BS EN 419212-2:2014

$215.11

Application Interface for smart cards used as Secure Signature Creation Devices – Additional services

Published By	Publication Date	Number of Pages
BSI	2014	130

Guaranteed Safe Checkout

Categories: 35.240.15 - Identification cards. Chip cards. Biometrics, BSI

If you have any questions, feel free to reach out to our online customer service team by clicking on the bottom right corner. We’re here to assist you 24/7.
Email:[email protected]

Description

This European Standard contains Identification, Authentication and Digital Signature (IAS) services in addition to the SSCD mechanisms already described in EN 419212-1 to enable interoperability and usage for IAS services on a national or European level. It also specifies additional mechanisms like key decipherment, Client Server authentication, identity management and privacy related services.

PDF Catalog

PDF Pages	PDF Title
4	Contents
7	Foreword
9	1 Scope 2 Normative references 3 Terms and definitions
11	4 Abbreviations and notation
13	5 Additional Service Selection
16	6 Client/Server Authentication 6.1 Client/Server protocols
17	6.2 Steps preceding the client/server authentication 6.3 Padding format 6.3.1 PKCS #1 v 1-5 Padding
18	6.3.2 PKCS #1 V 2.x (PSS) Padding
19	6.3.3 Building the DSI on ECDSA
20	6.4 Client/Server protocol 6.4.1 Step 1 — Read certificate
21	6.4.2 Step 2 — Set signing key for client/server internal authentication
22	6.4.3 Step 3 — Internal authentication
24	6.4.4 Client/Server authentication execution flow
26	6.4.5 Command data field for the client server authentication 6.4.5.1 RSA 6.4.5.2 ECDSA 6.4.5.3 Other algorithms
27	7 Role Authentication 7.1 Role Authentication of the card 7.2 Role Authentication of the server 7.3 Symmetrical external authentication 7.3.1 Protocol
28	7.3.1.1 Keys definition 7.3.1.2 Naming rules
29	7.3.1.3 Step 1 — Read key exchange parameters
30	7.3.1.4 Step 2 — Select Key for symmetrical external authentication
31	7.3.1.5 Step 3 — Challenge generation 7.3.1.6 Step 4 — External authentication
32	7.3.2 Description of the cryptographic mechanisms 7.3.3 Role description
33	7.4 Asymmetric external authentication 7.4.1 Protocol based on RSA 7.4.1.1 Step 1 — Success certificate verification
34	7.4.1.2 Step 2 — Selection of verification key PuK.IFD.RA 7.4.1.3 Step 3 — Get Challenge
35	7.4.1.4 Step 4 — External authentication 7.4.1.5 Role description
36	7.4.2 Protocol based on modular Enhanced Role Authentication (mERA)
41	7.4.2.1 Step A — Set the cryptographic context
42	7.4.2.2 Step B – Get challenge
43	7.4.2.3 Step C – GENERAL AUTHENTICATE (C1)
44	7.4.2.4 Stage 3 – Internal authentication of the ICC (C2)
45	7.4.2.5 Step D – Certificate verification
46	7.4.2.6 Step E – Retrieval of public parameters for key agreement
47	7.4.2.7 Step F – Key Agreement
49	7.4.2.8 Cryptographic suites
50	7.4.2.9 Certificate format
51	8 Symmetric key transmission between a remote server and the ICC 8.1 Steps preceding the key transport 8.2 Key encryption with RSA
52	8.2.1 PKCS#1 v1.5 padding 8.2.2 OAEP padding
53	8.2.3 Execution flow
54	8.2.3.1 Step 1 — Set deciphering key
55	8.2.3.2 Step 2 — Decipher key
56	8.3 Diffie-Hellman key exchange for key encipherment
58	8.3.1 Execution flow 8.3.1.1 Step 1: Select DH encryption key
59	8.3.1.2 Step 2: Derivation of the shared secret.
60	9 Signature verification 9.1 Signature verification execution flow
61	9.1.1 Step 1: Receive Hash
62	9.1.2 Step 2: Select verification key
63	9.1.3 Step 3: Verify digital signature
64	10 Certificates for additional services 10.1 File structure
65	10.2 EF.C_X509.CH.DS 10.3 EF.C.CH.AUT 10.4 EF.C.CH.KE 10.5 Reading Certificates and the public key of CAs
67	11 Privacy Context functions 11.1 Introduction 11.2 Auxiliary Data Comparison
68	11.2.1 Presentation of the auxiliary data
70	11.2.2 Age Verification
71	11.2.3 Document Validation
72	11.3 Restricted Identification
