EN 14890-1:2008
Superseded
A superseded Standard is one, which is fully replaced by another Standard, which is a new edition of the same Standard.
View Superseded by
Application Interface for smart cards used as Secure Signature Creation Devices - Part 1: Basic services
01-12-2014
03-12-2008
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Signature application
5.1 Application Flow
5.2 Trusted environment versus untrusted environment
5.3 Selection of ESIGN application
5.4 Selection of cryptographic information application
5.5 Concurrent usage of signature applications
5.6 Security environment selection
5.7 Key selection
5.8 Basic Security Services
6 User verification
6.1 General
6.2 Knowledge based user verification
6.3 Biometric user verification
7 Digital Signature Service
7.1 Signature generation algorithms
7.2 Activation of digital signature service
7.3 General aspects
7.4 Signature Generation
7.5 Selection of different keys, algorithms and input formats
7.6 Read certificates and certificate related information
8 Device authentication
8.1 Certification authorities and certificates
8.2 Authentication environments
8.3 Key transport and key agreement mechanisms
8.4 Key transport protocol based on RSA
8.5 Device authentication with privacy protection
8.6 Privacy constrained Modular EAC (mEAC) protocol with
non-traceability feature (based on elliptic curves)
8.7 Asymmetric Authentication summary
8.8 Symmetric authentication scheme
8.9 Compute Session keys from key seed K[IFD/ICC]
8.10 Compute send sequence counter SSC
8.11 Post-authentication phase
8.12 Ending the secure session
8.13 Reading the Display Message
8.14 Updating the Display Message
9 Secure messaging
9.1 CLA byte
9.2 TLV coding of command and response message
9.3 Treatment of SM-Errors
9.4 Padding for checksum calculation
9.5 Send sequence counter (SSC)
9.6 Message structure of Secure Messaging APDUs
9.7 Response APDU protection
9.8 Use of TDES and AES
10 Key Generation
10.1 Key generation and export using PrK.ICC.AUT
10.2 Key generation and export with dynamic or static SM
10.3 Write certificates
10.4 Setting keys in static secure messaging
11 Key identifiers and parameters
11.1 Key identifiers
11.2 Public Key parameters
11.3 DSA with ELC public key parameters
11.4 RSA Diffie-Hellman key exchange parameters
11.5 ELC key exchange parameters
12 Data structures
12.1 CRTs
12.2 Key transport device authentication protocol
12.3 Privacy device authentication protocol
13 AlgIDs, Hash- and DSI Formats
13.1 Algorithm Identifiers and OIDs
13.2 Hash Input-Formats
13.3 Formats of the Digital Signature Input (DSI)
14 CV_Certificates and Key Management
14.1 Level of trust in a certificate
14.2 Key Management
14.3 Card Verifiable Certificates
14.4 Use of the public key extracted from the certificate
14.5 Validity of the key extracted from a certificate
14.6 Structure of CVC
14.7 Certificate Content
14.8 Certificate signature
14.9 Coding of the certificate content
14.10 Steps of CVC verification
14.11 Commands to handle the CVC
14.12 C_CV.IFD.AUT (non self-descriptive)
14.13 C_CV.CA.CS-AUT (non self-descriptive)
14.14 C.ICC.AUT
14.15 Self-descriptive CV Certificate (Example)
15 Files
15.1 File structure
15.2 File IDs
15.3 EF.DIR
15.4 EF.SN.ICC
15.5 EF.DH
15.6 EF.ELC
15.7 EF.C.ICC.AUT
15.8 EF.C.CA[ICC].CS-AUT
15.9 EF.C_X509.CH
15.10 EF.C_X509.CA.CS (DF.ESIGN)
15.11 EF.DM
16 Cryptographic Information Application
16.1 ESIGN cryptographic information layout example
Annex A (informative) - Device authentication - Cryptographic
view
A.1 Algorithms for authentication with key exchange or key
negotiation
A.2 Device authentication with key transport
A.2.1 Conformance to ISO/IEC 11770-3
A.2.2 Using min(SIG, N-SIG) for the signature token
A.3 Device authentication with key negotiation
A.3.1 Diffie-Hellman Key Exchange
A.4 Device authentication with privacy protection
A.4.1 The authenticity of the public DH parameters
A.5 Device authentication with non traceability
A.5.1 Diffie-Hellman Key Exchange
A.6 The 'Grandmaster Chess Attack'
Annex B (informative) - Personalization scenarios
Annex C (informative) - Build scheme for mEAC Object Identifiers
Bibliography
Part 1 of this series specifies the application interface to Smart Cards during the usage phase, used as Secure Signature Creation Devices (SSCD) according to the Terms of the European Directive on Electronic Signature 1999/93 to enable interoperability and usage as SSCD on a national or European level.This document describes the mandatory services for the usage of Smart Cards as SSCDs based on CEN CWA 14890. This covers the signing function, storage of certificates, the related user verification, establishment and use of trusted path and channel, requirements for key generation and the allocation and format of resources required for the execution of those functions and related cryptographic token information.Thereby the functionality of CWA 14890-1 is enhanced in the following areas:- Device authentication with Elliptic Curves (ELC) for existing asymmetric authentication protocols (RSA Transport, Privacy Protocol),- Enhancement of existing asymmetric authentication protocols due to privacy and non-traceability constraints,- Card Verifiable (CV) Certificate Formats (self descriptive) with ELC for all types of authentication and authorization protocols,- Secure Messaging Tags and use of commands with Odd-INS Code in compliance to the actual ISO/IEC 7816-4,- Further hash algorithms (SHA2–family) with corresponding Object identifier and Algorithm references,- Use of AES in authentication protocols,- Use of AES for secure messaging.The following items are out of scope:1)The physical, electrical and transport protocol characteristics of the card,2)The external signature creation process and signature environment,3)The elements required to verify an electronic signature produced by a card used as a SCCD,4)The error handling process.
