Features of the Cartão de Cidadão

© André Zúquete, Segurança Informática e nas Organizações

Cartão de Cidadão: The object
- Credit-card sized Portuguese identity card
- Contains different ways of conveying identity attributes
  - Visual, human-readable style
  - Visual, machine-readable style
    - MRZ (Machine Readable Zone)
  - Informatic
    - Interaction with a smartcard

Visual, human-readable attributes
- Names
  - Surname, given name, parents
- Physical attributes
  - Sex, height
- Other
  - Date of birth, nationality
  - Photograph
  - Calligraphic signature
- Numbers
  - Civil ID (and checksum)
  - Tax, Social Security, Health
  - Document number and validity

Visual, machine-readable attributes

    I<PRT068540477<ZZ85<<<<<<<<<<<
    6511061M1309179PRT<<<<<<<<<<<6
    ZUQUETE<<ANDRE<V<CRUZ<MARNOTO<

- Names
  - Last name, initials and middle names
  - Name count
- Physical attributes
  - Sex
- Other
  - Date of birth, nationality
- Numbers
  - Country and Civil ID (and checksum)
  - Document number and validity

Informatic attributes
- All the previous ones
  - Except the calligraphic signature
- Address
- Fingerprint biometric template
- 2 cryptographic key pairs
  - One for authentication
  - Another for digital signature
- 7 public key certificates
  - 2 of the owner's public keys
  - 5 for building certification chains
- 1 secret, symmetric key for EMV-CAP
- 3 PINs

PIN protection
- Possession of the card is not enough for PIN-protected operations
  - Getting the address
  - Getting/using the authentication private key
  - Getting/using the digital signature private key
  - Getting/using the EMV-CAP secret key
- 4-digit PIN
  - PIN gets blocked after 3 consecutive failures
- Exceptions
  - Police officials can get the address without PIN

Certificates in the smartcard
1. Issuer: GTE CyberTrust Global Root
   Owner: GTE CyberTrust Global Root
2. Issuer: GTE CyberTrust Global Root
   Owner: ECRaizEstado
3. Issuer: ECRaizEstado
   Owner: Cartão de Cidadão 001
4. Issuer: Cartão de Cidadão 001
   Owner: EC de Autenticação do Cartão de Cidadão 0002
5. Issuer: EC de Autenticação do Cartão de Cidadão 0002
   Owner: André Ventura da Cruz Marnoto Zúquete
6. Issuer: Cartão de Cidadão 001
   Owner: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002
7. Issuer: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002
   Owner: André Ventura da Cruz Marnoto Zúquete

Certificates in the smartcard: Goals
- Allow the card owner to get authenticated
  - The owner may distribute his certificates to other people or services willing to authenticate him as the card owner
- Allow the card owner to authenticate other people with similar cards
  - Other people's certificates are validated with the certification chain stored in the card
- Allow the card to authenticate clients with similar certificates
  - Special operations may be requested from the card by owners of special certificates that are validated by the card

Certificates in the smartcard: Interoperation with other applications
- Watchdog application detects card insertion and removal
  - Upon insertion, gets the certificates and uploads them into browsers' certificate repositories
  - Upon removal, removes the certificates from browsers' certificate repositories

Smartcards: Definition
- Card with processing capabilities
  - CPU
  - ROM
  - EEPROM
  - RAM
- Interface
  - With contact
  - Contactless

[Figure: chip card taxonomy. By chip: memory card, smart card (w/ µprocessor). By interface: contact, contactless.]

Smartcard: Components
- CPU
  - 8/16 bit
  - Crypto-coprocessor (opt.)
- ROM
  - Operating system
  - Communication
  - Cryptographic algorithms
- EEPROM
  - File system
    - Programs / applications
    - Keys / passwords
- RAM
  - Transient data
    - Erased on power off
- Mechanical contacts
  - ISO 7816-2
    - Power
    - Soft reset
    - Clock
    - Half duplex I/O
- Physical security
  - Tamperproof case
  - Resistance to side-effect attacks

Smartcard-based applications: Communication protocol stack

    Off-card application                    On-card application
    APDU (Application Protocol Data Unit)   APDU (Application Protocol Data Unit)
    T=0 / T=1                               T=0 / T=1

Smartcard-based applications: Cartão de Cidadão on-card applications
- IAS
  - Authentication and digital signature
  - Usage of asymmetric key pairs
- EMV-CAP
  - Generation of one-time-passwords for alternative channels (telephone, FAX, etc.)
- Match-on-Card
  - Biometric validation of fingerprints

Smartcard interactions: APDU (ISO 7816-4)

    Command APDU:   header: CLA INS P1 P2 | body: Lc, optional data, Le
    Response APDU:  body: optional data   | trailer: SW1 SW2

- CLA (1 byte)
  - Class of the instruction
- INS (1 byte)
  - Command
- P1 and P2 (2 bytes)
  - Command-specific parameters
- Lc
  - Length of the optional command data
- Le
  - Length of data expected in subsequent Response APDU
  - Zero (0) means all data available
- SW1 and SW2 (2 bytes)
  - Status bytes
  - 0x9000 means SUCCESS

Smartcard interactions: Low-level T=0 and T=1 protocols
- T=0
  - Each byte transmitted separately
  - Slower
- T=1
  - Blocks of bytes transmitted
  - Faster
- ATR (ISO 7816-3)
  - Response of the card to a reset operation
  - Reports the protocol expected by the card

Encoding objects in smartcards: TLV and ASN.1 BER
- Tag-Length-Value (TLV)
  - Object description with a tag value, the length of its contents and the contents
- Each element of TLV is encoded according to ASN.1 BER (Abstract Syntax Notation, Basic Encoding Rules)
- Values can contain other TLV objects
  - Recursive structure

Smartcards' computational model
- Java cards
  - Smartcards that run Java Applets
    - That use the JCRE
  - The JCRE runs on top of a native OS
- JCRE (Java Card Runtime Environment)
  - Java Virtual Machine
  - Card Executive
    - Card management
    - Communications
  - Java Card Framework
    - Library functions

[Figure: APDUs reach the Card Executive; Applets run on the Java Card Framework and the Java Virtual Machine (JVM), on top of the native OS.]

Smartcard cryptographic services: Middleware
- Libraries that bridge the gap between functionalities of smartcards and high-level applications
- Some standard approaches:
  - PKCS #11
    - Cryptographic Token Interface Standard (cryptoki)
    - Defined by RSA Security Inc.
  - PKCS #15
    - Cryptographic Token Information Format Standard
    - Defined by RSA Security Inc.
  - CAPI CSP
    - CryptoAPI Cryptographic Service Provider
    - Defined by Microsoft for Windows systems
  - PC/SC
    - Personal computer/Smart Card
    - Standard framework for smartcard access on Windows systems
    - Also available in Linux

PKCS #11: Cryptoki middleware integration

[Figure]

PKCS #11: Cryptoki object hierarchy
- Object
  - Data
  - Key
    - Public key
    - Private key
    - Secret key
  - Certificate

PKCS #11: Cryptoki sessions
- Logical connections between applications and tokens
  - Read-only sessions
  - Read/write sessions
- Operations on open sessions
  - Administrative
    - Login/logout
  - Object management
    - Create / destroy an object on the token
  - Cryptographic
- Session objects
  - Transient objects created during sessions
- Lifetime of sessions
  - Usually for a single operation on the token

PKCS #11: Cryptoki R/O sessions
- R/O Public Session
  - Read-only access to public token objects
  - Read/write access to public session objects
- R/O User Functions
  - Read-only access to all token objects (public or private)
  - Read/write access to all session objects (public or private)

[Figure: login/logout transitions between R/O Public Session and R/O User Functions.]

PKCS #11: Cryptoki R/W sessions
- R/W Public Session
  - Read/write access to all public objects
- R/W SO Functions
  - Read/write access only to public objects on the token
    - Not to private objects
  - The SO can set the normal user's PIN
- R/W User Functions
  - Read/write access to all objects

[Figure: login/logout transitions between R/W Public Session, R/W SO Functions and R/W User Functions.]

PKCS #11: Concepts used by the Cartão de Cidadão
- Authentication PIN
  - PKCS #11 User PIN
- Digital signature PIN
  - Not mapped into PKCS #11 PINs
- Address PIN
  - Not mapped into PKCS #11 PINs
- PKCS #11 SO PIN
  - Not used by owners

Cartão de Cidadão: PTEID middleware for Windows

[Figure: Microsoft applications, CryptoAPI (CAPI), Cryptographic Service Provider (CSP); Non-Microsoft applications, PKCS #11; PC/SC.]

Cartão de Cidadão: PTEID middleware for Unix

[Figure: libpteid, libpteidpkcs11, libpteidlibopensc, libQtCore, libcrypto, libpcsclite.]

Cartão de Cidadão: PTEID middleware & SDK
- Public distribution
  - Windows
  - MAC-Tiger
  - Linux
    - Caixa Mágica, Fedora, OpenSuse, Red Hat, Ubuntu
- Languages
  - Dynamic libraries for C/C++
  - Java wrapper (JNI) for C/C++ libraries
  - C# wrapper for .NET for C/C++ libraries
- Manuals
  - Validação de Número de Documento do Cartão de Cidadão
  - Autenticação com Cartão de Cidadão
  - Manual Técnico do Middleware do Cartão de Cidadão
  - Certificados e Entidades de Certificação
  - Others

Cartão de Cidadão: PKI services
- Issued certificates
  - LDAP and Web interfaces
- Revoked certificates
  - OCSP, delta-CRL and CRL services
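
Added example (not part of the original slides): a parser for the three MRZ lines shown on the "Visual, machine-readable attributes" slide that also verifies the birth-date, expiry-date and composite check digits. The field positions and the 7-3-1 weighting are assumptions taken from the ICAO Doc 9303 TD1 layout, which the slides do not spell out; the optional data on the first line is returned raw.

```python
# Added example: parse a TD1 MRZ and verify its ICAO 9303 check digits.
MRZ = [  # the three lines printed on the slide
    "I<PRT068540477<ZZ85<<<<<<<<<<<",
    "6511061M1309179PRT<<<<<<<<<<<6",
    "ZUQUETE<<ANDRE<V<CRUZ<MARNOTO<",
]

def char_value(c):
    """Digits keep their value, A-Z map to 10-35, the filler '<' counts as 0."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"illegal MRZ character {c!r}")

def check_digit(field):
    """Sum of character values times the repeating weights 7, 3, 1, modulo 10."""
    return sum(char_value(c) * (7, 3, 1)[i % 3] for i, c in enumerate(field)) % 10

def parse_td1(lines):
    if len(lines) != 3 or any(len(line) != 30 for line in lines):
        raise ValueError("a TD1 MRZ is 3 lines of 30 characters")
    l1, l2, l3 = lines
    surname, _, given = l3.partition("<<")
    # Composite digit: line 1 positions 6-30, line 2 positions 1-7, 9-15, 19-29.
    composite = l1[5:30] + l2[0:7] + l2[8:15] + l2[18:29]
    return {
        "document_type": l1[0:2].rstrip("<"),
        "issuing_state": l1[2:5],
        "number_field": l1[5:14],                # positions 6-14
        "optional_data": l1[15:30].rstrip("<"),  # kept raw, not interpreted here
        "birth_date": l2[0:6],                   # YYMMDD
        "sex": l2[7],
        "expiry_date": l2[8:14],                 # YYMMDD
        "nationality": l2[15:18],
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").split(),
        "checks": {
            "birth_date": str(check_digit(l2[0:6])) == l2[6],
            "expiry_date": str(check_digit(l2[8:14])) == l2[14],
            "composite": str(check_digit(composite)) == l2[29],
        },
    }
```

A reader that accepts the visual MRZ without recomputing these digits cannot tell a misread or altered character from a valid one; changing a single digit of the expiry date makes both the expiry and the composite checks fail.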
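
Added example (not part of the original slides): an encoder and a strict decoder for the command and response APDUs laid out on the "Smartcard interactions: APDU (ISO 7816-4)" slide. It assumes short-form APDUs with one-byte Lc and Le; the function names and the sample command bytes are constructed for illustration.

```python
# Added example: short-form (one-byte Lc/Le) APDUs following the slide's layout.
def build_command(cla, ins, p1, p2, data=b"", le=None):
    """Encode header CLA INS P1 P2, then optional Lc + data, then optional Le."""
    if any(not 0 <= b <= 0xFF for b in (cla, ins, p1, p2)):
        raise ValueError("CLA, INS, P1 and P2 are one byte each")
    if len(data) > 255:
        raise ValueError("short-form Lc limits command data to 255 bytes")
    if le is not None and not 0 <= le <= 0xFF:
        raise ValueError("short-form Le is one byte")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + bytes(data)
    if le is not None:
        apdu += bytes([le])            # Le = 0: all available data, as on the slide
    return apdu

def parse_command(apdu):
    """Decode a short-form command APDU, rejecting inconsistent lengths."""
    if len(apdu) < 4:
        raise ValueError("command APDU needs a 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:                 # Le only, no command data
        le = body[0]
    elif body:
        lc = body[0]
        if lc == 0:
            raise ValueError("extended-length APDUs are not handled here")
        data, rest = body[1:1 + lc], body[1 + lc:]
        if len(data) != lc or len(rest) > 1:
            raise ValueError("Lc does not match the bytes that follow")
        le = rest[0] if rest else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}

def parse_response(rapdu):
    """Split a response APDU into (data, status word, success flag)."""
    if len(rapdu) < 2:
        raise ValueError("response APDU must end with SW1 SW2")
    sw = int.from_bytes(rapdu[-2:], "big")
    return rapdu[:-2], sw, sw == 0x9000

# Constructed sample: header 00 A4 04 00, five made-up data bytes, Le = 0.
SAMPLE_COMMAND = build_command(0x00, 0xA4, 0x04, 0x00, bytes.fromhex("A000000001"), le=0)
```

Checking that Lc agrees with the bytes actually present is the part that matters on the receiving side: a decoder that trusts Lc without that check reads past the end of the message.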
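
Added example (not part of the original slides): a recursive decoder for the BER-encoded TLV objects described on the "Encoding objects in smartcards: TLV and ASN.1 BER" slide, with a bounds check on every length and a cap on nesting depth. The function name, the depth limit and the sample bytes are constructed for illustration; indefinite lengths are rejected rather than decoded.

```python
# Added example: recursive BER-TLV decoder with bounds checks on every length.
def parse_tlv(buf, depth=0, max_depth=8):
    """Return [(tag, value)]; value is bytes, or a nested list for constructed tags."""
    if depth > max_depth:
        raise ValueError("TLV nesting too deep")
    out, i = [], 0
    while i < len(buf):
        start, first = i, buf[i]
        i += 1
        if first & 0x1F == 0x1F:              # tag number continues in later bytes
            while True:
                if i >= len(buf):
                    raise ValueError("truncated tag")
                i += 1
                if not buf[i - 1] & 0x80:     # high bit clear ends the tag
                    break
        tag = int.from_bytes(buf[start:i], "big")
        if i >= len(buf):
            raise ValueError("missing length")
        length = buf[i]
        i += 1
        if length == 0x80:
            raise ValueError("indefinite length is not handled here")
        if length & 0x80:                     # long form: low 7 bits count the length bytes
            n = length & 0x7F
            if n > 4 or i + n > len(buf):
                raise ValueError("bad long-form length")
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        if i + length > len(buf):
            raise ValueError("value overruns the buffer")
        value = buf[i:i + length]
        i += length
        constructed = bool(first & 0x20)      # bit 6 of the first tag byte
        out.append((tag, parse_tlv(value, depth + 1, max_depth) if constructed else value))
    return out

# Constructed sample: a constructed object holding a primitive and a nested constructed object.
SAMPLE_TLV = bytes.fromhex("6F0B8403A00001A50450024343")
```

Because values can contain further TLV objects, the declared length and the nesting depth are both attacker-influenced when the bytes come from an untrusted card or file, which is why the decoder refuses a length that runs past its enclosing value and stops at a fixed depth.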