Professional Documents
Culture Documents
.
.
.
2010-2011
ii
. ,
. ,
. .
. ,
. ,
. ,
,
2010-2011
iii
.
iv
,
, , .
,
, ,
,
,
. ,
,
.
, ,
, ,
,
.
,
ICAO
.
.
, : ) (
) ,
) ,
.
,
.
,
, ,
( ) (SCA)
.
,
, -
, .
vi
interactions between the secure signature creation device (citizen card) and the middleware
responsible for generating and validating electronic signatures.
Last but not least, the different implementations of citizen cards in national level inside the
European economic area are studied. The choices made and their implications are discussed
and summarized in comparative tables.
This work concludes with the authors comments on the previously presented security
mechanisms and methods as specified by the various related standards and proposals, the
nowadays tendencies and the future vision.
viii
,
. ,
,
.
, ,
.
,
, .
., ., .
, 2011
.
2
1: .................................................................................................. 13
1.1
..................................................................................................................... 13
1.2
...................................................................................................... 15
1.2.1
........................................................................................................... 15
1.2.2
....................................................................................................... 19
1.2.3
................................................................................................. 21
1.2.4
............................................................................................ 22
1.2.4.1
................................................................................ 22
1.2.4.2
................................................................... 23
1.2.4.3
........................................................................................... 24
1.2.5
(Standardization).............................................................................................. 26
2: ............................................. 28
2.1
& ECC............................................................................... 28
2.2
&
...................................................................................................................... 30
2.2.1
2.2.2
................................................................................................. 30
.................................................................................................................... 30
2.3
....................................................... 31
2.4
ECC ........................................................................ 32
2.5
ECC................................................................................................ 32
2.6
ECC .......................................................................... 33
2.7
IC .................................................................... 34
3: ........................................................ 36
3.1
MRTDs .................................................................. 36
3.2
...................................................... 39
3.3
..................................................................................... 41
3.4
..................................................................................... 43
3.4.1
...................................................................................................................... 44
3.4.2
............................................................................................................... 45
3.4.2.1
1999/93/ ........................................................................................................... 45
3.4.2.1.1 ................................... 47
3.4.2.1.2 ... ............................................................................................................. 48
3.4.2.1.3 ...................................................... 49
3.4.2.1.4 A ........................................ 50
3.4.2.1.5 ............................................... 51
3.4.3
................................................................................................................... 52
3.4.3.1
150/2001 ........................................................................................ 53
3.5
................................................................ 54
3.6
................................................................ 57
......................................................................................... 60
4.1.1
................................................................................................................... 60
4.1.2
................................................................................................................................ 61
4.1.2.1
................................................................................................................................... 63
4.1.2.1.1 PVC () ............................................................................................... 65
4.1.2.1.2 ABS (acryl butadiene styrene) ........................................................................................... 66
4.1.2.1.3 PC () .......................................................................................................... 66
4.1.2.1.4 PET (polyethylene terephthalate - ) ................................... 68
4.1.2.1.5 PETG (Polyethylene terephthalate glycol) ........................................................................ 69
4.1.2.1.6 .................................................................................................................. 69
4.1.2.1.7 ................................................................................................................. 70
4.1.2.1.8 .................................................................................................................... 71
4.1.2.2
......................................................................................................................... 72
4.1.2.3
............................................ 78
4.1.2.3.1 ...................................................................................................... 78
4.1.2.3.2 ................................................................................ 80
4.1.2.3.3 ................................................................................. 82
4.1.2.3.4 ECC .............................................................................................. 86
4.1.2.4
........................................................................................................................... 87
4.2
4.2.1
4.2.2
4.2.3
4.3
................................................................................... 87
............................................................................................................... 87
............................................................................................................... 88
ICAO CEN .................................................................. 89
............................................................................... 92
4.3.1
.................................................................................................................. 93
4.3.1.1
offset ................................................................................................................ 93
4.3.1.2
(Rainbow colouring).............................................................................. 94
4.3.1.3
................................................................................................... 94
4.3.1.4
(Screen printing).......................................................................................... 95
4.3.1.5
........................................................................................................... 95
4.3.1.6
...................................................................................................... 96
4.3.1.7
(Form printing) ................................................................................... 96
4.3.1.8
(Numbering)...................................................................................................... 97
4.3.2
.......................................................................................... 98
4.3.3
............................................................................................................... 98
4.3.3.1
- (thermo transfer printing) ..............................................100
4.3.3.2
E - (thermo sublimation printing) ........................................103
4.3.3.3
- (thermo retransfer printing) ................................104
4.3.3.4
(laser engraving).................................................................................105
4.3.4
......................................................................................................................106
4.4
................................................................................... 107
4.5
..................................................................................................... 109
4.5.1
...............................................................................................109
4.5.2
.....................................................................................................113
4.5.2.1
Gemalto ............................................................................................................................114
4.5.2.2
Giesecke & Devrient ........................................................................................................114
4.5.2.3
Toppan Printing Co. Ltd ...................................................................................................115
4.5.2.4
Evolis.................................................................................................................................116
4.5.2.5
Sagem-orga (brand name: Morpho) ...............................................................................116
4.5.2.6
Oberthur Card Systems....................................................................................................117
4.5.2.7
CardLogix ..........................................................................................................................118
4.5.2.8
Datacard Group ................................................................................................................118
4.5.3
.........................119
5: IC ................................................ 121
5.1
5.1.1
................................................................................................121
5.1.2
eMRTDs ............................................................................124
5.1.3
& ..........................................................................126
5.1.4
& LDS .....................................................................128
5.1.5
LDS.................................................................130
5.1.6
...................................136
5.1.7
& .........................................................................................137
5.1.8
APDUs & eMRTD .....................................................................................143
5.1.9
.......................148
5.1.9.1
UID .......................................148
5.1.9.2
...........................................................................150
5.1.9.3
......................................153
6: IC ... 155
6.1
........................................................................................ 155
6.2
PKI.......................................................................................................................... 159
6.2.1
.................................................................................................................................159
6.2.2
& .................................................................................160
6.2.3
....................................................................165
6.2.3.1
.............................................................................................................................169
6.2.4
PKI MRTDs ICAO ...................................................................................................171
6.2.4.1
...............................................................................175
6.2.5
PKI MRTDs BSI.......................................................................................................175
6.2.6
MRTD ...........................................178
6.3
6.3.1
Passive Authentication () ..................................................................................181
6.3.1.1
Passive Authentication ...........................................................................182
6.3.2
Active Authentication (AA) ().............................................................................183
6.3.2.1
AA ............................................................................................................186
6.4
6.4.1
Basic Access Control (BAC) () .............................................................................187
6.4.1.1
Secure Messaging BAC .............................................................................191
6.4.1.2
BAC ..........................................................................................................194
6.4.2
ICAO () ..................197
6.5
6.5.1
6.5.2
6.5.3
6.5.4
6.5.5
Chip Authentication (CA) ...........................................................................................................209
6.5.6
Terminal Authentication (TA) ....................................................................................................211
6.5.6.1
TA ............................................................................................................213
6.5.7
Restricted Identification (RI) ......................................................................................................214
6.6
................................................................ 216
6.7
6.7.1
...................................................................................................................220
6.7.2
CEN 15480-3 Card-Verifiable Certificates ...................................................222
6.7.3
CEN 15480 ...........................................................................................223
6.7.3.1
) eID ...................................................................................................................223
6.7.3.2
d) eID (IAS) ..........................................................................................................224
6.7.4
.......................................................................225
6.7.5
......................................................................................................226
6.7.5.1
() .....................................................227
6.7.5.2
........................................................................228
7: ................................................................... 230
7.1
................................................................................................................ 230
7.2
...................................................................................................... 232
7.2.1
7.2.2
7.3
7.3.1
7.3.2
7.3.3
7.3.4
7.4
....................................................................................................233
....................................................................................................234
........................... 237
...............................................................................................238
.....................................................................................238
.............................................................................241
........................241
............................................................................................. 243
7.4.1
....................................................................................243
7.4.1.1
RSA ...............................................................................................................246
7.4.1.2
DSA ...............................................................................................................247
7.4.1.3
ECDSA (Fp) ...............................................................................248
m
7.4.1.4
ECDSA (F2 )...............................................................................249
7.4.1.5
ECGDSA (Fp) .............................................................................250
m
7.4.1.6
ECGDSA F2 ................................................................................251
7.4.2
BnetzA ...........................................................251
7.5
......................................................................................... 253
7.5.1
...............................................................255
7.5.1.1
SHA-1 ................................................................................................................................255
7.5.1.2
RIPEMD160 ......................................................................................................................255
7.5.1.3
SHA 224 ............................................................................................................................256
7.5.1.4
SHA 256 ............................................................................................................................256
7.5.1.5
WHIRLPOOL ......................................................................................................................256
7.5.1.6
SHA 384 ............................................................................................................................257
7.5.1.7
SHA 512 ............................................................................................................................257
7.5.2
BnetzA .............................................................258
7.6
..................................................................................... 259
8: ...................................................................................... 260
6
8.1
.................................................................................................... 260
8.2
........................................................... 260
8.2.1
.509 ......................................................................................................................262
8.3
............................................................................... 264
8.4
....................................... 265
8.5
...................................... 269
8.6
............................................................ 270
.................................................................. 272
9.2
................................................................ 274
9.3
.................... 276
9.4
............................................................................ 277
9.5
.......................................... 281
9.5.1
..............................................................................................................281
9.5.1.1
.................................................................282
9.5.1.1.1 ..................................................................................285
9.5.1.2
.............................................285
9.5.1.2.1 ...............................................................................................286
9.5.1.2.2 ...............................................................................................288
9.6
9.6.1
9.6.2
9.6.3
9.6.4
9.7
ICC........................................................................ 295
9.7.1
................................................................................295
10: eID
.................................................................................................................................... 299
10.1
............................................................................................ 299
10.1.1
10.1.2
10.1.3
10.1.4
10.2
10.2.1
10.2.2
10.2.3
10.3
...........................................302
..........................................................................303
, & ...................308
eIDs....................................................................................................................312
................................................................................................................................315
.................................................................................................................................317
.............................................................................................................320
10.3.1
10.3.2
10.3.3
..............................................................................................................................324
.................................................................................................................................328
.............................................................................................................................332
10.3.4
10.3.5
10.3.6
10.3.7
10.3.8
10.3.9
10.3.10
10.3.11
10.3.12
10.3.13
..............................................................................................................................336
..................................................................................................................................340
...............................................................................................................................342
...........................................................................................................................346
............................................................................................................................349
..............................................................................................................................353
...................................................................................................................355
.........................................................................................................................356
.......................................................................................................................358
.........................................................................................................................360
.................................................................................................... 362
11.2
............................................................................................................... 366
11.2.1
..................................................................................................................367
............................................................................................................ 369
A I: ICAO DES ..................................................................... 1
A II: SECURE HASH STANDARD ...................................................................... 4
A II: ISO STANDARDS.................................................................................... 7
ISO/IEC 7810 ................................................................................................................ 7
ISO/IEC 7816 ................................................................................................................ 8
ISO/IEC 14443 ............................................................................................................ 11
ISO/IEC 19794 ............................................................................................................ 12
ISO/IEC 10373 ............................................................................................................ 14
IV: (EESSI)
...................................................................................................................................... 16
CEN CWA 14169 Secure Signature-Creation Devices, version EAL 4+....... 16
CWA 14170 Security Requirements for Signature Creation Systems ............. 16
CWA 14171-00 General guidelines for electronic signature verification......... 16
EN 14890-1, Application Interface for smart cards used as Secure Signature
Creation Devices ....................................................................................................... 17
EN 14890-2, Application Interface for smart cards used as Secure Signature
Creation Devices ....................................................................................................... 17
ETSI TS 102 176-1 Algorithms and Parameters for Secure Electronic
Signatures, ................................................................................................................. 19
EN 726 ......................................................................................................................... 19
--
1: ...................................................................................................... 21
2: ......................................... 27
3: ECC.................................................................................................................... 73
4: ECC...................................................................................................................... 74
5: ICAO ........................................................................................................... 77
6: ................................................................................................ 89
7: ............... 92
8: MRZ ................................................................................................... 123
9: eMRTDs [ICAO 9303 P3V2] ........................ 125
10: LDS ................................... 132
11: 3 ( LDS ) ..... 133
12: ISO/IEC 7816-4 .......................................................................... 140
13: EF.COM .................................................................................................. 142
14: INTERNAL AUTHENTICATE [RWEW03] ...................... 146
15: EXTERNAL AUTHENTICATE [RWEW03] ............... 147
16: PICC A [Y08] ............................. 151
17: bit Manchester (PICC ) [RWEW03] .......... 153
18: [SSG10] ..................................... 167
19: [SSG10] ............................................. 168
20: ) PKI ICAO ) ...................................... 173
21: PKI BSI [BSI-TR-03110]................................................................................................. 176
22: [BSI-TR-03110] .................................... 179
23: BAC KENC KMAC............................................................................................... 189
24: APDU [BSI-TR-03110] ................................................................. 193
25: APDU [BSI-TR-03110] ............................................................ 194
26: EAC BSI (: [DF10]) ...................................................................................... 201
27: IS ePassport [BSI-TR-03110] .. 205
28: PACE [BSI-TR-03110] ............................................................................................. 208
29: Chip Authentication ver.1 [BSI-TR-03110] ............................................................. 210
30: Terminal Authentication ver.2 [BSI-TR-03110] ...................................................... 212
31: Restricted Identification [BSI-TR-03110] ................................................................ 215
32: [CEN 15480-3] ......................................................................... 223
33: IAS-ECC, () ()......................................... 225
34: ........................................................................ 232
35:
............................................................................................................................................................................. 262
36: OBJECT IDENTIFIER ............ 266
37: MONETARY VALUE ,
........................................................................ 267
38: RETENTION PERIOD
............................................................................................... 268
39: OBJECT IDENTIFIER
SSCD .................................................................................................... 268
40: [CWA 14170] ............................................................................. 273
41: ......................................................................... 277
42: SCA SSCD 1999/31/ [EN
14890-1] .............................................................................................................................................................. 278
43: ICC ESIGN [EN 14890-1] 279
44: ................................................................................................. 280
45: ............................................................................................ 280
46: 12345
............................................................................................................................................................................. 285
47: ..................................................................................................... 288
48: ................................................................................................... 288
49: ..................................................... 290
50:
................................................................................................................................................ 296
51: .......................................... 299
52: ( ) ................... 315
53: PKI eID (: [CWP06]) ................................................... 330
54: 3DES / CBC Mode.................................................................. 2
55: MAC ................................................................................................................................. 3
56: ICC (EN 14890-2) ...................................................................... 18
57: Diffie-Hellman (EN 14890-2)....................................................... 18
1: ............................................................................... 25
2: ISO/IEC 7810 ............................................................. 61
3: ........................................................................................ 72
4: [DATACRD] ...................................................... 92
5: ....................................................... 110
6: ......................................................... 111
7: .................................. 120
8: DG2 ......................................................................................... 133
9: ........................................................... 135
10: ISO/IEC 19785 ............................................................................ 136
11: ................................................... 141
12: APDU ..................................................................................................................... 143
13: APDU ................................................................................................................. 144
14: ICAO ............................................... 180
15: BAC ............................................................. 188
16: [ICAO 9303 P3V2] ........................................................ 199
17: ICAO............................................................................ 216
18: ICAO ........................................................................... 217
19: BSI ............................................................................... 218
20: ........................................... 219
21: Primary Account Number ECC............................................................................................... 226
22: , [EN 14890-1] .............................................................. 227
23: ................................................................ 244
24:
[ETSI TS 102 176-1] .............................................................................................................. 245
25: ................................................ 252
26: ............................................................................................. 255
27: ............................................................ 257
28: K BnetzA .................................................................... 258
29: ........................................................................................... 259
30: X.509 .................................................................................................... 263
31: APDU VERIFY ...................................................................................................... 282
32: APDU VERIFY ................................................................................... 283
33: APDU Password Change ...................................................................................... 283
34: APDU Password Change................................................................... 283
35: APDU RESET RETRY COUNTER........................................................................ 283
36: APDU RESET RETRY COUNTER .................................................... 284
37: APDU x ....................................................... 287
38: APDU .................................... 287
10
1:
................................................................................................................................................................ 17
2: .... 24
3: ICAO eMRTD........................................................................................................... 35
4: ...................................................................................................................................... 39
5: (polycarbonate) ........................................................ 68
6: .......................................................................................... 71
7: ........................................................................................................................... 78
8: ( ) ( ) (
) ......................................................................................................................................................... 81
9: (security background printing) ..................................................... 81
10: (polycarbonate): ...................... 82
11: UV ...................................................................................................................................... 83
12: ( )................................................................ 83
13: MLI (Multiple Laser Image) .............................................................................................................. 85
14: ............................................................................................ 86
15: offset.................................................................................................................................. 93
16: ................................................................................................................................ 94
17: ..................................................................................................................... 95
18: - & ............................. 96
19: ..................................................................................................... 97
20: ................................................................. 98
21: - ........................................................................................ 100
22: - ............ 102
11
12
1:
1.1
,
.
