Page 1. Smart Card Applications. Lecture 7: Prof. Sead Muftic Matei Ciobanu Morogan. Lecture 7 : Lecture 7 : Smart Card Applications

Transcription

1 in Open Distributed Processing s 1 in Open Distributed Processing s 2 Prof. Sead Muftic Matei Ciobanu Morogan Lecture 7: 1 2 in Open Distributed Processing s 3 in Open Distributed Processing s Smart s Applications 1. Personal Identity Verification (PIV) 2. Smart access card logical security 3. Physical access control card. Secure banking applications, including purse (EMV). Secure WAP application. Ticketing 7. Memberships loyalty programs 8. Medical application 9. Training and certification 3 in Open Distributed Processing s in Open Distributed Processing s Generic smart card application (PKCS#1) Pointer references in PKCS#1 application DIR EF(DIR) Generic PKCS #1 Application DF(Generic PKCS #1 Application) Token Info Unused Space ODF EF(TokenInfo) EF(Unused Space) EF(ODF) PrKDF PuKDF TPuKDF SKDF CDF TCDF UCDF DODF AODF EF(PrKDF) EF(PuKDF) EF(CDF) EF(SKDF) EF(DODF) PrK PuK SK Cert DO AO EF(TPuKDF) EF(TCDF) EF(UCDF) EF(AODF) EF(PrK) EF(PuK) EF(Cert) EF(SK) EF(AO) EF(DO) Page 1 1

2 in Open Distributed Processing s 7 in Open Distributed Processing s 8 Multiple smart card applications Joint issuers shared data EF(DIR) DIR DF(EID) Generic PKCS#1 #1 Application_1 EF(TokenInfo) EF(Unused Space) EF(ODF) Token Info Unused Space ODF EF(PrKDF) EF(PuKDF) EF(CDF) EF(SKDF) EF(DODF) PrKDF PuKDF TPuKDF SKDF CDF TCDF UCDF DODF AODF x2 EF(TPuKDF) EF(TCDF) x2 EF(UCDF) EF(AODF) x2 PrK PuK SK Cert DO AO EF(PrK) EF(PuK) EF(Cert) EF(SK) EF(AO) EF(Personal Info) DF(Any Other PKCS #1 Application) PKCS#1 Application_2 EF(TokenInfo) EF(ODF) EF(DODF) PKCS#1 Application_3 EF(Application Specific DO's) 7 8 in Open Distributed Processing s 9 in Open Distributed Processing s 10 Components of Java card Combined Java cards 9 10 in Open Distributed Processing s 11 in Open Distributed Processing s 12 Java card framework (JCRE) Downloading applets into a card Functions of the JCRE : Providing services to applets : - installation - registration - selection - deselection. Provision of services to applications in the card reader Packages include java.lang, javacard.framework, javacardx.security and javacardx.crypto Page 2 2

3 in Open Distributed Processing s 13 in Open Distributed Processing s 1 Dynamic applets management 13 1 in Open Distributed Processing s 1 in Open Distributed Processing s 1 PIV (FIPS 201) Management PIV Roles and Request Processing Issuance and Management Access Control PKI Directory & Certificate Status Responder Physical Access Control I&A Data Physical Resource Approval Authority OPM/FBI Identity Proofing & Registration Issuance & Maintenance PKI Key Management Logical Access Control I&A Logical Resource Reader / Writer I&A - Identification & Authentication Data Applicant Sponsor Registrar Adjudicator Issuer Owner holder PIN Input Device Biometric Reader Request Approved Request Completed Request Background Check Physical Access Control 1 PIV Front-End 1 Logical Access Control (PIV Authentication Protocols) in Open Distributed Processing s 17 in Open Distributed Processing s 18 PIV Architecture Enrollment Station Shared Services Environment Agency SIP OPM/FBI Agency IDMS Printing (Personalization) CA Enrollment Finalization Station ( Personalization) Agency Enrollment Station Activation Station Page 3 3

