SIST EN 419212-3:2018
Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 3: Device authentication protocols
This part specifies device authentication to be used for QSCDs in various contexts including:
• Device authentication protocols;
• Establishment of a secure channel;
• Data structures;
• CV-certificates;
• Key management.
The device authentication protocols should apply to sole-control signature mandated by the EU-regulation eIDAS [1].
Anwendungsschnittstelle für Smartcards als sichere Signaturerstellungseinheiten - Teil 3: Geräteauthentisierungsprotokolle
Interface applicative des éléments sécurisés utilisés comme dispositifs de création de signature électronique qualifiée (cachet) Partie 3: Protocoles d'authentification des dispositifs
This part specifies the device authentication to be used for QSCDs in various contexts, including:
• device authentication protocols;
• establishment of a secure channel;
• data structures;
• CV certificates;
• key management.
The device authentication protocols should apply to the sole-control signature mandated by the EU eIDAS regulation [1].
Uporabniški vmesnik za varnostne elemente za elektronsko identifikacijo, avtentikacijo in zanesljivost storitev - 3. del: Protokoli avtentikacije naprav
This part specifies the device authentication used for qualified electronic signature creation devices (QSCD) in various contexts, including:
• device authentication protocols,
• establishment of a secure channel,
• data structures,
• CV certificates,
• key management.
The device authentication protocols must be used for signatures under the sole control of the user, as governed by the EU eIDAS regulation [1].
Standards Content (Sample)
SLOVENSKI STANDARD
SIST EN 419212-3:2018
1 February 2018
Supersedes: SIST EN 419212-1:2015, SIST EN 419212-2:2015
Uporabniški vmesnik za varnostne elemente za elektronsko identifikacijo, avtentikacijo in zanesljivost storitev - 3. del: Protokoli avtentikacije naprav
Anwendungsschnittstelle für Smartcards als sichere Signaturerstellungseinheiten - Teil 3: Geräteauthentisierungsprotokolle
Interface applicative des éléments sécurisés utilisés comme dispositifs de création de signature électronique qualifiée (cachet) Partie 3: Protocoles d'authentification des dispositifs
Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 3: Device authentication protocols
ICS: 35.240.15 Identification cards. Chip cards. Biometrics
This Slovenian standard is identical to: EN 419212-3:2017
Languages: en, fr, de
2003-01. Slovenski inštitut za standardizacijo. Reproduction of this standard in whole or in part is not permitted.
EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
EN 419212-3
September 2017
ICS 35.240.15
Supersedes EN 419212-1:2014, EN 419212-2:2014
English Version
Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 3: Device authentication protocols
Interface applicative des éléments sécurisés utilisés comme dispositifs de création de signature électronique qualifiée (cachet) - Partie 3: Protocoles d'authentification des dispositifs
Anwendungsschnittstelle für Smartcards als sichere Signaturerstellungseinheiten - Teil 3: Geräteauthentisierungsprotokolle
This European Standard was approved by CEN on 17 March 2017.
... Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN member.
... translation under the responsibility of a CEN member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre:
Avenue Marnix 17,
B-1000 Brussels
© 2017 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN 419212-3:2017 E
EN 419212-3:2017 (E)
Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Device authentication
3.1 General
3.2 Asymmetric Authentication introduction
3.3 Certification authorities and certificates
3.3.1 Certificate chains
3.3.2 Usage of link certificates
3.4 Authentication environments
3.4.1 SCA in trusted environment
3.4.2 SCA in untrusted environment
3.4.3 Specification of the environment
3.4.4 Display message mechanism
3.4.5 Additional authentication environments
3.5 Key transport and key agreement mechanisms
3.6 Device authentication with privacy protection
3.6.1 General
3.6.2 Authentication steps
3.7 Privacy constrained Modular EAC (mEAC) protocol with non-traceability feature
3.7.1 General
3.7.2 Example for traceability case
3.7.3 Notation
3.7.4 Authentication steps
3.7.5 Unlinkablity Mechanism with individual private keys
3.8 Symmetric authentication scheme
3.8.1 General
3.8.2 Authentication steps
3.8.3 Session Key creation
3.9 Key transport protocol based on RSA
3.9.1 General
3.9.2 Authentication Steps
3.9.3 Session Key creation