,
, ,
.
11 2001
. ,
, ,
, .
( )
, , .
2004 1 ,
,
,
, (
) .
, ,
2005/60/ ,
1999/93/ ,
.
Towards an electronic ID for the European Citizen, a strategic vision. CEN/ISSS. Brussels, December 2004.
13
, 3 : ,
. 3
, . , ,
,
. ,
,
. ,
, , ,
.
,
. ,
, ,
,
.
, SIM
, ,
,
.
,
,
. ,
- .
,
, / PIN . ,
. ,
/ online .
14
,
,
,
, ,
, ,
( ) ,
.
1.2
.
.
,
,
/ ( )
.
1.2.1
. ,
,
, .
- - .
; ;
,
, .
- ,
15
,
.
[Y08].
:
1.
2.
3.
(2) (3), , :
4.
5. /
,
:
,
[RE03].
.
. ,
, [JDC].
16
[RE03]. ,
,
, ,
.
1:
.
, (contact) (contactless) [JDC].
.
,
.
3 5 volt, .
proximity
couplers
.
.
17
,
, ,
(personal identification number, PIN).
/ .
, ,
.
:
(loyalty systems)
, ,
(acrylonitrile butadiene styrene)
[RE03]. .
,
(International Organization for Standardization, ISO) ISO 7810. ISO 7816
,
18
, , ,
. , ,
.
,
. (cellular) ,
,
/.
MAOSCO ( ) Microsoft.
1.2.2
70,
.
[SCH], [RE03] Jrgen Detholff Helmut Grtrupp 1968
1982.
1970 Kunitaka Arimura. ,
Roland Moreno,
1974. 1977, Michel Ugon Honeywell
Bull . 1978, Bull
SPOM (Self Programmable One-chip Microcomputer)
- . ,
CP8 Motorola.
, Bull 1200 ,
CP8 2001 Schlumberger. , Schlumberger
CP8 Axalto. 2006, Axalto
Gemplus, 2 1 ,
Gemalto.
19
, 1984
(PTT)
(Tlcarte). 1986,
. , ,
'90, SIM
.
1983.
, ISO/IEC 7816/1-4.
,
,
bytes RAM [MR+04].
MasterCard, Visa, Europay 1993
.
EMV 1994, 1998
. EMVco,
2000 2004 [SCH].
,
. Smart Card Alliance (SCA), 3,4
2001 30% (SCA,
2001).
1:
20
1: 2
,
. ,
SIM (Subscriber Identification Module) [WSC10].
, Smart Card Market 2008 2015,
8,8 2015 5,2
2009.
1.2.3
, ,
[RE03].
. /
,
, , ,
.
2
: BioSensor, LLC
21
. ,
.
/
/ .
.
. ,
.
,
.
1.2.4
,
[JDA07].
. /
(released)
.
.
. / ( ,
, )
.
, online .
1.2.4.1
.
,
22
[WM09].
.
, ,
. ,
.
1.2.4.2
,
.
. ,
:
( ).
2:
-
- ,
. ,
(logic) .
.
(logic),
,
. 128 bits.
1.2.4.3
. - , , RAM, ROM,
/.
.
/ ,
.
ROM
. ,
,
.
24
NVM,
,
. NVM
: EPROM, EEPROM, flash FRAM (Ferroelectric Random Access Memory).
flash EEPROM
. FRAM (low power)
100 .
.
.
,
. , ,
. , ,
//
.
/ , ,
.
(2006)
18
232
1000
2655
Personal Digital Assistants (PDA)
(PC)
1: 3
(logical)
, , de
3
25
facto , ,
, [JDA07].
1.2.5
(Standardization)
.
ISO (International Organization for Standardization)
IEC (International Electrotechnical Commission).
,
ISO/IEC . ISO/IEC
[RE03].
ISO CEN4
(European Committee for Standardization)
, , ,
. .
T ISO/IEC,
CEN.
.
ISO IEC .
CEN .
26
ISO
IEC
TC 68
Banks
JTC1
Information
Technology
SC 6
Transaction cards
WG5
Messages and
data contents
WG7
Security
architecture
ISO 10202
ISO 11568
SC 17
IC Cards and
related devices
WG1
Physical
characteristics
and test
methods
ISO/IEC 7810
ISO/IEC 7811
ISO/IEC 7813
ISO/IEC 10373
ISO/IEC 15457
ISO/IEC 24789
WG4
ICC with
contacts
ISO/IEC
7816
WG8
Contactless ICC
ISO/IEC 10536
ISO/IEC 14443
ISO/IEC 15693
WG5
Registration
ISO/IEC 7812
WG9
Optical cards and
equipment
ISO/IEC 11694
WG 3
MRTD
ISO/IEC 7501
2:
,
. ISO TC68/SC6,
,
ISO/IEC JTC1/SC17, .
27
2:
(European
Citizen Card - ECC) ,
,
/ ECC
.
ECC
,
, .
2.1
& ECC
CEN 15480
( [CEN 15480-1] [CEN 15480-2]5
), (European Citizen Card,
ECC) (personalized)
ID-1, ISO/IEC 7810,
1 2 ISO/IEC 7816. ISO
A II: ISO STANDARDS.
ECC, ,
:
1) -
,
,
28
2) ,
3)
/ ECC
.
ECC.
,
,
micromodule.
[CEN 15480-1], ECC :
,
,
,
,
,
,
,
.
29
, ISO/IEC 7816-3
/ ISO/IEC 7816-12. ECC
(International Civil Aviation
Organization, ICAO), ECC ,
ICAO 9303,
1 3. ICAO
9303. ICAO
MRTD6 (Machine Readable Travel Document)
ICAO
.
2.2
&
2.2.1
ECC ,
:
. ECC
,
(..
).
2.2.2
ECC
:
6
MRTD eMRTD
. ICAO
MRTD MRtd ,
.
30
, ,
,
2.3
ECC
(Identification
Authentication Signature, IAS), ECC 2
CEN 15480. ECC
, .
ECC. ,
. ,
,
,
,
:
31
6: IC
,
. ,
IC .
2.4
ECC
ECC .
, .
(proof of identity)
,
,
.
,
.
ECC
, :
ECC
ECC ,
2.5
ECC
2) ,
,
3)
,
4) , ,
5) ,
6) ,
7) -,
:
a) (
ISO/IEC 7816-13),
b) ,
c) , IAS
.
2.6
ECC
,
. [CEN 15480-1] ECC
2 3 [CWA 14169],
.
. [CWA 14169]
(Secure Signature Creation Device, SSCD),
, Common
Criteria (CC). ,
[1999/93/] . 2 3
,
33
, .
CC EAL4+
Strength of Functions High.
SSCD ,
. , SSCD ,
(Side-channel) (.. : , ,
), , ,
.
4.2
(Integrated Circuit, IC) ECC
,
EAL4+ SOF-High. , [ICAO 9303 P3V2],
MRTD Active Authentication,
. ,
EAL4+ SOF-High, . ,
PKI ( 6.2)
EAL4+ SOF-High.
2.7
IC
34
3: ICAO eMRTD
:
1. MRTD
32 ,
2.
ICAO (Logical Data Structure, LDS),
MRZ 1 (Data Group 1, DG1)
DG2,
3.
.
(32 KB)
,
. eID
. ,
[Y08].
35
3:
ICAO ,
/ [
2252/2004], [ 444/2009] [ 1030/2002],
[ 380/2008].
3.1
MRTDs
, 2005
(EU Counter-Terrorism Strategy)
, . [EU-CTS],
,
.
,
,
.
ICAO, ,
[ICAO 9303 P3V2] MRTDs,
, ,
.
,
/
.
ICAO ,
[ 2252/2004] [
444/2009] 36
, ,
, ,
, . , ,
- ( 1, 3 [
2252/2004] ).
[ 2252/2004]
,
, . [ 444/2009]
,
, ICAO:
,
, .
[ 444/2009] [ 2252/2004]
. ,
. [ 444/2009]
-, .
[3021/2010],
, 17 2010
, (12) .
.
,
/..., .
,
, .
37
,
. , ICAO ( )
templates.
.
, [ 380/2008],
,
.
, [ 562/2006],
,
,
. ,
.
, ,
. ,
(
)
.
. [ 11/2010],
, .
..
. ,
38
4:
3.2
.2472/1997
,
39
. 2774/1999
, . 3471/2006
2002/58/
[2002/58/],
1995/46/
,
8 .
, , ,
,
370 , 370 370 .
a priori .
,
,
, , , , , ( 95/46, 2).
,
, , ,
, , .. ,
: ,
, , (
, ,
), (,
, .) [10].
40
6 1995/46/
. ,
. ,
.
.
:
, ( ),
( .. ),
, ,
.
:
.
, , :
[10].
()
(9 101)
.
3.3
19 . 1 :
41
.
.
, .2225/1994
, .3115/2003 .. 47/2005
19
(), :
, , ,
, ,
, ,
, , ,
, ,
, ,
, , ,
, / , ,
, , ,
, , , ,
, , ,
, , , , , , ,
.
/ ,
. . , ,
,
( . 3471/06,
2002/58/), . .
42
""
IC ,
e-mail
.. 25 .3471/2006
:
"":
, .
,
.
, , .
.
2 . 3471/06 [3471/2006] :
3. :
.
, , , ,
,
, ,
, , ,
, ,
.
4. :
.
3.4
,
.
43
,
, .
,
. [1999/31/]
,
.
. [150/2001]
[1999/31/]
.
()7
(),
.
3.4.1
[UDC95]
,
.
1996 (United Nations
Commission on International Trade Law (UNCITRAL)
[UNCITRAL96], , ,
, , ,
.
& (),
http://www.eett.gr/opencms/opencms/EETT
44
,
.
, , o
( [97])
.
3.4.2
,
,
1999/93/
, 6
2000 [EK/709/2000], -,
3 4 1999/93/
.
3.4.2.1
1999/93/
: 1999/93/
13 1999
.
.
,
,
.
45
,
7.3 - ,
,
,
.
:
:
,
:
,
,
:
,
:
,
: ,
,
,
:
- ,
: ,
,
46
:
,
:
, ,
: ,
,
: ,
,
.
, : () , ()
() .
3.4.2.1.1
.
, .
.
47
.
.
3.4.2.1.2 ...
,
,
, :
, ,
,
, ,
( )
( ) .
,
.
,
.
99/93/
,
,
. ,
.
,
48
.
, .
II . :
,
.
(
) .
, 24 ,
.
( 30
), .
3.4.2.1.3
:
49
, ,
,
.
3.4.2.1.4 A
(Secure Signature Device Creation-SSCD)
.
( III ) ,
, (
) :
.
,
,
,
.
50
, ,
.
.
.
,
(..
PIN).
,
.
3.4.2.1.5
,
, :
, ,
.
.
51
3.4.3
,
, ,
:
14 2672/1998 [N2672/1998],
10 3230/2004 [3230/2004],
( )
,
, .
150/2001 [150/2001]
(1999/93) ,
,
.
342/2002 [342/2002]
, ... ...
(.. , ..)
(, .).
20 3448/06 [N3448/2006],
25 . 3536/2007 [N3536/2007],
(),
() .
52
/.60/10/21711-5-2007 [/60/10/217] ,
.
8,
, , : )
, )
,
, )
,
.
3.4.3.1
150/2001
99/93/.
.
()
,
. ,
.
.
. , ,
, ,
, .
8
, ,
, 30 .
53
,
.
, ,
,
. ,
,
,
. ,
.
, ,
. ,
,
, .
,
,
.
3.5
21385/11246
421/B/02.07.1992). ..
. 1
16 ,
, , ,
.
. , 1599/1986 ( 75)
12 , ,
54
13
, (
, , , ,
). ,
.. 127/1969,
. 1988/1991 ( 189),
()
. , . 1599/1986
. 1832/1989, . 1839/1989, . 1988/1991, . 2479/1997, . 2521/1997, . 2690/1999, .
2990/2002, . 3242/2004, .. 3021/19/53/2005
1253/25.6.2009.
,
[3021/2005] ( 1440/18.10.2005).
(3.2) .
,
,
.
,
1253/25.6.2009
. , ,
, , fax .
. , ,
,
,
.
: , , , , ,
, , , ,
. , ,
55
, 743
( ISO 843:1997).
.
.
.
:
1. ,
6 .. 127/1969
2.
3.
4. ( 1253/25.6.2009,
),
5.
,
, .
,
.
.
56
.
.../...
(...),
. ,
.
,
,
... .
, ,
.
.../...
.
3.6
. 3103/2003 ( /23/29.1.2003),
[3021/2005] [3021/2010]
.
3021
,
, .
. 12
.
[3021/2010],
:
57
1, 4:
(12) .
,
, .
,
.
1, 5: ,
, , ,
,
. 3 1
. ,
(6)
.
,
/..., .
(6)
.
2: ,
(12) ,
,
.
' ,
,
58
,
.
151 .
5
, .
:
( ),
, ,
.
59
4: ECC &
:
) ,
) ,
)
.
4.1
, .
,
.
.
.
,
.
, .
,
,
. ,
, ,
.
,
, CEN ICAO.
4.1.1
ISO/IEC 7810 4
, 2.
60
2: ISO/IEC 7810
ID-1 .
, ,
. , ID-1
. [CEN 15480-1],
ID-1 ECC.
4.1.2
,
,
[RE03]. :
(, ,
),
(signature panel),
(.. ),
.
61
, 0,76 . ,
.
.
ISO 7810, 7813 7816
1. :
X,
/,
ISO/IEC 10373
,
. , [CEN
15480-1] .
,
, .
/
.
, , ,
.
62
4.1.2.1
ECC
,
CEN ICAO. ,
/ ,
. -
ECC ,
.
, [ICAO 9303 P3V1]
.
. , [ICAO 9303 P3V1]
, :
,
,
,
,
,
,
.
[ICAO SUPPL].
63
, [HT02],
,
(foils) .
. :
/Printability
( )
/ (Anti-statics)
64
4.1.2.1.1 PVC ()
(PVC)
. ,
,
. ,
/ . PVC
,
. PVC ,
/feedstock, /vinyl chloride, .
, PVC
. ,
, -
. PVC
ECC .
:
,
(furane),
65
PVC, ABS , ,
4.1.2.1.3 PC ()
( , polycarbonate, PC)
.
5 10
CDs DVDs. PC
4-8 (foils) . PC
/, / (torsion),
66
UV . ,
/ hotstamp, . , ,
,
//. PC
. , /
PC
, .
:
,
(..
//punching )
PC /phosgene (.
) . .
67
5: (polycarbonate)
4.1.2.1.4 PET (polyethylene terephthalate - )
PVC
PET. ,
. /thermostable
/amorphous form (A-PET) /crystalline form (PETP).
,
. , PETP ,
.
(PETF) PET
, . , PETF
200
. PC,
. ,
/ / /
(torsion).
(polycarbonate)
coextrusion .
.
68
(, PVC)
, PETG
PVC (With some processing parameters PETG has a tighter process window than
PVC)
4.1.2.1.6
:
,
- /restricted reserves
/thermostable
PVC
69
. ,
, edge impact . /
( PVC) IS0
,
. ,
.
, ,
, .
4.1.2.1.7
,
. ,
, , ,
. , ,
.
70
4.1.2.1.8
6: 9
PVC
.
: ( , ),
( ),
/ ( ),
(, , .), UV (
) ( ,
).
PC () /
, UV . ,
,
,
.
9
: [DATACRD]
71
3: 10
[DATACRD].
4.1.2.2
, ECC ID-1. ,
ISO/IEC 7810. ,
[CEN 15480-1], 3. 3.,
.
10
: [DATACRD]
72
3: ECC
)
.
,
73
. 3. 3.,
4. 4..
4: ECC
)
74
ECC
, ,
.
, ,
.
,
( ). ,
,
. , ,
[CEN 15480-1] ECC :
, ECC
(fixed administration information),
, ..,
(fixed administrative information) ( 4.),
, ,
( ),
.
, ,
( / )
,
( 9303-1 ICAO).
MRZ ,
MRTD,
4.1.2.3,
75
ECC
,
3.
4. .
Header
Mandatory
Zone II
Zone III
Zone IV
Mandatory
Zone V
Identification feature
Mandatory
Zone VI
Data elements
Optional
Zone VII
Mandatory
76
5: ICAO
)
77
4.1.2.3
,
.
4.1.2.3.1
[CEN 15480-1],
:
7:
1 ( ):
2 ( 1 ):
3 ( 2 ):
78
4 ( forensic taggant):
/ , ( )
/ /
ECC 1
2. ,
. [ICAO 9303 P3V1]
/
, .
,
.
/ , ,
9303, 3,
-1 1 [ICAO 9303 P3V1].