Committee |
CEN/TC 224
|
DevelopmentNote |
Supersedes CWA 14890-1. (02/2009)
|
DocumentType |
Standard
|
PublisherName |
Comite Europeen de Normalisation
|
Status |
Superseded
|
SupersededBy |
Standards | Relationship |
BS EN 14890-1:2008 | Identical |
UNI EN 14890-1 : 2009 | Identical |
SN EN 14890-1 : 2009 | Identical |
DIN EN 14890-1 E : 2009 | Identical |
NEN EN 14890-1 : 2008 | Identical |
NS EN 14890-1 : 1ED 2008 | Identical |
PN EN 14890-1 : 2009 | Identical |
I.S. EN 14890-1:2008 | Identical |
NF EN 14890-1 : 2009 | Identical |
UNE-EN 14890-1:2009 | Identical |
DIN EN 14890-1:2009-03 | Identical |
NBN EN 14890-1 : 2009 | Identical |
BS EN 14890-2:2008 | Application interface for smart cards used as secure signature creation devices Additional services |
DD CEN/TS 15480-3:2010 | Identification card systems. European citizen card European citizen card interoperability using an application interface |
DIN EN 14890-2:2009-03 | APPLICATION INTERFACE FOR SMART CARDS USED AS SECURE SIGNATURE CREATION DEVICES - PART 2: ADDITIONAL SERVICES |
17/30318701 DC : 0 | BS ISO/IEC 19286 - IDENTIFICATION CARDS - INTEGRATED CIRCUIT CARDS - PRIVACY-ENHANCING PROTOCOLS AND SERVICES |
PD CEN/TS 15480-2:2012 | Identification card systems. European Citizen Card Logical data structures and security services |
S.R. CEN/TS 15480-5:2013 | IDENTIFICATION CARD SYSTEMS - EUROPEAN CITIZEN CARD - PART 5: GENERAL INTRODUCTION |
S.R. CEN/TS 15480-2:2012 | IDENTIFICATION CARD SYSTEMS - EUROPEAN CITIZEN CARD - PART 2: LOGICAL DATA STRUCTURES AND SECURITY SERVICES |
BS ISO/IEC 24727-3 : 2008 | IDENTIFICATION CARDS - INTEGRATED CIRCUIT CARD PROGRAMMING INTERFACES - PART 3: APPLICATION INTERFACE |
UNI CEN/TS 15480-2 : 2012 | IDENTIFICATION CARD SYSTEMS - EUROPEAN CITIZEN CARD - PART 2: LOGICAL DATA STRUCTURES AND SECURITY SERVICES |
S.R. CEN/TS 15480-3:2014 | IDENTIFICATION CARD SYSTEMS - EUROPEAN CITIZEN CARD - PART 3: EUROPEAN CITIZEN CARD INTEROPERABILITY USING AN APPLICATION INTERFACE |
CEN/TS 15480-4:2012 | Identification card systems - European Citizen Card - Part 4: Recommendations for European Citizen Card issuance, operation and use |
CEN/TS 15480-2:2012 | Identification card systems - European Citizen Card - Part 2: Logical data structures and security services |
I.S. EN 14890-2:2008 | APPLICATION INTERFACE FOR SMART CARDS USED AS SECURE SIGNATURE CREATION DEVICES - PART 2: ADDITIONAL SERVICES |
ISO/IEC 7816-4:2013 | Identification cards Integrated circuit cards Part 4: Organization, security and commands for interchange |
ISO/IEC 19286:2018 | Identification cards — Integrated circuit cards — Privacy-enhancing protocols and services |
UNI EN 14890-2 : 2009 | APPLICATION INTERFACE FOR SMART CARDS USED AS SECURE SIGNATURE CREATION DEVICES - PART 2: ADDITIONAL SERVICES |
NF EN 14890-2 : 2009 | APPLICATION INTERFACE FOR SMART CARDS USED AS SECURE SIGNATURE CREATION DEVICES - PART 2: ADDITIONAL SERVICES |
UNI CEN/TS 15480-4 : 2012 | IDENTIFICATION CARD SYSTEMS - EUROPEAN CITIZEN CARD - PART 4: RECOMMENDATIONS FOR EUROPEAN CITIZEN CARD ISSUANCE, OPERATION AND USE |
PD CEN/TS 15480-4:2012 | Identification card systems. European Citizen Card Recommendations for European Citizen Card issuance, operation and use |
UNI CEN/TS 15480-5 : 2013 | IDENTIFICATION CARD SYSTEMS - EUROPEAN CITIZEN CARD - PART 5: GENERAL INTRODUCTION |
PD CEN/TS 15480-3:2014 | Identification card systems. European Citizen Card European Citizen Card Interoperability using an application interface |
