Funcionalidades doddoodo Cartão de Cidadão -...

1

FuncionalidadesFuncionalidadesFuncionalidadesFuncionalidadesdodododo

Cartão de CidadãoCartão de CidadãoCartão de CidadãoCartão de Cidadão

© André Zúquete Segurança Informática e nas Organizações 2

CartãoCartãoCartãoCartão de de de de CidadãoCidadãoCidadãoCidadão::::The objectThe objectThe objectThe object

� Credit-card sized Portuguese identity card

� Contains different ways of conveying identity attributes� Informatic

� Interaction with a smartcard

� Visual, machine-readable style� MRZ (Machine Readable Zone)

� Visual, human-readable style

2


Visual, humanVisual, humanVisual, humanVisual, human----readable attributesreadable attributesreadable attributesreadable attributes

� Names� Surname, given name, parents

� Physical attributes� Sex, height

� Other� Date of birth, nationality� Photography� Calligraphic signature

� Numbers� Civil ID (and checksum)� Tax, Social Security, Health� Document number and validity


Visual, machineVisual, machineVisual, machineVisual, machine----readable attributesreadable attributesreadable attributesreadable attributes

� Names� Last name, initial an middle names

� Name count

� Physical attributes� Sex

� Other� Date of birth, nationality

� Numbers� Country and Civil ID (and checksum)

� Document number and validity

I<PRT068540477<ZZ85<<<<<<<<<<<

6511061M1309179PRT<<<<<<<<<<<6

ZUQUETE<<ANDRE<V<CRUZ<MARNOTO<

3


InformaticInformaticInformaticInformatic attributesattributesattributesattributes

� All the previous ones� Except the calligraphic signature

� Address� Fingerprint biometric template� 2 cryptographic key pairs

� One for authentication� Another for digital signature

� 7 public key certificates� 2 of the owner’s public keys� 5 for building certification chains

� 1 secret, symmetric key for EMV-CAP� 3 PINs


PIN protectionPIN protectionPIN protectionPIN protection

� Possession of the card is not enough for� Getting the address

� Getting/using the authentication private key

� Getting/using the digital signature private key

� Getting/using the EMV-CAP secret key

� PIN-protected operations� 4-number PIN

� PIN gets blocked after 3 consecutive failures

� Exceptions� Police officials can get the address without PIN

4


Certificates in the smartcardCertificates in the smartcardCertificates in the smartcardCertificates in the smartcard

Issuer: GTE CyberTrust Global RootOwner: GTE CyberTrust Global Root

Issuer: GTE CyberTrust Global RootOwner: ECRaizEstado

Issuer: ECRaizEstado

Owner: Cartão de Cidadão 001

Issuer: Cartão de Cidadão 001Owner: EC de Autenticação do Cartão de Cidadão 0002

Issuer: EC de Autenticação do Cartão de Cidadão 0002Owner: André Ventura da Cruz Marnoto Zúquete

Issuer: Cartão de Cidadão 001Owner: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002

Issuer: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002Owner: André Ventura da Cruz Marnoto Zúquete


Certificates in the smartcard:Certificates in the smartcard:Certificates in the smartcard:Certificates in the smartcard:GoalsGoalsGoalsGoals

� Allow the card owner to get authenticated� The owner may distribute its certificates to other

people or services whiling to authenticate himself as the card owner

� Allow the card owner to authenticate other people with similar cards� Other people certificates are validated with the

certification chain stored in the card� Allow the card to authenticate clients with

similar certificates� Special operations may be requested to the card by

owners of special certificates that are validated by the card

5


Certificates in the smartcard:Certificates in the smartcard:Certificates in the smartcard:Certificates in the smartcard:Interoperation with other applicationsInteroperation with other applicationsInteroperation with other applicationsInteroperation with other applications

� Watchdog application detects card insertion and removal� Upon insertion, gets the certificates and

uploads them into browsers’ certificate repositories

� Upon removal, removes the certificates from browsers’ certificate repositories


Smartcards:Smartcards:Smartcards:Smartcards:DefinitionDefinitionDefinitionDefinition

� Card with computing processing capabilities� CPU

� ROM

� EEPROM

� RAM

� Interface� With contact

� Contactless

Chip card

Memory cardSmart card

(w/ µµµµprocessor)

Chip card

Contact Contactless

6


Smartcard:Smartcard:Smartcard:Smartcard:ComponentsComponentsComponentsComponents

� CPU� 8/16 bit� Crypto-coprocessor (opt.)