. ,
,
.
,
, ,
ECC
:
1) ,
2) /,
79
3) .
ECC :
,
( 1
2 3),
.
4.1.2.3.2
ISO/IEC 7810 /
, .
, ECC
( 1 / 2)
, [CEN 15480-1]. ,
.
/ .
, 11.
,
.
. 8 .
11
, ,
( 2), .. ,
( 3), .. , .
80
8: ( ) (
) ( )
,
.
customer-specific .
.
81
,
.
[Y08]. 10
. (background security printing)
, .
,
.
10: (polycarbonate):
4.1.2.3.3
UV ( 2 , 3 )
ECC [CEN 15480-1], /
,
. UV
ECC ECC
ECC (, , ).
82
11: UV
(Optical Variable
Feature, OVF) ECC [CEN 15480-1]. [CEN
15480-1] OVF ,
OVF ( 1).
,
/ .
, , colour-copied
, (Optically Variable Inks, OVI).
,
(intaglio printing) (screen printing).
12: ( )
83
(IR )
[Y08] .
.
, ICAO [ICAO 9303 P3V1]
.
metallic inks
metameric inks
infrared drop-out inks
thermochromic inks
photochromic inks
infrared fluorescent inks
phosphorescent inks
tagged inks
[ICAO SUPPL]
penetrating numbering ink
invisible ink which fluoresces in different colours when exposed to different wave
lengths.
(Multiple Laser Image, MLI) [Y08],
,
. , ,
84
.
, ,
, .. - (micro photo).
,
.
85
14:
(rainbow colouring).
, ,
(forensic) ( 3, 4).
IC , ,
,
.
need to know [ICAO 9303 P3V1].
, ,
.. .
.
4.1.2.3.4 ECC
ECC [CEN 15480-1] [CWA 14169].
,
.
86
4.1.2.4
, .
VISA MASTERCARD,
.
[Y08].
Common Criteria
FIPS. ,
EEPROM ( FLASH).
eID. ,
EEPROM 8 kilobyte 144 kilobyte.
.
.
[HT02].
4.2
4.2.1
,
.
,
.
87
,
. ,
,
.
[CEN 15480-1] , ,
,
ISO/IEC 7816.
4.2.2
.
.
, .
,
. ,
.
. 10
,
.
ECC ,
[CEN 15480-1] ISO/IEC 14443,
(proximity cards, PICC)
ID-1. ISO/IEC 14443 ,
(proximity coupling devices, PCDs),
,
. PICC
88
4.2.3
ICAO CEN
6:
[ICAO 9303 P3V2] IC
89
ICs
.
10 .
( ISO/IEC 14443) , ICAO,
IC
(electromagnetic screening)
.
,
,
.. (
, ).
(Automated Border Control System, ABC), ICAO
[ICAO GUIDL] .
1 1
(live) 3 .
, .
,
. ,
,
.
(card readers)
. 5 [DATACRD].
,
.
,
.
90
.
( 2
) ,
( UV IR ) [REG S7004].
CEN
9303 ICAO. , [CEN 15480-1]
ECC ISO/IEC 7816-3
7816-12, ECC ICAO
, ,
ISO/IEC 14443.
ECC
(dual interface). , ,
( )
.
( ).
( 4).
( ) ,
, . ,
[ 380/2008],
, -
.
.
, .
91
, 7,
.
4: [DATACRD]
(1 )
(2 )
N
N + 15-30%
N + 50-100%
N + 80-120%
7:
4.3
,
, :
1. ,
2. ,
92
3. ,
4. .
, ,
/
.
4.3.1
4.3.1.1
offset
offset
[Y08]. (plate) offset
,
(Computer to plate - CTP).
.
.
,
.
,
.
,
(foil)
.
15: offset
93
(waterless) offset
UV .
(single) , -
.
4.3.1.2
(Rainbow colouring)
16:
(background printing).
4.3.1.3
(intaglio printing)
[PRADO] offset.
,
, .
()
. ,
/
94
, .
,
(oblique light).
(latent images)12.
17:
4.3.1.4
(Screen printing)
[Y08]
.
.
,
.
: , ,
.
4.3.1.5
[Y08] . ,
, ,
.
12
, (oblique light).
95
, ,
.
// (biodata/photo/signature
integration).
18: - &
(thermal
sublimation dye) (retransfer printing)
.
offset , ,
.
4.3.1.6
4.1.2.3.2 ,
.
,
[CEN 15480-1].
4.3.1.7
(Form printing)
- (micro-printing) (
) [CEN 15480-1].
96
4.3.1.8
(Numbering)
[CEN 15480-1],
.
,
.
,
[ICAO 9303 P3V1]. ,
( /
), ,
.
19:
,
[CEN 15480-1], DOVID13
( ) (
..),
,
[ICAO SUPPL].
13
DOVID ,
, ,
: (hologram), (Kinegram), (Identigram).
DOVID .
97
4.3.2
20:
OVD layered ,
.
ID-1,
.
(diffractive) OVD
(metallised) DOVID,
.
4.3.3
. ,
( ), /
.
98
/ .
.
, ,
,
, [ICAO 9303 P3V1]. , :
(.. ),
(thermal transfer printing),
ink-jet ,
,
,
(
, /broken face type),
, , , /
.
14
toner VISA
.
99
,
,
.
,
,
.
,
[ICAO 9303 P3V1]
[ICAO SUPPL], ,
,
[Y08], .
4.3.3.1
,
(donor ribbon)
.
pixels.
21 - (thermo transfer printing).
21: -
100
/ .
.
:
300 dpi
/ /
PVC
-:
(polycarbonate)
/ (chip module)
/ UV
(blank)
101
:
( 22)
: , ,
/, , ,
..
/ .
,
.
22:
-
:
- (..
)
. , ECC.
102
4.3.3.2
- -
. ,
, , (300-400 )
( ) .
,
/ UV . ,
. ,
.
-:
( )
103
, -.
.
4.3.3.3
- . ,
(mirror-inverted), -,
. - .
30 .
.
-:
( )
(polycarbonate)
( ,
(CMYK) )
:
- .
(polycarbonate),
.
104
4.3.3.4
(laser engraving)
,
. ,
. ,
(PVC,
PC). 23 .
23:
.
.
:
UV
105
( )
:
.
,
.
4.3.4
,
[ICAO GUID].
( )
, MRZ
MRZ
,
.
() ,
(stitching),
. , /
.
(finished) ,
.
106
, ,
[ICAO 9303 P3V1].
4.4
, /
. ,
[ICAO 9303 P3V1],
()
[ICAO GUID].
.
, ,
.
[ICAO 9303 P3V1]
[ICAO SUPPL] :
,
/, .
, (,
, ) .
/
.
,
(.. ).
( ).
107
,
INTREPOL.
.
.
/ CCTV ( ).
.
:
,
/ .
, ,
.
, , .
, ,
108
,
, .
( , ..).
/
.
.
.
, .
, [ICAO GUID]
,
,
.
4.5
4.5.1
/bytes ,
[P+99]:
, /
109
, Unix, DOS
Windows,
. 3 24 kbytes.
,
-.
,
. , ISO 7816-4 EN 726-3
profiles, .
, profile ISO 7816-4
5.
Data
Structures
Commands
Transparent
Linear fixed
Linear variable
Cyclic
Read binary, update binary, no implicit selection and
maximum length up to 256 bytes
Read record, update record, without automatic selection
Append record
Select file
Verify
Internal authenticate
External authenticate
Get challenge
5:
110
STARCOS [RE03],
Giesecke & Devrient. ,
1990, ,
/ .
, COS (card operating system)
.
, STARCOS MPCOS.
..
GemXplore, GPK, MPCOS
Gemplus
AuthentIC, SIMphonic
Micardo
Oberthur
Orga
Schlumberger
Siemens
TCOS
Telesec
6: 15
, , ,
. ,
:
1. Multos
Multos
.
MEL (Multos Executable Language).
C Java, MEL. Multos
API Application Abstract
15
: [RE03]
111
Machine (AAM). ,
Multos
. AAM
. ,
MEL,
.
1: Multos
[GK06] MULTOS ( (6)
IT-SEC evaluation criteria)
.
-
.
2. Java Card
H Java Card
Java. , Java
. , Java Card
112
.
.
Java Card.
3. Windows for Smart Cards
Windows for Smart Cards
Microsoft
1998.
DOS FAT,
, , /,
API.
4.5.2
.
Infineon, ST microelectronics, Atmel
113
Gemalto
http://www.gemalto.com/
Gemalto ,
, tokens
. 2006 Axalto Gemplus
International.
, Gemalto,
SIM ,
, , USB tokens. 2008,
1,4 .
400 , 300
30 ,
, .
Gemalto
, , , , , , ,
, , .. .
Gemalto 10.000 , 77
, 18 , 30 , 11 R&D
40 2009 1.65 .
4.5.2.2
http://www.gi-de.com/en/index.jsp
1852 Hermann Giesecke Alphonse Devrient.
,
(banknotes) .
114
, G&D
(banknotes), ,
.
(banknotes), 8.000 , 50
$2,45 .
G&D euro (euro notes)
(banknotes) .
, (banknotes), ,
/ (bonds), ,
.
4.5.2.3
Toppan Printing
http://www.toppan.co.jp/english/
Toppan Printing
2008 $16,3 .
1997, Toppan Printing
- .
,
(stamping) ,
12 . 100
.
2006 Toppan
Printing ..
( ) ..
115
Evolis
http://www.evolis.com/
Evolis .
,
.
, ( )
.
140 ,
100 . 2009
32,7 .
4.5.2.5
http://www.morpho-edocs.com/
25 ,
. 1984,
, , , .
16
: http://www.toppan.co.jp/english/news/newsrelease458.html
116
Morpho 1984.
,
, , , tokens, ,
inlays modules, .
2.500 ,
, , , .
Morpho
, .
, , .
4.5.2.6
http://www.oberthur.com/
Oberthur Technologies ,
, , , .
Oberthur Printing 1842 , Franois-Charles
Oberthr, 1984, Jean-Pierre Savare
Oberthur Technologies.
905 2009, Oberthur Technologies
.
Oberthur Technologies :
.
, , TV.
.
(banknotes),
.
117
.
, ,
- -
.
.
ATM.
4.5.2.7
CardLogix
http://www.cardlogix.com/
1998, CardLogix 36
. ,
,
CardLogix .
4.5.2.8
Datacard Group
http://www.datacard.com/index.jhtml
40 , Datacard
, .
,
, .
Datacard ,
.
,
.
40- ,
Datacard
. ,
10
118
, 90
.
4.5.3
119
7:
120
5: IC
5.1
5.1.1
& LDS
121
MRZ ,
(<) .
24:
[ICAO 9303 P3V1] MRZ,
8.
( ).
VIZ: DARTAGNAN
MRZ: DARTAGNAN
VIZ: MARIE-ELISE
MRZ: MARIE<ELISE
MRZ (check
digits)
. modulus 10
MRZ 731 731
.
122
8: MRZ
[CEN 15480-1] (Annex C), ECC ID-1
ICAO
[ICAO 9303 P3V1] (Visual
Inspection Zone, VIZ). .
[REG S7004]
123
5.1.2
eMRTDs
eMRTD (
). [ICAO 9303 P3V2]
.
,
. 9 eMRTD
.
9
. ,
MRZ.
MRZ . MRZ
( CRL
) (watch list).
.
IC
( ).
.
.
124
9: eMRTDs
[ICAO 9303 P3V2]
125
5.1.3
&
(biometric identification)
[ICAO 9303 P3V2].
. 3.1
.
(biometric templates),
. -
( )
.
.
ICAO
( )
.
:
(veify) --
MRTD
.
( ) .
(identify) --
MRTD
.
.
126
.
,
MRTD,
MRTD.
Match On Card. templates
.
tamper-proof .
,
.
, templates -
[ID-CRED0210].
,
ICAO , 300 dpi
640 KB (24 bits/pixel)
90 .
ICAO 32
. JPEG17 / JPEG2000
.
15 KB 20 .
17
127
WSQ18 10
. 30 .
(cropping)
, 25,
. ICAO
token image.
token ISO/IEC 19794-5.
90
.
25: (ICAO)
5.1.4
& LDS
18
128
. .
.
DG1 DG16 . ICAO
MRTD IC
visas
MRTD personalization .
ICAO doc 9303.
[ICAO 9303 P3V2]
(Logical Data Structure,
LDS). LDS
(
). LDS
, .
.
(random ordering scheme)
.
MRTD
MRTD LDS.
.
(3.2).
ICAO
LDS MRZ (DG1) (DG2).
129
LDS
LDS MRTDs,
,
,
.
5.1.5
LDS
(data elements)
(data groups, DGs)
:
1. /
MRTD 10.
.
2.
( LDS) 11.
. [ICAO 9303
P3V2] .
:
1. DG1
MRZ,
2. DG2
,
3. EF.COM (common elementary file) LDS
(tags) DGs ,
130
131
10:
LDS
132
11: 3
( LDS )
DG2, DG3 DG4
( , ).
DG2 . DG2 3 :
: DG2
01
02
03
8: DG2
01 1 Byte.
1. 02
. 03
99999 Bytes.
02 03
01.
133
|
ASN.119.
[ICAO 9303 P3V2], DG2-DG4
(nested) ISO/IEC
7816-11 ( C.10).
biometric templates Common Biometric
Exchange Formats Framework (CBEFF)20 NIST NISTR 6529a:
2004 ISO/IEC 19785 (2006-2010).
9.
8
Tag 02
Tag 7F60
. ICAO 1 9
, .
Tag 03
. Tag 82
(Biometric subtype)
( ) (
). Biometric subtypes ISO/IEC 19785 10.
19
20
134
9:
(biometric data), ,
ISO/IEC 7816-11 (Annex D)
:
135
MAC
2
.
5.1.6
LDS
IC MRTD
.
:
. LDS
MRTD,
.
(
) .
136
MRTD (Active Authentication)
.
MRTD.
.
5.1.7
&
137
(secure messaging)
DF1
DF A0 00 00 02 47 10 01
. (DG)
EF.DGn, n (
12).
:
ASN.1 (tag),
(short EF identifier) .
EFs
11.
139
140
11:
(DG)
(Tag) . Tags
1 [ICAO 9303 P3V2]
tags (inter-industry)
ISO/IEC 7816-6.
DF1 EF.COM (common elementary file)
1. 13
:
141
(AID).
HEADER
13: EF.COM
DGPM, (DG),
, Data Element Presence Map
DG.
142
5.1.8
ISO/IEC 7816-4. ICAO
SELECT READ BINARY
0
AUTHENTICATE,
INTERNAL
GET
AUTHENTICATE,
CHALLENGE,
MSE,
CDS
EXTERNAL
VERIFY
CERTIFICATE.
-.
4 .
Application Protocol Data Units (APDUs).
ISO/IEC 7816-4 APDUs, 4 Bytes
( 12).
CLA INS P1 P2
12: APDU
143
Le Bytes
. Le
APDU Bytes
.
class (CLA)
(Secure Messaging)
.
instruction (INS) ,
SELECT FILE 4 READ BINARY 0.
P1 P2
. P1
MF, DF, EF . P2
, , , .
,
.
2-Bytes trailer
bytes SW1-SW2. 9000
.
[Data field]
SW1 SW2
13: APDU
, SELECT
: )
(short EFID) ) DF. ICAO
MRTD
.
144
.
(reset)
MF historical bytes.
READ BINARY
EF, EF (
). EF
READ BINARY EF
. EF.
.
.
(offset) Byte
. offset .
GET CHALLENGE
).
INTERNAL AUTHENTICATE
. ( )
GET CHALLENGE .
MF,
. DF
DF
. INTERNAL AUTHENTICATE ,
. 14.
145
APDU
.
. ISO/IEC 7816-4
.
.
14: INTERNAL
AUTHENTICATE [RWEW03]
EXTERNAL AUTHENTICATE
.
.
15.
.
EXTERNAL
AUTHENTICATE .
.
.
(state machine)
146
.
.
tamper proof smart
card
.
15: EXTERNAL
AUTHENTICATE [RWEW03]
MANAGE SECURITY ENVIRONMENT (MSE)
ISO/IEC 7816-8.
.
, , ,
checksum, hash .
MSE
[RWEW03].
147
,
VERIFY CERTIFICATE
.
( CA
).
.
,
. VERIFY CERTIFICATE ,
.
(VERIFY DIGITAL SIGNATURE).
5.1.9
ICAO
MRTD
IC (ISO/IEC 14443) :
.
(Proximity Coupling Devices, PCDs) .
ISO/IEC 7816-4
.
ISO/IEC 7816 4-5.
5.1.9.1
UID
eMRTD , IC eMRTD
(UID ). ISO/IEC 14443
148
: ) MRTD
)
. ICs
.
.
.
-
(traceability) .
ICAO
UIDs [ICAO SUPPL].
.
6:
IC .
RFID- [JMW05].
