Bruno Struif, GMD-TKT 1 SmartCard-Technik German Digital Signature Card and Office Identity Card and PKCS #15 Bruno Struif GMD German National Research.

Slides:



Advertisements
Similar presentations
SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.
Advertisements

Match On Card Technology and its use for PKI Mgr. Miroslav Valeš Sales Manager Eastern Europe May 9, 2001 CATE 2001 Security and Protection.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
PKCS #15 v1.1 Magnus Nyström RSA Laboratories PKCS Workshop, 1999.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
PIV Data Model Testing Ketan Mehta March 3, 2006.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
FIT3105 Smart card based authentication and identity management Lecture 4.
Authentication. Terminology  Authentication التثبت من الهوية  Access Control (authorization) التحكم في الوصول  Note the difference between the two.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Network Security – Part 2 V.T. Raja, Ph.D., Oregon State University.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Digital Certificate Installation & User Guide For Class - 2 Certificates.
Csci5233 Computer Security1 GS: Chapter 6 Using Java Cryptography for Authentication.
Chapter 10: Authentication Guide to Computer Network Security.
Information Security for Managers (Master MIS)
Secure Electronic Transaction (SET)
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
Week #7 Objectives: Secure Windows 7 Desktop
Network Security – Part 2 (Continued) Lecture Notes for May 8, 2006 V.T. Raja, Ph.D., Oregon State University.
Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.
Cryptography, Authentication and Digital Signatures
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Digital Signatures A Brief Overview by Tim Sigmon April, 2001.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 Module 3 City College of San.
DIGITAL SIGNATURE. GOOD OLD DAYS VS. NOW GOOD OLD DAYS FILE WHATEVER YOU WANT – PUT ‘NA’ OR ‘-’ OR SCRATCH OUT FILE BACK DATED, FILE BLANK FORMS, FILE.
CSCE 522 Identification and Authentication. CSCE Farkas2Reading Reading for this lecture: Required: – Pfleeger: Ch. 4.5, Ch. 4.3 Kerberos – An Introduction.
European Electronic Identity Practices CEN TC224 WG15 European Citizen Card Standard Speaker: L. Gaston AXALTO Date: 26 May 05.
SECURITY – Chapter 15 SECURITY – Chapter 15 ….for authentication and confidentiality PGP 1.Uses best algorithms as building blocks 2.General.
Csci5233 computer security & integrity 1 Cryptography: an overview.
Action SecWG1012:9 “Investigate how role-based access, in compliance with FIPS 140-2, can be used by flight crypto systems.” Where this question comes.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.
Ken Asnes RSA Laboratories July 2001
Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.
A Simple Traceable Pseudonym Certificate System for RSA-based PKI SCGroup Jinhae Kim.
Creating and Managing Digital Certificates Chapter Eleven.
Key Management and Distribution Anand Seetharam CST 312.
Secure Transactions Chapter 17. The user's machine No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable.
11/18/2003 Smart Card Authentication Mechanism Tim W. Baldridge, CISSP Marshall Space Flight Center Office of the Chief Information Officer.
LAB#8 PKI & DIGITAL CERTIFICATE CPIT 425. Public Key Infrastructure PKI 2  Public key infrastructure is the term used to describe the laws, policies,
Giesecke & Devrient The DIN Standard and PKCS#15 Common Usage for Signature Cards? Gisela Meister
Apr 1, 2003Mårten Trolin1 Previous lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Ketan Mehta March 3, 2006 PIV Data Model Testing Ketan Mehta March 3, 2006.
VNF Package CSAR Format Tal Halfon, Amdocs Andrei Kojukhov, PhD, Amdocs Aug 3, 2017.
Security Outline Encryption Algorithms Authentication Protocols
Cryptography and Network Security
Authentication.
Module 8: Securing Network Traffic by Using IPSec and Certificates
RSA Laboratories’ PKCS Series - a Tutorial
Module 8: Securing Network Traffic by Using IPSec and Certificates
PKI (Public Key Infrastructure)
VNF Package CSAR Format Tal Halfon, Amdocs Andrei Kojukhov, PhD, Amdocs Aug 3, 2017.
….for authentication and confidentiality PGP
Presentation transcript:

Bruno Struif, GMD-TKT 1 SmartCard-Technik German Digital Signature Card and Office Identity Card and PKCS #15 Bruno Struif GMD German National Research Center for Information Technology Darmstadt

Bruno Struif, GMD-TKT 2 SmartCard-Technik General Configuration Card Terminal PC ICC1ICC2ICC3 Application PKCS#11 Interface Different cards with PKCS#15 Smartcards providing the same service, but possibly in a different way. - If a PC application knows to deal with a card application, no directory files are necessary - If a PC application does not know how to deal with a card application, it needs information

Bruno Struif, GMD-TKT 3 SmartCard-Technik Is PKCS#15 powerful enough? Some challenges: - cards may have a hash function or not - cards may support different signature algorithms - cards may support a different set of Digital Signature Input formats - a card may be configurated in such a way that it allows - either after PIN presentation an unlimited number of DS - or requires PIN presentation before each DS - a card may support ETSI PIN management commands instead of ISO-commands - a card may support a proprietary command for a certain security service

Bruno Struif, GMD-TKT 4 SmartCard-Technik Card File Structure (1) MF EF(DIR) DF(PKCS#15) Other DFs/EFs...

