Funcionalidades
Funcionalidades
Funcionalidades
Funcionalidades
do
do
do
do
Cartão de Cidadão
Cartão de Cidadão
Cartão de Cidadão
Cartão de Cidadão
Cartão Cartão Cartão
Cartão de de de de CidadãoCidadãoCidadão::::Cidadão The object The object The object The object
Credit-card sized Portuguese identity card Contains different ways of conveying
identity attributes
Informatic
Interaction with a smartcard
Visual, machine-readable style
MRZ (Machine Readable Zone)
© André Zúquete Segurança Informática e nas Organizações 3
Visual, human
Visual, human
Visual, human
Visual, human----readable attributes
readable attributes
readable attributes
readable attributes
Names
Surname, given name, parents
Physical attributes
Sex, height
Other
Date of birth, nationality Photography
Calligraphic signature
Numbers
Civil ID (and checksum) Tax, Social Security, Health Document number and validity
Visual, machine
Visual, machine
Visual, machine
Visual, machine----readable attributes
readable attributes
readable attributes
readable attributes
Names
Last name, initial an middle names Name count
Physical attributes
Sex
Other
Date of birth, nationality
Numbers
Country and Civil ID (and checksum)
Document number and validity
I<PRT068540477<ZZ85<<<<<<<<<<<
6511061M1309179PRT<<<<<<<<<<<6
© André Zúquete Segurança Informática e nas Organizações 5
Informatic
Informatic
Informatic
Informatic attributes
attributes
attributes
attributes
All the previous ones
Except the calligraphic signature
Address
Fingerprint biometric template 2 cryptographic key pairs
One for authentication Another for digital signature
7 public key certificates
2 of the owner’s public keys 5 for building certification chains
1 secret, symmetric key for EMV-CAP
3 PINs
PIN protection
PIN protection
PIN protection
PIN protection
Possession of the card is not enough for
Getting the address
Getting/using the authentication private key Getting/using the digital signature private key Getting/using the EMV-CAP secret key
PIN-protected operations
4-number PIN
PIN gets blocked after 3 consecutive failures
Exceptions
© André Zúquete Segurança Informática e nas Organizações 7
Certificates in the smartcard
Certificates in the smartcard
Certificates in the smartcard
Certificates in the smartcard
Issuer: GTE CyberTrust Global Root Owner: GTE CyberTrust Global Root
Issuer: GTE CyberTrust Global Root Owner: ECRaizEstado
Issuer: ECRaizEstado Owner: Cartão de Cidadão 001
Issuer: Cartão de Cidadão 001
Owner: EC de Autenticação do Cartão de Cidadão 0002
Issuer: EC de Autenticação do Cartão de Cidadão 0002 Owner: André Ventura da Cruz Marnoto Zúquete
Issuer: Cartão de Cidadão 001
Owner: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002
Issuer: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002 Owner: André Ventura da Cruz Marnoto Zúquete
Certificates in the smartcard: Certificates in the smartcard: Certificates in the smartcard: Certificates in the smartcard:
Goals Goals Goals Goals
Allow the card owner to get authenticated
The owner may distribute its certificates to other
people or services whiling to authenticate himself as the card owner
Allow the card owner to authenticate other
people with similar cards
Other people certificates are validated with the
certification chain stored in the card
Allow the card to authenticate clients with
similar certificates
Special operations may be requested to the card by
owners of special certificates that are validated by the card
© André Zúquete Segurança Informática e nas Organizações 9
Certificates in the smartcard: Certificates in the smartcard: Certificates in the smartcard: Certificates in the smartcard:
Interoperation with other applications Interoperation with other applications Interoperation with other applications Interoperation with other applications
Watchdog application detects card insertion and removal
Upon insertion, gets the certificates and
uploads them into browsers’ certificate repositories
Upon removal, removes the certificates from
browsers’ certificate repositories
Smartcards: Smartcards: Smartcards: Smartcards: Definition Definition Definition Definition
Card with computing processing capabilities CPU ROM EEPROM RAM Interface With contact Contactless Chip card
Memory card Smart card (w/ µµµµprocessor)
Chip card
© André Zúquete Segurança Informática e nas Organizações 11 Smartcard: Smartcard: Smartcard: Smartcard: Components Components Components Components CPU 8/16 bit Crypto-coprocessor (opt.) ROM Operating system Communication Cryptographic algorithms EEPROM File system Programs / applications Keys / passwords RAM Transient data Erased on power off
Mechanical contacts
ISO 7816-2 Power Soft reset Clock
Half duplex I/O
Physical security Tamperproof case Resistance to side-effect attacks Smartcard Smartcard Smartcard
Smartcard----based applications:based applications:based applications:based applications:
Communication protocol stack Communication protocol stack Communication protocol stack Communication protocol stack
Off-card application APDU
(Application Protocol Data Unit) T=0 / T=1
On-card application APDU
(Application Protocol Data Unit) T=0 / T=1
© André Zúquete Segurança Informática e nas Organizações 13
Smartcard Smartcard Smartcard
Smartcard----based applications:based applications:based applications:based applications: Cartão
Cartão Cartão
Cartão de de de de CidadãoCidadãoCidadão onCidadão ononon----card applicationscard applicationscard applicationscard applications
IAS
Authentication and digital signature Usage of asymmetric key pairs
EMV-CAP
Generation of one-time-passwords for
alternative channels (telephone, FAX, etc.)