(covert
channel).
r MRTD :
UID =
(r | __MRTD)
r
(
) MRTD.
(reverse engineering) [HHJ06].
149
5.1.9.2
(modulation) ,
.
PICC PCD
IDLE. PICC
REQA ( REQB) WUPA ( WUPB)
PICCs .
PICCs IDLE ,
ATQA ( ATQB ).
PICC READY
16.
150
16: PICC
A [Y08]
PICCs PCD .
PCD PICC
.
PICCs .
PICC PCD
. SELECT (NVB)
(pattern) .
PICCs
bits . bit
, ( )
PICCs
PICC ACTIVE.
151
152
, ,
.
. Answer To
Reset reset ,
.
(unexpected)
(unspecified) .
.
153
.
,
, [HHJ06].
154
6:
IC
.
,
.
ICAO, CEN
BSI
(PKI),
, .
.
,
( , ,
)
.
.
6.1
.
, , (
), ( spam ).
. :
1. :
.
155
UID
, .
2. :
.
.
. .
3. Man-in-the-middle : ,
/middleware
.
4. :
.
.
.
5.
:
.
.
6. :
6.2.3
.
.
7. :
( PIN
156
)
.
8. :
.
tamper proof ,
, (probing)
,
.
[KOKU99].
9. Side-Channel-Attacks:
, ,
. (Differential Power Analysis)
.
Simple Power Analysis.
,
- .
10. :
.
11. Skimming :
.
157
.
25
[JMW05].
.
.
12. :
. skimming.
(
smart cards )
.
,
(semantics)
,
, ,
.
13. :
, , supermarket,
, .
14. :
.
158
,
,
.
.
(5.1.9) .
,
( , 6.3.1.1, 6.3.2.1, 6.4.1.2 6.5.6.1).
eID ( 10:
eID )
. :
, ,
, ( ),
, (matchon-card), ()
, ICAO BSI
. [08].
10.1
.
6.2
6.2.1
PKI
(PKI) .
PKI
159
, ,
, VPN ,
/ . PKI
, , ,
, .
,
, .
PKI
Root-CA. PKI
(cross-certification)
.
6.2.3 ICAO PKI
.
6.2.2
&
[150/2001] [1999/93/]
.
, ,
, . , , :
160
,
.
()
.
[1999/93/]
.
:
,
,
161
, , ..
,
.
,
, .
. . 248/71
( 603/'/16-5-2002)
.
,
/ .
()
syzefxis.gov.gr
[YA2512/2006].
.....
.
()
.
.
( 99/93/) :
162
,
.
o , ,
.
.
o
.
,
.
,
150/2001. CC EAL4+.
[/60/10/217] PKI
, :
1. (),
() , 20 . 3448/2006
( 57/715-3-2006), 25 . 3536/2007
( 42/723-2-2007), ()
& ......
,
,
( 20 . 3448/2006).
163
2. () ,
......
,
.
3. () .....,
- ...
,
(). ,
, ,
,
.
4. (), (),
.
(.. )
,
.
31/12/2005 SYZEFXIS
Adacom SA. Adacom CA VeriSign
CA 2
.
ERMIS online 31/3/2009
. ERMIS
164
.
/
(Trusted Service Provider List, TSL)21
/
(CSP) /
[1999/93/].
()
, ,
. ,
. :
1. ,
(http://pki.syzefxis.gov.gr)
2. Adacom Qualified Certificate Services CA -
(http://www.adacom.com/repository)
3. ASYK
Qualified
Certificates
CA
AE
(http://www.ase.gr/repository)
6.2.3
.
21
/ TSL,
https://www.eett.gr/tsl/EL-TSL.pdf
165
. ,
.
.
.
online
;
;
.
. [SSG10]
. 18
(Identity Providers, IdPs) (Service Providers,
SPs) .
(token
mapping)
.
proxy
.
X.509 .
166
18:
[SSG10]
.
.
. [SSG10]
(IdPs)
(SPs) X.509 SAML22
22
167
(attribute assertions). 19
( ).
X.509 Proxy .
CA
.
Proxy
. SAML
,
, ,
.
19: [SSG10]
eID
.
CAs
.
,
168
,
CA .
6.2.3.1
.
. Modinis eIDM Study23
.
TLS-Federation24
.
.
GUIDE (Creating a European Identity Management Architecture for
eGovernment)25,
,
-
.
.
.
GUIDE
.
23
ModinisIDM, https://www.cosic.esat.kuleuven.be/modinis-idm/twiki/bin/view.cgi/Main/WebHome
24
Bruegger, B.P., Hhnlein, D., Schwenk, J.: TLS-Federation - a Secure and Relying-Party-Friendly Approach for Federated
Identity Management, http://porvoo14.dvla.gov.uk/documents/tls_federation_final.pdf
25
169
STORK
(Secure idenTity acrOss boRders linKed)26.
(eIDs) .
eID
, eID .
2011.
[IDABC] 2009
.
CAs
European IDABC Bridge/Gateway CA (EBGCA)
.
/ (Trusted Service Provider
List, TSL) CAs ( 6.2.2).
ISA (Interoperability Solutions for European Public
Administrations) 2010 2015.
PEPPOL27 eSignature
,
.
Symantec VeriSign28
VeriSign Managed Public Key Infrastructure
PEPPOL
26
27
28Symantec's
170
6.2.4
.
CAs. CA
CAs
.
Root CA
. - (cross-certify)
.
(CRLs)
: ) CRL , ,
, )
CA CRL
.
PKI.
29
SPOCS, http://www.eu-spocs.eu/
171
,
MRTDs, ICAO
MRTDs .
:
1. MRTDs ,
2.
MRTD,
3. MRTD
.
ICAO , CRL
MRTD .
online
eGovernment , .
PKI MRTDs ICAO
MRTD .
PKI.
5.1.2 MRTD
IC ,
IC
.
[ICAO 9303 P3V2] PKI :
172
(Document Signer, DS). CDS
CSCA IS SOD
IC . CDS
KPuDS SOD
MRTD. KPrDS
SOD .
20.
ICAO PKD
Country A
Country A
CDS A
CSCA
CDS B
DS A
DS B
CDS C
DS C
Country B
CDS A
...
...
...
CDS B
CDS C
ICAO
(CDS) CDS ,
CCSCA
online (Public Key Directory, PKD), 20.
ICAO PKD
MRTD. validator
CCSCA ,
PKD. PKD
CDS
MRTDs
. PKD CRL
.
PKD 48 .
CRLs CSCA DS,
Document Security Objects Active Authentication
.
MRTD Document Security Object
(SOD) LDS (EF.SOD)
LDS (hashed)
RFC3369 Cryptographic Message Syntax, CMS. [ICAO SUPPL] (R8p1_v2_sIV_0062) SOD ICC
CDS
.
online Public Key
Directory ICAO ( 20).
MRTD SOD.
174
6.2.4.1
.
(Data Room)
,
,
( 6.2.2
[1999/93/] ).
CSCA (KPuCSCA, KPrCSCA)
(off-line). CCSCA
( ICAO PKD)
(out-of-band).
MRTD
ICAO PKD
(IS).
CCSCA IS .
6.2.5
[EN 14890-1]
.
Terminal Certificate.
(Terminal) . MRTD
MRTD.
(Document
Signers)
(Document Verifiers) MRTDs.
Country Signing CA, CSCA Country Verifying CA, CVCA.
, Country CA.
6.2.6
MRTD
178
22: [BSITR-03110]
.
.
CVCA Link Certificates ( 22)
, MRTD
-.
CVCA
(
) PKI
179
.
CVCA 5 .
(Terminal)
.
IS .
Terminal 10 .
14: ICAO
Country
Signing CA
.50930
3 5
Document
Signer
: CCSCA
IS
:
.509
: CDS
IS
SOD IC
:
IC MRTD
Active
Authentication
: DG15 LDS
:
30
:
MRTD (10 )
:
MRTDs 3
(10 )
RFC 3280, R. Housley, W. Polk, W. Ford, D. Solo, Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile, RFC 3280, April 2002
180
6.3
ICAO
6.3.1
Passive Authentication ()
MRTD
.
IC MRTD.
SOD
LDS (EF.SOD)
LDS (hashed).
IS :
1. MRTD, SOD IC.
CDS.
2. (DS) SOD.
3. IS SOD
(KPuDS). CDS
IS ICAO PKD
ICAO IC
MRTD. SOD ,
SOD . IS
CDS
KPuCSCA.
4. IS Data Groups LDS.
5. IS Data Groups
hash SOD Data
Group .
MRTD.
181
Passive Authentication
ICAO CEN.
IV-1 [ICAO 9303 P3V2], D.2 [CEN 15480-2]
.
6.3.1.1
Passive Authentication
Passive Authentication
SOD LDS
IC
IC.
IC .
. DG1 IC
MRZ
.
hash .
hash
hash
(Birthday paradox). ,
(Document Signer) .
(Document Signer)
.
bits
. MRTD
.
MRTD
IC ( ).
182
IC
.
hash
hash . 2004 NIST31
SHA-1 2010
SHA-2.
6.3.2
http://csrc.nist.gov/groups/ST/toolkit/documents/shs/hash_standards_comments.pdf
183
SOD. IS
DG15 Active Authentication.
AA APDU INTERNAL AUTHENTICATE (
5.1.8) ICC.
ISO/IEC 9796-232.
IS
IC :
1. MRZ MRTD (
BAC)
DG1. DG1
Passive Authentication MRZ
.
2. Passive Authentication
DG15 KPuAA.
3. MRZ
-.
a. IS nonce 8 Bytes RND.IFD
MRTD
INTERNAL
AUTHENTICATE ( 5.1.8).
b. IC :
32
ICAO ISO/IEC 9796-2:2002 Information Technology - Security Techniques - Digital Signature Schemes
giving message recovery - Part 2 Integer factorisation based mechanisms
2010. ISO
.
. ISO ,
.
184
i. M2 = RND.IFD
nonce M1.
ii. ( SHA1)
=SHA1(M), = 1|2. O
.
iii.
F=6A|M1|H|T.
iv. F
KPrAA. APDU
INTERNAL AUTHENTICATE IS.
c. To IS
KPuAA DG15 LDS.
d. .
M1 IC M2,
M H* H
.
4.
IC
.
Active
Authentication ISO/IEC 9796-2. ICAO
RSA Active Authentication
ECDSA. DG15 LDS.
RSA hash
ISO/IEC 9796-2.
185
ECDSA
hash
DG14 LDS
[ICAO SUPPL]. hash ECDSA
ECDSA hash .
6.3.2.1
AA
Active Authentication
cloning IC Grandmaster Chess Attack.
MRTD IC
(proxy) IC
. proxy IC ,
,
IC.
, IC
. IS
, .
IS
: E[SKIS](IDICC|||)
. IS
IS. MRTD
.
,
.
MRTD
186
.
AA
. MRTD
AA Basic Access Control. BAC
MRTD .
6.4
ICAO
IC MRTD
.
(skimming)
.
10 . .
(eavesdropped) .
6.4.1
MRZ_information =
MRTD
MRTD
MRTD
MRTD
ISO/IEC 11770-2:2008 Information technology Security techniques - Key management Part 2: Mechanisms using symmetric techniques 13
. 6 point-to-point
. ISO 1996.
188
block
A I: ICAO DES.
IFD ICC :
a. IFD GET CHALLENGE ICC
nonce RND.ICC 8 Bytes.
b. IFD :
189
i.
ii.
iii.
KENC
E_IFD = E[KENC](S).
iv.
KMAC M_IFD = MAC[KMAC](E_IFD).
v.
MUTUAL AUTHENTICATE
E_IFD || M_IFD.
c. ICC :
i.
M_IFD E_IFD.
ii.
E_IFD.
iii.
RND.ICC S IFD
.
iv.
IFD.
K.ICC 16 Bytes
.
v.
vi.
E_ICC = E[KENC](R).
190
KENC
vii.
KMAC M_ICC = MAC[KMAC](E_ICC).
viii.
E_ICC || M_ICC.
d. IFD :
i.
M_ICC E_ICC.
ii.
E_ICC.
iii.
RND.IFD S ICC
.
6.4.1.1
BAC
Secure Messaging ,
( )
IFD ICC.
BAC
K.IFD K.ICC 16 Bytes
. ICC IFD :
1. Kseed= K.IFD xor K.ICC.
2. M 23
, KSENC KSMAC.
3. APDUs
APDUs. :
a. APDU (
) 3DES CBC Mode ( 54)
191
b. APDU
, Le / Lc MAC
( 55).
APDU
24 25 .
APDU Le
87 97 .
APDU
(padded)
block . padding
MAC ISO 7816-4.
( ).
block
blocks DES CBC .
MAC
. MAC ( 55)
(send sequence counter) APDUs .
192
193
BAC
BAC MRZ .
MRTD
MRZ
ID .
194
[KMHG07].
ePassport eID.
MRZ
.
BAC
(KENC KMAC)
ICC IFD. 15
.
73 bits :
( )
MRTD
o
o
,
,
195
MRTD
50 bits (
) 40 bits (
) [BKJ09].
Brute-Force
.
BAC
MRZ
( ) .
.
.
MRZ.
Moore
18 BAC
5 . 2006 BAC
2 [KMHG07]
MRZ 20 COPACOBANA34 $10.000.
34
196
BAC
MRTD .
skimming
offline . (6.5.4) ICAO
PACE .
6.4.2
ICAO ()
BAC
. MRTD
( ICAO)
, .
MRTD
BAC , MRZ
MRZ
6.4.1
. ICAO
:
ICAO
.
, .
IS
.
[ICAO 9303 P3V2].
ICAO 16
.
198
6.5
BSI
ICAO Passive
Authentication ICAO
199
MRTD.
BSI [BSI-TR-03110].
ICAO, MRTDs.
6.5.1
Terminal
Authentication (TA)
, . ,
( )
.
Chip Authentication
(CA) Diffie-Hellman
.
(Secure Messaging).
200
26. -
BSI PACE ( BAC)
.
SSL/TLS
EAC. TA CA EAC
.
AKE .
: ) forward secrecy (. long-term
long-term ) )
long-term (key
compromise impersonation resilience). o EAC
( , MAC , ).
EAC :
6.5.2
IC MRTD. :
Inspection systems, Authentication terminals Signature terminals.
ePassport ( ICAO), o BSI
27.
Standard Inspection Procedure
ICAO Basic Access Control
PACE . MRTD
BAC PACE
PACE .
:
(Authentication terminal)
.
. MRTD
General Authentication
Procedure .
203
eID Authentication
terminal.
IS .
(Signature terminal)
.
. MRTD
General Authentication Procedure
eSign
eSign
/ Signature terminal.
eSign
Authentication terminal
.
-
Certificate Holder Authorization Template. To MRTD
terminal
(referenced) :
Document Verifier Certificate CVCA Certificate.
( Boolean AND)
. Effective
Authorization.
204
27: IS
ePassport [BSI-TR-03110]
6.5.3
Secure Messaging
Secure Messaging
MRTD .
MAC . Secure Messaging
Basic Access Control ( 6.4.1.1). Secure Messaging
BSI PACE Chip
205
6.5.4
206
MRZ MRZ .
non-blocking
PIN
blocking. PIN
PIN. PIN
CAN PIN.
PIN MRTD
PIN
PUK.
PACE (
)
Diffie-Hellman. .
35
207
.
28.
Diffie-Hellman .
KENC
KMAC Secure Messaging.
(TPCD TPICC) .
Secure Messaging
.
PACE
Diffie-Hellman : )
)
( 6.6, 19).
6.5.5
Active Authentication
( )
MRTD
.
CA Diffie-Hellman
.
MRTD .
Secure Messaging.
209
210
6.5.6
(IDPICC). BAC
MRTD MRZ
PACE PACE MRTD .
PACE.
, 2 Terminal Authentication
Chip Authentication .
TA
CA
. 2 .
6.5.6.1
TA
6.2.5
.
.
.
MRTDs
.
.
[HHJ06].
6.5.2 BSI,
(Inspection system, IS).
.
213
IS DV
. PKI
DV
.
/.
PKI
.
[HHJ06] on-line
GPRS
. , (back office)
( ),
.
.
on-line Terminal Authentication .
back office
o personalization.
. back office
.
6.5.7
Document
Verifier PKI BSI o 21.
(Terminal Sector) Terminal
Certificate . Document Verifier.
Terminal Sector (PKSector).
,
(tracing)
MRTDs.
MRTDs .
.
RI MRTD (
31.
hash (SKID)
( /(pre)-personalization)
(PKSector). SKID
MRTD.
215
6.6
ICAO
Country Signing CA,
Document Signing Active Authentication.
MRTDs
.
O 17 [ICAO 9303 P3V2]
.
( 14, . 180) MRTD.
[ICAO SUPPL]
RSA 1280 bits.
ICAO ( 17)
. (
),
18.