Bruno Struif, GMD-TKT 5 SmartCard-Technik Card File Structure (2) DF(PKCS#15) EF(ODF) EF(PrKDF) EF(CDF) EF(AODF) EF(TokenInfo) EF(ODF) - Object Directoty File - points to - EF (PrKDFs) - Private Key Directory Files - EF (PuKDFs) - Public Key Directory Files - EF (SKDFs) - Secret Key Directory Files - EF (CDFs) - Certificate Directory Files - EF (DODFs) - Data Object Directory Files

Bruno Struif, GMD-TKT 6 SmartCard-Technik Cross-References EF(PrKDF) EF(AODF) EF(CDF) EF(DODF) EF(ODF) PuKDF pointer PrKDF pointer CDF pointer AODF pointer DODF pointer EF(PuKDF)

Bruno Struif, GMD-TKT 7 SmartCard-Technik Card File Structure (3) MF EF(DIR) Other DFs/EFs... DF(PKCS#15) EF(ODF) EF(PrKDF) EF(CDF) EF(AODF) EF(TokenInfo) Real objects

Bruno Struif, GMD-TKT 8 SmartCard-Technik Card File Structure (4) MF EF(DIR) DF1 DF(PKCS#15) EF(ODF) EF(PrKDF) EF(CDF) EF(AODF) EF(TokenInfo) DF2 Real objects

Bruno Struif, GMD-TKT 9 SmartCard-Technik Card File Structure (5) MF EF(DIR) DF(PKCS#15) DF2DF1 EF(ODF) EF(TokenInfo) EF(PrKDF)EF(CDF) EF(AODF) EF(PrKDF) EF(CDF)EF(AODF)

Bruno Struif, GMD-TKT 10 SmartCard-Technik User Authentication PKCS15 describes PINs and passwords, but no biometric user authentication The German Digital Signature law allows biometric user authentication It is technically already feasible to implement biometric feature matching algorithms in cards ISO/IEC will add an amendment to with respect to biometric user authentication

Bruno Struif, GMD-TKT 11 SmartCard-Technik VERIFY Command - If a digital signature is made on a private PC, then the PIN is presented as plain value - If a digital signature is made on a public customer service terminal, then the PIN shall be presented as cryptogram followed by a cryptographic checksum

Bruno Struif, GMD-TKT 12 SmartCard-Technik Proposal for integration of bio objects (1) PKCS15Authentication ::= CHOICE { pin PKCS15AuthenticationObject { PKCSPinAttributes }, bio PKCS15AuthenticationObject { PKCSBioAttributes }, } PKCS15BioAttributes ::= SEQUENCE { bioFlags PKCS15BioFlags, bioSubject PKCS15BioSubject, bioType PKCS15BioType, bioReference [0] PKCSReference DEFAULT 0, lastBioChange GeneralizedTime OPTIONAL, path PKCS15Path OPTIONAL, For future extensions }

Bruno Struif, GMD-TKT 13 SmartCard-Technik Proposal for integration of bio objects (2) PKCS15BioFlags ::= BIT STRING { reserved (0), local (1), change-disabled (2), unblock-disabled (3), initialized (4), reserved (5), reserved (6), reserved (7), disable-allowed (8), authentic (9), enciphered (10), }

Bruno Struif, GMD-TKT 14 SmartCard-Technik Proposal for integration of bio objects (3) PKCSBioSubject ::= CHOICE { fingerPrint [0] FingerPrint, voicePrint [1] VoicePrint, irisPrint [2] IrisPrint, facePrint [3] FacePrint, retinaPrint [4] RetinaPrint, handGeometry [5] HandGeometry, writeDynamics [6] WriteDynamics, keystrokeDynamics [7] KeystrokeDynamics, lipDynamics [8] LipDynamics, For future extensions }

Bruno Struif, GMD-TKT 15 SmartCard-Technik Proposal for integration of bio objects (4) FingerPrint ::= SEQUENCE { handID HandID, fingerID FingerID } HandID ::= ENUMERATED {righthand (0), lefthand (1) } FingerID ::= ENUMRATED { thumb(0), pointer finger (1), middle finger (2), ring finger (3), little finger (4) }

