Скачать презентацию The DIN Standard and PKCS 15 Common Usage for Скачать презентацию The DIN Standard and PKCS 15 Common Usage for

b6fa8e80986c05374107c3fc584d74be.ppt

  • Количество слайдов: 13

The DIN Standard and PKCS#15 Common Usage for Signature Cards? Gisela Meister e-mail: Gi. The DIN Standard and PKCS#15 Common Usage for Signature Cards? Gisela Meister e-mail: Gi. Mei@compuserve. com Gisela. Meister@gdm. de Giesecke & Devrient

How is the situation ? Standardised Specification for signature cards ä ä l Signature How is the situation ? Standardised Specification for signature cards ä ä l Signature Cards: Cards to perform the algorithm for generation of signature and / or generation of keys in the card DIN = German National Institute for Standardisation DIN Standard for Smart Cards according to Sig. G/Sig. V (1998) for Signature cards including ä DIN Standard for Personalisation of Smart cards according to Sig. G/Sig. V (End of 1999) ä ITSEC E 4 Pre-Evaluation based on the DIN Standard initiated by Tele. Trus. T Germany (End of 1999) Tele. Trus. T = Organisation of vendors of technology , application groups and federal and scientific institutes to promote trustworthiness in communication techniques Giesecke & Devrient

How is the situation combining PKCS #15 ? l Related standardised specification for smart How is the situation combining PKCS #15 ? l Related standardised specification for smart cards which (could) integrate PKCS #15 ä ä ä DIN Standard for signature cards DINSIG, (Signature generation, . . ) DIN Personalisation specification , including Key generation inside the card Office ID card Key encipherment (RSA, DH) Client sever Authentication (SSL/TLS) <-----> WIM specification for WAP l File structure, Application Flow Diagram, Access table for DINSIG /Office ID l How to proceed, ? Concept of a Profile for PKCS #15 , Annex x , similar to Annex B? l Implications on PKCS #11 ? Giesecke & Devrient

Contents of the DIN Standards Where are intersections and common points ? l DIN Contents of the DIN Standards Where are intersections and common points ? l DIN Standard V 66391 -1: Interface to smart cards with digital signature application/ functionality ä Application Flow diagram, Command set ( PKCS not relevant) ä File Structure--------PKCS 15 relevant storage of Certificates and Public Keys ä Certificate structure for Authentication services and Authentication protocols -------not include in PKCS#15 ä Digital signature input formats ( PKCS-1, ISO/IEC 9796 -2 with random number , pretty secure) ä Public Key format for different algorithms---- PKCS#15 ä Access control rules (table) for files----- to be compared with pkcs #15 l DIN Personalisation specification with digital signature application / functionality (Draft) ä Execution phases ä Command set Giesecke & Devrient

Office ID Card l Based on Standard l additionally Key encipherment ä according to Office ID Card l Based on Standard l additionally Key encipherment ä according to PKCS 1. 5 ( New attacks? ? ? ) ä according to a modification 9796 -2 (pretty secure until now) l Client Server Authentication ä PKCS #1 Format Giesecke & Devrient

Key Format Algorithms- Details l 1. RSA (SIG / ENC / Device-AUT, CL-AUT) l Key Format Algorithms- Details l 1. RSA (SIG / ENC / Device-AUT, CL-AUT) l 2. DSA, FIPS Publication 186: Digital Signature Standard (DSS), May 1994 l 3. DSA variants, based on elliptic curves: l · ISO/IEC 14883 -3 [4], Annex A. 2. 2 ("Agnew-Mullin-Vanstone analogue"), l · IEEE Standard P 1363 [5], Section 5. 3. 3 ("Nyberg-Rueppel version"), l · IEEE Standard P 1363 [5], Section 5. 3. 4 ("DSA version"). l 4. Diffie Hellman Key Exchange based on 2 and 3 ä for AUT ä for ENC ä Format supported by PKCS #15 ? Giesecke & Devrient

SIG-Algorithm Hash. Funktion Signature. Algorithm Giesecke & Devrient SHA-1 RIPEMD-160 RSA DSA ELC SIG-Algorithm Hash. Funktion Signature. Algorithm Giesecke & Devrient SHA-1 RIPEMD-160 RSA DSA ELC

File Structure DFxx = PKCS #15 Giesecke & Devrient DINSIG File Structure DFxx = PKCS #15 Giesecke & Devrient DINSIG

Access Table DINSIG to be included: SK File ( Generation/ Update for SK) Certificates Access Table DINSIG to be included: SK File ( Generation/ Update for SK) Certificates with PIN access root Public key trusted Giesecke & Devrient

Different Roles for access (Access type ) by Role ID presented in a CV Different Roles for access (Access type ) by Role ID presented in a CV Certificate l CHA Role ID Meaning l ´ 00´ No access right to data l ´ 01´ EF. DM) CHA Role ID for proving the access right of an IFD (Read access to l ´ 02´ access to CHA Role ID for proving the access right of a CA (e. g. read/write certificate files and EF. DM) l ´ 03´ SYS/ Personalisation manager Giesecke & Devrient

Management of Access Rights according to 7816 -9 Elementary File Security Attributes File Content Management of Access Rights according to 7816 -9 Elementary File Security Attributes File Content Example: AM = Read SC = EXT AUTH (asym) with CHA = ´x. 01´ or ´x. 02´ and User AUTH AM = Update SC = EXT AUTH (asym) with CHA = ´x. 01´ and SM X = Prefix denoting the AID or the entity AM = Access Mode assigning the role ID SC = Security Conditions CHA = Cert. Holder Authorisation (Prefix, Role ID) SM = Secure Messaging Giesecke & Devrient

German Proposal l Include after Annex B new Annex C l Annex C: A German Proposal l Include after Annex B new Annex C l Annex C: A PKCS #15 Profile for Signature Cards ä Signature Cards: Cards to perform the algorithm for generation of signature and / or generation of keys in the card ä Orientation on DIN Standard structured as Appendix B ? Including ISO Part 9 Access rules (informative) Giesecke & Devrient

WWW Addresses ä ä ä DIN Standard (English version) Sig. I /DIN Standard /Pre-Evaluation WWW Addresses ä ä ä DIN Standard (English version) Sig. I /DIN Standard /Pre-Evaluation Object Identifier for algorithms / Pre-Evaluation Giesecke & Devrient http: //gmd. darmstadt. de http: //www. bsi. de http: //teletrust. de