ISO/IEC 24727 and Extended Access Control
Dr. Detlef Hühnlein (ecsec GmbH)
© Copyright 2010 ecsec GmbH, All Rights Reserved. © 2013 ecsec GmbH
Agenda
• ISO/IEC 24727
• Extended Access Control (v2)

ISO/IEC 24727 within an eID-Client
CardInfo according to CEN 15480-3 and ISO/IEC 24727-3 (Amd1)
http://ws.openecard.org/schema/CardInfo.xsd
ISO/IEC 24727-4 (IFD-API)
Card terminal functions
• EstablishContext
• ReleaseContext
• ListIFDs
• GetIFDCapabilities
• GetStatus
• Wait
• Cancel
• ControlIFD
Card functions
• Connect
• Disconnect
• BeginTransaction
• EndTransaction
• Transmit
User interaction functions
• VerifyUser
• ModifyVerificationData
• Output
IFD-Callback-Interface
• SignalEvent
Channel functions (planned contribution for Amd2)
• EstablishChannel
• DestroyChannel
http://ws.openecard.org/schema/ISOIFD.wsdl
Transmit
ISO/IEC 24727-3 (Service Access Layer)
Card-application-service access
• Initialize
• Terminate
• CardApplicationPath
Connection service
• CardApplicationConnect
• CardApplicationDisconnect
• CardApplicationStartSession
• CardApplicationEndSession
Card-application service
• CardApplicationList
• CardApplicationCreate
• CardApplicationDelete
• CardApplicationServiceList
• CardApplicationServiceCreate
• CardApplicationServiceLoad
• CardApplicationServiceDelete
• CardApplicationServiceDescribe
• ExecuteAction
Named data service
• DataSetList
• DataSetCreate
• DataSetSelect
• DataSetDelete
• DSIList
• DSICreate
• DSIDelete
• DSIRead
• DSIWrite
Cryptographic service
• Encipher
• Decipher
• GetRandom
• Hash
• Sign
• VerifySignature
• VerifyCertificate
Differential-identity service
• DIDList
• DIDCreate
• DIDGet
• DIDUpdate
• DIDDelete
• DIDAuthenticate
Authorization service
• ACLList
• ACLModify
http://ws.openecard.org/schema/ISO24727-3.wsdl
DIDAuthenticate
Generic authentication flow
Connection Establishment - Overview
Connection Establishment – More Details
[Sequence diagram: connection establishment between the User Agent (UA), the Service Provider (SP), the eID App, the eID-Server (eID-S) and the EAC protocol. The UA requests http://localhost:24727/eID-Client?tcTokenURL=..., the eID App retrieves the TCToken from tcTokenURL (carrying ServerAddress and RefreshAddress), sends StartPAOS to the eID-Server and receives StartPAOSResponse.]
StartPAOS
http://ws.openecard.org/schema/ISO24727-Protocols.wsdl
Agenda
• ISO/IEC 24727
• Extended Access Control (v2)

Extended Access Control (v2) - Overview
Password Authenticated Connection Establishment (PACE)
[Diagram: PACE between PCD and PICC over the domain parameters D_PICC = (p, a, b, G, ...) of the curve E: y^2 = x^3 + ax + b mod p. The PICC encrypts a random nonce s under the password-derived key K_pi; both sides generate ephemeral key pairs on G and derive the mapped generator G~ = Map(G, H, s) via the generic mapping; a second ephemeral key pair on G~ yields the shared secret K, from which K_Enc = KDF_Enc(K) and K_MAC = KDF_MAC(K) are derived; the authentication tokens T_PICC = MAC(K_MAC, PK~_PCD) and T_PCD = MAC(K_MAC, PK~_PICC) are exchanged and verified.]
Terminal Authentication (TA) (Version 2)
[Diagram: TA v2 between PCD and PICC. The PCD sends its certificate chain C_CA, ..., C_PCD, which the PICC verifies; the PCD generates an ephemeral key pair (SK~_PCD,TA, PK~_PCD,TA) and sends Comp(PK~_PCD,TA) together with auxiliary data A; the PICC answers with a random challenge r_PICC,TA; the PCD returns the signature s = Sign(SK_PCD, ID_PICC || r_PICC,TA || Comp(PK~_PCD,TA) || A), which the PICC checks with Verify(PK_PCD, ...) = OK?. ID_PICC is the document number from the MRZ if BAC was used, or Comp(PK~_PICC) if PACE was used.]
Chip Authentication (CA) (Version 2)
[Diagram: CA v2 between PCD and PICC. The PICC holds the static key pair (SK_PICC, PK_PICC), with PK_PICC validated by Passive Authentication; the PCD reuses the ephemeral private key generated in TA and sends PK~_PCD,CA, which the PICC checks against the compressed key from TA: Comp(PK~_PCD,CA) = Comp(PK~_PCD,TA)?. Both sides run the key agreement K = KA(SK_PICC, PK~_PCD,CA) = KA(SK~_PCD,TA, PK_PICC); the PICC picks a random r_PICC,CA and both derive K_Enc = KDF_Enc(K, r_PICC,CA) and K_MAC = KDF_MAC(K, r_PICC,CA); the PICC returns T_PICC = MAC(K_MAC, PK~_PCD,CA), which the PCD verifies.]
Restricted Identification
[Diagram: Restricted Identification. The eService provides the sector public key PK_Sector with domain parameters D_Sector = (p, a, b, G, ...); the PICC uses its RI private key SK_ID to compute the sector-specific identifier I^Sector_PICC = H(KA(SK_ID, PK_Sector, D_Sector)) and returns it to the eService.]
Extended Access Control (v2)
DIDAuthenticate with EAC1InputType
EAC1InputType
http://ws.openecard.org/schema/ISO24727-Protocols.xsd
DIDAuthenticate with EAC1OutputType
EAC1OutputType
http://ws.openecard.org/schema/ISO24727-Protocols.xsd
DIDAuthenticate with EAC2InputType
EAC2InputType
http://ws.openecard.org/schema/ISO24727-Protocols.xsd
DIDAuthenticate with EAC2OutputType
EAC2OutputType
http://ws.openecard.org/schema/ISO24727-Protocols.xsd
Thank you very much for your attention!
Contact: