Smart Card Layout and Authentication Protocol for Access Control System in Military Application
|
|
- Olivia Jordan
- 8 years ago
- Views:
Transcription
1 Smart Card Layout and Authentication Protocol for Access Control System in Military Application Vinod Vasudevan Department of Computer Science & Engineering Indian Institute of Technology Kanpur July 2009
2 Smart Card Layout and Authentication Protocol for Access Control System in Military Application A Thesis Submitted In Partial Fulllment of the Requirements For the Degree of Master of Technology by Vinod Vasudevan to the Department of Computer Science & Engineering Indian Institute of Technology Kanpur July 2009
3 3
4 Abstract Smart card technologies are increasingly nding their foothold in the eld of security due to the exibility, relatively low cost, robust security, versatility and variety they provide as compared to other available options such as USB tokens, PCMCIA cards etc. Our attempt is directed towards harnessing this growing technology and implementing it into the Armed forces for Access Control and Management. This work is centrally aimed at designing the architecture framework for such an implementation in the Indian Navy catering to both physical and logical access. The design of such a framework is made challenging by the fact that this implementation is envisaged across a large section of users who are not only distributed geographically but also categorized distinctly in their continuously changing roles of operation. Owing to these on-ground user requirements and the exibility provided by Public Key cryptography, the design of the application was done using asymmetric keys as per SCOSTA-PKI and SCOSTA-CL specications. SCOSTA-PKI and SCOSTA-CL which are compliant to ISO/IEC 7816 set of International Standards for smart cards dene specications for carrying out symmetric and asymmetric key operations. The design for our implementation utilizes asymmetric key operations such as encryption, decryption, authentication, digital signature and certicate verication based on SCOSTA-PKI standards. Establishment of a key management system including secure key generation, distribution and maintenance form a part of the work along with card layout design and authentication protocols. Attempt was made to stick to the already existing and proven system of security management and administration so that little changes need to be incorporated for the implementation and to motivate the user to accept the new technology.
5 Acknowledgment I would like to express my sincere gratitude to my supervisor Dr. Rajat Moona for his unreserved guidance and inspiration throughout the course of this work. I thank him for the patience he has shown over extended discussions during this period. This work would not have been possible without his support, encouragement and faith bestowed upon me. A word of thanks to Dr TV Prabhakar, Dr Manindra Agrawal and Dr Piyush Kurur for being gracious enough to lend their valuable time in clearing my queries from time to time. Their encouragement and advice have been crucial to this thesis. Lt Cdr Ankur Kulshrestha has been a perfect partner and colleague in our joint eort to develop an Access Control solution for the Indian Navy. His unending persistence and dedication was inspirational. His deep insight on the implementation aspects proved critical in shaping my work. He has been a true friend and associate during the course of my stay at IIT Kanpur. I would also like to express my gratitude to Dheeraj Gedam, Anshul Data, Rahul Kulkarni and Satyam Sharma for their support and help. Discussions with them were revealing and aided as the rst level for understanding SCOSTA and PKI framework. Thanks are also due to each of my batch mates and peers not mentioned here for their continued support. A special mention of thanks goes to my wife for being a tremendous support and motivation throughout this duration. Last but not the least, it was an honour to work in a cooperative environment ii
6 with zeal and enthusiasm for which I am thankful to the sta of Computer Science Engineering department, IIT Kanpur. They have provided me all the support needed for the successful completion of the project. iii
7 Contents 1 Introduction Motivation Thesis Statement Related Work Case Studies Common Access Card (CAC) Singapore Smart Card Standard SSID Organization of Thesis Background PKI Related Operations SCOSTA-CL and SCOSTA-PKI SCOSTA-CL Basic Data Structure Security Architecture Security Attributes Security Environment Security Algorithms Security Mechanisms SCOSTA-PKI iv
8 2.4.1 PKI Related Data Structures Password and Key repository Operations supported in SCOSTA-PKI Authentication Session Key establishment Authentication with Session Key Establishment Cryptographic Algorithms in SCOSTA-PKI Additional Commands in SCOSTA-PKI Additional Support for APDU in SCOSTA-PKI System Requirements Overview of Existing Security System Distribution of Naval Establishments Personnel Involved in Various I-Card Related Activities Existing Procedure for I-Card Making Access Control Setup Issues in the Existing System Proposed Design with Smart Cards Security Mechanisms Certicate Revocation List Entry Permissions Security levels Entities of Smart Card solution ROOT CA Level 1 CA Level 2 CA Level 5 users Unit Owner v
9 3.9.6 Zone Owners Level 3 users Level 2 user User Level Normal users User level Smart Card Layout Assumptions File structure of PKI Cards Mandatory Internal Files Mandatory Application Specic Files File Structure for Various Cards Normal User Card L1CA/L2CA/Unit Card File Structure Non-PKI Cards Mandatory Internal Files Mandatory Application Specic Files File Structure for Various Cards ROOT Cards Dependent card Casual Visitor card Implementation Design Specications Various Applications Involved Procedures Involved in various Applications Personal cards I-Card making Process vi
10 I-Card Revalidation Update Certicates by a Higher Authority Card Procedure for updating Entry Permission codes I-Card Checking At Gate Read/Update Card Holder Information Change Own PIN/Password Exclusive Cards Procedure for making L1CA/L2CA/Unit card Update L1CA/L2CA/Unit Card ROOT Cards ROOT Card Making Process ROOT CA Key Retrieval Changing Root Card Holder Information Key repository Certicates on Card Data Structure for Entry Permission Conclusion and Future Scope 66 vii
11 List of Figures 2.1 A Typical File Layout System Layout for Key Management Card layout of Normal user Card layout of L1CA/L2CA/Unit Card Card Layout of ROOT Card Card layout in Dependent Card Card layout of Casual Visitor Card viii
12 List of Tables 2.1 CRT templates in SCOSTA-CL Security algorithms in SCOSTA-CL Contents of Card Holder Information File (Normal user) Contents of Card Holder Information File (Normal user) Contents of Crad Holder Information File (Normal user) Access Rights in Normal user card Contents of Card Holder Information le1(l1ca/l2ca/unit Card) Access Rights of L1CA/L2CA/Unit Card Contents of Card Holder Information File (ROOT Card) Access Rights in ROOT Card Contents of Card Holder Inforamtion File 1(Dependent Card) Access Rights in Dependent Card Contents of Card Holder Information File (Casual Visitor Card) Access Rights in Casual Visitor card Proposed Application Modules Certicates on cards EP Update eld content ix
13 Chapter 1 Introduction Security, be it physical security or logical security, is a term synonymous to the Armed forces. Continuous eorts are being made in the direction to achieve utmost security and Armed Forces across the globe have channelized tremendous resources towards this goal. This work is a small step in line with these eorts and has been appreciated to be necessary and urgent in the present scheme of security requirement in the Indian Navy. The Indian Navy at present has a system in place for management and implementation of physical and logical access control. However, since this existing setup is predominantly based on human interactions and is prone to errors, smart cards are being looked into as an alternative solution to plug loopholes in the prevailing setup. Plastic cards have grown from simple memory cards to micro processor based smart cards to super smart cards with their own key pads and display [15]. The rapid progress made in this eld of technology has seen it increasingly being adopted by varied establishments such as e-commerce, telecommunications, security applications etc. Smart card technology with their myriad advantages such as security (tamper resistance), exibility, reliability, scalability, multi-utility on a single card, maintainability 1
14 and extremely portable storage have ensured them being adopted for a variety of commercial and non-commercial applications. Keeping in line with technology, the Govt. of India has adopted and specied standards for Smart Card technology [1]. Usage of asymmetric key based cryptographic operations [22, 27] has evolved signicantly and they presently are available on smart cards. Asymmetric key cryptography involves the use of key pair consisting of a private key and a public key both of which can only be used in a one-way operation for a given algorithm. For example, if a 2048-bit RSA public key is used for encoding operation then the corresponding private key can only be used to decode that encrypted data. A key dened for encoding cannot be used for decoding operations. The private key is specic to a user and therefore is used to identify the user based on operation performed by this key. Public key, on the other hand, are in the open domain and available to anybody in the system. This key is used to encrypt data that is meant to be decrypted only by the corresponding private key held by the intended recipient. Public keys are certied by certication authority which is a third party trusted by both sender and recipient. A public key operation is, therefore, performed only after it is extracted from a certicate after verication. Key management thus forms an integral and most important part of any asymmetric key cryptographic solution. But the most elementary criteria for robust implementation of PKI solution is safety and portability of private keys. Implementation of PKI based access control system on smart cards for the Indian Navy is the most suitable solution considering the hierarchy and varied authorizations to be exercised by a large number of personnel. The Access Control Solution has a distributed approach for key generation, card making and commissioning and maintenance of central database of personnel information collated. The users involved at every stage of these processes will be required to authenticate themselves and perform their part of operation using special keys that authorize them to do so. Every activity on the smart 2
15 card is logged and maintained in a database for audit purposes. 1.1 Motivation The identity card presently being used in the Indian Navy has no formidable security feature as would be desired. It relies only on visual security features of the card for identication without authentication. The cards can easily be duplicated and used maliciously. There is a need to move ahead and catch up with the developing smart card technology that provides state-of-the-art solutions for access control and identity management. The evolution of higher levels of security on smart cards by incorporating more advanced algorithms for various cryptographic operations is propelling their increased use in the eld of e-commerce, security, research etc. The use of smart card for a single application such as banking, access control, e-cash etc. have been proven beyond any doubt. But for an organization like the Indian Navy there is immense scope to incorporate many such applications on a single card. As far as the navy is concerned, a number of applications for canteen, medical information, travel details, pay and allowance details etc. developed and managed on the same card at a later date. of the individual can be It is possible to include multiple applications on a single card with dierent levels / requirements of security. For example, in a naval scenario, the same Smart Card based I-Card can be used to gain access to a ship, purchase items from Canteen, avail facilities of a Club membership with automatic billing, access a bank account (in liaison with a bank), reserve a ticket in train (in liaison with Indian Railways) and so on. Armed forces across the world are graduating to the smart card technology and have already gone ahead to implement a number of applications mentioned above. 3
16 It is, therefore, felt that there is an inherent need for the Indian Navy to catch up with the evolving technology. Indian Institute of Technology, Kanpur has successfully undertaken work on developing SCOSTA-CL and its subsequent implementation in National ID cards, Driving license and Vehicle Registration Cards [30], e-passports etc. The institute's current endeavor to build Public key Infrastructure on the existing SCOSTA-CL and thus develop SCOSTA-PKI specications for smart card technology was one of the most motivating factors for undertaking this work. Being government machinery, it was prudent to develop this application on approved National standards and with open technology rather than proprietary solutions to ensure availability of hardware from dierent vendors and prospects of future development in a logical and smooth manner. The existence of a mandate to develop all smart card based application for government projects on SCOSTA has further strengthened the cause of undertaking this development on SCOSTA-PKI and SCOSTA-CL. SCOSTA-PKI and SCOSTA-CL standards are compliant to ISO/IEC 7816 International Standards for Smart Cards in addition to other standards like ISO Type A and B [34, 35] for card communication, ITU-T standard X.509 [14] for Public Key Infrastructure (PKI) for single sign-on and Privilege Management Infrastructure (PMI), PC/SC standards for interface to computer terminal and so on. 1.2 Thesis Statement The goal of this thesis is to design the card layout and authentication protocol for a robust, secure and scalable architecture framework for Smart Cards based Access Control and Management using Public Key Infrastructure for implementation in the Indian Navy. The card layouts and application interfaces are based on SCOSTA-PKI and SCOSTA-CL standards for smart card implementation. The work carried out in 4
17 this thesis towards achieving the above goal may broadly be classied into the following. Design of various user card layouts: Designing layouts of various cards from ROOT CA through intermediate level cards in the issuing mechanism to the end user cards held by every authorized person. Some of the smart cards like ROOT CA and Level 1 CA are specic to an application but the various levels of user cards are general purpose cards for identication and authentication with access rights dened. Design of Protocols for Authentication: The protocols for authentication between a smart card and an interface device for all operations to be performed on the card. 1.3 Related Work Smart card implementations are typically based on the ISO/IES 7816 set of international standards [2, 8]. Although these standards are elaborate and address every aspect of smart card implementations, it was considered necessary to specify some of the ner details more elaborately and do away with any ambiguity before any smart card application was undertaken by the Government of India. This reasoning led to the joint development of SCOSTA specications [1] by IIT Kanpur and National Informatics Center. IIT Kanpur also developed the rst SCOSTA compliant OS in 2001 for smart cards which was used for the National transport application. This OS was, however, limited in its functionality to the requirements of contact smart cards. The SCOSTA compliant OS was subsequently enhanced for compliance to contactless smart cards with support for secure messaging to avoid the possibility of eavesdropping. Although SCOSTA-CL is a well dened specication and caters for any kind of 5
18 smart card implementation, it does not support asymmetric key based cryptography. Lack of support for PKI implementation restricts its usage in large user base scenarios where each user might be required to perform cryptographic operations. IIT Kanpur therefore started work to redene the SCOSTA-CL specications to incorporate PKI functionalities. Initial work on dening the specications for PKI based OS was carried out in a partial level by Venkat Rao Pedapati and Simil Dutta in 2007 [19]. Although this work was not compliant to the ISO/IEC 7816 standards, their development of modular exponentiation using crypto-processor in hardware was a major contribution to SCOSTA OS development. This work was then carried forward by Aditi Gupta in 2008 [16] to develop SCOSTA-PKI specications in compliance with ISO/IEC 7816 standards. Barring a couple of functionalities, it covered detailed explanation for most of the salient aspects of PKI implementation in SCOSTA. Work undertaken by Dheeraj Gedam [17] is underway at IIT Kanpur to plug these inadequacies and complete the SCOSTA-PKI compliant OS implementation. Apart from the constant work being undertaken by IIT Kanpur on developing PKI compliant OS based on the SCOSTA specications, a number of leading companies and eminent individuals have also concentrated their eorts in this direction. Work was done by Konstantinos Markantonakis and Keith Mayes to study the signicance of public key secure channel protocols in smart cards that supported multiple applications [20]. Helena Handschuh and Pascal Paillier carried out detailed analysis of the performance of smart card arithmetic crypto-processors with respect to some of the major public key cryptosystems [29]. 6