3.10 Compute Session keys from key seed KIFD/ICC
3.10.1 General
3.10.2 Generation of key data
3.10.3 Partitioning of the key data
3.10.4 Algorithm and method specific definition for key derivation
3.10.5 Key derivation from passwords
3.11 Compute send sequence counter SSC
3.12 Post-authentication phase
3.13 Ending the secure session
3.13.1 General
3.13.2 Example for ending a secure session
3.13.3 Rules for ending a secure session
3.14 Reading the Display Message
3.15 Updating the Display Message
4 Data structures
4.1 General
4.2 CRTs
4.2.1 General
4.2.2 CRT AT for the selection of internal private authentication keys
4.2.3 CRT AT for selection of internal authentication keys
4.2.4 CRT for selection of IFD's PuK.CAIFD.CS_AUT
4.2.5 CRT for selection of IFD's PuK.IFD.AUT
4.2.6 CRT AT for selection of the public DH / ECDH key parameters
4.2.7 GENERAL AUTHENTICATE DH key parameters used by the Privacy Protocol
4.2.8 CRT AT for selection of ICC's private authentication key
4.2.9 CRT for selection of IFD's PuK.IFD.AUT
4.2.10 CRT for selection of PrK.ICC.KA
4.3 Key transport device authentication protocol
4.3.1 EXTERNAL AUTHENTICATE
4.3.2 INTERNAL AUTHENTICATE
4.4 Privacy device authentication protocol
4.4.1 EXTERNAL AUTHENTICATE (DH case)
4.4.2 EXTERNAL AUTHENTICATE (ECDH case)
4.4.3 INTERNAL AUTHENTICATE (DH case)
4.4.4 INTERNAL AUTHENTICATE (ECDH case)
5 CV_Certificates and Key Management
5.1 General
5.2 Level of trust in a certificate
5.3 Key Management
5.4 Certificate types
5.4.1 Card Verifiable Certificates
5.4.2 Signature-Certificates
5.4.3 Authentication Certificates
5.5 Use of the public key extracted from a CV-certificate
5.6 Validity of the key extracted from a CV-certificate
5.7 Structure of CVC
5.7.1 General
5.7.2 Non-self-descriptive certificates
5.7.3 Self-descriptive certificates
5.8 Certificate Content
5.8.1 General
CPI-Certificate Profile Identifier
5.8.2 CAR-Certification Authority Reference DO
5.8.3 CHR-Certificate Holder Reference DO
5.8.4 CHA-Certificate Holder Authorization Data Object (CHA-DO)
5.8.5 Role identifier specifications
5.8.6 User and service provider authentication
5.8.7 CHAT-Certificate Holder Authorization Template (CHAT)
5.8.8 OID — Object identifier
5.8.9 CEDT — Certificate Effective Date Template
5.8.10 CXDT — Certificate Expiration date Template
5.9 Certificate signature
5.9.1 General
5.9.2 Non self-descriptive certificates
5.9.3 Self-descriptive certificates
5.10 Coding of the certificate content
5.10.1 Non self-descriptive certificates
5.10.2 Self-descriptive certificates
5.10.3 Self-descriptive certificates for elliptic curve cryptography
5.11 Steps of CVC verification
5.11.1 General
5.11.2 First round: CVC verification from a Root PuK
5.11.3 Subsequent round(s)
5.12 Commands to handle the CVC
5.13 C_CV.IFD.AUT (non self-descriptive)
5.14 C_CV.CA.CS-AUT (non self-descriptive)
5.15 C.ICC.AUT
5.16 Self-descriptive CV Certificate (Example)
5.16.1 General
5.16.2 Public Key
5.16.3 Certificate Holder Authorization Template
5.16.4 Certificate Extension
5.16.5 ECDSA Signature
Annex A (informative) Device authentication Protocol Properties
Bibliography
European foreword
This document (EN 41921-3:2017) has been prepared by CEN/TC 224 “Personal identification, electronic signature and cards and their related systems and operations”, the secretariat of which is held by AFNOR.
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by March 2018, and conflicting national standards shall be withdrawn at the latest by March 2018.
This document supersedes EN 419212-1:2014 and EN 419212-2:2014.
This document has been prepared under a mandate given to CENELEC by the European Commission and the European Free Trade Association.
This standard supports services in the context of electronic IDentification, Authentication and Trust Services (eIDAS) including signatures. In EN 419212 Part 2, the standard allows support of implementations of the European legal framework for electronic signatures, defining the functional and security features for a Secure Element (SE) (e.g. smart cards) intended to be used as a Qualified electronic Signature Creation Device (QSCD) according to the Terms of the “European Regulation on Electronic Identification and Trust Services for electronic transactions in the internal market” [1].
A Secure Element (SE) compliant to the standard will be able to produce a “qualified electronic signature” that fulfils the requirements of Article of the Electronic Signature Regulation [1] and therefore can be considered equivalent to a hand-written signature.