12/30255293 DC : 0 | BS EN 14890-1 - APPLICATION INTERFACE FOR SMART CARDS USED AS SECURE SIGNATURE CREATION DEVICES - PART 1: BASIC SERVICES |
BS ISO/IEC 19286:2018 | Identification cards. Integrated circuit cards. Privacy-enhancing protocols and services |
S.R. CEN/TS 419241:2014 | SECURITY REQUIREMENTS FOR TRUSTWORTHY SYSTEMS SUPPORTING SERVER SIGNING |
CEN/TS 419241:2014 | Security Requirements for Trustworthy Systems Supporting Server Signing |
UNI CEN/TS 419241 : 2014 | SECURITY REQUIREMENTS FOR TRUSTWORTHY SYSTEMS SUPPORTING SERVER SIGNING |
PD CEN/TS 15480-5:2013 | Identification card systems. European Citizen Card General Introduction |
S.R. CEN/TS 15480-4:2012 | IDENTIFICATION CARD SYSTEMS - EUROPEAN CITIZEN CARD - PART 4: RECOMMENDATIONS FOR EUROPEAN CITIZEN CARD ISSUANCE, OPERATION AND USE |
DIN EN 14890-2 E : 2009 | APPLICATION INTERFACE FOR SMART CARDS USED AS SECURE SIGNATURE CREATION DEVICES - PART 2: ADDITIONAL SERVICES |
S.R. CWA 15974:May 2009 | INTEROPERABILITY OF THE ELECTRONIC EUROPEAN HEALTH INSURANCE CARDS (WS/EEHIC) |
ISO/IEC 24727-3:2008 | Identification cards Integrated circuit card programming interfaces Part 3: Application interface |
EN 14890-2:2008 | Application Interface for smart cards used as Secure Signature Creation Devices - Part 2: Additional Services |
UNI CEN/TS 15480-3 : 2014 | IDENTIFICATION CARD SYSTEMS - EUROPEAN CITIZEN CARD - PART 3: EUROPEAN CITIZEN CARD INTEROPERABILITY USING AN APPLICATION INTERFACE |
CSA ISO/IEC 7816-4 : 2015 | IDENTIFICATION CARDS - INTEGRATED CIRCUIT CARDS - PART 4: ORGANIZATION, SECURITY AND COMMANDS FOR INTERCHANGE |
INCITS/ISO/IEC 24727-3 : 2009(R2014) | IDENTIFICATION CARDS - INTEGRATED CIRCUIT CARD PROGRAMMING INTERFACES - PART 3: APPLICATION INTERFACE |
11/30237119 DC : 0 | BS ISO/IEC 7816-4 - IDENTIFICATION CARDS - INTEGRATED CIRCUIT CARDS - PART 4: ORGANIZATION, SECURITY AND COMMANDS FOR INTERCHANGE |
PD CEN/TS 15480-1:2012 | Identification card systems. European Citizen Card Physical, electrical and transport protocol characteristics |
BS ISO/IEC 7816-4 : 2013 | IDENTIFICATION CARDS - INTEGRATED CIRCUIT CARDS - PART 4: ORGANIZATION, SECURITY AND COMMANDS FOR INTERCHANGE |
UNI CEN/TS 15480-1 : 2012 | IDENTIFICATION CARD SYSTEMS - EUROPEAN CITIZEN CARD - PART 1: PHYSICAL, ELECTRICAL AND TRANSPORT PROTOCOL CHARACTERISTICS |
PD CEN/TS 419241:2014 | Security Requirements for Trustworthy Systems Supporting Server Signing |
S.R. CEN/TS 15480-1:2012 | IDENTIFICATION CARD SYSTEMS - EUROPEAN CITIZEN CARD - PART 1: PHYSICAL, ELECTRICAL AND TRANSPORT PROTOCOL CHARACTERISTICS |
CEN/TS 15480-3:2014 | Identification card systems - European Citizen Card - Part 3: European Citizen Card Interoperability using an application interface |
CEN/TS 15480-5:2013 | Identification card systems - European Citizen Card - Part 5: General Introduction |
CEN/TS 15480-1:2012 | Identification card systems - European Citizen Card - Part 1: Physical, electrical and transport protocol characteristics |
ISO/IEC 7816-6:2016 | Identification cards — Integrated circuit cards — Part 6: Interindustry data elements for interchange |
ISO/IEC 8859-1:1998 | Information technology 8-bit single-byte coded graphic character sets Part 1: Latin alphabet No. 1 |
ISO/IEC 24727-1:2014 | Identification cards Integrated circuit card programming interfaces Part 1: Architecture |
ISO/IEC 15946-1:2016 | Information technology Security techniques Cryptographic techniques based on elliptic curves Part 1: General |