17: ICAO
- -
Country
Signing CA,
Document
Signer,
36
RSA
SOD:
RFC 344736
CSCA
modulus n 3072 bits
DS
modulus n 2048 bits
RFC 3447, J. Jonsson, B. Kaliski, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications
Version 2.1, February 2003.
RSA . RSASSA-PKCS1v1.5 RSASSA-PSS. ICAO IS .
216
Document
Security
Object
, :
FIPS 186-337
Elliptic curve DSA (ECDSA)
,
:
ANS X9.6238
ISO/IEC 15946
CSCA modulus
p q 3072 256 bits
DS modulus p
q 2048 224 bits
CSCA
256 bits
Active
Authentication
DS
224 bits
RSA modulus n
:
1280 bits
ISO 9796-239
DSA modulus p
q 1024 160 bits
Hashing
ECDSA
160 bits
SHA-1,
SHA-224, ( A II: SECURE HASH
SHA-256,
SHA-384, STANDARD)
SHA-512
FIPS 180-3
18: ICAO
Country Signing CA
128 bits
Document Signer
112 bits
Active Authentication
80 bits
37
FIPS 186-3, Federal Information Processing Standards Publication, Digital Signature Standard, June 2009. ICAO
FIPS 186-2 186-3.
38
ANSI X9.62, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Standard
(ECDSA), 2005.
ECDSA DSA .
domain .
39
ICAO ISO/IEC 9796-2:2002 Information Technology - Security Techniques - Digital Signature Schemes
giving message recovery - Part 2 Integer factorisation based mechanisms
2010. ISO
.
. ISO ,
.
217
19: BSI
/
Diffie-Hellman
PKCS#340
ECKA41
SHA-1
X-
RFC 263142
ECC
2 :
MAC
PACE
AES 128/192/256
bits
FIPS PUB 197
Secure Messaging
3DES
CBC mode
ISO 10116
AES
CBC mode
ISO 10116
3DES
retail mode
ISO/IEC 9797-1 (
55)
AES
CMAC mode43
40
Public-Key Cryptography Standards (PKCS) #3: Diffie-Hellman Key-Agreement Standard, RSA Labaratories Technical
Note, 1993. Diffie-Hellman
.
41
BSI, Elliptic Curve Cryptography (ECC) Version 1.11, TR-03111, 2009. Elliptic Curve Key
Agreement Algorithm (ECKA) ANSI X9.63. Public Key Cryptography for the Financial Services
Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography, 2001.
ECC Brainpool domain ECC Brainpool, ECC
Brainpool Standard Curves and Curve Generation, Version 1.0, 2005 Lochter M., Merkle J., Elliptic Curve
Cryptography (ECC) Brainpool Standard Curves and Curve Generation, RFC 5639, 2010.
42
Rescorla E., Diffie-Hellman Key Agreement Method, RFC 2631, 1999. Diffie-Hellman
.
[2, p-1] small
subgroup attack.
43
NIST, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication, Special Publication
800-38B, 2005.
218
BSI [BSI-TR-03110]
19.
Diffie-Hellman o BSI RFC 511444
(1024-bit modp group 160-bit prime order subgroup) (2048-bit modp group
224-bit/256-bit prime order subgroup).
BSI domain
p 192 521 bits.
ECDLP DLP
. ECDLP
DLP - .
bits
.
20:
44
RSA/DH/DSA
160
1024
80
224
2048
112
256
3072
128
384
7680
192
512
15360
256
Lepinski M., Kent S., Additional Diffie-Hellman Groups for Use with IETF Standards, RFC 5114, 2008.
219
6.7
CEN 15480
6.7.1
CEN 15480
(European Citizen Card, ECC).
[CEN 15480-1] [CEN
15480-2] [CEN 15480-3] [CEN 15480-4]
.
.
Eurosmart45 CEN
( )
. CEN 15480
.
, ,
.
. PIN .
,
. -
. online
( eGovernment, eBusiness, eVoting, eDemocracy,
eBanking, ). ECC eID .
To CEN/TS 15480 Identification card systems European Citizen Card
:
45
220
M 1 ECC,
,
ISO7810,
ISO7816, ISO14443 ICAO eMRTD ID-1.
2 , ECC
.
. ,
ECC .
.
ICAO BSI .
, (IAS services)
RSA.
.
. IAS
[EN 14890-1] [EN 14890-2]. ECC
( ID )
ECC 4.
3 CEN/TS 15480
H/Y
ECC .
middleware ECC online .
middleware ISO/IEC 24727
. middleware EEC
221
, / ECC
.
4
, .
,
,
CEN/TS 15480-4.
1 2 . 1
ID .
(OID)
, ..
/ .
middleware (
Global Profile) [EUROSM-ECC].
0 General Framework of the ECC
Standard - ECC
ISOs.
46.
6.7.2
46
Lorenzo Gaston,GEMALTO, Presentation EUROPEAN CITIZEN CARD e-ID Interoperability, 14th Porvoo Group 24
Oct 2008, http://fineid.fi/default.aspx?docid=3199&action=publish
222
6.7.3
6.7.3.1
CEN 15480
) eID
.
ISO/IEC 14443
:
eID:
. (
)
.
223
ICAO:
, MRTD
ICAO, e-passport.
Passive Authentication, BAC, EAC Chip &
Terminal Authentication Secure Messaging.
SIG: EN
14890
personalization .
6.7.3.2
d) eID (IAS)
To ) eID,
ECC
IAS
.
33.
( ) ( ).
EAC ( backwards compatibility). H eTravel .
e-Services
. e-Services
( ).
224
33: IAS-ECC, () ()
IAS-ECC
ECC.
:
PKI , ePassport [EUROSMECC].
6.7.4
[CEN 15480-2],
, ISO/IEC 7816-4.
(5.1.7) LDS ICAO.
MF (Master File, ), DF (Dedicated Files) EF (Elementary
225
6.7.5
[CEN 15480-2]
.
14890-1. CEN,
:
ICC
ICC,
2 ,
(
,
Secure Messaging).
226
() Secure Messaging .
ECC [CEN 15480-2]
.
6.7.5.1
()
KK
, IFD ICC.
-
SN.ICC . SN.ICC
IFD.
22.
2 .
(freshness) ( man-in-the-middle
).
22: , [EN 14890-1]
227
6.7.5.2
ECC
:
228
.
ECC o
Secure Messaging
.
( ).
Secure Messaging 14890
ICAO ( 6.4.1.1).
229
7:
7.1
.
.
,
, .
(SA) (VA).
:
O SA VA ,
.
m M s S ,
VA(m, s) = true,
.
. .
(data integrity). , ,
,
' .
(Hash functions).
230
.
(message digest) .
. , ,
47 .
, H(x)=y,
y, x H(x)=y.
, x z H(x)=H(z).
:
x , y .
(x) .
/
, .
MD5, SHA/SHA-1.
31,
.
47
231
34:
7.2
,
, ,
,
. ,
.
,
, ,
.
232
(plaintext),
(Cipher text).
H
.
.
,
.
.
, .
7.2.1
.
, , ,
, .
, .
(IDEA, CAST5, BLOWFISH,
RC4), Data Encryption Standard (DES) 3DES,
IBM 1977
. , ,
,
AES.
.
233
26:
.
1. ,
.
2. ,
.
.
3. ,
, .
4.
5.
, ,
.
7.2.2
,
234
,
- (public) (private) , .
:
1976
Diffie Hellman [DF76], 1978 Rivest, Shamir Adleman,
, RSA,
.
,
( ).
. .
,
.
.
, .
235
27:
.
1. ,
( ). ,
.
2. ,
, .
3. .
4.
, ,
, ,
.
. , ,
, ,
236
.
, ,
. , ,
(Public Key Infrastructure - PKI). ,
.
PKI ,
. PKI
, (servers) . ,
, .
7.3
,
.
. ,
( :
)
(non-repudiation). ,
,
, i) ,
ii) iii)
( / ).
[1999/31/],
, ,
.
237
7.3.1
[1999/93/
,
.
,
,
.
,
(.. ),
(.. ,
).
.
/,
.
7.3.2
[150/2001].
,
. ,
.
,
.
,
,
,
238
, . ,
[150/2001],
. ,
()
.
,
.
A) :
X.509 .
) E :
. ,
. ,
,
(Certification Service Provider-CSP)
() .
)
:
(Signature Creation Device-SCDev)
(signature-creation data-SCD).
, , ,
/
. ,
, (Secure Signature-Creation DeviceSSCD), [1999/93/]
,
SCD ,
239
, SSCD.
,
:
i.
SCDev ,
,
.
ii.
SCDev , ,
, ,
(signature-creation applicationSCA) / .
iii.
iv.
H (key escrow) ,
SCD.
) ,
:
:
i.
.
.
ii.
.
,
. ,
(brute force) .
240
7.3.3
[1999/31/],
[150/2001],
.
3.1 [150/2001]
, .
, 2.2
,
,
:
i.
(Qualified Certificate-QC),
,
II.
ii.
,
. (
8),
,
.
iii.
iv.
,
.
7.3.4
[1999/31/],
.
5.1
241
,
. ,
.
5.1 :
i.
, ,
(, )
.
.
ii.
)
, )
, )
( ),
,
.
,
2.2 (
)
( 2.1),
( 5.2). 5.2
, , ,
.
242
7.4
,
:
7.4.1
(SCD).
(SVD) ,
,
. 20,
21
[ETSI TS
102 176-1], [ETSI SR 002 176].
RSA
=1020
DSA
01.01.2001
p=1020
q=160
243
01.01.2001
[RFC-3447]
[FIPS 186-3],
[ISO 14888-3]
ECDSA-Fp
q=160
r0=104
=200
01.01.2001
[ANSI X9.62]
ECDSA-F2m
q=160
r0=104
=200
01.01.2001
[ANSI X9.62]
ECGDSA-Fp
q=160
r0=104
=200
25.06.2001
[ISO 15946-2]
ECGDSA-F2m
q=160
r0=104
=200
25.06.2001
[ISO 15946-2]
23:
[ETSI TS 102 176-1]
244
RSA
128
128
DSA
128
128
ECDSA-Fp
128
128
ECDSA-F2m
128
128
ECGDSA-Fp
128
128
ECGDSAF2m
128
128
24:
[ETSI TS 102 176-1]
245
7.4.1.1
RSA
RSA,
Rivest, Shamir Adleman, 1978
,
(public key cryptosystems) Diffie
Hellman [DF76].
RSA
, p q, :
To modulus n= p*q
( 23).
p q .
p q (.. q
p). p q n1/2.
A p q , |p-q|
.
, p q,
.
d ( )
modulus n.
e ( )
modulus n.
RSA
(padding).
246
7.4.1.2
DSA
p, q, g.
( ) x, ,
0<x<q.
( ) k, ,
0<k<q.
p, q, g, y,
y = gx mod p.
M,
.
, (hashcode) ,
2.2 [FIPS 186-2].
7.4.1.3
ECDSA (Fp)
Galois
(Fq GFq), modulo q.
(Elliptic Curve Digital Signature
Algorithm-ECDSA),
Fq, Fp (prime finite
field) 2 F2m (characteristic 2 finite field). ,
ECDSA Fp F2m.
Fp
[ANSI X9.62]. , ,
[ISO 14888-3], [IEEE P1363] [ISO 15946-2].
:
p
248
q q p
q
E Fp, n
q
P E(Fp) q
E, m, q, P
( ) x, o,
0<x<q
( ) k o, 0<k<q
E, q, P Q, E,
Q = xP.
7.4.1.4
ECDSA (F2m)
(F2m), ECDSA-F2m
[ANSI X9.62]. , ,
[ISO 14888-3], [IEEE P1363] [ISO 15946-2]. ECDSA-F2m
.
:
q q
249
E F2m n
q
F2
P E(F2m) q
E, m, q, P
( ) x, ,
0<x<q
( ) k , 0<k<q
E, q, P Q, E,
Q = xP.
7.4.1.5
ECGDSA (Fp)
(Fp), (Elliptic Curve German Digital Signature AlgorithmECGDSA-Fp48, 49). [ISO 15946-2].
.
ECDSA-Fp,
. ,
48
ecdsa ISO SC 27
ISO/IEC 15946
(Elliptic Curve based German Digital Signature Algorithm). ,
ECKDSA
49
250
k ,
ECGDSA-Fp. ECDSA-Fp.
7.4.1.6
ECGDSA F2m
(F2m)
[ISO 15946-2].
.
ECGDSA-F2m ECDSA
, ( 7.4.1.5).
7.4.2
BnetzA
,
. [BnetzA10],
Bundesnetzagentur fr Elektrizitt, Gas, Telekommunikation, Post und Eisenbahnen (BnetzA)
,
.
, RSA n
1728 2010 2011
1976 . ,
2048 .
, :
RSA,
PKCS#1-v1_5 [PKCS #1 v2.1], 8.2 9.2,
2014. , PKCS#1-v1_5
251
2016. ,
2013.
DSA, p 2048 .
2015, q 224 .
2016, q 256 .
ECDSA-Fp, 2010
p. q 224
2016 250 .
ECDSA-F2m 2010
m. q 224
2016 250 .
( 25)
.
:
2010
:
2017
RSA
1768 ()
2048 ()
1976 ()
2048 ()
p
q
p
q
m
q
2048
224*
224
224
2048
256
250
250
DSA
ECDSA-Fp
ECDSA-F2m
25:
* 2015
252
7.5
, :
i.
,
.
ii.
iii.
,
.
(Pre-image resistance):
( ) y, x
h(x)=y. ,
(backwards),
.
ii.
2 (2nd-preimage resistance):
.
, m, m
h(m) = h(m).
.
253
iii.
(collision resistance):
m, m , h(m)=h(m).
(chosen message attacks)50
.
MD5 SHA-1,
. ,
MD5
. ,
2
, , ,
.
, ,
[BR93] (random oracle). To
(Random Oracle Model)
,
. ,
,
. ,
.
26 [ETSI TS
102 176-1].
50
, .
254
sha1*
01.01.2001
ripemd160
01.01.2001
[ISO 10118-3]
sha224
2004
[FIPS 180-3]
sha256
2004
whirlpool
31.03.2007
[ISO 10118-3]
sha384
31.03.2007
[FIPS 180-3]
sha512
31.03.2007
[FIPS 180-3]
[ISO 10118-3],
[FIPS 180-3]
[ISO 10118-3],
[FIPS 180-3]
26:
7.5.1
7.5.1.1
SHA-1
RIPEMD160
SHA 224
SHA 256
SHA-256 264
256 . FIPS Publication 180-3
[FIPS 180-3].
7.5.1.5
WHIRLPOOL
256
7.5.1.6
SHA 384
SHA 512
SHA-512 2128
512 . FIPS Publication 180-3
[FIPS 180-3]
.
SHA-1
SHA-224
SHA-256
SHA-384
SHA-512
RIPEMD160
WHIRLPOOL
()
160
224
256
384
512
()
()
()
<264
<264
<264
<2128
<2128
512
512
512
1024
1024
32
32
32
64
64
80
80
80
80
80
<264
512
32
160
<2256
512
512
27:
257
7.5.2
BnetzA
SHA1 RIPEMD160
2015.
, SHA1
RIPEMD160 2015.
SHA-224 2015
.
, SHA-256,
SHA-384, SHA-512 [FIPS 180-3]. ,
,
, 2017.
28 .
*:
2010
SHA-1
2010
2015
2017
RIPEMD-160
SHA-224
(SHA-1,
RIPEMD-160)**
SHA-256,
SHA-384,
SHA-512
28: K BnetzA
258
* ,
(serial number) 20 ,
.
** .
7.6
,
bytes
(padding).
.
,
, ,
(salt value).
29 .
emsa-pkcs1-v1.5
[RFC 3447]
emsa-pkcs1-v2.1
[RFC 3447]
emsa-pss
Salt
[RFC 3447]
iso9796ds2
Salt
[ISO 9796-2]
iso9796-din-rn
Salt
[DIN V662911]
iso9796ds3
[ISO 9796-2]
29:
259
8:
8.1
,
.
. ,
,
. ,
.
, , ,
, ,
(non repudiation) .
8.2
(PKI)
.
(certification). ,
(public key certificates)
.
.
. ,
.
,
,
260
. ,
.
(Certification Authority).
,
,
() .
,
,
, .
,
. ,
. 35
.
.
() .509
(recommendation) (ITU)
ISO/IEC 9594-8.
261
35:
8.2.1
.509
.509
.
30, 3
(extensions) .
.509 TVL
Distinguished Encoding Rules
(DER).
262
Version
X.509. 3 X.509. 1
issuer unique identifier, subject unique identifier
2, extensions
3.
Serial number
2 ,
,
.
Issuer name
Period of
validity
Subject name
,
.
.
Algorithms
Parameters
Subjects public
key
subject name.
.
Issuer unique
identifier
Subject unique
identifier
,
.
Extensions
Signature
30: X.509
263
8.3
:
1) . )
, ) () (.. )
) () (attribute certificates)
(AttributeAuthority-AA).