19 1.4 Case Studies This section includes a couple of case studies on similar implementation in government agencies across the world. The smart card technology has been used for varied purposes and the acceptance of this evolving eld indicates its potential to grow Common Access Card (CAC) CAC are smart card based identity cards issued by the United States Department of Defense to its personnel [32]. The DoD established a system which included electronic messaging, network identication and authentication (I&A) services, personal identication, electronic commerce functions, and physical access based on these cards. The CAC cards have been issued to serving military personnel, selected reserved personnel, civilian employees, non-dod government employees and state employees of National Guard and selected contractors. More than 1000 decentralized card issuance facilities have been set up by DoD across 27 countries and 2000 workstations which collectively have issued more than 17 million smart cards at the rate of approximately 10k cards per day [32]. The main motivation for adopting such a technology was to ensure information assurance and thus reduce the possibility of fraud related to identity management. The physical and logical access security was expected to open up the possibility of e- commerce and in the long run reduce paper work and transaction time thus improving the overall eciency of the system and cost reduction. Commercially O-The-Shelf (COTS) products were taken and twisted as per DoD requirements to manage cost constraints. Major challenge faced for this implementation was to seamlessly integrate ge- 7
20 ographically distributed and rewall protected military networks without hampering network performance. Establishment of a robust PKI based identication system for such a large user base over the internet is essential and challenging for exchange of sensitive information. Last but not the least, the users have to be educated and trained for migration from old system to the new smart card based system. Easily accessible help desks and eective public relations eorts were thought to be critical for a smooth transition to the new system Singapore Smart Card Standard SSID Singapore has taken a pioneering approach to the implementation of smart cards as its national ID card. With relevance to this objective, it released the National standard for smart card related application termed Singapore Smart Card ID (SSID) or SS 529 standards [33]. This standard is applicable to all government based smart card applications and the associated hardware. It species the data structure layout, security and access conditions for smart cards containing personal information etc. The Singapore government has already deployed an estimated 40,000 smart card readers in government and private organizations. Two of the most important government organizations that have already deployed SS 529 SSID compliant cards and readers include the Civil Aviation Authority of Singapore (CAAS) with card holder strength of 70,000 ID cards at Chengi airport and PSA Singapore terminals with strength of 100,000 ID cards for its port employees. The implementation here is limited to identication and physical access control. Another application based on these standards is the Singpass which is an online portal for card holders to interact with government machinery. The SS 529 SSID is a National standard in line with world standards for smart 8
21 cards and therefore the Singapore government is well placed to bring in a national smart card based IDS card for every activity from access control, personnel monitoring to e-commerce and computer logging. 1.5 Organization of Thesis The rest of the thesis is organized as follows. In Chapter 2 we build a background by discussing SCOSTA-CL and SCOSTA-PKI operating system standards in brief, which essentially is the base for work undertaken. We outline the existing Security and Access Control set up in the Indian Navy in Chapter 3. We also describe various levels of users, their authority of operation and give an insight into some of the security attributes in place. In Chapter 4, we explain the various cards required to be developed for the implementation of the management of the I-Card and the data layout of these cards. In Chapter 5, we describe the various protocols for authentication and for any operation that is required to be performed on a smart card. In Chapter 6, we draw conclusion of the work undertaken and discuss its scope in the future. 9
22 Chapter 2 Background PKI is increasingly being associated with Smart Cards considering the identity and data security that this combination provides. PKI based implementations of identity establishment for a system with large user base wherein each user may perform cryptographic operations is becoming increasingly feasible. Smart Cards with their inherent qualities of tamper resistance, fast cryptographic co-processors, support for multiple-applications, in-built memory, fast and reliable card interface techniques etc. has resulted in their greater acceptance. 2.1 PKI Related Operations PKI implementation requires a key pair used in tandem to carry out cryptographic operation. The key pair includes a private key and a corresponding public key. The private key is strictly private to the allotted user while the public key is in open domain certied by a trusted Certifying Authority (CA). The operations that a PKI system supports include the following. 10
23 Authentication: Challenge-response method is the backbone for authentication to verify and conrm the identity of an entity. A private key operation is performed by an entity to prove its identity. Condentiality: The sender encrypts plain text using the intended recipient's public key. This cipher text can only be decrypted by the receiver that uses the corresponding private key. Certicate Verication: Certicate is a standard data structure used to bind a public key to an entity along with some information such as name, period of validity, algorithm etc. Certicate verication is the process of extracting the public key of an entity using the public key of the CA. The public key thus obtained is trusted by the entity to carry out subsequent cryptographic processes. Integrity and Non-Repudiation: PKI uses Digital signatures to ensure non-repudiation and integrity of the signed data. The data is signed using signer's private key after computation of its hash. The signature verication of this data is done using the signer's public key. The hash value recovered using public key is compared with the hash computed on the received data. Upon a match the receiver is assured of the authenticity of the sender and integrity of the sent data. Session Key Establishment: Asymmetric key algorithms are computationally very intensive as compared to symmetric key algorithms. It is therefore a general practice in PKI implementations to use symmetric key for condentiality and integrity purpose for large data. The asymmetric keys are then used to exchange the symmetric keys. The symmetric keys for the purpose are established for a session between the concerned entities and discarded later. The key usage is restricted to the session that created it. 11
24 2.2 SCOSTA-CL and SCOSTA-PKI The design of entire solution architecture is based on SCOSTA-CL [1] and SCOSTA-PKI [16] specications for smart card operating systems. These specications are compliant to ISO/IEC 7816 set of standards [2, 8]. SCOSTA-PKI is built over SCOSTA-CL specications to cater for asymmetric key cryptography. It species a number of data structures and asymmetric key algorithms that have been incorporated to support PKI in SCOSTA. Some of the salient aspects of these specications are mentioned below. 2.3 SCOSTA-CL SCOSTA-CL is generic specication based on ISO/IEC 7816 international standards and is dened for Smart Card implementations by Government of India. An OS compliant to these specications support symmetric key cryptography in contact and contactless cards. Some of the salient aspects dened by SCOSTA-CL are as follows Basic Data Structure MASTER FILE DEDICATED FILE ELEMENTARY FILE DEDICATED FILE DEDICATED FILE ELEMENTARY FILE ELEMENTARY FILE ELEMENTARY FILE Figure 2.1: A Typical File Layout 12