� ROM� Operating system� Communication� Cryptographic algorithms

� EEPROM� File system

� Programs / applications� Keys / passwords

� RAM� Transient data

� Erased on power off

� Mechanical contacts� ISO 7816-2

� Power� Soft reset� Clock� Half duplex I/O

� Physical security� Tamperproof case� Resistance to side-effect

attacks


SmartcardSmartcardSmartcardSmartcard----based applications:based applications:based applications:based applications:Communication protocol stackCommunication protocol stackCommunication protocol stackCommunication protocol stack

Off-card application

APDU

(Application Protocol Data Unit)

T=0 / T=1

On-card application

APDU

(Application Protocol Data Unit)

T=0 / T=1

7


SmartcardSmartcardSmartcardSmartcard----based applications:based applications:based applications:based applications:CartãoCartãoCartãoCartão de de de de CidadãoCidadãoCidadãoCidadão onononon----card applicationscard applicationscard applicationscard applications

� IAS� Authentication and digital signature

� Usage of asymmetric key pairs

� EMV-CAP� Generation of one-time-passwords for

alternative channels (telephone, FAX, etc.)

� Match-on-Card� Biometric validation of fingerprints


Smartcard interactions:Smartcard interactions:Smartcard interactions:Smartcard interactions:APDUAPDUAPDUAPDU (ISO 7816(ISO 7816(ISO 7816(ISO 7816----4)4)4)4)

� Command APDU� CLA (1 byte)

� Class of the instruction

� INS (1 byte)� Command

� P1 and P2 (2 bytes)� Command-specific parameters

� Lc� Length of the optional command data

� Le� Length of data expected in subsequent Response APDU� Zero (0) means all data available

� Response APDU� SW1 and SW2 (2 bytes)

� Status bytes� 0x9000 means SUCCESS

CLA INS P1 P2 Lc Optional data Le Optional data SW1SW2

header body body trailer

8


Smartcard interactions:Smartcard interactions:Smartcard interactions:Smartcard interactions:LowLowLowLow----level T=0 and T=1 protocolslevel T=0 and T=1 protocolslevel T=0 and T=1 protocolslevel T=0 and T=1 protocols

� T=0� Each byte transmitted separately

� Slower

� T=1� Blocks of bytes transmitted

� Faster

� ATR (ISO 7816-3)� Response of the card to a reset operation

� Reports the protocol expected by the card


Encoding objects in smartcards:Encoding objects in smartcards:Encoding objects in smartcards:Encoding objects in smartcards:TLVTLVTLVTLV and ASN.1 and ASN.1 and ASN.1 and ASN.1 BERBERBERBER

� Tag-Length-Value (TLV)� Object description with a tag value, the length

of its contents and the contents

� Each element of TLV is encoded according with ASN.1 BER (Abstract Syntax Notation, Basic Encoding Rules)

� Values can contain other TLV objects� Recursive structure

9


SmartcardsSmartcardsSmartcardsSmartcards’’’’ssss computational modelcomputational modelcomputational modelcomputational modelJava cardsJava cardsJava cardsJava cards

� Smartcards that run Java Applets� That use the JCRE� The JCRE runs on top of a native OS

� JCRE (Java Card Runtime Environment)� Java Virtual Machine� Card Executive

� Card management� Communications

� Java Card Framework� Library functions Native OS

Java Virtual Machine (JVM)

Card

Executive

Java

Card

FrameworkApplet

Applet

AppletAPDU


Smartcard cryptographicSmartcard cryptographicSmartcard cryptographicSmartcard cryptographic servicesservicesservicesservices::::MiddlewareMiddlewareMiddlewareMiddleware

� Libraries that bridge the gap between functionalities of smartcards and high-level applications

� Some standard approaches:� PKCS #11

� Cryptographic Token Interface Standard (cryptoki)� Defined by RSA Security Inc.

� PKCS #15� Cryptographic Token Information Format Standard� Defined by RSA Security Inc.

