Funcionalidades do Cartão de Cidadão

Propaganda
Funcionalidades
do
Cartão de Cidadão
Cartão de Cidadão:
Cidadão:
The object
Credit-card sized Portuguese identity card
Contains different ways of conveying
identity attributes
Informatic
Visual, machine-readable style
Interaction with a smartcard
MRZ (Machine Readable Zone)
Visual, human-readable style
© André Zúquete
Segurança Informática e nas Organizações
2
1
Visual, humanhuman-readable attributes
Names
Physical attributes
Sex, height
Other
Surname, given name, parents
Date of birth, nationality
Photography
Calligraphic signature
Numbers
Civil ID (and checksum)
Tax, Social Security, Health
Document number and validity
© André Zúquete
Segurança Informática e nas Organizações
3
Visual, machinemachine-readable attributes
Names
Physical attributes
I<PRT068540477<ZZ85<<<<<<<<<<<
6511061M1309179PRT<<<<<<<<<<<6
Sex
ZUQUETE<<ANDRE<V<CRUZ<MARNOTO<
Other
Last name, initial an middle names
Name count
Date of birth, nationality
Numbers
Country and Civil ID (and checksum)
Document number and validity
© André Zúquete
Segurança Informática e nas Organizações
4
2
Informatic attributes
All the previous ones
Address
Fingerprint biometric template
2 cryptographic key pairs
One for authentication
Another for digital signature
7 public key certificates
Except the calligraphic signature
2 of the owner’s public keys
5 for building certification chains
1 secret, symmetric key for EMV-CAP
3 PINs
© André Zúquete
Segurança Informática e nas Organizações
5
PIN protection
Possession of the card is not enough for
PIN-protected operations
Getting the address
Getting/using the authentication private key
Getting/using the digital signature private key
Getting/using the EMV-CAP secret key
4-number PIN
PIN gets blocked after 3 consecutive failures
Exceptions
Police officials can get the address without PIN
© André Zúquete
Segurança Informática e nas Organizações
6
3
Certificates in the smartcard
Issuer: GTE CyberTrust Global Root
Owner: GTE CyberTrust Global Root
Issuer: GTE CyberTrust Global Root
Owner: ECRaizEstado
Issuer: ECRaizEstado
Owner: Cartão de Cidadão 001
Issuer: Cartão de Cidadão 001
Owner: EC de Autenticação do Cartão de Cidadão 0002
Issuer: EC de Autenticação do Cartão de Cidadão 0002
Owner: André Ventura da Cruz Marnoto Zúquete
Issuer: Cartão de Cidadão 001
Owner: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002
Issuer: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002
Owner: André Ventura da Cruz Marnoto Zúquete
© André Zúquete
Segurança Informática e nas Organizações
7
Certificates in the smartcard:
Goals
Allow the card owner to get authenticated
Allow the card owner to authenticate other
people with similar cards
The owner may distribute its certificates to other
people or services whiling to authenticate himself as the
card owner
Other people certificates are validated with the
certification chain stored in the card
Allow the card to authenticate clients with
similar certificates
Special operations may be requested to the card by
owners of special certificates that are validated by the
card
© André Zúquete
Segurança Informática e nas Organizações
8
4
Certificates in the smartcard:
Interoperation with other applications
Watchdog application detects card
insertion and removal
Upon insertion, gets the certificates and
uploads them into browsers’ certificate
repositories
Upon removal, removes the certificates from
browsers’ certificate repositories
© André Zúquete
9
Segurança Informática e nas Organizações
Smartcards:
Definition
Card with computing processing
capabilities
CPU
ROM
EEPROM
RAM
Chip card
Memory card
Interface
With contact
Contactless
© André Zúquete
Smart card
(w/ µprocessor)
Chip card
Contact
Segurança Informática e nas Organizações
Contactless
10
5
Smartcard:
Components
CPU
ROM
8/16 bit
Crypto-coprocessor (opt.)
RAM
Operating system
Communication
Cryptographic algorithms
Programs / applications
Keys / passwords
Power
Soft reset
Clock
Half duplex I/O
Physical security
© André Zúquete
ISO 7816-2
File system
Erased on power off
Mechanical contacts
EEPROM
Transient data
Tamperproof case
Resistance to side-effect
attacks
11
Segurança Informática e nas Organizações
SmartcardSmartcard-based applications:
Communication protocol stack
Off-card application
On-card application
APDU
(Application Protocol Data Unit)
APDU
(Application Protocol Data Unit)
T=0 / T=1
T=0 / T=1
© André Zúquete
Segurança Informática e nas Organizações
12
6
SmartcardSmartcard-based applications:
Cartão de Cidadão onon-card applications
IAS
EMV-CAP
Authentication and digital signature
Usage of asymmetric key pairs
Generation of one-time-passwords for
alternative channels (telephone, FAX, etc.)