25 SCOSTA-CL supports two categories of les referred to as Dedicated Files (DF) and Elementary Files (EF).The les are arranged in a tree organization with Master File (MF) as the root. Master File is a kind of DF which must exist prior to the creation of any le on the card. The Master File will have DFs and EFs as its children in the tree. The DFs can further have child DFs and EFs. The size of each of these le is static as dened at the time of creation. Data is stored in EFs in one of the following formats dened in ISO/IEC standard. Transparent EF Linear EF with xed records. Linear EF with variable size records Cyclic EFs with xed size records. Each le is referenced by a 16-bit le identier. The EFs may also have an additional 5-bit short ID. The DFs may also carry a unique name for referring independent of their location in the le system tree. Depending on the format in which data is stored in these les, it may be referenced either by a record number (1 Byte) or by a record ID (1 Byte) in case of records or as a stream of 8-bit data units Security Architecture SCOSTA-CL species access control mechanisms for command and data in compliance to ISO/IEC , ISO/IEC and ISO/IEC standards. It supports security specications at global level, le specic level and command specic level. The security denitions for a card are specied using the following mechanisms. 13
26 Security Attributes Security Attributes of a le are specied in the FCP using Access Mode byte and Security Condition bytes as described in ISO/IEC The AM and SC bytes for a le can be specied either in Compact format or in Expanded format. Security attributes of commands can only be specied in expanded format Security Environment Security attributes may refer to certain security conditions for access control. These conditions are dened in a data structure known as security environments. In SCOSTA- CL the security environment denitions can be stored in a separate EF or in the FCP of a DF. A security environment, as per SCOSTA-CL, is dened using Control Reference Templates (CRT). These CRTs [Table 2.1] are used to dene the conditions and requirements for various card operations. CRT Condentiality Template (CT) Cryptographic Checksum Template (CCT) Authentication template (AT) Digital Signature Template (DST) Hash Template (HT) Remarks Encryption and Decryption. Cryptographic Checksum computation and verication of INTERNAL, EXTERNAL and MUTUAL AUTHENTICATION Digital Signature computation and verication. Hash computation Table 2.1: CRT templates in SCOSTA-CL 14
27 Security Algorithms SCOSTA-CL compliant OS supports various algorithms [Table 2.2] for message digest, condentiality, integrity and authentication. CRT Template to which applicable CT CCT CCT AT (AUTH) AT (AUTH) HT Algorithm 3DES (Enc and Dec) 3DES based CBC Residue (CC Computation and Verication) ISO/IEC Algorithm 3 for MAC using 3DES 3DES based challenge response ISO/IEC Key Establishment Mechanism 6 using 3DES SHA-1 as dened in FIPS-140 Table 2.2: Security algorithms in SCOSTA-CL Security Mechanisms SCOSTA-CL compliant OS supports security mechanisms in compliance to ISO/IEC These security mechanisms include PIN/Password for user authentication, entity authentication (INTERNAL, EXTERNAL and MUTUAL) using keys, data integrity by cryptographic checksum computation and verication, data encipherment and decipherment mechanisms, Hash computation and Secure Messaging to ensure integrity and condentiality during data exchange. 2.4 SCOSTA-PKI SCOSTA-PKI is built upon SCOSTA-CL, and therefore, specications dened in SCOSTA- CL are subset of SCOSTA-PKI. SCOSTA-PKI species additional requirements for PKI 15
28 implementation on smart cards. A SCOSTA-PKI compliant OS supports asymmetric key cryptography only if certain data structures are present in the card PKI Related Data Structures As per SCOSTA-PKI asymmetric key cryptography will be supported on the card only if following data structures are present in the card. Directory of Application (EF.DIR): EF.DIR is an internal transparent elementary le under the Master File and is identied by a pre-dened le identier 2F00. It contains a list of applications supported by the card stored in pre-dened templates. These templates indicate the application ID and some other information along with path to the corresponding DF.CIA. Cryptographic Information Application (DF.CIA): DF.CIA is a directory le of all cryptographic information pertaining to an application. These cryptographic information are stored in various elementary les under the DF.CIA. CIA Information le (CIA.Info EF): CIA.Info le is a mandatory le in DF.CIA (File ID 5032) that contains information about the card and its capabilities as specied in ISO/IEC [9]. The mandatory elds within this le indicate version number and card characteristics. Object Directory le (EF.OD): EF.OD is a mandatory le under DF.CIA (File ID 5031) that contains references to other CIO EFs of the application. CIO Directory les: These les under the DF.CIA are all optional, transparent and for internal use by the OS. They store cryptographic information that refers to actual cryptographic objects like keys and passwords which are themselves stored in some other elementary les. 16
29 2.4.2 Password and Key repository The directory les reference the Password and Keys, for the application, stored in dierent EFs. SCOSTA-PKI denes a format for storing the keys in their respective les whereas PINs and passwords are stored as per SCOSTA-CL specications. There can be upto 31 records in each repository le with each record containing one cryptographic object Operations supported in SCOSTA-PKI SCOSTA-PKI species certain aspects of PKI operations that a compliant OS must support. Some of these operations that require explicit mention are as follows Authentication SCOSTA-PKI supports two algorithms for authentication (INTERNAL/EXTERNAL/MUTUAL), one being a digital signature based and other being encrypted challenge response based algorithm. Either of these algorithms can be implemented on smart cards. Authentication (INTERNAL, EXTERNAL and MUTUAL) based on these algorithms may broadly be explained as below. Signature based authentication: In this algorithm, a challenge is sent to the entity to be authenticated for its signature. The authenticating entity upon receiving the signed challenge veries the signature using the signer's public key. It then compares the value obtained from signature verication with the hash computed on the previously generated challenge. If they match then only the entity is considered authentic. 17
30 Encryption based authentication: In this algorithm, the entity to be authenticated is issued with a challenge encrypted with its public key. This challenge is decrypted by a user holding the corresponding private key and sent back to the authenticating entity. The authenticating entity compares this response with the previously generated challenge. If they match then only the entity is taken as authentic Session Key establishment The computationally intensive asymmetric key based cryptography often establishes a symmetric session key to exchange large encrypted data items [22, 27]. SCOSTA-PKI species a mechanism to establish session key using asymmetric key pairs. The session keys are symmetric keys and may be used for condentiality, integrity or authentication mechanism based on TDES symmetric key cryptography. SCOSTA-PKI species establishment of at least two session keys during a session one for condentiality and other for integrity. Multiple session keys may exist provided they are derived for dierent purposes Authentication with Session Key Establishment SCOSTA-PKI species algorithm for asymmetric key based mutual authentication along with session key establishment. This process generates at least two session keysone for condentiality and another for integrity. The session keys generated thus are for symmetric key use. The condentiality key may be used for encryption, decryption and secure messaging. The integrity key may be used for computation and verication of cryptographic checksum and for secure messaging with message integrity. 18
31 2.4.4 Cryptographic Algorithms in SCOSTA-PKI In addition to algorithms specied by SCOSTA-CL specications, SCOSTA-PKI also supports asymmetric key based algorithms for condentiality, digital signature, authentication and session key derivation. All symmetric key based operations in SCOSTA- PKI are carried out as per TDES algorithm specied in SCOSTA-CL and all asymmetric key based operations are carried out by RSA algorithm Additional Commands in SCOSTA-PKI Some commands of SCOSTA-CL have been suitably enhanced to handle the PKI functionality. These enhancements were essentially made in the command headers to represent PKI related information. ENVELOPE: In SCOSTA-PKI, the ENVELOPE command is supported and is used for transmitting a command APDU in T=0 protocol for extended Lc eld as dened in ISO/IEC [2] and ISO/IEC [3] standards. GET CHALLENGE: A smart card generates a challenge when a GET CHAL- LENGE command is issued to it. This challenge is either in cipher text or plain text depending on the algorithm specied in the command. Ref: ISO/IEC for INS = `0x84'. INTERNAL/EXTERNAL/MUTUAL AUTHENTICATE: These commands carry out the authentication of entities and can specify the algorithm to be used for authentication. Ref: ISO/IEC for INS = `0x88' MSE SET for key derivation: MSE SET can be used for key derivation and setting of other SE parameters as dened in SCOSTA-CL specication. MSE 19
