Funcionalidades do Cartão de Cidadão. Cartão de Cidadão:

(1)

Funcionalidades

do

Cartão de Cidadão

Cartão Cartão Cartão

Cartão de de de de CidadãoCidadãoCidadão::::Cidadão The object The object The object The object

Credit-card sized Portuguese identity card Contains different ways of conveying

identity attributes

Informatic

Interaction with a smartcard

Visual, machine-readable style

MRZ (Machine Readable Zone)

(2)

Visual, human

Visual, human----readable attributes

readable attributes

Names

Surname, given name, parents

Physical attributes

Sex, height

Other

Date of birth, nationality Photography

Calligraphic signature

Numbers

Civil ID (and checksum) Tax, Social Security, Health Document number and validity

Visual, machine

Visual, machine----readable attributes

readable attributes

Names

Last name, initial an middle names Name count

Physical attributes

Sex

Other

Date of birth, nationality

Numbers

Country and Civil ID (and checksum)

Document number and validity

I<PRT068540477<ZZ85<<<<<<<<<<<

6511061M1309179PRT<<<<<<<<<<<6

(3)

Informatic

Informatic attributes

attributes

All the previous ones

Except the calligraphic signature

Address

Fingerprint biometric template 2 cryptographic key pairs

One for authentication Another for digital signature

7 public key certificates

2 of the owner’s public keys 5 for building certification chains

1 secret, symmetric key for EMV-CAP

3 PINs

PIN protection

Possession of the card is not enough for

Getting the address

Getting/using the authentication private key Getting/using the digital signature private key Getting/using the EMV-CAP secret key

PIN-protected operations

4-number PIN

PIN gets blocked after 3 consecutive failures

Exceptions

(4)

Certificates in the smartcard

Issuer: GTE CyberTrust Global Root Owner: GTE CyberTrust Global Root

Issuer: GTE CyberTrust Global Root Owner: ECRaizEstado

Issuer: ECRaizEstado Owner: Cartão de Cidadão 001

Issuer: Cartão de Cidadão 001

Owner: EC de Autenticação do Cartão de Cidadão 0002

Issuer: EC de Autenticação do Cartão de Cidadão 0002 Owner: André Ventura da Cruz Marnoto Zúquete

Issuer: Cartão de Cidadão 001

Owner: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002

Issuer: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002 Owner: André Ventura da Cruz Marnoto Zúquete

Certificates in the smartcard: Certificates in the smartcard: Certificates in the smartcard: Certificates in the smartcard:

Goals Goals Goals Goals

Allow the card owner to get authenticated

The owner may distribute its certificates to other

people or services whiling to authenticate himself as the card owner

Allow the card owner to authenticate other

people with similar cards

Other people certificates are validated with the

certification chain stored in the card

Allow the card to authenticate clients with

similar certificates

Special operations may be requested to the card by

owners of special certificates that are validated by the card

(5)

Certificates in the smartcard: Certificates in the smartcard: Certificates in the smartcard: Certificates in the smartcard:

Interoperation with other applications Interoperation with other applications Interoperation with other applications Interoperation with other applications

Watchdog application detects card insertion and removal

Upon insertion, gets the certificates and

uploads them into browsers’ certificate repositories

Upon removal, removes the certificates from

browsers’ certificate repositories

Smartcards: Smartcards: Smartcards: Smartcards: Definition Definition Definition Definition

Card with computing processing capabilities CPU ROM EEPROM RAM Interface With contact Contactless Chip card

Memory card Smart card (w/ µµµµprocessor)

Chip card

(6)

© André Zúquete Segurança Informática e nas Organizações 11 Smartcard: Smartcard: Smartcard: Smartcard: Components Components Components Components CPU 8/16 bit Crypto-coprocessor (opt.) ROM Operating system Communication Cryptographic algorithms EEPROM File system Programs / applications Keys / passwords RAM Transient data Erased on power off

Mechanical contacts

ISO 7816-2 Power Soft reset Clock

Half duplex I/O

Physical security Tamperproof case Resistance to side-effect attacks Smartcard Smartcard Smartcard

Smartcard----based applications:based applications:based applications:based applications:

Communication protocol stack Communication protocol stack Communication protocol stack Communication protocol stack

Off-card application APDU

(Application Protocol Data Unit) T=0 / T=1

On-card application APDU

(Application Protocol Data Unit) T=0 / T=1

(7)

Smartcard Smartcard Smartcard

Smartcard----based applications:based applications:based applications:based applications: Cartão

Cartão Cartão

Cartão de de de de CidadãoCidadãoCidadão onCidadão ononon----card applicationscard applicationscard applicationscard applications

IAS

Authentication and digital signature Usage of asymmetric key pairs

EMV-CAP

Generation of one-time-passwords for

alternative channels (telephone, FAX, etc.)