This standard consists of five parts:
Part 1: “Introduction and common definitions” describes the history, application context, market perspective and a tutorial about the basic understanding of electronic signatures. It also provides common terms and references valid for the entire 419212 series. [24]
Part 2: “Signature and Seal Services” describes the specifications for signature generation according to the eIDAS regulation. [25]
Part 3: “Device Authentication” describes the device authentication protocols and the related key management services to establish a secure channel. [26]
Part 4: “Privacy specific Protocols” describes functions and services to provide privacy to identification services. [27]
Part 5: “Trusted eServices” describes services that may be used in conjunction with signature services described in Part 2. [28]
According to the CEN-CENELEC Internal Regulations, the national standards organisations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
Introduction
The European Committee for Standardization (CEN) draws attention to the fact that it is claimed that compliance with this document may involve the use of a patent concerning the mapping function given in [25] 8.2.5 “Step 4.2 - Map nonce and compute generator point for integrated mapping”.
The patent relates to “Sagem, MorphoMapping Patents FR09-54043 and FR09-54053, 2009”.
CEN takes no position concerning the evidence, validity and scope of this patent right.
The holder of this patent right has assured CEN that he/she is willing to negotiate licences either free of charge or under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect, the statement of the holder of this patent right is registered with CEN. Information may be obtained from:
Morpho
11, boulevard Galliéni
92445 Issy-les-Moulineaux Cedex
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights other than those identified above. CEN shall not be held responsible for identifying any or all such patent rights.
1 Scope
This part specifies device authentication to be used for QSCDs in various contexts including:
• Device authentication protocols;
• Establishment of a secure channel;
• Data structures;
• CV-certificates;
• Key management.
The device authentication protocols should apply to sole-control signature mandated by the EU-regulation eIDAS [1].
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 7816-4:2013, Identification cards — Integrated circuit cards — Part 4: Organization, security and commands for interchange
ISO/IEC 7816-6, Identification cards — Integrated circuit cards — Part 6: Interindustry data elements for interchange
ISO/IEC 7816-8:2004, Identification cards — Integrated circuit cards — Part 8: Commands for security operations
ISO/IEC 9796-2:2010, Information technology — Security techniques — Digital signature schemes giving message recovery — Part 2: Integer factorization based mechanisms
ISO/IEC 14888-3:2016, Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms
3 Device authentication
3.1 General
This clause assumes that device authentication has to be performed as required in 3.3. Device authentication requires mandatory steps in order to provide a secure authentication. A device authentication is mutual and combines two mechanisms:
- an ICC verifies the external world (TDA) and is itself verified by the external world (CDA);
- the two devices negotiate or exchange information to establish common symmetric session keys for subsequent operations.
After negotiation of the symmetric keys, a secure session is established. A secure session is a cryptographic protection of the messages from both sides. The cryptographic protection can be:
- a cryptographic checksum on a plain text for integrity protection and/or
- an encrypted message text for confidentiality protection (mandates cryptographic checksum).
Refer to “9 Secure Messaging” [25].
For performance reasons, the secure messaging keys are symmetric keys. Therefore this document describes the establishment of symmetric session keys only, and does not consider an option for asymmetric session keys.
Once the session keys are established, a trusted channel is available to protect or conceal the information transmitted over the interface. The application of Secure Messaging (SM) is mandatory for every subsequent operation to ensure the provision of an entirely trusted channel. For exceptions refer to “5.3 Selection of ESIGN application” [25]. The conditions to end a secure messaging session are given in 3.12.
This chapter describes the following device authentication mechanisms:
- asymmetric session key transport mechanism based on RSA;
- asymmetric session key agreement mechanism with privacy protection;
- asymmetric session key agreement mechanism with non-traceability and privacy protection;
- symmetric authentication mechanism
in order to perform a mutual authentication protocol between IFD and ICC. The presentation of the asymmetric schemes is sequentially staged in order to trade off the security features with the required complexity of the authentication protocols.
NOTE Authentication in general requires a defined order of steps to be processed. Violation of this order may result in the ICC aborting the process. The mechanisms to control the proper order of execution steps are out of the scope of this standard.
In order to distinguish which device authentication is the most appropriate for a given situation refer to Annex A.
For the use of certificates the following table indicates the correct certificate type for each device authentication protocol.
Table 1 — Certificate type for use with device authentication protocols
Device Auth. | CV Certificate self-descriptive | CV Certificate non self-descriptive | Attribute certificates self-descriptive
3.8 Key transport protocol | - | x | -
3.5 Privacy protocol RSA | - | x | -
3.5 Privacy protocol ELC | x | - | x
3.6 mEAC | x | - | x
3.2 Asymmetric Authentication introduction
The above steps result in a high level of security for device authentication. They contain some mandatory aspects of the device authentication protocols considered to comply with the claims of the ESIGN-G1 [23] document.
- The public key of the IFD shall not be used until successfully verified by a certificate.
- The device to
...