32 SET operation can be used to establish symmetric session keys using asymmetric keys. Ref: ISO/IEC [4] for INS = `0x22' PSO ENCIPHER: This operation deciphers the data transmitted in the command data eld and returns the plain text as response. Ref: ISO/IEC [7] for INS = `0x2A'. PSO DECIPHER: This operation enciphers the data transmitted in the command data eld and returns the cipher text as response. Ref: ISO/IEC [7] for INS = `0x2A'. PSO COMPUTE DIGITAL SIGNATURE: A digital signature is computed by using an algorithm that takes the hash of the message as input and computes the digital signature on it. Ref: ISO/IEC [7] for INS = `0x2A'. PSO VERIFY CERTIFICATE: Certicate verication is carried out by issuing this PSO command. A certicate in X.509 format is passed on to the card in data eld of this command to verify the certicate information. Ref: ISO/IEC [7] for INS = `0x2A' Additional Support for APDU in SCOSTA-PKI SCOSTA-PKI species support for extended length formats for Lc and Le in command APDU as elaborated in ISO/IEC This change in format from SCOSTA-CL is required to handle large data in commands of sizes greater than 255 bytes. PKI cryptography involves handling X.509 certicates and RSA keys in RSA algorithms that are usually larger than 255 bytes. The design of this implementation is based on RSA keys of 2048 bit size. 20
33 Chapter 3 System Requirements The Indian Navy infrastructure is geographically distributed with huge complexity of the system. The I-Card must work across such infrastructure and must provide enhanced security. 3.1 Overview of Existing Security System The Indian Navy is a large organisation that comprises of various establishment, units, oces, aoat ships and vessels, platforms, stations, controlled areas including residential areas spread over across the country. We refer to such establishments as units. Identication and verication of personnel requiring access to any of these units is done manually by checking the I-Cards issued to the person. Instead of technology, there is excessive reliance on manual verication methods that are susceptible to errors due to fatigue, loss of concentration and inability to verify persons when approached in large numbers. In the prevailing security scenario, a requirement exists to improve and augment 21
34 the existing procedure by a Smart Card based system for authentication and Access Control. There is a nagging need felt to plug the loopholes in the internal security system and adopt new technologies for the purpose. 3.2 Distribution of Naval Establishments The Indian Navy has its operational, training and administrative establishments spread across the country with the main concentration of personnel and infrastructure being in Mumbai, Vishakhapatnam, Kochi, Delhi and Port Blair. Additionally, there are an excess of two hundred units spread across the country which also need to be brought under the realm of a central and standard identication and verication system for access control. 3.3 Personnel Involved in Various I-Card Related Activities There is a well dened hierarchy of operation for smooth and accountable execution of responsibilities in various branches of the service. The maintenance of internal security, including I-Card issuance and management, is the responsibility of personnel in the Provost branch of the Indian Navy. Various personnel involved in the process of I-Card related activities may be classied as below. I-Card Making Authority: The senior-most serving ocer of the Provost branch, referred to as Naval Provost Marshal, is the I-Card issuing authority responsible for all I-Cards made in the navy. The signing authority, referred to as Commander-at-Arms, is the person who actually makes all cards and signs each 22
35 of them on behalf of the card issuing authority. There is one such ocer at all card making locations. Regulating Authority: The regulating authority consists of personnel who are in charge of all I-Card related management and security issues. They collect personal information for I-Card and distribute the cards to the card holder. Subsequently, they are responsible for ensuring safety of these cards by conducting regular inspection of cards and card holders in their respective units. Every unit has an ocer, referred to as Regulating Ocer, who is in charge of security management of the unit including matters concerning I-Cards of personnel of that unit. The Regulating Ocer is assisted by a hierarchy of personnel to help in his duties which include reporting loss of I-Card, checking I-Cards for damage and misuse, verify the identity of card holder along with the validity of cards at regular intervals etc. 3.4 Existing Procedure for I-Card Making I-Cards are made only at designated locations under strict control. A person may apply for making a new I-Card if he is a new recruit or if he got promoted or lost/damaged his old I-Card. Dierent users carry dierent I-Cards depending upon whether he is a Naval person, civilian employee, Security personnel, dependent, casual visitor or part of support system in residential areas. The card issuance procedure is more or less similar but the authorities involved may be dierent. In case of service personnel, printing of I-Cards is done centrally at one place. These cards are paper based I-Cards with visual features like watermark [38] and guilloche pattern [39]. Strict accountability and control is maintained over the printed blank cards. They cards are distributed to the card issuing units in Mumbai, Kochi 23
36 and Vishakhapatnam as per their requirements. To make a new I-Card for service personnel, a request is made to the Regulating Ocer of the unit. All details to be reected on the new I-Card along with photograph are furnished in this application which is carefully scrutinized by the head of the applicant's department and Regulating Ocer. The Regulating Ocer forwards this request to the relevant card issuing unit which prints the personal details on the blank card and sends it back to the unit for card personalization. The unit upon receiving this card gets the applicant to furnish his signature and nger print on the card. This completed document is sent back to the card issuing unit which is now signed by the card signing authority with his name and designation. A record of the new card is also made in their archive. The card is laminated and sent back to the unit where the regulating Ocer issues it to the applicant after the old or temporary I-card is revoked. All other I-Cards for Civilian Employees, Dependents and support sta are made and issued by the Regulating Ocer designated for various units. The printing of these cards is done locally and are held with the regulating ocer under his responsibility. Every individual applies for an I-Card with his personal details and photographs which is scrutinized carefully by the regulating sta. The personal details are printed on blank cards and signed by the Regulating Ocer. Control on these cards is maintained by issuing them with limited validity. Temporary I-Cards for defence personnel may be issued in case they are not in possession of a permanent I-Card. These cards are issued to personnel undergoing training or to those who have lost or damaged their permanent I-Card. The procedure for making a temporary I-Card is similar to making the Civilian employees cards as mentioned above. 24
37 3.5 Access Control Setup The prevailing system for access control heavily relies on manual methods of identication and verication. Every individual required to gain physical access presents his I-Card to a sentry at the gate for identication. The sentry visually identies this person based on the photograph carried on his I-Card. The procedure remains unchanged even in case of high security conditions. The movement of personnel at entry/exit points to high security areas is manually logged in registers which makes then very cumbersome for reference in future. As far as logical access control is concerned, there is no established concept of logical access control to the Naval network or any computer. At best these assets are protected by passwords. 3.6 Issues in the Existing System The existing system as explained above has a number of weaknesses which need to be taken care of for enhanced security. They are enumerated below. There is accountability on issuance of I-Cards by the I-Card issuing unit. But there is no mechanism to check the presence of a malicious card in the system. The security attributes on the present cards are all visual and easily replicable. A duplicate card can be easily made. Physical access to a unit is entirely dependent on the manual identication carried out by sentries. Failures due to human error, fatigue and trac handling during peak hours are an alarming bottleneck. No concept of a well dened logical access control. 25
