Features of the Cartão de Cidadão
© André Zúquete Segurança Informática e nas Organizações 2
Cartão de Cidadão: The object
• Credit-card sized Portuguese identity card
• Contains different ways of conveying identity attributes
  • Informatic
    • Interaction with a smartcard
  • Visual, machine-readable style
    • MRZ (Machine Readable Zone)
  • Visual, human-readable style
Visual, human-readable attributes
• Names
  • Surname, given name, parents
• Physical attributes
  • Sex, height
• Other
  • Date of birth, nationality
  • Photograph
  • Calligraphic signature
• Numbers
  • Civil ID (and checksum)
  • Tax, Social Security, Health
  • Document number and validity
Visual, machine-readable attributes
• Names
  • Last name, initial and middle names
  • Name count
• Physical attributes
  • Sex
• Other
  • Date of birth, nationality
• Numbers
  • Country and Civil ID (and checksum)
  • Document number and validity
I<PRT068540477<ZZ85<<<<<<<<<<<
6511061M1309179PRT<<<<<<<<<<<6
ZUQUETE<<ANDRE<V<CRUZ<MARNOTO<
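
Added example (not part of the original slides): a Python check of the three MRZ lines above, read as an ICAO 9303 TD1 zone with the 7-3-1 check-digit weighting. On this sample the document-number digit only verifies when the filler '<' in position 15 stays inside the weighted run, so the code keeps it there; all function names are illustrative.

```python
WEIGHTS = (7, 3, 1)
DIGITS = "0123456789"

def char_value(c):
    """MRZ character value: digits as-is, A-Z -> 10-35, filler '<' -> 0."""
    if c == "<":
        return 0
    if c in DIGITS + "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        return int(c, 36)
    raise ValueError(f"invalid MRZ character {c!r}")

def check_digit(field):
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10

def verifies(field, digit):
    return digit in DIGITS and check_digit(field) == int(digit)

def parse_td1(lines):
    if len(lines) != 3 or any(len(line) != 30 for line in lines):
        raise ValueError("a TD1 MRZ is 3 lines of 30 characters")
    l1, l2, l3 = lines
    if l1[14] == "<":
        # Long document number: it continues in the optional field and its
        # check digit is the last character before the trailing filler.
        tail = l1[15:].rstrip("<")
        if not tail:
            raise ValueError("document number check digit missing")
        doc_field, doc_cd = l1[5:15] + tail[:-1], tail[-1]
    else:
        doc_field, doc_cd = l1[5:14], l1[14]
    composite = l1[5:30] + l2[0:7] + l2[8:15] + l2[18:29]
    surname, _, given = l3.rstrip("<").partition("<<")
    return {
        "issuer": l1[2:5], "document_number": doc_field.replace("<", ""),
        "birth": l2[0:6], "sex": l2[7], "expiry": l2[8:14],
        "nationality": l2[15:18],
        "surname": surname, "given_names": given.replace("<", " "),
        "checks": {
            "document": verifies(doc_field, doc_cd),
            "birth": verifies(l2[0:6], l2[6]),
            "expiry": verifies(l2[8:14], l2[14]),
            "composite": verifies(composite, l2[29]),
        },
    }

# The MRZ lines printed on the slide above.
SLIDE_MRZ = [
    "I<PRT068540477<ZZ85<<<<<<<<<<<",
    "6511061M1309179PRT<<<<<<<<<<<6",
    "ZUQUETE<<ANDRE<V<CRUZ<MARNOTO<",
]
```

A single altered digit in the date of birth fails both its own check and the composite check on the second line.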
Informatic attributes
• All the previous ones
  • Except the calligraphic signature
• Address
• Fingerprint biometric template
• 2 cryptographic key pairs
  • One for authentication
  • Another for digital signature
• 7 public key certificates
  • 2 of the owner’s public keys
  • 5 for building certification chains
• 1 secret, symmetric key for EMV-CAP
• 3 PINs
PIN protection
• Possession of the card is not enough for
  • Getting the address
  • Getting/using the authentication private key
  • Getting/using the digital signature private key
  • Getting/using the EMV-CAP secret key
• PIN-protected operations
  • 4-number PIN
  • PIN gets blocked after 3 consecutive failures
• Exceptions
  • Police officials can get the address without PIN
Certificates in the smartcard
• Issuer: GTE CyberTrust Global Root; Owner: GTE CyberTrust Global Root
• Issuer: GTE CyberTrust Global Root; Owner: ECRaizEstado
• Issuer: ECRaizEstado; Owner: Cartão de Cidadão 001
• Issuer: Cartão de Cidadão 001; Owner: EC de Autenticação do Cartão de Cidadão 0002
• Issuer: EC de Autenticação do Cartão de Cidadão 0002; Owner: André Ventura da Cruz Marnoto Zúquete
• Issuer: Cartão de Cidadão 001; Owner: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002
• Issuer: EC de Assinatura Digital Qualificada do Cartão de Cidadão 0002; Owner: André Ventura da Cruz Marnoto Zúquete
Certificates in the smartcard: Goals
• Allow the card owner to get authenticated
  • The owner may distribute his certificates to other people or services willing to authenticate him as the card owner
• Allow the card owner to authenticate other people with similar cards
  • Other people's certificates are validated with the certification chain stored in the card
• Allow the card to authenticate clients with similar certificates
  • Special operations may be requested from the card by owners of special certificates that are validated by the card
Certificates in the smartcard: Interoperation with other applications
• Watchdog application detects card insertion and removal
  • Upon insertion, gets the certificates and uploads them into browsers’ certificate repositories
  • Upon removal, removes the certificates from browsers’ certificate repositories
Smartcards: Definition
• Card with computing processing capabilities
  • CPU
  • ROM
  • EEPROM
  • RAM
• Interface
  • With contact
  • Contactless
[Figure: chip card taxonomy. By capability: memory card, smart card (w/ µprocessor). By interface: contact, contactless.]
Smartcard: Components
• CPU
  • 8/16 bit
  • Crypto-coprocessor (opt.)
• ROM
  • Operating system
  • Communication
  • Cryptographic algorithms
• EEPROM
  • File system
    • Programs / applications
    • Keys / passwords
• RAM
  • Transient data
    • Erased on power off
• Mechanical contacts
  • ISO 7816-2
    • Power
    • Soft reset
    • Clock
    • Half duplex I/O
• Physical security
  • Tamperproof case
  • Resistance to side-effect attacks
Smartcard-based applications: Communication protocol stack
[Figure: two matching protocol stacks, one on each side of the card interface.]
Off-card side: Off-card application / APDU (Application Protocol Data Unit) / T=0 / T=1
On-card side: On-card application / APDU (Application Protocol Data Unit) / T=0 / T=1
Smartcard-based applications: Cartão de Cidadão on-card applications
• IAS
  • Authentication and digital signature
  • Usage of asymmetric key pairs
• EMV-CAP
  • Generation of one-time-passwords for alternative channels (telephone, FAX, etc.)
• Match-on-Card
  • Biometric validation of fingerprints
Smartcard interactions: APDU (ISO 7816-4)
• Command APDU
  • CLA (1 byte)
    • Class of the instruction
  • INS (1 byte)
    • Command
  • P1 and P2 (2 bytes)
    • Command-specific parameters
  • Lc
    • Length of the optional command data
  • Le
    • Length of data expected in subsequent Response APDU
    • Zero (0) means all data available
• Response APDU
  • SW1 and SW2 (2 bytes)
    • Status bytes
    • 0x9000 means SUCCESS
Command APDU layout: header (CLA INS P1 P2), body (Lc, optional data, Le)
Response APDU layout: body (optional data), trailer (SW1 SW2)
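
Added example (not part of the original slides): an encoder and decoder for the command and response APDU layout listed above, restricted to the short form where Lc and Le are one byte each. The class and function names and the SELECT sample are constructed for illustration; an Le byte of 0x00 is modelled as le=256, the largest amount a short APDU can request.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CommandAPDU:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None      # None: no response data expected

    def encode(self) -> bytes:
        if len(self.data) > 255 or (self.le is not None and not 1 <= self.le <= 256):
            raise ValueError("outside the short APDU form")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data   # Lc + data
        if self.le is not None:
            out += bytes([self.le % 256])                # 256 travels as 0x00
        return out

def decode_command(raw: bytes) -> CommandAPDU:
    if len(raw) < 4:
        raise ValueError("header is 4 bytes")
    header, body = raw[:4], raw[4:]
    if len(body) <= 1:                                   # no data: Le only, or nothing
        return CommandAPDU(*header, le=(body[0] or 256) if body else None)
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if lc == 0 or len(data) != lc or len(rest) > 1:      # Lc must match the body
        raise ValueError("not a well-formed short APDU")
    return CommandAPDU(*header, data=data, le=(rest[0] or 256) if rest else None)

def decode_response(raw: bytes):
    """Split a response APDU into (data, status word, success flag)."""
    if len(raw) < 2:
        raise ValueError("response needs SW1 SW2")
    sw = int.from_bytes(raw[-2:], "big")
    return raw[:-2], sw, sw == 0x9000

# Constructed sample: SELECT (INS 0xA4) with a made-up 5-byte identifier.
SELECT = CommandAPDU(0x00, 0xA4, 0x04, 0x00, bytes.fromhex("0102030405"), le=256)
```

Rejecting a body whose length disagrees with Lc is the check that keeps a parser from reading past the command data.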
Smartcard interactions: Low-level T=0 and T=1 protocols
• T=0
  • Each byte transmitted separately
  • Slower
• T=1
  • Blocks of bytes transmitted
  • Faster
• ATR (ISO 7816-3)
  • Response of the card to a reset operation
  • Reports the protocol expected by the card
Encoding objects in smartcards: TLV and ASN.1 BER
• Tag-Length-Value (TLV)
  • Object description with a tag value, the length of its contents and the contents
  • Each element of TLV is encoded according to ASN.1 BER (Abstract Syntax Notation, Basic Encoding Rules)
  • Values can contain other TLV objects
    • Recursive structure
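
Added example (not part of the original slides): a recursive BER-TLV parser for the structure described above, handling multi-byte tags, long-form lengths and nested (constructed) values, with bounds checks on every read. The function names, the nesting limit and the sample bytes are constructed for illustration.

```python
MAX_DEPTH = 16   # assumed bound on nesting, so hostile input cannot exhaust the stack

def read_tag(buf, pos):
    start = pos
    pos += 1
    if buf[start] & 0x1F == 0x1F:            # tag number continues in next bytes
        while True:
            if pos >= len(buf):
                raise ValueError("truncated tag")
            pos += 1
            if not buf[pos - 1] & 0x80:      # high bit clear: last tag byte
                break
    return buf[start:pos], pos

def read_length(buf, pos):
    if pos >= len(buf):
        raise ValueError("missing length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                         # short form: the byte is the length
        return first, pos
    n = first & 0x7F                         # long form: n length bytes follow
    if n == 0:
        raise ValueError("indefinite length not handled here")
    if pos + n > len(buf):
        raise ValueError("truncated length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def parse_tlv(buf, depth=0):
    """Parse consecutive BER-TLV objects into [(tag_hex, value_or_children)]."""
    if depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    out, pos = [], 0
    while pos < len(buf):
        tag, pos = read_tag(buf, pos)
        length, pos = read_length(buf, pos)
        if pos + length > len(buf):
            raise ValueError("value runs past the end of the buffer")
        value, pos = buf[pos:pos + length], pos + length
        constructed = bool(tag[0] & 0x20)    # constructed bit of the first tag byte
        out.append((tag.hex(), parse_tlv(value, depth + 1) if constructed else value))
    return out

# Constructed sample: SEQUENCE { INTEGER 5, SEQUENCE { UTF8String "abc" } }
SAMPLE = bytes.fromhex("300a020105" "30050c03616263")
```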
Smartcards’ computational model: Java cards
• Smartcards that run Java Applets
  • That use the JCRE
  • The JCRE runs on top of a native OS
• JCRE (Java Card Runtime Environment)
  • Java Virtual Machine
  • Card Executive
    • Card management
    • Communications
  • Java Card Framework
    • Library functions
[Figure: layered architecture. Labels shown: Native OS, Java Virtual Machine (JVM), Card Executive, Java Card Framework, Applet (three), APDU.]
Smartcard cryptographic services: Middleware
• Libraries that bridge the gap between functionalities of smartcards and high-level applications
• Some standard approaches:
  • PKCS #11
    • Cryptographic Token Interface Standard (cryptoki)
    • Defined by RSA Security Inc.
  • PKCS #15
    • Cryptographic Token Information Format Standard
    • Defined by RSA Security Inc.
  • CAPI CSP
    • CryptoAPI Cryptographic Service Provider
    • Defined by Microsoft for Windows systems
  • PC/SC
    • Personal computer/Smart Card
    • Standard framework for smartcard access on Windows systems
    • Also available in Linux
PKCS #11: Cryptoki middleware integration
PKCS #11: Cryptoki object hierarchy
• Object
  • Data
  • Key
    • Public key
    • Private key
    • Secret key
  • Certificate
PKCS #11: Cryptoki sessions
• Logical connections between applications and tokens
  • Read-only sessions
  • Read/write sessions
• Operations on open sessions
  • Administrative
    • Login/logout
  • Object management
    • Create / destroy an object on the token
  • Cryptographic
• Session objects
  • Transient objects created during sessions
• Lifetime of sessions
  • Usually for a single operation on the token
PKCS #11: Cryptoki R/O sessions login/logout
• R/O Public Session
  • Read-only access to public token objects
  • Read/write access to public session objects
• R/O User Functions
  • Read-only access to all token objects (public or private)
  • Read/write access to all session objects (public or private)
PKCS #11: Cryptoki R/W sessions login/logout
• R/W Public Session
  • Read/write access to all public objects
• R/W SO Functions
  • Read/write access only to public objects on the token
    • Not to private objects
  • The SO can set the normal user’s PIN
• R/W User Functions
  • Read/write access to all objects
PKCS #11: Concepts used by the Cartão de Cidadão
• Authentication PIN
  • PKCS #11 User PIN
• Digital signature PIN
  • Not mapped into PKCS #11 PINs
• Address PIN
  • Not mapped into PKCS #11 PINs
• PKCS #11 SO PIN
  • Not used by owners
Cartão de Cidadão: PTEID middleware for Windows
[Figure: middleware stack. Components shown: Microsoft applications, Non-Microsoft applications, CryptoAPI (CAPI), Cryptographic Service Provider (CSP), PKCS #11, PC/SC.]
Cartão de Cidadão: PTEID middleware for Unix
[Figure: library stack. Components shown: libpteid, libpteidpkcs11, libpteidlibopensc, libQtCore, libcrypto, libpcsclite.]
Cartão de Cidadão: PTEID middleware & SDK
• Public distribution
  • Windows
  • MAC-Tiger
  • Linux
    • Caixa Mágica, Fedora, OpenSuse, Red Hat, Ubuntu
• Languages
  • Dynamic libraries for C/C++
  • Java wrapper (JNI) for C/C++ libraries
  • C# wrapper for .NET for C/C++ libraries
• Manuals
  • Validação de Número de Documento do Cartão de Cidadão
  • Autenticação com Cartão de Cidadão
  • Manual Técnico do Middleware do Cartão de Cidadão
  • Certificados e Entidades de Certificação
  • Others
Cartão de Cidadão: PKI services
• Issued certificates
  • LDAP and Web interfaces
• Revoked certificates
  • OCSP, delta-CRL and CRL services