Match-on-Card
Biometric validation of fingerprints
© André Zúquete
13
Segurança Informática e nas Organizações
Smartcard interactions:
APDU (ISO 78167816-4)
header
body
body
CLA INS P1 P2 Lc Optional data Le
Command APDU
Status bytes
0x9000 means SUCCESS
Command
Command-specific parameters
Lc
SW1 and SW2 (2 bytes)
P1 and P2 (2 bytes)
Response APDU
Class of the instruction
INS (1 byte)
CLA (1 byte)
trailer
Optional data SW1SW2
Length of the optional command data
Le
Length of data expected in subsequent Response APDU
Zero (0) means all data available
© André Zúquete
Segurança Informática e nas Organizações
14
7
Smartcard interactions:
LowLow-level T=0 and T=1 protocols
T=0
T=1
Each byte transmitted separately
Slower
Blocks of bytes transmitted
Faster
ATR (ISO 7816-3)
Response of the card to a reset operation
Reports the protocol expected by the card
© André Zúquete
Segurança Informática e nas Organizações
15
Encoding objects in smartcards:
TLV and ASN.1 BER
Tag-Length-Value (TLV)
Object description with a tag value, the length
of its contents and the contents
Each element of TLV is encoded according with
ASN.1 BER (Abstract Syntax Notation, Basic
Encoding Rules)
Values can contain other TLV objects
Recursive structure
© André Zúquete
Segurança Informática e nas Organizações
16
8
Smartcards’
Smartcards’s computational model
Java cards
Smartcards that run Java Applets
That use the JCRE
The JCRE runs on top of a native OS
JCRE (Java Card Runtime Environment)
Java Virtual Machine
Card Executive
Card management
Communications
APDU
Java Card Framework
Card
Executive
Java Virtual Machine (JVM)
Library functions
© André Zúquete
Applet
Java
Applet
Card
Framework
Applet
Native OS
Segurança Informática e nas Organizações
17
Smartcard cryptographic services:
services:
Middleware
Libraries that bridge the gap between functionalities of smartcards
and high-level applications
Some standard approaches:
PKCS #11
PKCS #15
Cryptographic Token Information Format Standard
Defined by RSA Security Inc.
CAPI CSP
Cryptographic Token Interface Standard (cryptoki)
Defined by RSA Security Inc.
CryptoAPI Cryptographic Service Provider
Defined by Microsoft for Windows systems
PC/SC
Personal computer/Smart Card
Standard framework for smartcard access on Windows systems
Also available in Linux
© André Zúquete
Segurança Informática e nas Organizações
18
9
PKCS #11:
Cryptoki middleware integration
© André Zúquete
19
Segurança Informática e nas Organizações
PKCS #11:
Cryptoki object hierarchy
Object
Data
Key
Public key
Private key
Secret key
Certificate
© André Zúquete
Segurança Informática e nas Organizações
20
10
PKCS #11:
Cryptoki sessions
Logical connections between applications and tokens
Read-only sessions
Read/write sessions
Operations on open sessions
Administrative
Create / destroy an object on the token
Cryptographic
Session objects
Login/logout
Object management
Transient objects created during sessions
Lifetime of sessions
Usually for a single operation on the token
© André Zúquete
Segurança Informática e nas Organizações
21
PKCS #11:
Cryptoki R/O sessions login/logout
R/O Public Session
Read-only access to public token objects
Read/write access to public session objects
R/O User Functions
Read-only access to all token objects (public or private)
Read/write access to all session objects (public or private)
© André Zúquete
Segurança Informática e nas Organizações
22
11
PKCS #11:
Cryptoki R/W sessions login/logout
R/W Public Session
Read/write access to all
public objects
R/W SO Functions
Read/write access only to
public objects on the
token
R/W User Functions
© André Zúquete
Not to private objects
The SO can set the
normal user’s PIN
Read/write access to all
objects
Segurança Informática e nas Organizações
23
PKCS #11:
Concepts used by the Cartão de Cidadão
Authentication PIN
Digital signature PIN
Not mapped into PKCS #11 PINs
Address PIN
PKCS #11 User PIN
Not mapped into PKCS #11 PINs
PKCS #11 SO PIN
Not used by owners
© André Zúquete
Segurança Informática e nas Organizações
24
12
Cartão de Cidadão:
PTEID middleware for Windows
Microsoft
Microsoft
applications
applications
Non-Microsoft
Non-Microsoft
applications
applications
CryptoAPI
CryptoAPI (CAPI)
(CAPI)
Cryptographic
Cryptographic
Service
Service
Provider
Provider (CSP)
(CSP)
PKCS
PKCS #11
#11
PC/SC
PC/SC
© André Zúquete
25
Segurança Informática e nas Organizações
Cartão de Cidadão:
PTEID middleware for Unix
libpteid
libpteid
libpteidpkcs11
libpteidpkcs11
libpteidlibopensc
libpteidlibopensc
libQtCore
libQtCore
© André Zúquete
libcrypto
libcrypto
Segurança Informática e nas Organizações
libpcsclite
libpcsclite
26
13
Cartão de Cidadão:
Cidadão:
PTEID middleware & SDK
Public distribution
Windows
MAC-Tiger
Linux
Caixa Mágica, Fedora, OpenSuse, Red Hat, Ubuntu
Languages
Dynamic libraries for C/C++
Java wrapper (JNI) for C/C++ libraries
C# wrapper for .NET for C/C++ libraries
Manuals
Validação de Número de Documento do Cartão de Cidadão
Autenticação com Cartão de Cidadão
Manual Técnico do Middleware do Cartão de Cidadão
Certificados e Entidades de Certificação
Outros
© André Zúquete
Segurança Informática e nas Organizações
27
Cartão de Cidadão:
Cidadão:
PKI services
Issued certificates
LDAP and Web interfaces
Revoked certificates
OCSP, delta-CRL and CRL services
© André Zúquete
Segurança Informática e nas Organizações
28
14
Download