:
. .
.
, .
.
,
.
2) (..
servers, routers).
(web
servers). ,
domain name web server ( ),
,
SSL TLS
( ).
3) .
- (infrastructure
mode)
.
/ .
264
,
.
,
. ,
,
( 1 3 ),
.
8.4
1.
.
OID ( 36),
[99/93/] .
266
267
268
C.
. :
i.
M
(Certificate Policies), 4.2.1.5 [RFC
3280],
[99/93/],
ii.
esi4-qcStatement-1 , , .
8.5
, 35,
. ,
.
.
:
.
. ,
.
.
.
269
. ,
,
. ,
,
.
.
.
. ,
.
,
. 8.3,
.
. ,
.
8.6
.
( 1 3 ),
.
270
(revocation) (suspension),
,
(.. eID
) / (..
).
(certificates serial number)
(Certificate Revocation List-CRL)
.
271
9: eID
, ,
, .
272
[CWA 14170]
.
SCA SSCD
,
(Data To Be Signed-DTBS),
(Signed Data
Object).
,
(Trusted)
(Application Specific) (components) SCA. ,
SCA
. ,
40, :
SCA Manager.
,
SSCD,
.
SSCD. To SSCD SCA
SCA
DTBS,
SSCD ,
SCA.
SCA .
.
9.2
:
SD Composer-SDC. ,
(. ) ,
.
Signed Data Object Composer-SDOC. DTBSF
SSCD
, SDO
(Signed Data Object), [ETSI TS 101 733].
Signature Logging Component.
, .
SSCD Holder Indicator-SHI. SSCD.
9.3
(
41) (SCS) .
.
SCS.
.
SCS
() .
.
276
41:
9.4
[EN 14890-1]
, (application interface)
. 42 43
(application flow)
[CWA 14170].
277
278
279
42 :
. ( 44)
.
44:
( 45)
SSCD SCA,
Secure Messaging
.
45:
. ICC
(IFD) .
.
,
.
(secure messaging) ISO/IEC 7816-4.
280
:
SCA SSCD .
9.5
( 42),
,
.
[EN 14890-1] ,
,
. ,
, '
. , ,
, .
9.5.1
( 42 43).
:
1. (. ).
2. .
,
. [ISO 7816-4]
. :
VERIFY
9.5.1.1
,
.
.
, .
, VERIFY.
31 32 VERIFY APDU,
. , ,
(retry counter).
, (. =3).
.
CHANGE
REFERENCE DATA. 7.5.6 ISO/IEC 7816-4
33 34 APDU . ,
retry
counter
. , ISO/IEC 7816-4
RESET RETRY COUNTER,
(reset) retry counter
. (Resetting Code) 6
, . 35, 36 ,
APDU RESET RETRY
COUNTER.
CLA
INS
P1
P2
Lc
ISO/IEC 7816-4
20 VERIFY
00
<keyref> password reference
< >
< >
SW1-SW2
ISO/IEC 7816-4
CLA
INS
P1
P2
Lc
ISO/IEC 7816-4
24 CHANGE REFERENCE DATA
00
[0 |8] KID of password reference
<password>||<new password >
SW1-SW2
ISO/IEC 7816-4
CLA
INS
P1
P2
Lc
ISO/IEC 7816-4
2C RESET RETRY COUNTER
[00.. 03]
[0 |8] KID of password reference
*
, ,
VERIFY. P1 :
P1 = 00
P1 = 01 (Resetting code)
ISO/IEC 7816-4
284
9.5.1.1.1
46.
DF.CIA.
5 [EN 14890-1].
46: 12345
9.5.1.2
. [EN 14890-1]
:
i.
(off-card). ,
(interface device)
.
285
ii.
(on-card).
.
ICC (interface
device-IFD)
Biometric Information Template (BIT) [ISO7816-11],
, 48.
To Biometric Information Template, ,
, SCA,
DF.CIA GET DATA [ISO 7816-4].
:
(.. )
9.5.1.2.1
,
.
o (secure messaging), ( 6.5.3).
GET DATA Biometric Information
Template VERIFY
(biometric template).
286
:
(terminal)
, biometric
information template . H
BIT
,
- (biometric reader),
(scanning). ,
, .
.
,
.
37, 38 APDU
(Biometric Templates), ( 47 48).
CLA
INS
P1
P2
Lc
ISO/IEC 7816-4
21 VERIFY
00
xx
reference data qualifier
<biometric data template> ( . 39)
37: APDU x
SW1-SW2
ISO/IEC 7816-4
38: APDU
287
47:
48:
9.5.1.2.2
, ,
. APDU
(. 39, 40)
288
CLA
INS
ISO/IEC 7816-4
21 VERIFY
00
[0x | 8] KID of referenced password or biometric
data reference
5F2E 00 || 4D 00
P1
P2
Lc
39: APDU
SW1-SW2
ISO/IEC 7816-4
40: APDU
9.6
ICC
,
,
. ,
PSO:COMPUTE DIGITAL SIGNATURE PSO:HASH,
APDU , [ISO 7816-4].
9.6.1
ICC IFD
ICC
ICC . 49 ,
ICC,
EAL+ SOF-High, [CWA 14169].
289
,
. (intermediate)
big endian51 bit count.
49:
,
_1 ( ICC)
51
290
. , :
i.
ii.
,
.
, ,
. -
Format_1 .
iii.
, ,
7.5. , _2,
:
ICC.
ICC ICC. , ,
.
ICC,
, .
iv.
9.6.2
ICC
,
. ,
ICC PSO:COMPUTE DIGITAL
SIGNATURE. APDU 41, 42.
291
CLA
INS
P1
P2
Lc
Le
ISO/IEC 7816-4
2 PERFORM SECURITY OPERATION
9
COMPUTE DIGITAL SIGNATURE
9
data to be signed
data to be signed
00
41: APDU o
ICC
TLV
SW1-SW2
ISO/IEC 7816-4
42: APDU o
ICC
9.6.3
ICC
. ,
, ICC
ICC PSO:HASH,
(. 43 44).
CLA
INS
P1
P2
Lc
ISO/IEC 7816-4
2 PERFORM SECURITY OPERATION
90
hash
0
input template for hash computation
90 L90 <intermediate hash-code followed by big
Endian bit counter>
80 L80 <data to be hashed>
43: APDU o
ICC. (1/2)
292
SW1-SW2
ISO/IEC 7816-4
CLA
INS
P1
P2
Le
ISO/IEC 7816-4
2 PERFORM SECURITY OPERATION
9
COMPUTE DIGITAL SIGNATURE
9
data to be signed
xx
45: APDU o
ICC. (2/2)
plain signature
SW1-SW2
ISO/IEC 7816-4
9.6.4
ICC
, ,
ICC.
,
PSO:HASH ( 47 48)
PSO-COMPUTE DIGITAL SIGNATURE (. 49 50).
293
CLA
INS
P1
P2
Lc
ISO/IEC 7816-4
2 PSO:HASH
90
hash operation
80
plain value
xx
plain data to be hashed
47: APDU o
ICC. ICC (1/2)
SW1-SW2
ISO/IEC 7816-4
48: APDU o
ICC
CLA
INS
P1
P2
Le
ISO/IEC 7816-4
2 PERFORM SECURITY OPERATION
9
COMPUTE DIGITAL SIGNATURE
9
data to be signed
00
49: APDU o
ICC. (2/2)
SW1-SW2
plain signature
ISO/IEC 78164
294
9.7
ICC
,
. [CWA 14171-00],
. (Initial validation)
(Subsequent validation). [CWA
14171-00] .
: ,
,
.
E : ,
,
,
(Initial Verification time).
ICC,
:
DSI ( RSA )
9.7.1
50
, . PSO:
295
ICC
PSO: HASH
OK
MSE: SET
PSO:VERIFY DIGITAL
SIGNATURE
50:
50 ICC
PSO:HASH. (
ICC), APDU
, 51.
90 L90
xxxx =
80 L80 xxxx =
51: APDU
,
APDU
52.
296
L
90 L90
V
xxxx =
52: APDU
,
MSE, PSO: VERIFY SIGNATURE.
MSE :
/.
APDU 53.
CLA
INS
P1
P2
Lc
ISO/IEC 7816-4
22 MSE
81
SET for verification
B6
Digital Signature Template
54
297
9000 =
6xxx= .
,
2.
VERIFY DIGITAL SIGNATURE. ARDU
55.
CLA
INS
P1
P2
Lc
ISO/IEC 7816-4
2A VERIFY DIGITAL SIGNATURE
00
SET for verification
B6
Input template for signature verification
56
9 L9
, DSI
2
298
10: eID
51: 52
10.1
eID.
52
299
eID
eID
eID
eID
( 2004)
( 2004)
,
2012
10 25
(
2010)
,
2012
24: 28.80
24:
19.80
16-18:
( 2002)
16
(
2006)
2011
ID
300
ID
ID
eID
eID
eID
eID
53
( 2008)
( 2006)
10
( 2001)
25 45
eID
(
2009)
46
(2010)
( 2009)
23,17
(
54)
15
( 2005)
42.85
,
18
( 2011)
( 2007)
12
( 2005)
42
( 2003)
:
51.47
: 25.73
53
54
301
eID ,
eID
.
,
eID
eID .
10.1.1
(
, , , , , )
(
, , , , ) [IDABC-PEGS].
( , , , , , )
eGovernment .
.
(
TAXISnet ).
,
,
.
.
302
PKI
[OBS-EID]. :
,
.
,
.
, .
-
.
.
.
.
10.1.2
eID
( 58). ICAO
. :
, , . 59
303
ICAO BAC.
BAC PACE.
EAC
. EAC,
EAC .
UID
(, , )
5.1.9.1.
58: , , eID
personalization
PIN
ECC
ICAO
(
)
304
personalization
PIN
(
)
59: eID
ICAO
BAC
EAC
UID
ECC
ICAO
(
PACE)
(
)
(
ID
eGovernment ) personalization
, (
305
) 58.
.
eID .
PIN ( )
. PIN
( )
.
.
.
BAC MRZ
(MRZ
).
.
(
).
PKI ,
eID .
, eID
. eID
,
.
-
306
. 6.3.2.1 AA,
.
-
,
,
, .
([1995/46/] . 7).
. 58
eID
.
eID
-.
tamper
proof EAL4+ SOF-High.
, [PRADO] , online
.
eID -
[PRADO],
ID-1 .
307
10.1.3 , &
( citizenspecific UID) (cardspecific UID). citizen-specific UID
. card-specific UID ,
.
.
eGovernment
:
.
.
( 3.2).
, UID
.
.
UID
UID
.
.
308
.
-
.
. - (
)
(semantic information)
. (FINUID)
eID
. ,
(sourcePIN)
[OBS-EID].
,
.
(domain-specific UID sector-specific UID)
.
.
.
(linkability)
(
U-Prove Microsoft55
55
309
Idemix IBM56).
.
eIDs
- (unlinkability)
(selective disclosure) (
).
60 UIDs
eID
. ,
,
UIDs .
60
.
PACE.
[IDABC-PEGS] - :
1 2010
,
ICAO
2 2009 ,
56
21 2009 ,
310
eID 2007
templates
eID
Match-on-Card
.
ISO/IEC FCD 24745 ( Final Committee Draft)
templates.
.
60: ,
eIDs
UID
UID
UID
( )
.&.
.&.
.&.
.&.
.&.
.&.
311
UID
UID
UID
.&.
( )
.&.
.&.
.&.
(PIN)
hashed
,
.&.
template
.&.
10.1.4 eIDs
Eurostat, o eIDs
, , ( 28). :
eIDs
Internet ( 29)
eGovernment eCommerce
eID.
312
Internet
.
(EU-27)
( )
online .
eIDs.
29: Internet online Banking, (%), 2009
313
2010
18,6% 24,8%.
.
314
52:
( )57
10.2 - eID
10.2.1
58 22-11-2010 ,
,
.
.
.
57
11 , , 2010, :
http://www.observatory.gr/files/meletes/11_Broadband_report_a10.pdf
58
22-11-2010, :
http://www.opengov.gr/ypes/wp-content/uploads/downloads/2010/11/karta-politi.pdf
315
, (eID )
(eSign ).
. 12-12-2010
1361 ,
.
.
.
.
,
.
59
, ,
.
.
.
60 2011
59
, , ., 5/1/2011, :
http://avgi.gr/ArticleActionshow.action?articleID=590967
60
) , ,
29/12/2010, : http://www.tovima.gr/default.asp?pid=2&ct=32&artId=375343&dt=29/12/2010
316
.
:
/
.
,
,
.
( ).
10.2.2
(Art. 78-1 to 78-6 Code de procdure pnale)
.
.
ID , , , ,
.
) ,
& , 4/1/2011, :
http://www.ypes.gr/el/MediaCenter/Minister/Seasonable/?id=a8a1568b-1e50-4854-8f4d-6885d2f7ec90
) , &
, 29/12/2010, :
http://www.ypes.gr/el/MediaCenter/Minister/Seasonable/?id=797c2e9b-7ee8-41e9-8c3b-58e400a5d43a
317
.
ID
4 .
, .
MRZ .
.
.
.
2007.
.
INES
(carte d'identit nationale lectronique scurise)
RFID .
,
, CNIL (Commission nationale de
l'informatique et des liberts). -
:
. ID
1995 .
318
61.
ECC , (backwards
compatibility) (PKI, ePassport, - Carte
Vitale). ECC-IAS ( 6.7.3.2) [ID-CRED0210].
31: ID
61
319
10.2.3
,
. ,
[ 2252/2004] [ 444/2009] (
MRTDs),
. .
,
.
2 .
To 2006 9/11
. Identity Cards Act 2006
,
.
(Labour party: Tony Blair 1997-2007, Gordon Brown 2007-2010)
.
2009
.
.
.
,
.
,
(Lipset).
.
J. Christoph
320
.
,
62.
, 23-4-2009 .
(Home Office)
-
. .
, ,
, .
.
. eID
.
:
ID
.
.
62
http://el.wikipedia.org/wiki/___
321
PA
Consultancy ( . ) stick
84.000
,
.
eIDs.
.
- (4,5.)
.
( NO2ID)
.
32: NO2ID
322
2010
Conservative-Liberal Democrat eIDs.
Conservative-Liberal Democrat David Cameron
306+57 (Labour) 258
.
(Identity Documents Act 2010)
21 2011. 15.000
30 63.
(National Identity Register)
21 2011
. . Damian Green
, , 64.
.
257.
.
IBM
(
) , .
4 1.
.
63
Newspaper Guardian, ID cards scheme to be scrapped within 100 days, Alan Travis, 27-5-2010,
http://www.guardian.co.uk/politics/2010/may/27/theresa-may-scrapping-id-cards
64
323
33: eID .
10.3 - eID
10.3.1
,
(citizen card) ,
.
tokens (
)
324
, , . sourcePIN,
(
. email ),
(
).
sourcePIN
(3DES)
65
http://www.chipkarte.at/
66
http://www.a-trust.at/
67
325
http://zmr.bmi.gv.at/
69
70
326
/
. security layer middleware
.
PIN.
(server). O server (hardware security module)
.
, ( )
server.
PIN
.
server
PIN (). PIN
.
(TAN) (SMS).
.
marketing .
( 34)
-
.
34: , -
327
10.3.2
12 (
carte d'identit, identiteitskaart Personalausweis).
15
200 . .
(
, , ). ID 12
.
yy.mm.dd-xxx.xx ( yy-mm-dd
) MRZ .
.
.
- 71.
2004 eID
Infineon ( SLE66CX322P72) JavaCard Axalto.
136KB ROM, 4KB RAM 32KB EEPROM 32 KB
(EEPROM). eID
. eID 5 ,
.
, PIN
(PUK ) .
eID 10 25.
71
Belgian ID, Matrice photo, Critres dacceptation des documents didentit belges pour la photo
http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/8%20documentation/ZCA11495-matrix-BR-FRv8.pdf
72
328
identity file
, address file
.
X509 .
eID RSA 1024-bit :
, .
.
SSL/TLS.
.
(RRN)
, .
PIN ,
, PIN
, PIN
.
53 PKI .
.
Citizen CA. Root
CA (Gov CA)
(RRN Cert),
(Server Code sign Certs) . Root CA
GlobalSign,
. .
329
. 36 Kids ID
. Kids ID
6 .
.
chat , .
35: eID PC
73
73
331
10.3.3
.
PACE BSI eID
BAC.
BAC PACE
e-passports. 2005
ePass
.
, .
,
.
,
,
.
332
eID .
2010 2012
16 .
.
.
.
Bitkom 44% eIDs74.
, Chaos Computer Club (
)
Wolfgang Schuble Datenschleuder
2008
. ""
75.
:
ICAO,
,
online
: .