38 System has no mechanism for authenticating an entity. The holder of the paper based I-Card with noticeable visual security feature such as photograph is always considered authentic and granted access. 3.7 Proposed Design with Smart Cards The shift from paper based I-Cards to Smart Cards in line with the prevalent technology is likely to improve the security situation considerably. The entire implementation shall include setting up of hardware and software at all applicable locations as per implementation plan. Every user issued with a smart card will be allowed physical or logical access only after he has been correctly authenticated by the system. Hand-held or wall mounted devices would be used to read and authenticate smart cards at gate for physical access and IFDs at computer terminals for logical access. Dierent types of smart cards are required to be designed in this solution to cater for key management and dierent users in the hierarchy. In addition to a number of advanced visual security features that various technologies such as hologram, laser dots etc. provide, the smart cards will also incorporate high level security for authentication in electronic form with optional biometric verication. This is achieved in the following manner. PKI based implementation for authentication, digital signature and condentiality for user holding unique set of keys. Knowledge based authentication mechanism for individuals by means of PIN/Password. Optional enhanced security feature for logical access by using biometric verications. 26
39 Card stores the information of units, access to which is permitted to the cardholder (Entry Permissions). Only certain users with pre dened permissions on card can change card information Each card will carry two public-private key pairs that would be used for all asymmetric key based operations performed by the card. The authority to perform these operations is assigned based on the key usage information stored in certicates held by the card. A detailed key management plan for the PKI implementation has been designed which elaborates on all entities and operations performed by them. Details of the entities involved and their roles are described later. It is proposed to implement a distributed database with a system to manage all user information and access logs. This data could be made available to authorized users. The central server will refer to this database for data update every time a relevant data is modied or log is obtained. Industrial strength encryption techniques such as RSA, triple DES or AES will be used for storing data. Based on CRL alerts received from any unit, the central server would disseminate lost card information to all other units through CRL updates and globally shared database. 3.8 Security Mechanisms The security mechanisms in line with user requirements that can be implemented using these cards have been described in following paragraphs. 27
Specifications for the Smart-Card Operating System for Transport Applications (SCOSTA)
Specifications for the Smart-Card Operating System for Transport Applications (SCOSTA) Addendum to Version 1.2b dated March 15, 2002 Dated: January 23, 2003 National Informatics Centre Ministry of Communication
More informationDigital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University
Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate
More informationHow To Make A Smart Card Based System Secure And Secure
Solution Architecture for Access Control System in Military Environment Ankur Kulshrestha Department of Computer Science & Engineering Indian Institute of Technology Kanpur July 2009 Solution Architecture
More informationOFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES
OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES Table of contents 1.0 SOFTWARE 1 2.0 HARDWARE 2 3.0 TECHNICAL COMPONENTS 2 3.1 KEY MANAGEMENT
More informationDesign and Implementation of Public Key Infrastructure on Smart Card Operating System
Design and Implementation of Public Key Infrastructure on Smart Card Operating System by Aditi Gupta Department of Computer Science and Engineering Indian Institute of Technology Kanpur 208 016 MAY 2008
More informationThe DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions
The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions May 3, 2004 TABLE OF CONTENTS GENERAL PKI QUESTIONS... 1 1. What is PKI?...1 2. What functionality is provided by a
More informationSmart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public
More informationChapter 15 User Authentication
Chapter 15 User Authentication 2015. 04. 06 Jae Woong Joo SeoulTech (woong07@seoultech.ac.kr) Table of Contents 15.1 Remote User-Authentication Principles 15.2 Remote User-Authentication Using Symmetric
More informationETSI TS 102 176-2 V1.2.1 (2005-07)
TS 102 176-2 V1.2.1 (2005-07) Technical Specification Electronic Signatures and Infrastructures (ESI); Algorithms and Parameters for Secure Electronic Signatures; Part 2: Secure channel protocols and algorithms
More informationOverview of CSS SSL. SSL Cryptography Overview CHAPTER
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers
More informationIntroducing etoken. What is etoken?
Introducing etoken Nirit Bear September 2002 What is etoken? Small & portable reader-less Smartcard Standard USB connectivity Logical and physical protection Tamper evident (vs. tamper proof) Water resistant
More informationAdvanced Authentication
White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is
More informationTrustis FPS PKI Glossary of Terms
Trustis FPS PKI Glossary of Terms The following terminology shall have the definitions as given below: Activation Data Asymmetric Cryptosystem Authentication Certificate Certificate Authority (CA) Certificate
More informationChapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography
Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:
More informationCiphire Mail. Abstract
Ciphire Mail Technical Introduction Abstract Ciphire Mail is cryptographic software providing email encryption and digital signatures. The Ciphire Mail client resides on the user's computer between the
More informationSecureDoc Disk Encryption Cryptographic Engine
SecureDoc Disk Encryption Cryptographic Engine FIPS 140-2 Non-Proprietary Security Policy Abstract: This document specifies Security Policy enforced by SecureDoc Cryptographic Engine compliant with the
More informationPRIME IDENTITY MANAGEMENT CORE
PRIME IDENTITY MANAGEMENT CORE For secure enrollment applications processing and workflow management. PRIME Identity Management Core provides the foundation for any biometric identification platform. It
More informationUnderstanding digital certificates
Understanding digital certificates Mick O Brien and George R S Weir Department of Computer and Information Sciences, University of Strathclyde Glasgow G1 1XH mickobrien137@hotmail.co.uk, george.weir@cis.strath.ac.uk
More informationMeeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)
Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4
More informationVICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui
VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui School of Engineering and Computer Science Te Kura Mātai Pūkaha, Pūrorohiko PO Box 600 Wellington New Zealand Tel: +64 4 463
More informationNeutralus Certification Practices Statement
Neutralus Certification Practices Statement Version 2.8 April, 2013 INDEX INDEX...1 1.0 INTRODUCTION...3 1.1 Overview...3 1.2 Policy Identification...3 1.3 Community & Applicability...3 1.4 Contact Details...3
More informationBiometrics, Tokens, & Public Key Certificates
Biometrics, Tokens, & Public Key Certificates The Merging of Technologies TOKENEER Workstations WS CA WS WS Certificate Authority (CA) L. Reinert S. Luther Information Systems Security Organization Biometrics,
More informationSavitribai Phule Pune University
Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter
More informationDEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0
DEFENSE INFORMATION SYSTEMS AGENCY JOINT INTEROPERABILITY TEST COMMAND FORT HUACHUCA, ARIZONA DEPARTMENT OF DEFENSE PUBLIC KEY INFRASTRUCTURE EXTERNAL CERTIFICATION AUTHORITY MASTER TEST PLAN VERSION 1.0
More informationeid Security Frank Cornelis Architect eid fedict 2008. All rights reserved
eid Security Frank Cornelis Architect eid The eid Project > Provides Belgian Citizens with an electronic identity card. > Gives Belgian Citizens a device to claim their identity in the new digital age.
