Gemplus PKI cards roadmap
[Roadmap diagram labels: GemSafe v2 java applet; GemID java applet; GemSafe v1 java applet; (RSA2048); Native OS; Native OS]
Gemplus PKI cards in the GemSafe solution
GPK16000
GemSafe applets
GemSafe applets: common features
• GemSafe (and GemID) applets are the Gemplus PKI applets, whose main features are the following:
Digital signature
Session key decipherment
On board key generation
Secure card/reader mutual authentication
Support of RSA, 3-DES, SHA-1 algorithms.
Data management
Secure storage of sensitive data:
• Protection by PIN, Ext Auth, Secure messaging.
Based on E-Sign K (CWA-14890) specifications
Compliant with ISO 7816-4, -5, -6, -8, -9, -15
Compliant with Identrus requirements
Integrated in a JavaCard multi-application environment.
Compatible with the GemXpresso Pro range
GemSafe applets: specific features
• GemSafe v1:
PK functions with RSA up to 2048 bits.
Card/reader mutual authentication based on 3-DES (E-Sign K scheme)
• GemID:
PK functions with RSA up to 1024 bits.
Card/reader mutual authentication based on RSA and Diffie-Hellman (E-Sign K scheme)
GemSafe applets in GemXpresso cards
• GXP3-E64PK:
GemSafe applets can be loaded in EEPROM.
• GXP3-E32/16PK:
GemID applet present in ROM
GemSafe applets can be loaded in EEPROM
• GXP3.2-E32/18PK:
GemID and GemSafe v1 present in ROM
Samples in Sept 04
• GXP3.2-E64PK:
GemSafe v1 and GemSafe v2 present in ROM
Samples in Nov 04
GemSafe applets in a PKI environment
Digital Signature with GemSafe applet (1/3)
• Application example:
S/MIME (Secure/Multipurpose Internet Mail Extensions) uses digital signatures to ensure the integrity and authenticity of e-mails.
Digital Signature with GemSafe applet (2/3)
• Performing a digital signature:
Digital Signature with GemSafe applet (3/3)
• Verifying a digital signature.
[Diagram labels: Receive; Using the received message, compute the received hash digest]
• Signature verification does not require high security, since it’s done using the public key of the sender: this operation is typically done without a smart card.
Session Key Decipher with GemSafe applet (1/3)
• GemSafe applets do not offer an encipher function (it’s not necessary to use a smart card for this function), but instead offer the decipher function (PSO: Decipher command).
• Decipher of data up to 512 bits (this data is typically a 3DES session key)
• Data must be padded according to PKCS#1 v1.5 and encrypted with RSA.
• Application example:
S/MIME (Secure/Multipurpose Internet Mail Extensions) uses encryption/decryption to ensure the confidentiality of e-mails.
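The data format required above, as an added example (not Gemplus code): a host pads a 3DES session key per PKCS#1 v1.5 and RSA-encrypts it, and a software stand-in for the card side reverses it with strict padding checks. The key pair, all function names and the 24-byte key are constructed for illustration; the demo modulus is deliberately weak, and the card-side checks are an assumption about what a careful decipher routine verifies.

```python
import os

# Constructed demo key from two Mersenne primes: trivially factorable, illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in bytes
MAX_PAYLOAD = 64                       # 512 bits, the decipher limit stated above


def pad(payload: bytes, k: int = K) -> bytes:
    """PKCS#1 v1.5 block: 00 || 02 || PS (>= 8 nonzero random bytes) || 00 || payload."""
    ps_len = k - 3 - len(payload)
    if len(payload) > MAX_PAYLOAD or ps_len < 8:
        raise ValueError("payload too long")
    ps = bytearray()
    while len(ps) < ps_len:            # os.urandom may return zero bytes; drop them
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b)
    return b"\x00\x02" + bytes(ps) + b"\x00" + payload


def unpad(block: bytes, k: int = K) -> bytes:
    """Strict parse of the block; any structural deviation is rejected."""
    sep = block.find(b"\x00", 2)       # first zero byte after the 00 02 header
    if len(block) != k or block[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("invalid PKCS#1 v1.5 block")
    payload = block[sep + 1:]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 512 bits")
    return payload


def host_encipher(session_key: bytes) -> bytes:
    """Sender side: pad the session key, then encrypt with the recipient's public key."""
    m = int.from_bytes(pad(session_key), "big")
    return pow(m, E, N).to_bytes(K, "big")


def card_decipher(cryptogram: bytes) -> bytes:
    """Hypothetical stand-in for the card side of PSO: Decipher."""
    c = int.from_bytes(cryptogram, "big")
    if len(cryptogram) != K or c >= N:
        raise ValueError("cryptogram out of range")
    return unpad(pow(c, D, N).to_bytes(K, "big"))


if __name__ == "__main__":
    key = os.urandom(24)               # constructed 3-key 3DES session key
    assert card_decipher(host_encipher(key)) == key
```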
Session Key Decipher with GemSafe applet (2/3)
• Performing a message encipher:
Session Key Decipher with GemSafe applet (3/3)
• Performing a message decipher:
Client authentication using digital certificate (1/3)
Client authentication using digital certificate (2/3)
• Control of digital certificate:
Client - Mr X
Authenticator
Certificate presentation
This is Mr X
His public key is 1234
A CA I trust vouches for Mr X’s trustworthiness
By verifying the CA’s signature, I bind 1234 to Mr X
• A smart card with GemSafe applet will securely store digital certificates of any format (X509 or other).
Client authentication using digital certificate (3/3)
• Control of digital signature:
Authenticator
Random challenge
Client - Mr X
Sign challenge with PRIVATE key
Send signed challenge
• A smart card with GemSafe applet will securely store the private key and perform the digital signature.
On Board Key Generation with GemSafe applet
GemSafe applets in the GemSafe Libraries environment
Integration is GSL v4.x
GemSafe applet pre-personalization for GSL
GemSafe applets
Technical Specifications
GemSafe applets files and data objects management (1/2)
• Binary EFs
number dependent on EEPROM size
• DFs
• PIN objects
GemSafe v1 and GemID:
• Up to 3 PINs
• PINs are 8 bytes long, or 16 digits long (with BCD coding)
GemSafe v2:
• Up to 15 PINs
• PINs are from 8 to 16 bytes long.
“Change PIN before first use” option
• Up to 15 Security Environments
GemSafe applet files and data objects management (2/2)
• RSA keys
Up to 2048 bits keys
Maximum number of private keys defined at applet installation.
APDU commands
• Personalization only commands:
Create File
Initialise Update (OP)
External Auth (OP)
End Personalisation
• PIN / User identification:
Verify Card Holder
Change Reference Data
Reset Retry Counter
• Card/Terminal Authentication:
PK External Auth (GemID, GemSafe v2)
PK Internal Auth (GemID, GemSafe v2)
PSO: Verify Certificate (GemID, GemSafe v2)
SK Mutual Auth (GemSafe v1 and v2)
Get Challenge
• Management of SE:
MSE: Set
MSE: Restore
• PK functions:
Generate Public Key Pair
PSO: Compute DSI
PSO: Decipher
PSO: Hash (GemSafe v2)
• Data management:
Read Binary
Update Binary
Erase Binary
Get Data
Put Data
• Files management:
Select File
Activate File
Deactivate File
Create File