74
Business Review Europe, D. Moore, German eID Cards Spike Surveillance Fears, Nov 2010, available:
http://www.businessrevieweurope.eu/tags/german-id-cards/germans-eid-cards-spike-surveillance-fears
75
Kleinz Torsten (2008-03-31), "CCC publishes fingerprints of German Home Secretary", Heise Media UK Ltd.,
http://www.h-online.com/newsticker/news/item/CCC-publishes-fingerprints-of-German-Home-Secretary-734713.html
333
(RFID)
.
.
templates .
templates
.
NXP Semiconductors SmartMX
128KB.
4
8 10 .
.
reverse engineering laser
firewall 76.
,
.
.
.
.
.
:
.
76
http://www.nxp.com/infocus/topics/german_national_id_card/index.html
334
.
(eID)
.
,
.
(,
)
PACE
CAN MRZ ( )
PKI . eGovernment
eBusiness PKI
PIN (PACE
PIN). .
eID 6 24
10 24 .
335
10.3.4
2002 (: IDkaart)
FYROM, ,
. ID
15 78. 5 .
: 1 eID 79,
1,35 .
77
http://www.contactlessnews.com/2011/02/01/germany-deploys-contactless-national-id
78
http://www.politsei.ee/en/teenused/isikut-toendavad-dokumendid/id-kaart-kodanikule/taiskasvanule/
79
http://www.sk.ee/pages.php/0203
336
2000 eID
Infineon ( SLE66CX320P )
, Micardo v2.1 Sagem Orga.
136KB ROM, 4KB RAM 32KB EEPROM.
eID . .
.
(isikukood) .
GYYMMDDSSSC,
, G
( , , 1-2
19 , 3-4 20 , 5-6 21 ), SSS
C
.
-
.
(isikukood)
,
. 15/12/2000
.
(digidoc.sk.ee)
eIDs
.
.
,
.
, Trb Baltic AS
Trb AG. ,
337
PIN. ,
, (CA). CA
Trb Baltic AS
, 80 ,
. ,
PIN (RA) ,
PIN
.
eID
.
email .[.X]@eesti.ee. eesti.ee
S/MIME mailers
email .
ID
(eVoting). 2007 eVoting
30.000 .
: eID ,
,
(RSA), (RSA) .
, ,
.
eVoting
,
[OIT08].
eID X.509
(eGovernment) .
80
http://www.sk.ee/
338
, ,
( Eshop ) web 81.
eID .
eBanking (
), SMS 82.
email SMS
. eID ,
. eID
.
GSM
1 .
2007
SIM ,
.
81
82
339
38: eID
10.3.5
(Carta d'Identit Elettronica, CIE)
2001. 1 2006
CIE . 2009
CIE 1,8 .
.
.
180 IDs83
, PKI .
CIE , 25 - 45 [AGS10].
(Codice Fiscale) 16
.
.
83
http://en.wikipedia.org/wiki/Italian_electronic_identity_card
340
32KB (EEPROM)
64. ,
online
.
1 2010
.
. CIE eGovernment .
.
Tor Vergata.
133/2008,
5 10 .
39: eID
341
10.3.6
, ,
, , ,
. 14
(Documento nacional de identidad,
DNI).
256
.
40: eID
, 2009 14 . eID
[IDABC-PEGS] 46,5 .
eID
online .
DNI ,
.
342
. .
, ,
MRZ.
. 14
,
. 30 5 .
30 70 10 . 70
84.
2006 DNI 85
STMicroelectronics, ST19WL3486 32KB.
64KB (EEPROM). .
DNI
[1999/93/EC]
.
,
(Protection Profiles) [CWA 14169],
(National Cryptologic Centre-CCN)
(Intelligence National Intelligence Centre-CNI).
,
,
. :
component
84
PRADO, , http://www.consilium.europa.eu/prado/EL/2274/docHome.html
85
DNI-e, http://www.dnielectronico.es/
86
343
X509v3:
.
,
:
. X509v3.
.
(Spanish
Police Department-DGP) ,
. ,
,
(Validation Authority)
.
, ,
.
,
,
,
.
3
[HG10]:
344
component Diffie-Hellman .
.
RSA .
PIN .
.
(Punto de Actualization del DNIe) .
, o CA
.
EAC.
3 :
1.
PKCS#11.
2.
.
( PUK ).
3.
[EHQ07].
345
41: eID
10.3.7
16 .
16 .
72 (EEPROM)
80 (EEPROM) 87 ICAO
87
Personalisation Of Identity Documents Centre Under The Ministry Of The Interior Of The Republic Of Lithuania, Personal
Identity Card, http://www.dokumentai.lt/en/pic.php
346
[ 2252/2004] .
.
42: 2
(Population Register)
/ .
( ,
, ), ( ) .
. personalization
.
Gemalto 2009 900.000
Sealys Laser-Secured eID .
EAC
6: IC
.
347
.
online 88.
PKI
CVCA
.
DVCA
DV
CVCA .
eID
89.
88
http://www.dokumentai.lt/en/pic_ypat.php
89
http://www.dokumentai.lt/en/pic_bio.php
348
43: eID ( 2 )
10.3.8
21 2009 ID
2006
ICAO .
(Tax and Social
Security number - Sofi-number)90. 2006
( BAC ). ICAO :
BAC, Passive Active Authentication91.
ISO/IEC 19794-5
Photo Matrix 200792 ICAO.
.
90
Ministerie van Binnenlandse Zaken en Koninkrijksrelaties, Reading the chip, 2007, available:
http://www.paspoortinformatie.nl/english/Travel_documents/Reading_the_chip
91
Ministerie van Binnenlandse Zaken en Koninkrijksrelaties, Authenticity Features Model 2006, available:
http://www.paspoortinformatie.nl/english/Authenticity_features/Model_2006
92
349
.
.
5
( ).
(
)
.
44:
350
45:
. 2008
. OVchipcard
.
() (
) 93.
93
Statewatch article: RefNo# 29437, Netherlands: Biometric passport data linked to criminal databases by J van Someren and
K McGauran, Statewatch Bulletin; vol 19 no 3 July-September 2009, http://database.statewatch.org/article.asp?aid=29437
351
.
.
.
. ,
.
,
8
( ).
. ,
3 . . Peter Hustinx
94 : ,
. [...] ,
;.
Statewatch article: RefNo# 29882, Netherlands: Central databases challenged, by Kees Hudig, Statewatch Bulletin; vol 20 no
1 January-March 2010, http://database.statewatch.org/article.asp?aid=29882
94
352
10.3.9
18. .
:
PESEL (Powszechny Elektroniczny Spis Ewidencji Ludnoci General Electronic System for Citizens Evidence) NIP (Numer Identyfikacji
Podatkowej - Tax Identification Number) .
PESEL 11
YYMMDDZZZXQ. YYMMDD (
) , ZZZ
, X Q
.
95
. 2011
. eID IT
( ,
, ..).
PIN (polish
PIT - Personal Incoming Tax).
.
95
Centrum Projektw Informatycznych, CPI Projekty Informatyczne dla Administracji Publicznej, pl.ID - polska ID karta,
available: http://www.cpi.mswia.gov.pl/portal/cpi/38/195/plID__Elektroniczny_dowod_osobisty.html
353
46: eID
eID EN 15480
ID
96. pl.ID project
98 . 85%
97. eID ,
.
96
IDABC European eGovernment Services, eID Interoperability for PEGS, National Profile Poland, Nov 2007, available:
http://ec.europa.eu/idabc/en/document/6484/5938/
97
ePractice.eu, PL/EU: European Commission approved funding for the pl.ID project, 15 July 2010, available:
http://www.epractice.eu/en/news/327625
354
10.3.10
16
. 2007 (Carto de Cidado).
, .
( 47).
47 .
: 384KB
(ROM), 72KB / (EEPROM), 8KB
(RAM) 2KB
(crypto. RAM).
.
.
templates (
). 5 .
.
Frost & Sullivan, Yiru Zhong, Second Wave of eIDs in Europe, available:
http://www.frost.com/prod/servlet/cpo/197881723.htm
355
47: eID
10.3.11
.
. 2005
(identity fraud)
IDs .
(: nationellt id-kort)98
, 1 2005.
.
32KB (EEPROM).
eGovernment
(jpeg ) .
.
(: personnummer).
98
http://www.signguard.se/faq.aspx?faqno=9
http://www.epractice.eu/en/document/288382
356
, , (
), .
.
10
, ,
.
48: eID ( 2 )
MRZ
BAC. EAC.
.
357
10.3.12
(FINeID) 1998.
(henkilkortti/identitetskort)
. eID
[IDABC-PEGS] 2009, 250.000 eID
100.000 .
PKI .
.
PIN [FIDIS-D3.6].
2003 eID (shkinen henkilkortti/elektroniskt
identitetskort) .
6 . eID
.
.
.
52 [AGS10].
5 .
FINeID
eGovernment , emails
99. ,
(, ) .
( ) online ( eID )
.
99
358
(FINUID)
.
(SSIN) eGovernment .
eGovernment
.
,
, 0800
.
HelpDesk : )
online )
100.
1 2004 FINeID (Kela
card). FINeID
. ( 49)
, .
100
359
49: eID
10.3.13
.
2009 ID .
16 .
.
MRZ .
.
RFID . eID
.
360
361
11: -
,
-,
. .
11.1
eID e-passports
.
eIDs e-passports
.
eIDs e-passports ,
.
, ,
, , ,
. ,
,
.
.
.
. match-on-card
,
.
.
362
, ,
.
;
templates , .
;
;
[HHJ06] templates
, template
.
.
/
.
.
.
.
.
.
(
)
.
363
( - 43 49)
.
() () .
: ) , )
, )
, )
, )
( ).
.
( 10 ) .
, ( )
.
,
,
,
.
.
4.2.3
RFID.
.
eID .
364
.
,
ICAO
eMRTDs. [HHJ06]
USB ( ISO/IEC 7816-12).
General
Authentication Procedure 27
: )
(PACE), )
(Terminal
Authentication), )
(Chip Authentication), )
(Passive Authentication) )
(Secure Messaging).
CEN 15480
ICAO
ICAO
. ICAO CEN
.
CEN
( )
.
CEN , eIDs
.
( )
.
CEN (
365
[CEN 15480-2]
ICAO).
11.2
30 14 eIDs, 7
eID 6
. 3
eID .
eIDs
.
, ,
.
laptop
.
( ,
)
.
eID
(
,
), .
( 6.1)
, ,
366
( PIN
) .
.
.
(built in help)
(pre-installed, pre-configured),
.
ECC CEN 15480 1 2,
3 4,
ECC.
-
, ECC
.
.
,
ECC ,
.
11.2.1
Open
Smart Card Development Platform101, (
101
OpenSCDP, http://www.openscdp.org
367
PKI ,
),
, (
, , ). ,
RSA ,
.
368
[AGS10]
[BFK09]
[BKJ09]
[BnetzA10]
[BR93]
[CWP06]
[DATACRD]
[DBP96]
[DF10]
[DH76]
[DIN-SCS]
[EHQ07]
[ELG85]
[ENISA09]
[EU-CTS]
[EU-ID]
[EUROSM-ECC]
370
[FIDIS-D3.6]
[GK06]
[HG10]
[HHJ06]
Hoepman, J., Hubbers, E., Jacobs, B., Oostdijk, M., and Schreur,
R.W., Crossing Borders: Security and Privacy Issues of the European
e-Passport, in Proceedings of IWSEC, 2006, pp 152-167.
[HT02]
[IDABC]
[IDABC-PEGS]
[ID-CRED0210]
[JDA07]
Jean-Daniel Aussel. Smart Cards and Digital Identity. ISSN 00857130Telenor ASA 2007. Available:
http://www.mytelenor.com/no/resources/images/066078_SmartCards_tcm26-36814.pdf
[JDC]
[JMW05]
Ari Juels, David Molnar, David Wagner, Security and Privacy Issues in
E-passports, Number 2005/095, Cryptology {ePrint} Archive, 2005
[K87]
[KMHG07]
[KOKU99]
Oliver Kmmerling, Markus G. Kuhn, Design Principles for TamperResistant Smartcard Processors, Proceedings of the USENIX
Workshop on Smartcard Technology (SMARTCARD-99), pp. 9-20,
USENIX Association, May 10-11 1999
[Y08]
[MI86]
[MR+04]
[08]
[OBS-EID]
&
, , 2010,
:
http://www.observatory.gr/files/meletes/eID%20Status%20&%20C
itizen%20benefits%20v1.3%20final.pdf
[OIT08]
[97]
[P+99]
[PRADO]
[RE03]
[REG S7004]
[SCH]
[SSG10]
[WIKI-ID]
[WM09]
What Makes a Smart Card Secure? Smart Card Talk, July 2009. Smart
Card Alliance. Available:
http://www.smartcardalliance.org/pages/newsletter-200907feature?issue=200907
[WSC10]
&
[ANSI X9.62]
[BSI-TR-03110]
https://www.bsi.bund.de/cln_183/ContentBSI/EN/Publications/Te
chguidelines/TR03110/BSITR03110.html
[CC211]
International Organization for Standardization, ISO/IEC 154081:2005 Information technology -- Security techniques -- Evaluation
criteria for IT security-- Part 1: Introduction and general model, 2009
[CC212]
International Organization for Standardization, ISO/IEC 154081:2008 Information technology -- Security techniques -- Evaluation
criteria for IT security-- Part 2: Security functional components, 2008
[CC213]
International Organization for Standardization, ISO/IEC 154081:2009 Information technology -- Security techniques -- Evaluation
criteria for IT security-- Part 3: Security assurance components, 2008
[CEN 15480-2]
[CEN 15480-3]
[CEN 15480-4]
[CWA 14169]
[CWA 14170]
[CWA 14172-1]
[DIN V66291-1]
[EN 14890-1]
[EN 14890-2]
http://www.etsi.org/deliver/etsi_ts/102100_102199/10217601/02.0
0.00_60/ts_10217601v020000p.pdf
[ETSI SR 002 176]
[FIPS 180-3]
[FIPS 186-2]
[FIPS 186-3]
[ICAO GUID]
[ICAO GUIDL]
[ICAO SAC]
[ICAO SUPPL]
[IEEE P1363]
[ISO 7816-4]
[ISO7816-11]
[ISO 9796-2]
ISO/IEC 9796-2: "Information technology - Security techniques Digital signature schemes giving message recovery - Part 2: Integer
factorization based mechanisms",2002, (
ISO/IEC 9796-2 (1997): Mechanisms using a hash-function)
[ISO 10118-3]
ISO/IEC 10118-3: "Information technology - Security techniques Hash functions -Part 3: Dedicated hash functions", 2nd ed., 2004
[ISO 14888-3]
ISO/IEC 14888-3: Information technology - Security techniques Digital signatures with appendix - Part 3: Discrete logarithm based
mechanisms, 2006
[ISO 15946-2]
[RFC 3280]
[RFC 3447]
[RFC 3739]
[ 11/2010]
,
,
377
, ,
. 230/10-11-2010
, . . 1954/. . 35/2010,
, 22 2010
[EK/709/2000]
, 6 2000,
[ 2252/2004]
. 2252/2004,
, 2004
[ 444/2009]
. 444/2009,
() . 2252/2004
, 2009
[ 1030/2002]
. 1030/2002,
, 2002
[ 380/2008]
. 380/2008,
() . 1030/2002
, 2008
[ 562/2006]
. 562/2006,
( ), 2006
[10]
, . , ,
, :
2010, ,
....,
[N2672/1998]
14 . 2672/1998,
(- ), 290
/28.12.1998
[3230/2004]
3230/2004, ,
, 44/11.2.2004
[N3448/2006]
20 . 2672/1998, .
, 57/15.3.2006
378
[3471/2006]
.3471/2006,
. 2472/1997, 133/28.06.2006, :
http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/LAW/NOM
OTHESIA%20PROSOPIKA%20DEDOMENA/3471_2006.PDF
[N3536/2007]
25 .3536/2007,
, 42/'/23.2.2007
[150/2001]
150/2001,
99/93/
,
125/25.6.2001
[342/2002]
[/60/10/217]
. . /.60/10/217
() .. & ..
.....,
, 11 2007
[3021/2005]
. 3021/19/53, , ,
, 1440/18.10.2005
[3021/2010]
3021/22/10/2862005
,
, , ,
( 932), 1298/17.8.2010
[YA248/2002]
. 248/71,
, B 603/16.5.2002
[YA2512/2006]
. 2512.
,
1654/10.11.2006
[1995/46/]
1995/46/
24 1995
379
[1999/93/]
1999/93/
13 1999
[2002/58/]
2002/58/
12 2002
[UDC95]
[UNCITRAL96]
380
A I: ICAO DES
block
.
BAC
-
ICC IFD
(Secure Messaging).
[ICAO SUPPL] [ICAO 9303 P3V2]
.
ICAO triple-DES DES.
102
ISO 11568-2:2005 Banking - Key management (retail) - Part 2: Symmetric ciphers, their key management and life
cycles
.
.