4 in Open Distributed Processing s 19 Enrollment Station IDMS X.00 SAML in Open Distributed Processing s IPS 20 Directory PIV Architecture Central IDMS PKI CA XML/SAML IPS Manager IDMS SAML PIV Requests BioDocs Enroll Approval Authority IPS WorkFlow PIV Roles PIV Requests PIV BioDocs s /Print /Personalization IPS IDMS XML/SAML IPS Issuer P/P Forms Forms Engine Enterprise Services Bus (ESB) PIV Requests s IPS SOAP/SAML/SSL SOAP/SAML/SSL PIV Desktop LACS Sponsor Registrar Adjudicator PC/Browser Enrollment Station Adjudication Station Activator Activation Station Usage Applicant PACS in Open Distributed Processing X.00 s 21 IDMS SAML ESC Directory PIV Architecture Flow of PIV Requests in Open Distributed Processing s 22 Manager IDMS PKI CA XML/SAML ESC SIP Approval Authority PIV Roles PIV Requests PIV BioDocs s 7 Enroll PIV Requests PIV BioDocs IDMS SAML ESC IDMS XML/SAML ESC Printing/Personalization PIV Requests s 8 PIV Desktop 9 LACS Sponsor Registrar Adjudicator Issuer Applicant 21 PC/Browser Enrollment Station Adjudication Station Activation Station Usage PACS 22 in Open Distributed Processing s 23 in Open Distributed Processing s 2 Application (Applet) FIPS 201 PIV Client APIs PIV mandatory and optional data objects: Capability Container Holder Unique Identifier X.09 Cert for PIV Authentication Holder Fingerprint I Holder Fingerprint II Object Holder Facial Image Printed Information X.09 Cert for PIV Digital Signature X.09 Cert for PIV Key Management X.09 Cert for Authentication 23 2 Page

5 in Open Distributed Processing s 2 in Open Distributed Processing s 2 Middleware APIs and SDK Applications, Middleware and s 2 Java OCF object methods: PIV Client APIs: GSC Basic Services Interface: Application CCI: onecard = OneCARD.newInstance(); onecard.close(); onecard.selectapplet("a "); onecard.chekpin( ); pivconnect() pivdisconnect() pivselectapplication() pivlogintoapplication() gscbsiutilconnect() gscbsiutildisconnect() SELECT GET DATA VERIFY 2 Smart s Middleware SC Applications Win Login (Local) PIV CSP PKCS#11 CAC OTP Win Login (Remote) PIV + PIV + FoA Outlook I Explorer W Explorer Acrobat Thunderbird Firefox Applications APIs SC APDUs PIV + MoC MoC Other CAC TWIC FRAC RT in Open Distributed Processing s 27 in Open Distributed Processing s 28 Windows Login in Open Distributed Processing s 29 in Open Distributed Processing s 30 Integration with Windows Explorer Certificate Chain Domain Administrator Domain Registration LDAP/X.00 Directory PKI Certificate Authority Smart Administrator (or ) (or Client) Certificate Chain Private Key Public Key Page

6 in Open Distributed Processing s 31 in Open Distributed Processing s 32 Client (Workstation) Mobility bob.wright@company.com Client Signed Client Client Hello Bob: You may sign and encrypt your using smart card. Chris 31 Supported applications: authentication based on Application Microsoft Windows login, Secure (S/MIME) for Microsoft Outlook and Secure browser (SSL) for Microsoft Internet Explorer using SC CSP 32 Private Key Private Key Public Key Public Key Full PKI certificate chain stored in the card enables user mobility ity and cross domain single sign on protocol in Open Distributed Processing s 33 in Open Distributed Processing s 3 EMV Europay, Mastercard and Visa Standard for smartcard based payment applications Insures global interoperability of smartcards, terminals and applications Based on ISO 781 High-level API: not only basic communication protocol, but also identification and interoperability of common applications in terminal and card 33 3 in Open Distributed Processing s 3 in Open Distributed Processing s 3 EMV Interoperability EMV Requirements A reader will be able to process any payment card regardless of: payment scheme location device technology EMV Level 1 Requirements: Minimum requirements that smarcards and readers must meet in order to communicate to each other Physical characteristics Logical interface Transmission protocols Based on ISO 781 Debit Credit On-line 3 3 Page

7 in Open Distributed Processing s 37 in Open Distributed Processing s 38 EMV Requirements EMV Conclusions EMV Level 2 Requirements: Standard way of performing debit and credit transactions once the physical contact has been established Application selection (multi-application support) Data elements Commands Global standard for migration from magnetic strip credit cards to chip based credit cards Multi-application capable High interoperability (ATM, Point-of-Sale) Capable of on-line transactions in Open Distributed Processing s 39 in Open Distributed Processing s 0 Questions 39 0? Page 7 7