� CAPI CSP� CryptoAPI Cryptographic Service Provider� Defined by Microsoft for Windows systems

� PC/SC� Personal computer/Smart Card� Standard framework for smartcard access on Windows systems� Also available in Linux

10


PKCSPKCSPKCSPKCS #11:#11:#11:#11:CryptokiCryptokiCryptokiCryptoki middleware integrationmiddleware integrationmiddleware integrationmiddleware integration


PKCS #11:PKCS #11:PKCS #11:PKCS #11:CryptokiCryptokiCryptokiCryptoki object hierarchyobject hierarchyobject hierarchyobject hierarchy

Object

Data

Key

Certificate

Public key

Private key

Secret key

11


PKCS #11:PKCS #11:PKCS #11:PKCS #11:CryptokiCryptokiCryptokiCryptoki sessionssessionssessionssessions

� Logical connections between applications and tokens� Read-only sessions� Read/write sessions

� Operations on open sessions� Administrative

� Login/logout

� Object management� Create / destroy an object on the token

� Cryptographic

� Session objects� Transient objects created during sessions

� Lifetime of sessions� Usually for a single operation on the token


PKCS #11:PKCS #11:PKCS #11:PKCS #11:CryptokiCryptokiCryptokiCryptoki R/OR/OR/OR/O sessions login/logoutsessions login/logoutsessions login/logoutsessions login/logout

� R/O Public Session � Read-only access to public token objects� Read/write access to public session objects

� R/O User Functions� Read-only access to all token objects (public or private)� Read/write access to all session objects (public or private)

12


PKCS #11:PKCS #11:PKCS #11:PKCS #11:CryptokiCryptokiCryptokiCryptoki R/WR/WR/WR/W sessions login/logoutsessions login/logoutsessions login/logoutsessions login/logout

� R/W Public Session� Read/write access to all

public objects

� R/W SO Functions� Read/write access only to

public objects on the token� Not to private objects

� The SO can set the normal user’s PIN

� R/W User Functions � Read/write access to all

objects


PKCS #11:PKCS #11:PKCS #11:PKCS #11:Concepts used by the Concepts used by the Concepts used by the Concepts used by the CartãoCartãoCartãoCartão de de de de CidadãoCidadãoCidadãoCidadão

� Authentication PIN� PKCS #11 User PIN

� Digital signature PIN� Not mapped into PKCS #11 PINs

� Address PIN� Not mapped into PKCS #11 PINs

� PKCS #11 SO PIN� Not used by owners

13


Cartão de Cidadão:Cartão de Cidadão:Cartão de Cidadão:Cartão de Cidadão:PTEIDPTEIDPTEIDPTEID middlewaremiddlewaremiddlewaremiddleware for Windowsfor Windowsfor Windowsfor Windows

Microsoft

applications

Microsoft

applicationsNon-Microsoft

applications

Non-Microsoft

applications

CryptoAPI (CAPI)CryptoAPI (CAPI)

Cryptographic

Service

Provider (CSP)

Cryptographic

Service

Provider (CSP)PKCS #11PKCS #11

PC/SCPC/SC


Cartão de Cidadão:Cartão de Cidadão:Cartão de Cidadão:Cartão de Cidadão:PTEIDPTEIDPTEIDPTEID middlewaremiddlewaremiddlewaremiddleware for Unixfor Unixfor Unixfor Unix

libpteidlibpteid libpteidpkcs11libpteidpkcs11

libpteidlibopensclibpteidlibopensc

libQtCorelibQtCore libcryptolibcrypto libpcsclitelibpcsclite

14


CartãoCartãoCartãoCartão de de de de CidadãoCidadãoCidadãoCidadão::::PTEIDPTEIDPTEIDPTEID middleware & SDKmiddleware & SDKmiddleware & SDKmiddleware & SDK

� Public distribution� Windows� MAC-Tiger� Linux

� Caixa Mágica, Fedora, OpenSuse, Red Hat, Ubuntu

� Languages� Dynamic libraries for C/C++� Java wrapper (JNI) for C/C++ libraries� C# wrapper for .NET for C/C++ libraries

� Manuals� Validação de Número de Documento do Cartão de Cidadão� Autenticação com Cartão de Cidadão� Manual Técnico do Middleware do Cartão de Cidadão� Certificados e Entidades de Certificação� Outros


CartãoCartãoCartãoCartão de de de de CidadãoCidadãoCidadãoCidadão::::PKIPKIPKIPKI servicesservicesservicesservices

� Issued certificates� LDAP and Web interfaces

� Revoked certificates� OCSP, delta-CRL and CRL services

Funcionalidades doddoodo Cartão de Cidadão -...

Documents

Transcript of Funcionalidades doddoodo Cartão de Cidadão -...