Match-on-Card
Biometric validation of fingerprints
Smartcard interactions: Smartcard interactions: Smartcard interactions: Smartcard interactions: APDU APDU APDU
APDU (ISO 7816(ISO 7816(ISO 7816----4)(ISO 7816 4)4)4)
Command APDU
CLA (1 byte)
Class of the instruction
INS (1 byte)
Command
P1 and P2 (2 bytes)
Command-specific parameters
Lc
Length of the optional command data
Le
Length of data expected in subsequent Response APDU Zero (0) means all data available
Response APDU
SW1 and SW2 (2 bytes) Status bytes
0x9000 means SUCCESS
CLA INS P1 P2 Lc Optional data Le Optional data SW1SW2
© André Zúquete Segurança Informática e nas Organizações 15 Smartcard interactions: Smartcard interactions: Smartcard interactions: Smartcard interactions: Low Low Low
Low----level T=0 and T=1 protocolslevel T=0 and T=1 protocolslevel T=0 and T=1 protocolslevel T=0 and T=1 protocols
T=0
Each byte transmitted separately Slower
T=1
Blocks of bytes transmitted Faster
ATR (ISO 7816-3)
Response of the card to a reset operation Reports the protocol expected by the card
Encoding objects in smartcards: Encoding objects in smartcards: Encoding objects in smartcards: Encoding objects in smartcards:
TLV TLV TLV
TLV and ASN.1 and ASN.1 and ASN.1 BERand ASN.1 BERBERBER
Tag-Length-Value (TLV)
Object description with a tag value, the length
of its contents and the contents
Each element of TLV is encoded according with
ASN.1 BER (Abstract Syntax Notation, Basic Encoding Rules)
Values can contain other TLV objects
© André Zúquete Segurança Informática e nas Organizações 17
Smartcards Smartcards Smartcards
Smartcards’’’’ssss computational modelcomputational modelcomputational modelcomputational model Java cards
Java cards Java cards Java cards
Smartcards that run Java Applets
That use the JCRE
The JCRE runs on top of a native OS
JCRE (Java Card Runtime Environment)
Java Virtual Machine Card Executive
Card management Communications
Java Card Framework
Library functions Native OS
Java Virtual Machine (JVM) Card Executive Java Card Framework Applet Applet Applet APDU Smartcard cryptographic Smartcard cryptographic Smartcard cryptographic
Smartcard cryptographic servicesservicesservicesservices:::: Middleware
Middleware Middleware Middleware
Libraries that bridge the gap between functionalities of smartcards and high-level applications
Some standard approaches: PKCS #11
Cryptographic Token Interface Standard (cryptoki) Defined by RSA Security Inc.
PKCS #15
Cryptographic Token Information Format Standard Defined by RSA Security Inc.