ISO 11568-2:2012 | Financial services — Key management (retail) — Part 2: Symmetric ciphers, their key management and life cycle |
ISO/IEC 24727-2:2008 | Identification cards Integrated circuit card programming interfaces Part 2: Generic card interface |
ISO/IEC 7816-8:2016 | Identification cards Integrated circuit cards Part 8: Commands and mechanisms for security operations |
ISO/IEC 18033-3:2010 | Information technology Security techniques Encryption algorithms Part 3: Block ciphers |
ISO/IEC 9796-3:2006 | Information technology — Security techniques — Digital signature schemes giving message recovery — Part 3: Discrete logarithm based mechanisms |
ISO/IEC 11770-4:2006 | Information technology Security techniques Key management Part 4: Mechanisms based on weak secrets |
EN ISO 3166-1:2014 | Codes for the representation of names of countries and their subdivisions - Part 1: Country codes (ISO 3166-1:2013) |
FIPS PUB 197 : 2001 | ADVANCED ENCRYPTION STANDARD (AES) |
ISO/IEC 7816-4:2013 | Identification cards Integrated circuit cards Part 4: Organization, security and commands for interchange |
FIPS PUB 46 : 0002 | DATA ENCRYPTION STANDARD (DES) |
ISO/IEC 7816-3:2006 | Identification cards — Integrated circuit cards — Part 3: Cards with contacts — Electrical interface and transmission protocols |
ISO/IEC 9796-2:2010 | Information technology Security techniques Digital signature schemes giving message recovery Part 2: Integer factorization based mechanisms |
ISO/IEC 15946-2:2002 | Information technology Security techniques Cryptographic techniques based on elliptic curves Part 2: Digital signatures |
ISO/IEC 9797-1:2011 | Information technology Security techniques Message Authentication Codes (MACs) Part 1: Mechanisms using a block cipher |
ISO/IEC 7812-1:2017 | Identification cards — Identification of issuers — Part 1: Numbering system |
ISO 3166-1:2013 | Codes for the representation of names of countries and their subdivisions Part 1: Country codes |
ISO/IEC 7816-5:2004 | Identification cards — Integrated circuit cards — Part 5: Registration of application providers |
ISO/IEC 7816-15:2016 | Identification cards Integrated circuit cards Part 15: Cryptographic information application |
ISO/IEC 14888-2:2008 | Information technology — Security techniques — Digital signatures with appendix — Part 2: Integer factorization based mechanisms |
FIPS PUB 180 : 2002 | SECURE HASH STANDARD |
EN 14890-2:2008 | Application Interface for smart cards used as Secure Signature Creation Devices - Part 2: Additional Services |
TS 102 176-1 : 2.1.1 | ELECTRONIC SIGNATURES AND INFRASTRUCTURES (ESI); ALGORITHMS AND PARAMETERS FOR SECURE ELECTRONIC SIGNATURES; PART 1: HASH FUNCTIONS AND ASYMMETRIC ALGORITHMS |
ANSI X9.42 : 2003(R2013) | PUBLIC KEY CRYPTOGRAPHY FOR THE FINANCIAL SERVICES: AGREEMENT OF SYMMETRIC KEYS USING DISCRETE LOGARITHM CRYPTOGRAPHY |
ISO/IEC 7816-11:2004 | Identification cards Integrated circuit cards Part 11: Personal verification through biometric methods |
ISO/IEC 11770-3:2015 | Information technology Security techniques Key management Part 3: Mechanisms using asymmetric techniques |
Access your standards online with a subscription
Features
-
Simple online access to standards, technical information and regulations.
-
Critical updates of standards and customisable alerts and notifications.
-
Multi-user online standards collection: secure, flexible and cost effective.