentioning or referencing this document. 003-903076-100-000-000

PKCS #15: CONFORMANCE PROFILE SPECIFICATION 2 1 Introduction For multiple applications to access the PKCS #15 v1.1 standard it will be necessary to ensure that a mechanism exists to ensure interoperability and compliance for at least some specific subset of the specification. To accomplish this task subsets of the PKCS #15 specification have been defined and are detailed in the form of profiles. The profiles specify which sections of the specification need to be implemented for compliance. These profiles can then be used in the production of conformance testing tools and allow vendors to certify their compliance. The aim of this document is to spell out the profile in sufficient detail to allow conformance tools to be implemented and widely adopted. 1 References and related documents RSA Laboratories PKCS #1 v2.0: RSA Cryptography Standard. RSA Laboratories PKCS #11 v2.10: Cryptographic Token Interface Standard. RSA Laboratories PKCS #12 v1.0 (DRAFT): Personal Information Exchange Syntax Standard. RSA Laboratories PKCS #15 v1.1: Cryptographic Token Information Format Standard. Sweden Post EID: Profile for a PKCS #15 compliant Token. FINEID - S4-1 Implementation Profile: Public Key Infrastructure for Smart Cards. 2 Definitions ANSI: American National Standards Institute. An American standards body. Application: The implementation of a well-defined and related set of functions that perform useful work on behalf of the user. It may consist of software and or hardware elements and associated user interfaces. Application provider: An entity that provides an application. ASN.1 object: Abstract Syntax Notation object as defined in ISO/IEC 8824. A formal syntax for describing complex data objects.

PKCS #15: CONFORMANCE PROFILE SPECIFICATION 3 CHV: CardHolder Verification. Also called the PIN. Typically a 4 to 8 digit number entered by the cardholder to verify that the cardholder is authorized to use the card. Cryptogram: Result of a cryptographic operation. Data unit: The smallest set of bits that can be unambiguously referenced. Defined in ISO/IEC 7816-4. Function: A process accomplished by one or more commands and resultant actions that are used to perform all or part of a transaction. ICC: Integrated Circuit Card. Another name for a smart card. ISO: International Organization for Standardization Password: Data that may be required by the application to be presented to the card by its user before data can be processed. PIN: Personal Identification Number. See CHV. Provider: Authority who has or who obtained the rights to create the MF or a DF in the card. Template: Value field of a constructed data object, defined to give a logical grouping of data objects. Defined in ISO/IEC 7816-6. Token: In this specification, a portable device capable of storing persistent data. Tokenholder: Analogous to cardholder. Uniform Resource Identifiers: a compact string of characters for identifying an abstract or physical resource. Described in RFC 2396. The key words "must", "must not", "required", "shall", "shall not", "should", "should not", "recommended", "may", and "optional" in this document are to be interpreted as described in IETF RFC 2119. 3 Symbols and Abbreviations AODF BER CA CDF DER DF Authentication Object Directory File Basic Encoding Rules Certificate Authority Certificate Directory File Distinguished Encoding Rules Directory File

PKCS #15: CONFORMANCE PROFILE SPECIFICATION 4 DODF EF MF ODF OID PKCS PrKDF PuKDF SkDF URL Data Object Directory File Elementary File Master File Object Directory File Object Identifier Public Key Cryptography Standard Private Key Directory File Public Key Directory File Secret Key Directory File Uniform Resource Locator (a class of uniform resource identifiers) 4 General Overview This document defines profiles for the PKCS #15 v1.1 specification. These profiles specify the data format, access conditions and assumptions necessary for profile conformance. Profiles will be defined using the format defined below 4.1 Profile Model Scope: The scope will define the purpose and limitations of the profile. Directory Structure: Explicitly states the specific directory structure for the profile. File Access Conditions: Lays out the access rules for the files and directories in the profile. PKCS #15 Object Requirements: States any specific requirements for each required element of the profile.