CAPI CSP
CryptoAPI Cryptographic Service Provider Defined by Microsoft for Windows systems PC/SC
Personal computer/Smart Card
Standard framework for smartcard access on Windows systems Also available in Linux
© André Zúquete Segurança Informática e nas Organizações 19 PKCS PKCS PKCS PKCS #11:#11:#11:#11: Cryptoki Cryptoki Cryptoki
Cryptoki middleware integrationmiddleware integrationmiddleware integrationmiddleware integration
PKCS #11: PKCS #11: PKCS #11: PKCS #11: Cryptoki Cryptoki Cryptoki
Cryptoki object hierarchyobject hierarchyobject hierarchyobject hierarchy
Object Data Key Public key Private key Secret key
© André Zúquete Segurança Informática e nas Organizações 21 PKCS #11: PKCS #11: PKCS #11: PKCS #11: Cryptoki Cryptoki Cryptoki
Cryptoki sessionssessionssessionssessions
Logical connections between applications and tokens
Read-only sessions Read/write sessions
Operations on open sessions
Administrative Login/logout Object management
Create / destroy an object on the token Cryptographic
Session objects
Transient objects created during sessions
Lifetime of sessions
Usually for a single operation on the token
PKCS #11: PKCS #11: PKCS #11: PKCS #11: Cryptoki Cryptoki Cryptoki
Cryptoki R/OR/OR/O sessions login/logoutR/O sessions login/logoutsessions login/logoutsessions login/logout
R/O Public Session
Read-only access to public token objects Read/write access to public session objects
R/O User Functions
Read-only access to all token objects (public or private) Read/write access to all session objects (public or private)
© André Zúquete Segurança Informática e nas Organizações 23 PKCS #11: PKCS #11: PKCS #11: PKCS #11: Cryptoki Cryptoki Cryptoki
Cryptoki R/WR/WR/W sessions login/logoutR/W sessions login/logoutsessions login/logoutsessions login/logout R/W Public Session
Read/write access to all
public objects
R/W SO Functions
Read/write access only to
public objects on the token
Not to private objects The SO can set the
normal user’s PIN
R/W User Functions
Read/write access to all
objects
PKCS #11: PKCS #11: PKCS #11: PKCS #11:
Concepts used by the Concepts used by the Concepts used by the
Concepts used by the CartãoCartãoCartão de Cartão de de Cidadãode CidadãoCidadãoCidadão
Authentication PIN
PKCS #11 User PIN
Digital signature PIN
Not mapped into PKCS #11 PINs
Address PIN
Not mapped into PKCS #11 PINs
PKCS #11 SO PIN
© André Zúquete Segurança Informática e nas Organizações 25 Cartão de Cidadão: Cartão de Cidadão: Cartão de Cidadão: Cartão de Cidadão: PTEID PTEID PTEID
PTEID middlewaremiddlewaremiddlewaremiddleware for Windowsfor Windowsfor Windowsfor Windows
Microsoft applications Microsoft applications Non-Microsoft applications Non-Microsoft applications CryptoAPI (CAPI) CryptoAPI (CAPI) Cryptographic Service Provider (CSP) Cryptographic Service Provider (CSP) PKCS #11 PKCS #11 PC/SC PC/SC Cartão de Cidadão: Cartão de Cidadão: Cartão de Cidadão: Cartão de Cidadão: PTEID PTEID PTEID
PTEID middlewaremiddlewaremiddlewaremiddleware for Unixfor Unixfor Unixfor Unix
libpteid
libpteid libpteidpkcs11libpteidpkcs11
libpteidlibopensc libpteidlibopensc
libQtCore
© André Zúquete Segurança Informática e nas Organizações 27
Cartão Cartão Cartão
Cartão de de de de CidadãoCidadãoCidadão::::Cidadão PTEID
PTEID PTEID
PTEID middleware & SDKmiddleware & SDKmiddleware & SDKmiddleware & SDK
Public distribution
Windows MAC-Tiger Linux
Caixa Mágica, Fedora, OpenSuse, Red Hat, Ubuntu Languages
Dynamic libraries for C/C++
Java wrapper (JNI) for C/C++ libraries C# wrapper for .NET for C/C++ libraries
Manuals
Validação de Número de Documento do Cartão de Cidadão Autenticação com Cartão de Cidadão
Manual Técnico do Middleware do Cartão de Cidadão Certificados e Entidades de Certificação
Outros
Cartão Cartão Cartão
Cartão de de de de CidadãoCidadãoCidadão::::Cidadão PKI
PKI PKI
PKI servicesservicesservicesservices
Issued certificates
LDAP and Web interfaces
Revoked certificates