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationUsing etoken for SSL Web Authentication. SSL V3.0 Overview
Using etoken for SSL Web Authentication Lesson 12 April 2004 etoken Certification Course SSL V3.0 Overview Secure Sockets Layer protocol, version 3.0 Provides communication privacy over the internet. Prevents
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure
More informationesign Online Digital Signature Service
esign Online Digital Signature Service Government of India Ministry of Communications and Information Technology Department of Electronics and Information Technology Controller of Certifying Authorities
More informationFighting product clones through digital signatures
Paul Curtis, Katrin Berkenkopf Embedded Experts Team, SEGGER Microcontroller Fighting product clones through digital signatures Product piracy and forgery are growing problems that not only decrease turnover
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationCertificates. Noah Zani, Tim Strasser, Andrés Baumeler
Certificates Noah Zani, Tim Strasser, Andrés Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate
More informationesign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?
esign FAQ 1. What is the online esign Electronic Signature Service? esign Electronic Signature Service is an innovative initiative for allowing easy, efficient, and secure signing of electronic documents
More informationLecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution.
Lecture slides by Lawrie Brown for Cryptography and Network Security, 5/e, by William Stallings, Chapter 14 Key Management and Distribution. 1 Opening quote. 2 The topics of cryptographic key management
More informationPrivyLink Cryptographic Key Server *
WHITE PAPER PrivyLink Cryptographic Key * Tamper Resistant Protection of Key Information Assets for Preserving and Delivering End-to-End Trust and Values in e-businesses September 2003 E-commerce technology
More information10 Secure Electronic Transactions: Overview, Capabilities, and Current Status
10 Secure Electronic Transactions: Overview, Capabilities, and Current Status Gordon Agnew A&F Consulting, and University of Waterloo, Ontario, Canada 10.1 Introduction Until recently, there were two primary
More informationMANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But
More informationRELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release 2.12.9 - corrections. ADYTON Release 2.12.
Table of Contents Scope of the Document... 1 [Latest Official] ADYTON Release 2.12.9... 1 ADYTON Release 2.12.4... 1 ADYTON Release 2.9.3... 3 ADYTON Release 2.7.7... 3 ADYTON Release 2.6.2... 4 ADYTON
More informationMANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s
More informationComplying with PCI Data Security
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
More informationCALIFORNIA SOFTWARE LABS
; Digital Signatures and PKCS#11 Smart Cards Concepts, Issues and some Programming Details CALIFORNIA SOFTWARE LABS R E A L I Z E Y O U R I D E A S California Software Labs 6800 Koll Center Parkway, Suite
More informationThe Convergence of IT Security and Physical Access Control
The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which
More informationState of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008
State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008 Background In the last ten years Arkansas has enacted several laws to facilitate electronic transactions
More informationPublic Key Infrastructure for a Higher Education Environment
Public Key Infrastructure for a Higher Education Environment Eric Madden and Michael Jeffers 12/13/2001 ECE 646 Agenda Architectural Design Hierarchy Certificate Authority Key Management Applications/Hardware
More informationIBM Crypto Server Management General Information Manual
CSM-1000-0 IBM Crypto Server Management General Information Manual Notices The functions described in this document are IBM property, and can only be used, if they are a part of an agreement with IBM.
More informationPart I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
More informationAuthentication Application
Authentication Application KERBEROS In an open distributed environment servers to be able to restrict access to authorized users to be able to authenticate requests for service a workstation cannot be
More informationKey Management Interoperability Protocol (KMIP)
(KMIP) Addressing the Need for Standardization in Enterprise Key Management Version 1.0, May 20, 2009 Copyright 2009 by the Organization for the Advancement of Structured Information Standards (OASIS).
More informationSecurity Digital Certificate Manager
System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure
More informationAn Introduction to Cryptography as Applied to the Smart Grid
An Introduction to Cryptography as Applied to the Smart Grid Jacques Benoit, Cooper Power Systems Western Power Delivery Automation Conference Spokane, Washington March 2011 Agenda > Introduction > Symmetric
More informationDIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES
DIGITAL RIGHTS MANAGEMENT SYSTEM FOR MULTIMEDIA FILES Saiprasad Dhumal * Prof. K.K. Joshi Prof Sowmiya Raksha VJTI, Mumbai. VJTI, Mumbai VJTI, Mumbai. Abstract piracy of digital content is a one of the
More informationGuidelines on use of encryption to protect person identifiable and sensitive information
Guidelines on use of encryption to protect person identifiable and sensitive information 1. Introduction David Nicholson, NHS Chief Executive, has directed that there should be no transfers of unencrypted
More informationFrequently Asked Questions (FAQs) SIPRNet Hardware Token
Air Force Public Key Infrastructure System Program Office (ESC/HNCDP) Phone: 210-925-2562 / DSN: 945-2562 Web: https://afpki.lackland.af.mil Frequently Asked Questions (FAQs) SIPRNet Hardware Token Updated:
More informationSecure web transactions system
Secure web transactions system TRUSTED WEB SECURITY MODEL Recently, as the generally accepted model in Internet application development, three-tier or multi-tier applications are used. Moreover, new trends
More informationCS 356 Lecture 28 Internet Authentication. Spring 2013
CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationINTRODUCTION to CRYPTOGRAPHY & CRYPTOGRAPHIC SERVICES on Z/OS BOSTON UNIVERSITY SECURITY CAMP MARCH 14, 2003
INTRODUCTION to CRYPTOGRAPHY & CRYPTOGRAPHIC SERVICES on Z/OS BOSTON UNIVERSITY SECURITY CAMP MARCH 14, 2003 History of Cryptography The concept of securing messages through cryptography has a long history.
More informationWhat Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012
Federal CIO Council Information Security and Identity Management Committee IDManagement.gov What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form December 3, 2012 HSPD-12
More informationaddressed. Specifically, a multi-biometric cryptosystem based on the fuzzy commitment scheme, in which a crypto-biometric key is derived from
Preface In the last decade biometrics has emerged as a valuable means to automatically recognize people, on the base is of their either physiological or behavioral characteristics, due to several inherent
More information7 Key Management and PKIs
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 7 Key Management and PKIs 7.1 Key Management Key Management For any use of cryptography, keys must be handled correctly. Symmetric keys must be kept secret.
More informationController of Certification Authorities of Mauritius
Contents Pg. Introduction 2 Public key Infrastructure Basics 2 What is Public Key Infrastructure (PKI)? 2 What are Digital Signatures? 3 Salient features of the Electronic Transactions Act 2000 (as amended)
More informationSecurity Digital Certificate Manager
IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,
More informationCryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture
More informationDigital Certificates Demystified
Digital Certificates Demystified Alyson Comer IBM Corporation System SSL Development Endicott, NY Email: comera@us.ibm.com February 7 th, 2013 Session 12534 (C) 2012, 2013 IBM Corporation Trademarks The
More informationCERTIFICATION PRACTICE STATEMENT UPDATE
CERTIFICATION PRACTICE STATEMENT UPDATE Reference: IZENPE-CPS UPDATE Version no: v 5.03 Date: 10th March 2015 IZENPE 2015 This document is the property of Izenpe. It may only be reproduced in its entirety.