Match-on-Card

Biometric validation of fingerprints

Smartcard interactions: Smartcard interactions: Smartcard interactions: Smartcard interactions: APDU APDU APDU

APDU (ISO 7816(ISO 7816(ISO 7816----4)(ISO 7816 4)4)4)

Command APDU

CLA (1 byte)

Class of the instruction

INS (1 byte)

Command

P1 and P2 (2 bytes)

Command-specific parameters

Lc

Length of the optional command data

Le

Length of data expected in subsequent Response APDU Zero (0) means all data available

Response APDU

SW1 and SW2 (2 bytes) Status bytes

0x9000 means SUCCESS

CLA INS P1 P2 Lc Optional data Le Optional data SW1SW2

(8)

Low----level T=0 and T=1 protocolslevel T=0 and T=1 protocolslevel T=0 and T=1 protocolslevel T=0 and T=1 protocols

T=0

Each byte transmitted separately Slower

T=1

Blocks of bytes transmitted Faster

ATR (ISO 7816-3)

Response of the card to a reset operation Reports the protocol expected by the card

Encoding objects in smartcards: Encoding objects in smartcards: Encoding objects in smartcards: Encoding objects in smartcards:

TLV TLV TLV

TLV and ASN.1 and ASN.1 and ASN.1 BERand ASN.1 BERBERBER

Tag-Length-Value (TLV)

Object description with a tag value, the length

of its contents and the contents

Each element of TLV is encoded according with

ASN.1 BER (Abstract Syntax Notation, Basic Encoding Rules)

Values can contain other TLV objects

(9)

Smartcards Smartcards Smartcards

Smartcards’’’’ssss computational modelcomputational modelcomputational modelcomputational model Java cards

Java cards Java cards Java cards

Smartcards that run Java Applets

That use the JCRE

The JCRE runs on top of a native OS

JCRE (Java Card Runtime Environment)

Java Virtual Machine Card Executive

Card management Communications

Java Card Framework

Library functions _{Native OS}

Java Virtual Machine (JVM) Card Executive Java Card Framework Applet Applet Applet APDU Smartcard cryptographic Smartcard cryptographic Smartcard cryptographic

Smartcard cryptographic servicesservicesservicesservices:::: Middleware

Middleware Middleware Middleware

Libraries that bridge the gap between functionalities of smartcards and high-level applications

Some standard approaches: PKCS #11

Cryptographic Token Interface Standard (cryptoki) Defined by RSA Security Inc.

PKCS #15

Cryptographic Token Information Format Standard Defined by RSA Security Inc.

CAPI CSP

CryptoAPI Cryptographic Service Provider Defined by Microsoft for Windows systems PC/SC

Personal computer/Smart Card

Standard framework for smartcard access on Windows systems Also available in Linux

(10)

Cryptoki middleware integrationmiddleware integrationmiddleware integrationmiddleware integration

PKCS #11: PKCS #11: PKCS #11: PKCS #11: Cryptoki Cryptoki Cryptoki

Cryptoki object hierarchyobject hierarchyobject hierarchyobject hierarchy

Object Data Key Public key Private key Secret key

(11)

Cryptoki sessionssessionssessionssessions

Logical connections between applications and tokens

Read-only sessions Read/write sessions

Operations on open sessions

Administrative Login/logout Object management

Create / destroy an object on the token Cryptographic

Session objects

Transient objects created during sessions

Lifetime of sessions

Usually for a single operation on the token

PKCS #11: PKCS #11: PKCS #11: PKCS #11: Cryptoki Cryptoki Cryptoki

Cryptoki R/OR/OR/O sessions login/logoutR/O sessions login/logoutsessions login/logoutsessions login/logout

R/O Public Session

Read-only access to public token objects Read/write access to public session objects

R/O User Functions

Read-only access to all token objects (public or private) Read/write access to all session objects (public or private)

(12)

Cryptoki R/WR/WR/W sessions login/logoutR/W sessions login/logoutsessions login/logoutsessions login/logout R/W Public Session

Read/write access to all

public objects

R/W SO Functions

Read/write access only to

public objects on the token

Not to private objects The SO can set the

normal user’s PIN

R/W User Functions

Read/write access to all

objects

PKCS #11: PKCS #11: PKCS #11: PKCS #11:

Concepts used by the Concepts used by the Concepts used by the

Concepts used by the CartãoCartãoCartão de Cartão de de Cidadãode CidadãoCidadãoCidadão

Authentication PIN

PKCS #11 User PIN

Digital signature PIN

Not mapped into PKCS #11 PINs

Address PIN

Not mapped into PKCS #11 PINs

PKCS #11 SO PIN

(13)

PTEID middlewaremiddlewaremiddlewaremiddleware for Windowsfor Windowsfor Windowsfor Windows

Microsoft applications Microsoft applications Non-Microsoft applications Non-Microsoft applications CryptoAPI (CAPI) CryptoAPI (CAPI) Cryptographic Service Provider (CSP) Cryptographic Service Provider (CSP) PKCS #11 PKCS #11 PC/SC PC/SC Cartão de Cidadão: Cartão de Cidadão: Cartão de Cidadão: Cartão de Cidadão: PTEID PTEID PTEID

PTEID middlewaremiddlewaremiddlewaremiddleware for Unixfor Unixfor Unixfor Unix

libpteid

libpteid libpteidpkcs11libpteidpkcs11

libpteidlibopensc libpteidlibopensc

libQtCore

(14)

Cartão de de de de CidadãoCidadãoCidadão::::Cidadão PTEID

PTEID PTEID

PTEID middleware & SDKmiddleware & SDKmiddleware & SDKmiddleware & SDK

Public distribution

Windows MAC-Tiger Linux

Caixa Mágica, Fedora, OpenSuse, Red Hat, Ubuntu Languages

Dynamic libraries for C/C++

Java wrapper (JNI) for C/C++ libraries C# wrapper for .NET for C/C++ libraries

Manuals

Validação de Número de Documento do Cartão de Cidadão Autenticação com Cartão de Cidadão

Manual Técnico do Middleware do Cartão de Cidadão Certificados e Entidades de Certificação

Outros

Cartão de de de de CidadãoCidadãoCidadão::::Cidadão PKI

PKI PKI

PKI servicesservicesservicesservices

Issued certificates

LDAP and Web interfaces

Revoked certificates