ISO/IEC 9797-1103 MAC 3 DES IV
55. blocks a
block Kb .
ciphertext.
55: MAC
103
FIPS PUB 180-3, Secure Hash Standard (SHS), NIST October 2008,
SHA-1, SHA-224, SHA-256, SHA-384 SHA-512
,
blocks hashing
.
61: SHA [FIPS 180-3]
5
hash. :
Collision resistance,
hash
Preimage resistance,
( )
Second preimage resistance,
hash .
62 NIST SP 800-107 Recommendation for Applications Using Approved
Hash Algorithms Feb 2009, SHA .
SHA
keyed-hash MAC,
. SHA
.
.
63 NIST SP 800-57 Recommendation for Key Management Part 1: General
(revised) Mar 2007, SHA
. (bits of security)
(key derivation functions) (random number generator)
.
5
SHA-1
80
bits.
63: SHAs, bits [NIST SP
800-57]
ISO Standards
. : [DIN-SCS]
ISO/IEC 7810
Title: Identification cards Physical characteristics
CONTENT AND SCOPE
This International Standard specifies the physical characteristics of identification cards
including card materials, construction, characteristics, and dimensions for four sizes of
cards. This International Standard specifies the requirements for cards used for
identification. It takes into consideration both human and machine aspects and states
minimum requirements. It is the purpose of this standard to provide criteria to which
cards shall perform. No consideration is given within to the amount of use, if any,
experienced by the card prior to test. Failure to conform to specified criteria should be
negotiated between the involved parties.
STATUS
In 2010, a new release of ISO/IEC 7810 is expected. It is expected to include the
amendment plus other characteristics from other International Standards which might
need transfer to this standard as they
are no longer specific to one individual card technology.
NOTES
Thin flexible cards are not within the scope of this International Standard. Thin flexible
cards are addressed by the ISO/IEC 15457 series.
PRESENT RELEASES
ISO/IEC 7810: 1985, 1995, 2003, AMD 1:2009
ISO/IEC 7816
Title: Identification cards Integrated circuit cards
CONTENT AND SCOPE
This standard consists of 14 parts:
Part 1: Cards with contacts Physical characteristics
Part 2: Cards with contacts Dimensions and location of the contact
Part 3: Cards with contacts Electrical interface and transmission protocols
Part 4: Organization, security and commands for interchange
Part 5: Registration of application providers
Part 6: Interindustry data elements for interchange
Part 7: Commands for Structured Card Query Language (SCQL)
Part 8: Commands for security operations
Part 9: Commands for card management
Part 10: Cards with contacts Electrical interface for synchronous cards
Part 11: Personal verification through biometric methods
Part 12: Cards with contacts USB electrical interface and operating procedures
Part 13: Commands for application management in multi-application environment
Part 15: Cryptographic information application
Part 1 of ISO/IEC 7816 specifies the physical characteristics of integrated circuit(s) cards
with contacts. It applies to identification cards of the ID-1 card type which may include
embossing and/or a magnetic stripe as specified in ISO/IEC 7811, parts 1 to 6. This part
of ISO/IEC 7816 applies to cards which have a physical interface with electrical contacts.
It does not, however, define the nature, number and position of the integrated circuits in
the cards.
Part 2 of ISO/IEC 7816 specifies the dimensions, locations and assignment for each of
the contacts on integrated circuit cards of an ID-1 card type.
Part 3 of ISO/IEC 7816 specifies the power and signal structures, and information
exchange between an integrated circuit(s) card and an interface device such as a
terminal. It also covers signal rates, voltage levels, current values, parity convention,
operating procedure, transmission mechanisms and communication with the card. It
does not cover information and instruction content, such as identification of issuers and
users, services and limits, security features, journaling and instruction definitions.
Part 4 of ISO/IEC 7816 specifies: the content of the messages, commands and
responses, transmitted by the interface device to the card and conversely, the
structure and content of the historical bytes sent by the card during the answer to reset,
the structure of files and data, as seen at the interface when processing interindustry
commands for interchange, access methods to files and data in the card, a security
architecture defining access rights to files and data in the card, methods for secure
messaging, access methods to the algorithms processed by the card. It does not
describe these algorithms. It does not cover the internal implementation within the card
and/or the outside world. It allows further standardization of additional inter - industry
commands and security architectures.
Part 5 of ISO/IEC 7816 specifies a numbering system for application identifiers and a
registration procedure for application provider identifiers. The numbering system
described in this standard provides a means for an application and related services
offered by a provider to identify if a given card contains the components required by its
application and related services. An application identifier (AID) is used to address an
application in the card. This part of ISO/IEC 7816 specifies the coding of application
identifiers together with means and mechanisms for addressing application parts in
cards. This part of ISO/IEC 7816 establishes the authorities and procedures to ensure
and optimize the reliability of the corresponding registration.
Part 6 of ISO/IEC 7816 specifies directly or by reference the Data Elements (DE),
including composite DEs, used in interindustry interchange, based on integrated circuit
cards (ICCs). It identifies the following characteristics of each DE: Identifier; Name;
Description and ISO reference; Format and coding (if not available in other ISO
standards or parts of ISO/IEC 7816). The layout of each DE is described as seen at the
interface between the interface device (IFD) and the ICC. This part of ISO/IEC 7816
defines the means of retrieval of the DEs in the card (historical bytes, reset, command(s)
to perform and commands defined in this international standard). This part of ISO/IEC
7816 provides the definition of DEs without consideration of any restrictions on the
usage of the DEs.
Part 7 of the standard specifies the concept of a SCQL database (SCQL = Structured
Card Query Language based on SQL, see ISO/IEC 9075) and the related interindustry
enhanced commands.
Part 8 of ISO/IEC 7816 specifies: security protocols for use in cards; secure
messaging extensions; the mapping of the security mechanisms onto the cards
security functions/services, including a description of the in-card security mechanisms;
data elements for security support; the use of algorithms implemented on the card
(though the algorithms themselves are not described in detail); the use of certificates;
security related commands. This part of ISO/IEC 7816 does not cover the internal
implementation within the card and/or the outside world. The choice and conditions of
use of cryptographic mechanisms may affect card exportability. The evaluation of the
suitability of algorithms and protocols is outside the scope of this part of ISO/IEC 7816.
Part 9 of ISO/IEC 7816 specifies: a description and coding of the life cycle of cards and
related objects; a description and coding of security attributes of card related objects;
functions and syntax of additional interindustry commands; data elements associated
with these commands; a mechanism for initiating card-originated messages. This part
of ISO/IEC 7816 does not cover the internal implementation within the card and/or the
outside world.
Part 10 of ISO/IEC 7816 specifies the power, signal structures, and the structure for the
answer to reset between an integrated circuit(s) card with synchronous transmission and
an interface device such as a terminal. The specifications in ISO/IEC 7816-3 apply
where appropriate, unless otherwise stated here. It also covers signal rates, operating
conditions, and communication with the integrated circuit(s) card. This part of ISO/IEC
7816 specifies two types of synchronous cards: type 1 and type 2.
Part 11 of ISO/IEC 7816 specifies security related interindustry commands to be used for
personal verification with biometric methods in integrated circuit(s) cards. It also defines
data elements to be used with biometric methods. Identification of persons using
biometric methods is outside the scope of this standard.
Part 12 of ISO/IEC 7816 specifies the operating conditions of an integrated circuit card
that provides a USB interface.
Part 13 of ISO/IEC 7816 specifies the multi-application environment for the card and the
commands required for Application management. This part of ISO/IEC 7816 covers the
entire Application life cycle in a multi-application card, including pre-issuance (before the
card has been issued to the cardholder) and post-issuance (after the card has been
issued to the cardholder or after the card has expired). It does not cover the internal
implementation within the card and / or the outside world.
Part 15 of ISO/IEC 7816 specifies an application in a card. This application contains
information on cryptographic functionality. This part of ISO/IEC 7816 defines a common
syntax and format for the cryptographic information and mechanisms to share this
information whenever appropriate. This International Standard does not cover the inter
nal implementation within the card and/or the outside world. It shall not be mandatory for
implementations complying with this International Standard to support all options
described.
STATUS
ISO/IEC 7816-4 is currently under review.
ISO/IEC 7816-11 is currently under review.
ISO/IEC 7816-15 is currently under review.
PRESENT RELEASES
ISO/IEC 7816-1: 1987, 1998, AMD1:2003
ISO/IEC 7816-2: 1988, 1999, AMD1:2004
ISO/IEC 7816-3: 1989, AMD1:1992, AMD2:1994,
1997, AMD1:2002, 2006
ISO/IEC 7816-4: 1995, AMD1:1997, 2005
ISO/IEC 7816-5: 1994, AMD1:1996, 2004
ISO/IEC 7816-6: 1996, 2004, AMD1:2006
ISO/IEC 7816-7: 1999
ISO/IEC 7816-8: 1999, 2004
ISO/IEC 7816-9: 2000, 2004
ISO/IEC 7816-10: 1999
ISO/IEC 7816-11: 2004
ISO/IEC 7816-12: 2005
ISO/IEC 7816-13: 2007
ISO/IEC 7816-15: 2004
10
ISO/IEC 14443
Title: Identification cards Contactless integrated circuit(s) cards Proximity
integrated circuit(s) cards
CONTENT AND SCOPE
ISO/IEC 14443 specifies the physical characteristics of proximity cards (PICC). It applies
to identification cards of the card type ID-1 and of other form factors operating in
proximity of a coupling device. This standard specifies the characteristics of the fields to
be provided for power and bidirectional communication between proximity coupling
devices (PCDs) and proximity cards (PICCs). ISO/IEC 14443 describes:
polling for proximity cards (PICCs) entering the field of a proximity coupling device
(PCD),
the byte format, the frames and timing used during the initial phase of communication
between PCDs and PICCs,
the initial Request and Answer to Request command content,
methods to detect and communicate with one PICC among several PICCs
(anticollision),
other parameters required to initialize communications between a PICC and PCD,
optional means to ease and speed up the selection of one PICC among several PICCs
based on application criteria.
ISO/IEC 14443 specifies a half-duplex block transmission protocol featuring the special
needs of a contactless environment and defines the activation and deactivation
sequence of the protocol.
11
ISO/IEC 19794
Title: Information technology Biometric data interchange formats
CONTENT AND SCOPE
This standard describes the general aspects and requirements for defining biometric
data interchange formats. The notation and transfer formats provide platform
independence and separation of transfer syntax from content definition. This standard
defines what is commonly applied for biometric data formats, i.e. the standardization of
the common content, meaning, and representation of biometric data formats of biometric
types considered in the specific parts of the multipart standard.
The individual parts of this multipart standard specify for various biometric modalities a
data record interchange format for storing, recording, and transmitting the information
from one or more biometric characteristics as image or feature data within an ISO/IEC
19785-1 CBEFF data structure. This can be used for the exchange and comparison of
biometric reference data. It defines the content, format, and units of measurement for the
exchange of biometric reference data that may be used in the verification or identification
process of a subject. The information consists of a variety of mandatory and optional
items, including scanning parameters, compressed or uncompressed images and
vendor-specific information. This information is intended for interchange among
organizations that rely on automated devices and systems for identification or verification
purposes. Information compiled and formatted in accordance with this part of the
ISO/IEC 19794 standard can be recorded on machine-readable media or may be
transmitted by data communication facilities.
This standard consists of 13 parts:
Part 1: Framework
Part 2: Finger minutiae data
Part 3: Finger pattern spectral data
Part 4: Finger image data
Part 5: Face image data
Part 6: Iris image data
Part 7: Signature/sign time series data
Part 8: Finger pattern skeletal data
Part 9: Vascular image data
Part 10: Hand geometry silhouette data
Part 11: Signature/sign processed dynamic data
Part 13: Voice data
Part 14: DNA data
STATUS
Parts 11,13 and 14 are at WD stage.
NOTES
The revision process has been started for Part 1, 2, 3, 4, 5, 6, 8 Conformance testing
standards are under development in SC37 WG3
Part 11 has been cancelled by ISO in 2007. The project is now restarted.
12
PRESENT RELEASES
ISO/IEC 19794-1: 2006
ISO/IEC 19794-2: 2005
ISO/IEC 19794-3: 2006
ISO/IEC 19794-4: 2005
ISO/IEC 19794-5: 2005
ISO/IEC 19794-5:2005/Cor 1:2008
ISO/IEC 19794-5:2005/Cor 2:2008
ISO/IEC 19794-5:2005/Amd 1:2007
ISO/IEC 19794-5:2005/Amd 2:2009
ISO/IEC 19794-6: 2005
ISO/IEC 19794-7: 2007
ISO/IEC 19794-8: 2006
ISO/IEC 19794-9: 2007
ISO/IEC 19794-10: 2007
13
ISO/IEC 10373
Title: Identification cards Test methods
CONTENT AND SCOPE
ISO/IEC 10373 defines test methods for characteristics of identification cards according
to the definitions given in ISO/IEC 7810, ISO/IEC 7811, ISO/IEC 7813 and ISO/IEC
7816. Each test method is cross-referenced to one or more base standards, which may
be ISO/IEC 7810 or one or more of the supplementary standards that define the
information storage technologies employed in identification cards applications.
The first part of ISO/IEC 10373 defines test methods which are common to more than
one card technology. Other parts of ISO/IEC 10373 define technology specific test
methods.
Originally the standard series ISO/IEC 10373 had been intended to encompass all the
test methods related to identification cards. However, for some standards, which are also
covered by this summary report, it was decided by SC17 to associate a test method
standard to specifically that base standard, which is mostly referenced to. Therefore,
there are further test methods standards, which are a part of the related base standard,
with equal main standard number like the base standard.
This standard consists of 6 parts:
Part 1: General characteristics
Part 2: Cards with magnetic stripes
Part 3: Integrated circuit(s) cards with contacts and related interface devices
Part 5: Optical memory cards
Part 6: Proximity cards
Part 7: Vicinity cards
STATUS
A draft amendment to part 1 is in status WD which will basically consist of parts of
10373-3 which are no longer specific for cards with contacts only. ISO/IEC 10373-3 is
being under revision and will be re-issued by the end of 2009.
So is ISO/IEC 10373-6, which is under revision in CD status. The new release is
expected for 2010. That revised version will cover the Amendments 1 to 5, related to the
2001-version of 10373-6.
In order to publish the RFID interface related test methods for ePassports (compliant to
ISO/IEC 7501) as early as possible, it was decided to process an Amendment 7 to
ISO/IEC 10373-6:2001, although the revision of 10373-6 is running simultaneously. That
Amendment 7 is in FPDAM status and will be published by the end of 2009. As its first
release, its content is equal to the Parts 2 and 4 of the ICAO Technical Reports on test
methods, see 6.1. After a migration period, defined by ICAO TAG MRTD and SC17,
ISO/IEC 10373-6/Amendment 7 will totally replace those two ICAO Technical Reports
and then be further maintained and improved by SC17.
NOTES
The work on ISO/IEC 10373-4 was suspended in 2001.
PRESENT RELEASES
ISO/IEC 10373-1: 1998, 2006
ISO/IEC 10373-2: 1998, 2006
ISO/IEC 10373-3: 2001
14
15
IV:
(EESSI)
EESSI ETSI(/ESI) CEN(/ISSS),
.
16
,
IV, [99/93/EC].
.
, , ,
,
.
SSCDs.
,
.
( 56)
. ICC
.
Diffie-Hellman (RFC 2631) 57.
yb
ZZ .
ya ( , ).
ICC .
17
,
.
EN 726
Title: Identification card systems Telecommunications integrated circuit(s)
cards and terminals
CONTENT AND SCOPE
This European Standard defines the general concepts including the system overview,
the involved entities and the five different phases in the lifetime of a card and a card
system. It specifies the use of IC cards for telecommunication use. It describes a general
security approach. This European Standard specifies the application-independent card
characteristics of multi-application IC-cards and plug-in modules for telecommunication
applications in order to ensure interoperability for telecommunication cards with various
systems and terminals. It specifies the application independent card related
characteristics of card terminals. This European Standard specifies payment methods for
telecommunication applications, using IC cards. These payment methods are not
necessarily linked to the applications which use them, and they can be used by more
than one application. The document gives guidance on the interface between the IC card
and the external world. It considers an open system in which the payment methods will
be used. A closed system is a special case of the open system. The document defines
following telecommunication features: abbreviated dialling, last number dialing (stored
within the card), fixed number dialling. This European Standard specifies: The minimum
requirements for a Security Module (SM); the general card related functions embedded
and cryptographic processing described in annex A for the case where the SM is an ICC
should be supported if the SM is not an ICC or the configuration of the system, e.g.
where the SM handles more than one terminal/user card.
This standard consists of 7 parts:
Part 1: Systems overview
Part 2: Security framework
Part 3: Application independent card requirements
Part 4: Application independent card related terminal requirements
Part 5: Payment methods
Part 6: Telecommunication features
Part 7: Security module
NOTES
19
20
21