More informationMobile OTPK Technology for Online Digital Signatures. Dec 15, 2015
Mobile OTPK Technology for Online Digital Signatures Dec 15, 2015 Presentation Agenda The presentation will cover Background Traditional PKI What are the issued faced? Alternative technology Introduction
More informationDanske Bank Group Certificate Policy
Document history Version Date Remarks 1.0 19-05-2011 finalized 1.01 15-11-2012 URL updated after web page restructuring. 2 Table of Contents 1. Introduction... 4 2. Policy administration... 4 2.1 Overview...
More informationThe Convergence of IT Security and Physical Access Control
The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which
More informationApple Corporate Email Certificates Certificate Policy and Certification Practice Statement. Apple Inc.
Apple Inc. Certificate Policy and Certification Practice Statement Version 2.0 Effective Date: April 10, 2015 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2. Table of acronyms... 4 1.3.
More informationChapter 10. Cloud Security Mechanisms
Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based
More informationEUCIP - IT Administrator. Module 5 IT Security. Version 2.0
EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single
More informationThe Encryption Anywhere Data Protection Platform
The Encryption Anywhere Data Protection Platform A Technical White Paper 5 December 2005 475 Brannan Street, Suite 400, San Francisco CA 94107-5421 800-440-0419 415-683-2200 Fax 415-683-2349 For more information,
More informationCard Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006
Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates September 2006 Copyright 2006 Entrust. All rights reserved. www.entrust.com Entrust is a registered trademark
More informationNEMA Standards Publication PS 3 Supplement 41. Digital Imaging and Communications in Medicine (DICOM) Digital Signatures
NEMA Standards Publication PS 3 Supplement 1 Digital Imaging and Communications in Medicine (DICOM) Digital Signatures Status: Final Text Sep 001 Prepared by DICOM Standards Committee, Working Group 1
More informationIntroduction to Network Security Key Management and Distribution
Introduction to Network Security Key Management and Distribution Egemen K. Çetinkaya Department of Electrical & Computer Engineering Missouri University of Science and Technology cetinkayae@mst.edu http://web.mst.edu/~cetinkayae/teaching/cpe5420fall2015
More informationBrocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1
PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority
More informationRF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards
RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards January 2007 Developed by: Smart Card Alliance Identity Council RF-Enabled Applications and Technology:
More informationTeamViewer Security Information
TeamViewer Security Information 2014 TeamViewer GmbH, Last update: 05/2014 Target Group This document is aimed at professional network administrators. The information in this document is of a rather technical
More informationRights Management Services
www.css-security.com 425.216.0720 WHITE PAPER Microsoft Windows (RMS) provides authors and owners the ability to control how they use and distribute their digital content when using rights-enabled applications,
More informationSecurity. 2014 Yokogawa Users Group Conference & Exhibition Copyright Yokogawa Electric Corporation Sept. 9-11, 2014 Houston, TX - 1 -
Security - 1 - OPC UA - Security Security Access control Wide adoption of OPC SCADA & DCS Embedded devices Performance Internet Scalability MES Firewalls ERP Communication between distributed systems OPC
More informationACER ProShield. Table of Contents
ACER ProShield Table of Contents Revision History... 3 Legal Notices... 4 Executive Summary... 5 Introduction... 5 Protection against unauthorized access... 6 Why ACER ProShield... 7 ACER ProShield...
More informationGlobalPlatform. Card Specification. Version 2.2
GlobalPlatform Card Specification Version 2.2 March 2006 Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights or other intellectual property
More informationFunctional Specification of the OpenPGP application on ISO Smart Card Operating Systems
Functional Specification of the OpenPGP application on ISO Smart Card Operating Systems Version 2.0.1 Author: Achim Pietig 2009 April 22 Author: Achim Pietig Lippstädter Weg 14 32756 Detmold Germany Email:
More informationArchitecture for Issuing DoD Mobile Derived Credentials. David A. Sowers. Master of Science In Computer Engineering
Architecture for Issuing DoD Mobile Derived Credentials David A. Sowers Thesis submitted to the faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements
More informationSLE66CX322P or SLE66CX642P / CardOS V4.2B FIPS with Application for Digital Signature
Security Confirmation and Report T-Systems.02192.TE.08.2007 SLE66CX322P or SLE66CX642P / CardOS V4.2B FIPS with Application for Digital Signature Siemens AG Confirmation concerning Products for Qualified
More informationCryptography and Network Security Chapter 14
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture
More informationMANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both.
More informationArchived NIST Technical Series Publication
Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated
More informationDr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C
Cunsheng Ding, HKUST Lecture 06: Public-Key Infrastructure Main Topics of this Lecture 1. Digital certificate 2. Certificate authority (CA) 3. Public key infrastructure (PKI) Page 1 Part I: Digital Certificates
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationCRYPTOGRAPHY IN NETWORK SECURITY
ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can
More informationIntroduction to Public Key Technology and the Federal PKI Infrastructure 26 February 2001
Introduction to Public Key Technology and the Federal PKI Infrastructure 26 February 2001 D. Richard Kuhn Vincent C. Hu W. Timothy Polk Shu-Jen Chang National Institute of Standards and Technology, 2001.
More informationElectronic and Digital Signatures
Summary The advent of e-government and e-services has changed the way state agencies and local government offices do business. As a result, electronic systems and processes have become as important as
More informationDigital Signatures in a PDF
This document describes how digital signatures are represented in a PDF document and what signature-related features the PDF language supports. Adobe Reader and Acrobat have implemented all of PDF s features
More informationI N F O R M A T I O N S E C U R I T Y
NIST Special Publication 800-78-2 DRAFT Cryptographic Algorithms and Key Sizes for Personal Identity Verification W. Timothy Polk Donna F. Dodson William. E. Burr I N F O R M A T I O N S E C U R I T Y
More informationEnova X-Wall LX Frequently Asked Questions
Enova X-Wall LX Frequently Asked Questions Q: What is X-Wall LX? A: X-Wall LX is the third generation of Enova real-time hard drive cryptographic gateway ASIC (Application Specific Integrated Circuit)
More informationAN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES
HYBRID RSA-AES ENCRYPTION FOR WEB SERVICES AN IMPLEMENTATION OF HYBRID ENCRYPTION-DECRYPTION (RSA WITH AES AND SHA256) FOR USE IN DATA EXCHANGE BETWEEN CLIENT APPLICATIONS AND WEB SERVICES Kalyani Ganesh
More informationFixity Checks: Checksums, Message Digests and Digital Signatures Audrey Novak, ILTS Digital Preservation Committee November 2006
Fixity Checks: Checksums, Message Digests and Digital Signatures Audrey Novak, ILTS Digital Preservation Committee November 2006 Introduction: Fixity, in preservation terms, means that the digital object
More informationPrivyLink Internet Application Security Environment *
WHITE PAPER PrivyLink Internet Application Security Environment * The End-to-end Security Solution for Internet Applications September 2003 The potential business advantages of the Internet are immense.
More informationPublic Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13)
Public Key Cryptography in Practice c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) How Cryptography is Used in Applications The main drawback of public key cryptography is the inherent
More information