Ebook Design and Implementation of Public Key Infrastructure on Smart Card Operating System

Submitted by puput on Wed, 09/02/2009 - 02:37

Integrated circuit cards (ICC) or smart cards are credit-card sized plastic cards embedded with a memory chip for data storage and optionally a microprocessor to provide processing capabilities. Smart cards which provide only data storage capabilities are known as memory based smart cards, while smart cards which also have processing capabilities are known as microprocessor based smart cards. A microprocessor based smart card executes a software component such as an operating system, and hence complex logic and algorithms can be built into it. In this document, the term “smart card” shall be used to refer implicitly to a microprocessor based smart card. Interaction with a smart card is carried out using specialized hardware called an interface device (IFD), more commonly known as a smart card reader. A smart card does not have its own power supply and needs an external power source to power it up. This external power is supplied by the smart card reader. The communication between a smart card and a reader can occur either in contact mode or in contactless mode. In contact mode, the contact card is inserted into the reader with a mating contact, and the electric circuit completed by this physical contact is used to power up the card. In contactless mode, the contactless card is placed in the RFID field of the reader, which is then used to power up the card. Smart cards are small and easy to handle, which makes them very usable in everyday applications.

Security is a major concern in many everyday applications such as e-commerce. Most of these applications require secure and confidential data exchange, mechanisms to detect tampering or modification of data, verification of origin integrity, and so on. Various cryptographic mechanisms are required to establish a secure trusted environment or to operate securely in a non-trusted medium. These requirements can be addressed by the use of either symmetric-key based or asymmetric-key based cryptographic techniques. A public key infrastructure (PKI) is a framework which uses the capabilities of asymmetric key cryptography, also known as public key cryptography (PKC). PKC involves a pair of cryptographic keys called the private key and the public key.

A private key is known only to the owner of the key, while the public key can be distributed freely. Decryption and signature computation are the two operations that an entity performs using its private key, while encryption and digital signature verification are carried out using the corresponding public key. PKI builds on PKC to support functionality such as digital signatures, origin integrity, and certificates for the genuineness of the public key.

Smart cards are an ideal medium for use with PKI applications. Smart cards provide secure storage of confidential data and are capable of executing complex cryptographic algorithms. They provide secure storage for private keys and are resistant to tampering. Some smart cards have dedicated co-processors (cryptoprocessors) for executing cryptographic algorithms, which make cryptographic computations much faster and more efficient. Smart cards can be used as authorization media and encryption modules. They offer a high degree of reliability and safeguard against unauthorized modification of protected data such as private keys.

Contents

Certificate
Abstract
Acknowledgements
List of Figures
List of Tables
Abbreviations
1 Introduction

    1.1 Motivation
    1.2 Related Work
    1.3 Thesis Objective
    1.4 Thesis Organization

2 Background
2.1 Smart Card Communication Structure
2.2 File System
2.3 Security Architecture

    2.3.1 Security Status
    2.3.2 Security Attributes
    2.3.3 Security Environment
    2.3.4 Security Algorithms
    2.3.5 Security Mechanisms

2.4 Password and Key Repository
2.5 Security Mechanisms in SCOSTA-CL

    2.5.1 Encryption and Decryption
    2.5.2 Cryptographic Checksum
    2.5.3 Secure Messaging
    2.5.4 Session Key Derivation
    2.5.5 Authentication

2.6 Overview of Public Key Cryptography

    2.6.1 RSA Cryptosystem
    2.6.2 Primitive Cryptographic Operations
    2.6.3 Encryption and Decryption Operations
    2.6.4 Digital Signature
    2.6.5 Certificate Verification

3 Design for PKI Support
3.1 PKI-related Operations

    3.1.1 Authentication
    3.1.2 Session Key Establishment
    3.1.3 Authentication with Session Key Establishment
    3.1.4 Computation of Digital Signature
    3.1.5 Encryption and Decryption
    3.1.6 Certificate Verification

3.2 PKI-related Data Structure

    3.2.1 Overview
    3.2.2 Directory of Applications (EF.DIR)
    3.2.3 Cryptographic Information Application (DF.CIA)
    3.2.3.1 Overview
    3.2.3.2 CIA Information File (CIAInfo EF)
    3.2.3.3 Object Directory File (EF.OD)
    3.2.3.4 CIO Directory Files

3.3 Application Identification and Selection

    3.3.1 Application Identification
    3.3.2 Application Selection
    3.3.3 Common Scenarios

3.4 Key/Password Storage and Retrieval

    3.4.1 Passwords and Symmetric keys
    3.4.2 Private Keys
    3.4.3 Public Keys
    3.4.3.1 Retrieval of Public Key for VERIFY CERTIFICATE command
    3.4.3.2 Retrieval of Public Key for Other Commands
    3.4.4 Common Scenarios

3.5 Operations Supported in SCOSTA-PKI

    3.5.1 Authentication
    3.5.1.1 External Authentication
    3.5.1.2 Internal Authentication
    3.5.1.3 Mutual Authentication
    3.5.2 Session Key Establishment
    3.5.3 Authentication and Session Key Establishment

3.6 Cryptographic Algorithms in SCOSTA-PKI

    3.6.1 Algorithms for Confidentiality
    3.6.2 Algorithms for Authentication
    3.6.3 Algorithms for Digital Signature

3.7 SCOSTA-CL Commands Requiring Modifications in SCOSTA-PKI

    3.7.1 ENVELOPE
    3.7.2 GET CHALLENGE
    3.7.3 EXTERNAL/ INTERNAL/ MUTUAL AUTHENTICATE
    3.7.4 MSE SET for key derivation
    3.7.5 PSO DECIPHER
    3.7.6 PSO ENCIPHER
    3.7.7 PSO COMPUTE DIGITAL SIGNATURE
    3.7.8 PSO VERIFY CERTIFICATE

3.8 Additional Support for APDU in SCOSTA-PKI
4 Implementation
4.1 Support for Generic Data Objects
4.2 Extended Lc and Le
4.3 Application Identification and Selection
4.4 Storage and Retrieval of Cryptographic Information
4.5 Cryptographic Operations

    4.5.1 Encryption Schemes
    4.5.1.1 RSAES-PKCS1-v1_5 Scheme
    4.5.1.2 RSAES-OAEP Scheme

4.6 Security Commands Modified
4.7 Other Implementation Details

    4.7.1 Conversion from 2-byte EEPROM Address to a Generic EEPROM Address
    4.7.2 DES in Hardware

5 Testing
6 Conclusion and Future Work
A ASN.1 module

    A.1 Common Data Types
    A.1.1 Path Data Type
    A.1.2 ObjectValue Data Type
    A.1.3 RSAPublicKey Data Type
    A.1.4 RSAPrivateKey Data Type
    A.1.5 AlgorithmIdentifier Data Type
    A.1.6 Name Data Type

A.2 The CIO Type
A.3 Keys

    A.3.1 Private Keys
    A.3.2 Public Keys
    A.3.3 Secret Keys

A.4 Authentication Objects
A.5 Certificates
Bibliography