Bruno Struif, GMD-TKT 16 SmartCard-Technik Access to objects Public Object Private Object „Entity Object“ Access is free Authentication Object has to be presented (PIN, password, biometrics) Authentication procedure has to be performed

Bruno Struif, GMD-TKT 17 SmartCard-Technik Management of Access Rights Elementary File Security Attributes File Content Example: AM = Read SC = EXT AUTH (asym) with CHA = ´x.01´ or ´x.02´ and User AUTH AM = Update SC = EXT AUTH (asym) with CHA = ´x.01´ and SM X = Prefix denoting the AID or the entity assigning the role ID AM = Access Mode SC = Security Conditions CHA = Cert. Holder Authorisation (Prefix, Role ID) SM = Secure Messaging

Bruno Struif, GMD-TKT 18 SmartCard-Technik Hashing

Bruno Struif, GMD-TKT 19 SmartCard-Technik Certificates PKCS15 distinguishes - x509Certificates - x509Attribute Certificates - spkiCertificates - pgpCertificates - wtlsCertificates - x9-68Certificates but no cvCertificates!!

Bruno Struif, GMD-TKT 20 SmartCard-Technik Card Verifiable Certificates CPI CAR CHR CHA OID PK SIG.CA - CPI = Certificate Profile Identifier - CAR = Certification Authority Reference (Authority Key Identifier) - CHR = Certificate Holder Reference (Subject Key Identifier) - CHA = Certificate Holder Authorisation (Authority || Role Identifier) - OID = Object Identifier of PK Algorithm - PK = Public Key of Certificate Holder - SIG.CA = Signature of Certificate Issuing CA

Bruno Struif, GMD-TKT 21 SmartCard-Technik - Template tags for all security services (e.g. user authentication service, digital signature service, entity authentication service, key cipherment service) - DO Instruction set mapping ISM (regular command) - DO Command to perform (if command is different form that in ISM) - DO Object Id of the algorithm - DO Algorithm reference (as used by the card) - DO Key reference (as used by the card) - DO Key file id (some cards select the key file containing the key to be used) - DO Certificate file id (if present then the file contains the certificate ) - DO Certificate reference (used e.g. if the certificate is not stored in the card) - DO Certificate qualifier (e.g. X.509 certificate, ICC certificate) - DO PIN usage policy (present if the security service is PIN protected) Security Service Descriptor

Bruno Struif, GMD-TKT 22 SmartCard-Technik Security Service Descriptors Indication of supported algorithms, DSI schemas, hash functions Indication of user authentication method Indication where to find certificates Indication of implementation variants Support of migration

Bruno Struif, GMD-TKT 23 SmartCard-Technik SSD construction (1) - For each security service provided by the card exists one or more SSD templates - Inside an SSS template is one DO mandatory: the DO „command to perform“ - Use e.g. for VERIFY: - command class is present - PIN reference is present - PIN length is present possibly with padding - presentation form is present: plain value or with SM - Use e.g. for CHANGE RD: - command class is present - PIN reference is present - usage option is present, e.g. old PIN required/not required in the command - PIN length is present possibly with padding - presentation form is present: plain value or with SM

Bruno Struif, GMD-TKT 24 SmartCard-Technik SSD construction (2) - Use e.g. for digital signature function: - the MANAGE SECURITY ENVIRONMENT to perform is presented - the HASH command, if needed, is presented - The PERFORM SECURITY OPERATION command is presented for the digital signature compuation - Different methods for Dig. Sig. Input constructions can be denoted by the DO OID or the DO AlgID E.g. PKCS#1 or ISO rnd - The FIDs of related certificate files are given

Bruno Struif, GMD-TKT 25 SmartCard-Technik Working with PKCS#15 (1) The usage of PKCS#15 requires - selection of DF(PKCS15) - selection of EF(ODF) for getting the pointer information - reading EF(ODF) - selection of EF(AODF) for getting the PIN information - reading EF(AODF) - selection of EF (PrKDF) for getting the signature key information - reading EF(PrKDF) - selection of EF(CDF) for getting the certificate information - reading EF(CDF) - selection of EF(PuKDF) for getting the root CA PuK information - reading EF(PuKDF)

Bruno Struif, GMD-TKT 26 SmartCard-Technik Working with PKCS#15 (2) To do this all is not very efficient. Therefor: - Read the information once from the card and store it under a card reference, e.g. the ICC Serial Number ICCSN or - keep the information outside the card and store in the card the card profile identifier pointing to the outside information Open problem: there is no indication whether the PKCS15 files are - reocrd-oriented or - transparent.

Bruno Struif, GMD-TKT 27 SmartCard-Technik File Structure of DF.SIG

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.