75	11.3.1 Command APDU for Step RI:1
76	11.3.2 Command APDU for Step RI:2
79	11.4 eServices with trusted third party protocol
80	11.4.1 mERA-based eServices with trusted third party protocol
81	11.4.1.1 Authentication steps
83	11.4.1.2 Step 2: Verify PIN 11.4.1.3 Step 3: Get Data / General Authenticate
85	11.4.2 mEAC-based eServices with trusted third party
86	11.4.2.1 Stage 1: Loading a profile on to the ICC
87	11.4.2.2 Stage 2: The Identity Provider completes the profile
88	11.4.2.3 Stage 3: the SP retrieves the completed profile from the ICC 11.5 eServices with two party protocols 11.5.1 mEAC-based eServices with on-line two party protocol
89	11.5.2 mEAC-based eServices with off-line two party protocol
91	12 APDU data structures 12.1 Algorithm Identifiers 12.2 CRTs 12.2.1 CRT DST for selection of ICC’s private client/server auth. key 12.2.2 CRT AT for selection of ICC’s private client/server auth. key
92	12.2.3 CRT CT for selection of ICC’s private key 12.2.4 CRT DST for selection of IFD’s public key (signature verification)
93	Annex A (normative)Security Service Descriptor Templates A.1 Security Service Descriptor Concept
94	A.2 SSD Data Objects A.2.1 DO Extended Header List, tag ‘4D’ A.2.2 DO Instruction set mapping (ISM), tag ‘80’ A.2.3 DO Command to perform (CTP), tag ‘52’ (refer to ISO/IEC 7816-6) A.2.4 DO Algorithm object identifier (OID), tag ‘06’ (refer to ISO/IEC 7816-6) A.2.5 DO Algorithm reference, tag ‘81’
95	A.2.6 DO Key reference, tag ‘82’ A.2.7 DO FID key file, tag ‘83’ A.2.8 DO Key group, tag ‘84’ A.2.9 DO FID base certificate file, tag ‘85’ A.2.10 DO FID adjoined certificate file, tag ‘86’ A.2.11 DO Certificate reference, tag ‘87’ A.2.12 DO Certificate qualifier, tag ‘88’ A.2.13 DO FID for file with public key of the certification authority PK(CA), tag ‘89’ A.2.14 DO PIN usage policy, tag ‘5F2F’
96	A.2.15 DO PIN reference, tag ‘8A’ A.2.16 DO Application identifier (AID), tag ‘4F’ (refer to ISO/IEC 7816-6) A.2.17 DO CLA coding, tag ‘8B’ A.2.18 DO Status information (SW1-SW2), tag ‘42’ (refer to ISO/IEC 7816-6) A.2.19 DO Discretionary data, tag ‘53’ (refer to ISO/IEC 7816-6) A.2.20 DO SE number, tag ‘8C’
97	A.2.21 DO SSD profile identifier, tag ‘8D’ A.2.22 DO FID mapping, tag ‘8E’ A.3 Location of the SSD templates A.4 Examples for SSD templates
99	Annex B (informative)Security environments
100	B.1 Definition of CRTs (examples)
101	B.1.1 CRT for Authentication (AT)
102	B.1.2 CRT for Cryptographic Checksum (CCT)
103	B.1.3 CRT for Digital Signature (DST)
104	B.1.4 CRT for confidentiality (CT)
105	B.2 Security Environments (example) B.2.1 Security Environment #10
106	B.2.2 Security Environment #11 B.3 Coding of access conditions (example)
107	B.3.1 Access Conditions
108	B.3.2 Access rule references
109	B.3.3 Access conditions for EF.ARR B.3.4 EF.ARR records
112	Annex C (normative) Algorithm Identifiers — Coding and specification
119	Annex D (informative) Example of DF.CIA
124	Annex E (informative)Build scheme for object identifiers defined by EN 14890
126	Bibliography

Additional information

Status	Withdrawn
Title	Application Interface for smart cards used as Secure Signature Creation Devices – Additional services
Replaces	BS EN 14890-2:2008
Publisher	BSI
Committee	IST/17
Pages	130
Publication Date	2014-12-31
Withdrawn Date	2018-04-24
Replaced By	BS EN 419212-2:2017, BS EN 419212-4:2018, BS EN 419212-1:2017, BS EN 419212-5:2018, BS EN 419212-3:2017
ISBN	978 0 580 77110 1
Standard Number	BS EN 419212-2:2014
Descriptors	Interfaces (data processing), Electronic signatures, Identification methods, Data security, Computer terminals, Information exchange, Data processing, Personal identification numbers, Identity cards, Verification, Integrated circuit cards, Cryptography
ICS Codes	35.240.15 - Identification cards. Chip cards. Biometrics

Preview PDF


PDF Format	Searchable	Printable	Preview Now

BS EN 419212-2:2014

PDF Catalog

Related products