C.I.E – Carta di Identità Elettronica Functional Specification Version 2.0

More documents

Recommendations

Info

4 RFU Set to FFh5 RFU Set to FFh6 RFU Set to FFh7 AC_GENKEYPAIR GENERATE KEY PAIRTable 13: BSO AC11.3 CSE / SEOThe Current Security Environment (CSE) is a set of references to the security objects that will beused by Perform Security Operation (PSO) commands, and may be used by EXTERNAL AUTH.It has three components: Confidentiality (CON), Digital Signature (DS) and TEST. Each of thesecomponents is the ID of the BSO to be used.The CSE is not defined after a reset (CSE in “not initialized” state), and goes in the state“initialized” only after a Manage Security Environment (MSE) RESTORE command, that actuallycopies into it the values contained in the Security Environment Object referenced by the command.A Security Environment Object (SEO) has the following structure:TitleLengthValue And DescriptionSEO Identifier 100h to FEh (EFh reserved by ISO and SHOULD NOT be used) it mustbe unique at DF levelSEO AC_RESTORE 1 Access Condition for MSE RESTORE commandRFU 1 Set to FFhSEO ComponentCON1 Valid PSO BSO ID byte (BSO class byte 20h)SEO Component DS 1 Valid PSO BSO ID byte (BSO class byte 20h)SEO ComponentTEST1 Valid TEST BSO ID byte (BSO class byte 00h)Table 14: SEO structureCIE - Functional Specification v 2.0 -Page 32/76
11.4 Secure MessagingThe Secure Messaging (SM) is used to protect the communication between the interface device(IFD) and the smartcard. There are two ways to communicate data in SM format:• SM_ENC: APDU commands with enciphered data (data confidentiality)• SM_SIG: APDU commands with cryptographic checksum (data authentication andintegrity)It is possible to use a combination of the two (ENC followed by SIG). It is recommended forsecurity reasons to use SM_ENC only in conjunction with SM_SIG.The presence and the type of SM used is indicated by the APDU Class byte.Only the logical channel 0 is used, therefore the supported APDU Class byte values are:• X0h – No Secure Messaging• XCh - 3DES_CBC or MAC3 are performed on the transmitted data using symmetric keys.The command header is authenticated if MAC is used.The symmetric keys used by the smartcard to decrypt and/or verify the APDU commands areobtained from the SM condition related to the object or file on which the APDU command shouldoperate.The SM conditions for BSOs and files are defined at object/file creation time by the commandsCREATE FILE and PUT DATA (DATA_OCI).The SM conditions for BSOs and files are managed using the commands PUT DATA(DATA_OCI) and PUT DATA (DATA_FCI).The algorithms used in SM are• double length key 3DES for SM_ENC• MAC3 for SM_SIGthe cryptographic algorithms are detailed in Chapter 13.Before any SM command involving a signature (SM_SIG and SM_ENC_SIG), an n*8-byte longrandom has to be sent from the card to the terminal, with a GetChallenge command.The random generated by Get Challenge is valid for only one SM command.11.4.1 Secure Messaging ConditionThe possible values for the SM conditions are:• 01h… 1Fh: object ID of the SM BSO to use to compute ENC/SIG• FFh: no Secure Messaging condition defined for the operation.CIE - Functional Specification v 2.0 -Page 33/76
Page 1 and 2: C.I.E. - Carta di Identità Elettro
Page 3 and 4: Table of Contents1. Revision Histor
Page 5 and 6: 12.17 GENERATE KEY PAIR ...........
Page 7 and 8: 2. IntroductionThis document is the
Page 9 and 10: 4. Reference Documents1. ISO/IEC 78
Page 11 and 12: Public Key - That key of an entity
Page 13 and 14: lsbLSBMACMFmsbMSBMSEMTSCOSOCIPINPPP
Page 15 and 16: 6. Electrical ParametersFor all ele
Page 17 and 18: 8. Answer To Reset (ATR)The Answer
Page 19 and 20: XXh XXh H5/H6 Y02h H7 Y49h H8 Y54h
Page 21 and 22: 9. Application SelectionNo explicit
Page 23 and 24: Record structure:The EF is seen at
Page 25 and 26: Linear Variable TLV or Cyclic EFSiz
Page 27 and 28: The card maintains an internal Secu
Page 29 and 30: BSO ID 1 01h to 1FhOPTION 1 See Tab
Page 31: RSA public key Exponent for Authent
Page 35 and 36: Byte Nr. SM Condition1 ENC USE IN2
Page 37 and 38: • Step 4: APDU command set up in
Page 39 and 40: 11.4.5 SM Response in SM_ENCOrigina
Page 41 and 42: 11.4.7 SM Response in SM_ENC_SIGOri
Page 43 and 44: 12. APDU ReferenceThe CIE supports
Page 45 and 46: 6A 86 Incorrect P1-P26A 87 Lc incon
Page 47 and 48: The PUT DATA - DATA_OCI acts on the
Page 49 and 50: 3DES - SM Cipher 10h 83h 03h3DES -
Page 51 and 52: 3 8Fh 6 BYTE 1: Not used - MUST be
Page 53 and 54: Table35Table 34: SELECT FILE Comman
Page 55 and 56: The operation is possible if the ac
Page 57 and 58: n has to be different from FFh.P1=0
Page 59 and 60: First and NextLast and PreviousSecu
Page 61 and 62: acktrackingallowed.b6 = 0b5 = 0b4 -
Page 63 and 64: 12.13 RESET RETRY COUNTERCLA INS P1
Page 65 and 66: 12.15 GIVE RANDOMCLA INS P1 P2 P3 D
Page 67 and 68: Security:The access condition to sa
Page 69 and 70: The access condition to satisfy is
Page 71 and 72: 0X 04 00 00 LC = 00 EmptyTable 59:
Page 73 and 74: • The length in bits of the priva
Page 75 and 76: • a sequence of q cipher text blo

C.I.E – Carta di Identità Elettronica Functional Specification Version 2.0

Create successful ePaper yourself

Delete template?

Save as template?