PKCS #15: CONFORMANCE PROFILE SPECIFICATION 5 5 Electronic Identification Profile I 5.1 Scope This section contains a detailed description of an Electronic Identification (EID) profile using a PKCS #15 based token. Two keys are used to control the operations, one key for authentication and encryption, the second for non-repudiation. 5.2 Directory Structure This sections show the layout for the EFs And DFs for the profile. EF(DIR) MF DF (PKCS #15) EF(ODF) EF(AODF) Pin 1 Pin 2 EF(PrKDF) PrKey 1 PrKey 2 EF(CDF 1) Cert 1 Cert 2

PKCS #15: CONFORMANCE PROFILE SPECIFICATION 6 5.3 File Access Conditions This list represents the general access conditions for the EID profile. File Access Conditions, R-O card Access Conditions. R-W card MF Create: SYS Delete: NEV EF(DIR) Read: ALW Update: SYS Append: SYS PIN files Read: NEV DF(PKCS15) Create: SYS Delete: NEV EF(TokenInfo) Read: ALW EF(ODF) Read: ALW AODFs Read: ALW Create: SYS Delete: SYS Read: ALW Update: SYS Append: SYS Read: NEV Update: CHV Create: CHV SYS Delete: SYS Read: ALW Update: CHV SYS NEV Read: ALW Update: SYS Append: SYS Read: ALW Append: CHV SYS PrKDFs, PuKDFs Read: ALW CHV Append: SYS NEV Key files (see details Read: NEV in section 5.4.1) Crypt: CHV Other EFs in the PKCS15 directory Read: ALW CHV Append: SYS NEV Crypt: CHV (when applic.) Read: ALW CHV Update: CHV SYS NEV Append: CHV SYS Read: NEV Update: CHV SYS NEV Append: CHV SYS NEV Crypt: CHV Read: ALW CHV Update: CHV SYS NEV Append: CHV SYS NEV Crypt: CHV (when applic.)

PKCS #15: CONFORMANCE PROFILE SPECIFICATION 7. 5.4 PKCS #15 Object Requirements 5.4.1 Private Keys At least two private keys must be present on the PKCS #15 token. One key is used is used for both authorization and encryption. The second key is used exclusively for non-repudiation (or digital signatures). The allowed private key type is RSA keys of strength 1024 or greater. 5.4.1.1 Private Key 1 (Authentication and encryption) PrKey1 must be verified by PIN 1 before private key operations are initially performed. The access conditions for this key is: EF(PrKey) Read: NEV PrKey Ops: PIN 1 5.4.1.2 Private Key 2 (Non-Repudiation) PrKey2 must be verified by PIN 2 before each private key operation is performed. The user must type the PIN for each operation: EF(PrKey) Read: NEV PrKey Ops: PIN 2 5.4.2 Certificates For each private key at least one corresponding X509Certificate type certificate must be stored in the token and pointed to by the CDF. Host side applications are required to recognize and use the X509Certificate type. The access conditions for each of the certificates are: EF(Cert) Read: ALW Update: PIN 1 5.4.3 Authentication Objects

PKCS #15: CONFORMANCE PROFILE SPECIFICATION 8 At least two authentication objects must exist on the token for protection of private objects. The second authentication object (PIN2) is used only to authenticate non-repudiation objects. PIN2 also has the requirement that the verification status is automatically dropped to not verified by the card after each non-repudiation private key operation. Other PIN conditions are: PINs must be at least 4 characters long. BCD, UTF8 or ASCII encoding is used. After three consecutive failed PIN authorization attempts the PIN is blocked. Unblocking and disable routines are defined by the application issuer. A pin can be unblocked any number of times. The application issuer defines the unblocking procedure. Pin update is a special operation defined by the application issuer. The usual access conditions for each of the PINs are: EF(PIN) Read: NEV Update PIN1: PIN1 Update PIN2: PIN2

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback